A new survey from LSEG shows that most financial services firms from around the globe have made changes or updates to their cloud strategies partially in response to data privacy, security and sovereignty regulations. While the approaches to compliance vary across regions, depending on the respective local regulatory framework, one theme stands out: operational resilience is a shared priority for both firms and regulators.
- Cloud strategies are shifting: Financial services firms from around the globe have made changes or updates to their cloud strategies partially in response to data privacy, security and sovereignty regulations, according to a new LSEG survey.
- Compliance approaches differ by region: The approaches that firms take to meeting their cloud compliance obligations vary as jurisdictions are at different stages of creating their cloud rulebooks.
- However, firms and regulators alike seem to understand the importance of operational resilience as a way to reduce outages and enhance their strategies.
In a recent LSEG survey, 84% of respondents say they have changed or updated their cloud strategies in response to data privacy, security and sovereignty regulations, with more than a quarter (28%) making extensive changes. Amid these shifts, operational resilience has emerged as a shared priority for both firms and regulators, reflecting a common goal to strengthen cloud stability and reduce disruption.
The survey is based on research commissioned by LSEG that was conducted online by Phase 5, an independent marketing research and consulting company, from November 2024 through March 2025. A total of 453 financial services executives around the globe completed the survey. Nearly two-thirds (63%) of survey respondents are primary decision-makers for financial market data and IT solutions in their organisation. The survey covered 12 countries.
Operational resilience: a shared priority
Operational resilience in the cloud is one shared priority area for financial firms and regulators. Globally 30% of respondents say their organisation experienced an operational disruption due to cloud services in the past 12 months. As a result, resilience and security are becoming central to how firms evaluate the value of their cloud strategies, cited by 47% of respondents as a key performance indicator.
The EMEA region places the most importance on operational resilience when selecting a cloud provider, with 95% of respondents rating this either very important (61%) or critical (34%). Some 29% of EMEA respondents reported an operational disruption due to cloud services over the past 12 months, slightly below the global average.
The picture in APAC is more complex. The region has the highest rate of operational disruption – 38%, and APAC firms are focused on operational resilience – 51% of respondents say that it is an indicator used to assess return on investment (ROI) of cloud strategies at their firm, which is the highest of the three regions. However, there is a disconnect when it comes to supporting that goal, as only 21% of respondents say that operational resilience is critical when selecting a cloud provider, the lowest of the three regions.
APAC regulators are starting to encourage a greater focus on operational resilience. For example, in November 2024, some APAC regulators - including the Australian Prudential Regulation Authority, Hong Kong Monetary Authority, Otoritas Jasa Keuangan (Indonesia), Bank of Japan, Bank Negara Malaysia, Bangko Sentral ng Pilipinas, Bank of Thailand, and the Monetary Authority of Singapore (MAS) - and global cloud service providers conducted a crisis management tabletop exercise, which was the first of its kind in the region.
Adapting to a dynamic regulatory landscape
One third (33%) of financial firms say that regulatory changes are impacting their cloud strategies, including migration, artificial intelligence, analytics, and more. According to the survey, top indicators used to assess ROI on their cloud strategies include flexible capacity (51%), revenue growth (47%) and greater security/resilience (47%).
The survey also highlights how firms are evolving their cloud strategies to meet compliance expectations. Of those respondents who say their cloud strategy is impacted by data privacy, security and sovereignty regulations[1], 59% say they are adopting hybrid strategies and 56% are adopting multi-cloud strategies to adapt to regulatory requirements. In addition, 37% of financial services firms are limiting what data is kept in the cloud, while 35% are working with locally/regionally owned vendors.
In the survey, multi-cloud strategies are defined as those in which workloads, applications, and data are distributed across multiple public cloud providers. Hybrid cloud strategies are those in which workloads, applications, and data are distributed across a combination of public and private cloud or on-premises locations.
These shifts reflect a strategic and responsive approach to regulation, balancing compliance with innovation and operational resilience.
The relationship between rules and ROI
Regulatory frameworks vary by region. For example, one-third (33%) of APAC respondents say that they have had to change or update their cloud strategy extensively in response to data privacy, security and sovereignty regulations – compared with less than one-quarter (24%) of EMEA respondents. The APAC region’s jurisdictional cloud rules continue to evolve. For example, respondents must comply with India’s Digital Personal Data Protection Act (2023) and the recent amendments to Australia’s Privacy Act, and updates are expected to Japan’s data rules within the next year.
One-third (33%) of Americas respondents say that regulatory changes are the top barrier to achieving expected ROI from cloud strategies. This result is driven by Canadian respondents, of which 96% say they made either moderate or extensive changes to their cloud strategies due to data privacy, security and sovereignty regulations. Canadian banks are implementing a Third-Party Risk Management guideline (April 2023), an Integrity and Security guideline (January 2024), and an Operational Risk Management and Resilience Guideline (August 2024). In the US, the new administration is expected to influence the direction of cloud regulation in time, and bilateral trade agreements may impact firms’ cloud strategies too.
Regulatory change is also a key issue for EMEA respondents, but in a slightly different way. “Data loss and leakage risks” is the top barrier to achieving expected ROI from cloud strategies at 31%. Tied with it are regulatory changes (31%) and compliance concerns (31%). The EU and UK have long had cloud rules for financial services firms, and the EU’s Digital Operational Resilience Act (DORA) is having a significant impact on cloud strategies.
Overall, cloud regulations are having an impact on the ROI that financial firms want to deliver on their cloud investments in all regions. However, in some areas, financial firms agree that the requirements can have a silver lining to drive ROI as they aim to increase operational resilience.
[1] Data sovereignty regulations seek to ensure that data is subject to the laws and policies of the jurisdiction in which it was generated.
Legal Disclaimer
Republication or redistribution of LSE Group content is prohibited without our prior written consent.
The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.
Copyright © 2025 London Stock Exchange Group. All rights reserved.
The content of this publication is provided by London Stock Exchange Group plc, its applicable group undertakings and/or its affiliates or licensors (the “LSE Group” or “We”) exclusively.
Neither We nor our affiliates guarantee the accuracy of or endorse the views or opinions given by any third party content provider, advertiser, sponsor or other user. We may link to, reference, or promote websites, applications and/or services from third parties. You agree that We are not responsible for, and do not control such non-LSE Group websites, applications or services.
The content of this publication is for informational purposes only. All information and data contained in this publication is obtained by LSE Group from sources believed by it to be accurate and reliable. Because of the possibility of human and mechanical error as well as other factors, however, such information and data are provided "as is" without warranty of any kind. You understand and agree that this publication does not, and does not seek to, constitute advice of any nature. You may not rely upon the content of this document under any circumstances and should seek your own independent legal, tax or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the publication and its content is at your sole risk.
To the fullest extent permitted by applicable law, LSE Group, expressly disclaims any representation or warranties, express or implied, including, without limitation, any representations or warranties of performance, merchantability, fitness for a particular purpose, accuracy, completeness, reliability and non-infringement. LSE Group, its subsidiaries, its affiliates and their respective shareholders, directors, officers employees, agents, advertisers, content providers and licensors (collectively referred to as the “LSE Group Parties”) disclaim all responsibility for any loss, liability or damage of any kind resulting from or related to access, use or the unavailability of the publication (or any part of it); and none of the LSE Group Parties will be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, howsoever arising, even if any member of the LSE Group Parties are advised in advance of the possibility of such damages or could have foreseen any such damages arising or resulting from the use of, or inability to use, the information contained in the publication. For the avoidance of doubt, the LSE Group Parties shall have no liability for any losses, claims, demands, actions, proceedings, damages, costs or expenses arising out of, or in any way connected with, the information contained in this document.
LSE Group is the owner of various intellectual property rights ("IPR”), including but not limited to, numerous trademarks that are used to identify, advertise, and promote LSE Group products, services and activities. Nothing contained herein should be construed as granting any licence or right to use any of the trademarks or any other LSE Group IPR for any purpose whatsoever without the written permission or applicable licence terms.
