For a long time “cloud first” was the undisputed adage of digital transformation: flexible, scalable, cost-efficient. But recent signals from regulators DNB and AFM show that blindly relying on public clouds poses a risk that can no longer be ignored.
Financial institutions are returning to on-premise and hybrid technology. Not out of nostalgia, but out of sheer necessity. In a world rife with cybercrime, data dominance, and geopolitical threats, digital dependence on a small number of non-European IT vendors is explicitly identified by regulators as a systemic risk.
The Geopolitical Reality: Dependency as a Systemic Risk
Reality has changed – and IT strategy must follow suit. What once began as technological innovation has now become strategic self-protection.
Governance responsibility today extends beyond SLAs and uptime. Legal authority, data sovereignty, and compliance assurance are now central to boardrooms. DNB points out that a single outage, cyber incident, or geopolitical tension at a hyperscaler can impact multiple institutions simultaneously, putting the stability of the financial system under pressure.
In addition, the financial sector has become increasingly dependent on a small number of non-European IT vendors (so-called ” hyperscalers”). This concentration creates a shared vulnerability at the system level.
Boardrooms are facing critical questions:
- Who manages our infrastructure and under whose jurisdiction does it fall?
- What happens in the event of political tensions or sanctions affecting crucial services?
- How do we guarantee supplier independence in the event of a threat of vendor failure? lock -in?
Cloud is scalable – but in this light, not always manageable.
Legislation and Regulations: Compliance as a Strategic Instrument
European legislation, such as Digital Operational The Resilience Act (DORA) and the GDPR increasingly impose obligations on where and how sensitive data is managed.
On-premise and hybrid IT are therefore becoming crucial tools for ensuring compliance and digital autonomy. Cybersecurity, access control, encryption, and network segmentation remain more controllable under our own control – a vital advantage in a sector where reputations are at stake daily.
Supervisors DNB and AFM are becoming increasingly explicit: anyone working with sensitive customer data and critical processes must be able to substantiate where, how, and under whose control this happens.
Costs and Control: The Downside of Pay As You Go
What once seemed like a cost advantage now often turns out to be an unpredictable expense: scaling, license upgrades, and fees charged by a cloud provider when you move data out of their network or data centers make cloud spending difficult to control.
On-premises offers clarity, stability in TCO, and independence from external vendors. CFOs and CIOs are discovering that investment control and compliance go hand in hand with strategic autonomy.
Hybrid IT: Innovation with Control
The future isn’t a choice between cloud or on-premise, but control and flexibility. European software solutions like Corporater offer organizations full scalability and integration without cloud lock-in, with minimal dependency on third parties. Benefits:
- Full control over data and infrastructure
- Integration with ERP and data landscapes
- Configuration without coding
- Built-in BI and reporting
In this way, organizations combine innovative power with maximum control, without compromising on compliance or data sovereignty.
‘Control First’ as a Strategic Breakthrough
The revaluation of on-premise and hybrid IT is not a setback, but a strategic breakthrough. The warnings from DNB and AFM underscore that concentration and systemic risks are real and must be actively mitigated. For Board members, this means:
- Rethinking IT strategy and developing clear exit strategies
- The shift from ‘ cloud first’ to ‘control first’
- Demonstrate courage, leadership and a long-term vision on digital autonomy
The digital future no longer demands just speed and scalability, but control, independence, and strategic autonomy. In a world of increasing geopolitical and cyber threats, “Control First” is not a luxury, but a necessary standard.