Who really controls your cloud?

A component-by-component analysis of a typical enterprise cloud platform and why 20 of 21 layers have jurisdictional exposure outside your home regulator's reach.

Why your data sovereignty assumptions probably don’t hold up

In November 2025, the European Supervisory Authorities formally designated AWS, Microsoft, Google Cloud and IBM as Critical ICT Third-Party Providers under DORA. The UK is extending its Critical Third Parties regime, SMCR holds senior managers personally accountable for third-party risk, and OCC, FFIEC, NYDFS and OSFI B-13 are moving in the same direction.

Regulators want firms to demonstrate, not assert, that they understand their critical cloud dependencies and the legal frameworks behind them. Most can’t, because of a quiet structural problem.

Why “in-region” doesn’t mean what you think

Financial Services and Insurance firms face mounting third-party concentration scrutiny and regulators are increasingly asking firms to demonstrate that they understand, not just disclose, their critical third-party dependencies and the legal frameworks those dependencies operate under.

This paper gives technology, compliance and risk leaders the evidence base to have that conversation internally before a regulator asks it externally. Most regulated firms believe an in-region cloud zone gives them jurisdictional control over their data. It doesn’t.

Data location and operational control are separate layers. Workloads in your home region almost always depend on control planes, software supply chains and operational services run by vendors bound by foreign legal frameworks, including the US CLOUD Act, which applies regardless of where data is stored.

This paper analyses a typical enterprise stack component by component to show exactly where the exposure sits, and gives technology, risk and compliance leaders a practical framework for evaluating it. The worked example is UK-hosted, but the dependency pattern is near-identical for any firm on a hyperscaler.

For more information, visit www.esynergy.co.uk

Download the Whitepaper

First Name

Last Name

Company Name

Business Email

Job Title

Country

Sector

By clicking on the submit button, you consent to esynergy keeping you informed about the latest news on technology and trends shaping the future of financial technologies. You can unsubscribe at any time.*

Please tick this box if you would like FinTech Global to keep you informed about our events and industry insights by email. You can unsubscribe at any time.