Navigating operational resilience regulation in cloud computing


The rate of adoption for cloud computing has grown steadily across many industries, driven by the need for flexibility, innovation and cost efficiency.
One of the key verticals that has fully embraced cloud technology is the financial services sector. Cloud is particularly suited to this industry as it allows for more efficient storage, faster processing of large amounts of data, and consolidation of records which gives firms the ability to accurately analyze data.
However, migrating to the cloud poses some challenges for financial institutions. Cyber criminals target the industry due to the high-value nature of the data that financial services companies hold. Cloud migration, if tackled improperly, can result in the organization's data being exposed to threat actors. To help combat this, the industry is heavily regulated in terms of how data is stored and protected.
The UK’s PS21/3 regulation, which came into force on the 31st of March 2025, set out new guidelines for financial institutions, such as banks, insurers, and payment providers, to ensure a high standard of operational resilience for the industry.
Operational Resilience and Cloud Computing
The regulation highlights a few key areas that financial institutions should be aware of for their cloud strategy. Primarily, PS21/3 emphasizes the need for operational resilience, meaning that cloud-based services can withstand disruption. Downtime and outages are particularly devastating for financial institutions, as loss of service can disrupt commerce and heavily affect business functions for the victim organization and any third parties that utilize their service.
The regulation also states that firms should have a clear exit plan in place for migrating away from their current managed service provider (MSP). This is to ensure that, in the event of a breach, data can be moved to a safe environment, preventing threat actors from compromising the same system repeatedly.
Another key focus for the regulation is proper oversight of third-party cloud providers. Public clouds are popular, along with MSP solutions, as they allow businesses to take advantage of cloud technology without having to invest in their own cloud infrastructure. PS21/3 pushes organizations to properly vet their cloud providers to ensure they are secure enough for the sensitive data held by financial institutions.
Best Practices for PS21/3 Compliance
Financial institutions can carry out the due diligence needed for compliance with the new PS21/3 regulation in several ways.
Firstly, businesses must take responsibility for their third-party cyber risk management. Most organizations do not build their own cloud infrastructure, as this is expensive, time-consuming, and requires specific expertise that is not usually found in-house. Instead, it is much more common to use an external cloud provider. This could be in the form of public clouds, or something more specialized and tailored to the organization’s specific business needs. Financial institutions must conduct a comprehensive vendor assessment before onboarding their cloud service provider (CSP), to ensure that the provider also complies with industry regulations; these requirements can be included as part of the contract with the CSP. It is also good practice for financial services companies to request audit reports from their CSPs, such as ISO 27001.
Financial services companies should also build operational resilience into their cloud strategy. This can be done by utilizing multi-cloud or hybrid-cloud architectures, which reduce the reliance on one specific CSP and add an extra layer of protection when one cloud provider suffers downtime. It is also important for businesses to have robust, regularly tested disaster recovery and incident response plans in place, to minimize the effect of any downtime and ensure the system is back up and running as quickly as possible.
To be cyber resilient, firms need to be flexible with their cloud partners. Cloud migration is a long and complex process, but PS21/3 demands that firms have credible exit plans if they need to switch providers or revert to on-premises solutions. Given the complexity of cloud environments, ensuring data portability and minimal disruption during a transition is a significant challenge. To make this transition as smooth as possible, financial institutions must maintain comprehensive documentation of cloud configurations and establish a phased exit plan with clear milestones and contingency measures.
PS21/3 presents both a compliance challenge and an opportunity for financial institutions to strengthen their cloud strategies. By proactively addressing third-party risk, operational resilience, exit planning, and data security, firms can meet regulatory expectations and enhance trust, agility, and competitiveness in an increasingly digital landscape.
As cloud adoption continues to evolve, financial institutions must adopt a strategic, risk-aware approach to cloud computing, ensuring compliance without compromising innovation.
Sean Tilley is Senior Director of Sales EMEA at 11:11 Systems.