
Clear risk analysis, realistic mitigation strategies, and policy insights Conclusion Hosts CIO Session “Gaining Control Over Cloud”

June 6th, 2025
By: Lucas Jellema


Lucas Jellema
CTO
lucas.jellema@conclusion.nl

For many organizations, public cloud has become an indispensable part of their IT strategy. However, since January 2025, perspectives on public cloud have shifted. New risks have emerged, and existing ones have become more visible - now forming a concrete topic of discussion, analysis, and action. 

To explore these developments, Conclusion hosted a private CIO session in late May. In a confidential setting, CIOs and IT leaders engaged in open dialogue about both the opportunities and risks of (public) cloud usage. Central to the discussion was the question: how can organizations make conscious, future-proof decisions? 

Growing awareness of risks

All participants in the session use public cloud services and observe a growing awareness of the associated risks within their organizations, on executive boards, in politics, in the media, and even among personal contacts. The dependence of both government bodies and private enterprises on American cloud providers has become increasingly apparent, partly due to coverage by Arjen Lubach, NOS News, and other media. These reports highlight geopolitical tensions, the unpredictability of the US government, and now also its legal system.

Consider cases such as Amsterdam Trade Bank and the International Criminal Court, where US cloud providers, under orders from the US government, abruptly terminated services. The result: clients lost immediate access to their processes and data - a fundamental risk, with a third party holding the “kill switch”. 

But there are broader and more probable risk scenarios that demand attention in IT policy, beyond the current geopolitical climate in the US or threats from Russia. 

Analysis and mitigation: no one-size-fits-all

Three CTOs from the Conclusion ecosystem presented a pragmatic analysis of actual dependencies and risks associated with public cloud. Their focus was on mitigation: reducing the likelihood of disruptions and limiting their impact. A key insight was the significant variation in applications, functions, services, and datasets. Some applications cannot afford even a second of downtime, while others can be offline for weeks. Some data is public, while other data is strictly confidential. 

This diversity calls for tailored risk analysis and mitigation strategies. This includes analyzing dependencies on (cloud) services, third parties, internal staff, expertise, communities, hardware, physical locations, and even climate developments. Identifying critical connections and potential bottlenecks, understanding the consequences of various scenarios, and determining which outcomes are unacceptable is the first step - followed by designing and implementing measures to reduce vulnerability. 

Examples of such measures include: 

- Redundancy in systems and personnel 

- Regular data backups 

- Migrating workloads to sovereign or self-managed environments 

- Active lifecycle management of technology, applications, and data 

- Encryption (with self-managed keys) of data in transit and at rest 

- Architectural guidelines that enhance workload portability 

- Minimising vendor lock-in 

- Use of open standards 

SaaS: double dependency, double concern

SaaS applications require special attention. They are often owned by one party but run on the cloud infrastructure of another. This means two potential “kill switches”, with at least one party capable of causing serious disruption. Risks include price hikes, stagnating feature development, and restricted access to your own data. Active monitoring of SaaS providers is therefore essential, as is an exit strategy that ensures continued access to your data in a usable format. 

European alternatives and technological opportunities

European alternatives to US cloud providers remain limited in both capacity and functionality. However, through collaboration and exploration, organizations - alongside the EU - can help accelerate this development. Additionally, smart use of AI-assisted engineering offers opportunities to offset productivity losses that may result from moving away from rich PaaS offerings. 

Real-world examples: cloud control in practice

Two case studies illustrated how Conclusion helps clients manage public cloud risks. These involved an energy producer and a rail infrastructure operator, both of whom adopted a balanced strategy combining public and private cloud - tailored to cost, risk, available expertise, and required flexibility. 

Reflection and next steps

The session ran slightly over time, thanks to lively discussions, participant case studies, and shared experiences with vendors, policymakers, and media reports. It was a valuable morning—offering a reality check and an inspiring exchange among peers. The session provided concrete takeaways for refining policy and taking action. 
