
Third-Party Risk Is Now Systemic Risk: What SA Businesses Need to Know

Regulators are explicitly treating big providers and key vendors as systemic risk, especially in finance.
In July 2024, a single defective sensor content update from cybersecurity vendor CrowdStrike crashed an estimated 8.5 million Windows devices worldwide. Airlines grounded flights. Hospitals reverted to paper records. Banks, broadcasters, and emergency services went offline simultaneously. The incident was not a cyberattack. It was something arguably more unsettling: proof that when organisations cluster around the same handful of technology providers, a single point of failure can ripple across entire economies. CrowdStrike is endpoint software rather than a cloud platform, but the dynamic is exactly the one regulators now describe as cloud concentration risk, and they have taken notice.

When One Vendor Falls, Everyone Falls

Cloud concentration risk refers to the systemic exposure that emerges when a critical mass of organisations depends on the same provider, platform, or piece of infrastructure. AWS, Microsoft Azure, and Google Cloud together account for roughly two-thirds of global cloud infrastructure spend. CrowdStrike, at the time of its 2024 outage, held around 18% of the global endpoint security market. These are not niche players; they are load-bearing pillars of the modern digital economy.

Supply chain cybersecurity has evolved as a concept precisely because the attack surface no longer stops at your own perimeter. Your risk profile now includes every vendor, every sub-processor, and every cloud service your third parties rely on. A threat actor who cannot breach your defences directly may find it far easier to compromise a shared supplier upstream. SolarWinds, Kaseya, and MOVEit were deliberate compromises of a shared supplier; CrowdStrike was an unintended defect pushed by one. All four are variations of the same underlying problem: critical dependencies that organisations have often managed poorly, or not at all.

Regulators Are Drawing the Line

The European Union's Digital Operational Resilience Act (DORA) came into full effect on 17 January 2025. It is one of the most significant pieces of financial sector legislation in recent years, and third-party risk sits at its core alongside ICT risk management, incident reporting, and resilience testing. DORA requires financial entities to maintain comprehensive registers of all ICT third-party arrangements, conduct rigorous risk assessments, and ensure that contracts with critical providers meet specific resilience standards. Crucially, it establishes an EU-wide oversight framework, run by the European Supervisory Authorities, specifically for Critical ICT Third-Party Providers (CTPPs), meaning major cloud and technology vendors now face direct regulatory scrutiny, not just their financial sector clients.

The logic is straightforward: if a single cloud provider serves enough systemically important banks, its failure becomes a financial stability event, not merely an IT incident. By treating big technology providers as systemic risk vectors in their own right, DORA forces the industry to confront a dependency that has grown quietly for over a decade. Other jurisdictions are watching closely, and many are moving in the same direction.

South Africa Is Catching Up Fast

South African financial institutions face a rapidly evolving regulatory environment. In May 2024, the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA) jointly published Joint Standard 2 of 2024, which sets out binding cybersecurity and cyber resilience requirements for financial institutions and took effect on 1 June 2025. It builds on Joint Standard 1 of 2023 on IT governance and risk management. The standard addresses risk governance, incident reporting, and the management of third-party ICT service providers, signalling clearly that vendor risk is no longer a matter of internal policy preference but of regulatory obligation.

Beyond that, the FSCA's 2024 Three-Year Regulation Plan (covering April 2024 to March 2027) explicitly includes a new Joint Standard on third-party service provision and outsourcing. The regulator identified this as an area requiring dedicated attention, meaning further prescriptive guidance on vendor risk for South Africa is on its way. Organisations that are not already building structured third-party risk management programmes are working against a tightening deadline.

For South African businesses operating across borders, the picture is compounded by international obligations. DORA binds EU financial entities, but those entities must flow its contractual, audit, and exit requirements down to their ICT providers and sub-contractors. Any South African entity that provides ICT services to an EU-regulated financial institution, or sits anywhere in its supply chain, will therefore feel the downstream effects of DORA whether or not it is directly in scope. The compliance bar is being raised globally, and South Africa's regulatory direction is clearly aligned with that trend.

The Hidden Cost of Vendor Lock-In

Cloud concentration risk and vendor lock-in are closely related problems. Many organisations have consolidated their technology stacks around a single hyperscaler or security vendor not because it was the best risk decision, but because it was the most convenient commercial one. Volume discounts, integrated tooling, and simplified procurement make it appealing to go deep with one provider. The risk accumulates silently until something breaks.

Vendor lock-in limits your ability to respond when a provider fails, raises prices, or discontinues a service. It reduces your negotiating leverage. It also concentrates sensitive data and critical processes in a single external entity whose security posture, financial health, and strategic decisions are largely outside your control. From a third-party risk management perspective, that is a significant and often under-acknowledged exposure.

Building Resilience Into Your Vendor Strategy

Addressing cloud concentration risk and supply chain cybersecurity exposure does not require abandoning your current infrastructure. It requires deliberately mapping it, assessing it, and building contingency into it. Effective third-party risk management starts with visibility: knowing who your critical vendors are, what data and processes they touch, and what your exposure would be if they became unavailable or were compromised.

From there, organisations should conduct tiered risk assessments, with the most rigorous scrutiny applied to vendors that handle sensitive data, provide critical services, or cannot easily be replaced. Contracts should include specific provisions for security standards, incident notification timelines, audit rights, and exit arrangements. Concentration limits, where feasible, reduce the systemic exposure of clustering too much risk in any one provider.

Multi-cloud strategies and business continuity planning for provider failures are no longer theoretical best practices. Multi-cloud is not a universal answer, though: it adds cost and operational complexity, and a second hyperscaler does not help when every host on both runs the same endpoint agent. The CrowdStrike incident demonstrated exactly that: a non-malicious update from a trusted vendor halted operations across cloud boundaries on a global scale. What matters more than vendor count is that organisations have documented playbooks for what happens when a critical third party goes down, including degraded-mode operation, and that those playbooks are tested before they are needed.
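The mapping and concentration-limit steps above are worth making concrete, because the dependency that bites is usually one that does not appear in the direct vendor register at all: the hyperscaler behind three different SaaS suppliers. The following is an added illustration, not tooling from the article or from any regulator. It walks a constructed service-to-vendor-to-sub-processor map, computes the blast radius of each provider's failure (including transitive paths through fourth parties, as the supply-chain section warns), and flags providers whose failure would take down more than an assumed share of critical services. Every service and vendor name, and the 50% threshold, are invented for the example.

```python
"""Blast-radius and concentration analysis over a vendor dependency map.

Added example with constructed data; not the article's or any regulator's tool.
"""

# Constructed inventory. Each business service lists the vendors it relies on
# directly; each vendor lists its own sub-processors (fourth parties).
SERVICES = {
    "online-banking": {"criticality": "critical",
                       "depends_on": ["core-banking-saas", "edr-vendor"]},
    "payments":       {"criticality": "critical",
                       "depends_on": ["payment-gateway", "edr-vendor"]},
    "branch-ops":     {"criticality": "high",
                       "depends_on": ["edr-vendor", "vdi-vendor"]},
    "hr-portal":      {"criticality": "low",
                       "depends_on": ["hr-saas"]},
}

# Vendor -> sub-processors. Note that no service lists hyperscaler-a directly;
# it only shows up one hop upstream, which is the classic hidden concentration.
VENDORS = {
    "core-banking-saas": ["hyperscaler-a"],
    "payment-gateway":   ["hyperscaler-a"],
    "vdi-vendor":        ["hyperscaler-a"],
    "hr-saas":           ["hyperscaler-b"],
    "edr-vendor":        [],
    "hyperscaler-a":     [],
    "hyperscaler-b":     [],
}


def upstream(vendor, graph=VENDORS):
    """Every provider a vendor depends on, directly or transitively."""
    seen, stack = set(), [vendor]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def blast_radius(provider, services=SERVICES, graph=VENDORS):
    """Services that lose a dependency if `provider` fails, via any path."""
    hit = set()
    for name, svc in services.items():
        if any(v == provider or provider in upstream(v, graph)
               for v in svc["depends_on"]):
            hit.add(name)
    return hit


def concentration_report(services=SERVICES, graph=VENDORS, threshold=0.5):
    """Per provider: affected services, share of critical services affected,
    whether that share exceeds the (assumed) concentration limit, and whether
    the provider is absent from the direct vendor register ("hidden")."""
    critical = {n for n, s in services.items() if s["criticality"] == "critical"}
    direct = {v for s in services.values() for v in s["depends_on"]}
    providers = set(graph) | direct
    report = {}
    for p in sorted(providers):
        hit = blast_radius(p, services, graph)
        share = len(hit & critical) / len(critical) if critical else 0.0
        report[p] = {
            "services": sorted(hit),
            "critical_share": share,
            "over_limit": share > threshold,
            "hidden": p not in direct,
        }
    return report


if __name__ == "__main__":
    for provider, row in concentration_report().items():
        flag = "OVER LIMIT" if row["over_limit"] else "ok"
        hidden = " (not in direct register)" if row["hidden"] else ""
        print(f"{provider:18s} {row['critical_share']:.0%} of critical services "
              f"{flag}{hidden}: {', '.join(row['services']) or '-'}")
```

Run against the constructed data, the report shows two providers that can take down every critical service: edr-vendor, which the direct register already lists everywhere, and hyperscaler-a, which the direct register never mentions. The second finding is the one a register built only from contracts will miss, and it is why DORA's register of information and the forthcoming South African outsourcing standard both reach past the immediate supplier to its sub-contractors.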

The Systemic Shift Underway

The shift in how regulators view third-party and cloud risk is not a temporary trend. It reflects a fundamental reassessment of where systemic risk now lives in digital economies. The concentration of critical services in a small number of global technology providers has created interdependencies that transcend individual organisations and sectors. Regulators in the EU, the UK, and increasingly South Africa are responding by treating these providers, and the organisations that depend on them, as part of a shared resilience challenge.

For South African businesses, the message is clear: third-party risk management is no longer an optional programme that larger organisations run as a governance formality. It is a regulatory expectation, a material business risk, and an increasingly visible measure of organisational maturity. The organisations that build structured, evidence-based vendor risk programmes now will be better positioned when the next CrowdStrike moment arrives, and given the direction of travel, it is a question of when, not if.
