European Banks Rebalance Cloud Dependencies in Polarised World, Morningstar DBRS Warns
European banks are accelerating a strategic pivot away from U.S. hyperscale cloud providers in favour of sovereign and hybrid architectures, according to a new commentary from Morningstar DBRS. The research note, "A Shift in European Banking: Rebalancing Cloud Dependencies in a Polarised World," argues that regulatory pressure, geopolitical tension and concentration risk are reshaping how the region's lenders think about digital infrastructure.
The commentary, authored under the leadership of Arnaud Journois, Senior Vice President for European Financial Institution Ratings at Morningstar DBRS, finds that the dominance of a small group of U.S. providers, principally AWS, Microsoft Azure and Google Cloud, has become a strategic concern for European supervisors and bank boards alike. The agency notes that rising friction between Washington, Brussels and other capitals has sharpened questions over data sovereignty, jurisdictional reach and the ability of European institutions to control sensitive workloads in a more polarised geopolitical environment.
What Morningstar DBRS found
The note highlights three core dynamics. First, European banks are actively reducing dependence on U.S. cloud providers, driven by concerns over data sovereignty, regulatory compliance and geopolitical exposure. Second, EU regulators are nudging banks toward diversified, sovereign and resilient cloud architectures, with concentration risk now a central supervisory theme. Third, large European banks are already shifting sensitive workloads to domestic providers and adopting hybrid multi-cloud models to strengthen resilience and reduce systemic vulnerabilities.
"We note that some European banks have begun using domestic cloud providers, adopting hybrid and multi cloud approaches to increase diversification and re-evaluate their digital provider strategies," said Journois. "By diversifying their cloud strategies and strengthening their reliance on European providers, banks are positioning themselves to meet the more stringent regulatory expectations for data governance while securing greater independence from external political and technological pressures."
The DORA backdrop
The shift is occurring against a tightening regulatory backdrop. The EU's Digital Operational Resilience Act (DORA) has put third-party ICT risk, and in particular cloud concentration, squarely in the sights of national competent authorities and the European Supervisory Authorities. Banks must now map critical providers, demonstrate exit strategies and prove they can withstand the failure or unavailability of a single hyperscaler. Morningstar DBRS sees DORA as a catalyst that is forcing boards to revisit cloud strategies that were, until recently, defaulted to whichever U.S. hyperscaler offered the deepest service catalogue.
Hybrid and sovereign on the rise
In response, European lenders are turning to a mix of domestic cloud providers, sovereign offerings backed by European operators, and hybrid models that keep regulated or sensitive workloads on infrastructure under European legal jurisdiction. The agency frames this not as a wholesale retreat from U.S. providers, which remain essential for scale and innovation, but as a rebalancing aimed at containing concentration risk and preserving optionality.
For Morningstar DBRS, the credit implications are nuanced. A more resilient and diversified cloud footprint should, over time, support operational stability and regulatory standing. The transition itself, however, will carry execution risk, cost and complexity, particularly for mid-sized banks with leaner technology functions. The commentary is available via Morningstar DBRS at dbrs.morningstar.com.
