The Decision That Has Outgrown IT
For most of the past decade, cloud strategy has been an IT decision with business implications that boards have trusted their technology leadership to manage. The technology team decides which cloud providers to use, which architecture patterns to adopt, which management tools to invest in. The board approves the capital investment and receives periodic updates on programme progress. This division of responsibility made sense when cloud was primarily a technology delivery decision.
Cloud in 2024 is not primarily a technology delivery decision. It is a business strategy decision with implications for competitive positioning, regulatory compliance, talent strategy, supply chain risk, and financial structure that exceed the scope of what technology leadership alone should govern. The forces that have converged to produce this shift have been building for several years. In 2024 they reach the point where the board conversation cannot be deferred without creating governance risk.
Four forces are driving this convergence, and understanding them separately is less valuable than understanding why they have arrived simultaneously.
The AI Capability Force
Artificial intelligence investment has been escalating for three years, but the scale and urgency of AI investment in 2024 has a different character from the innovation budget AI exploration of previous years. Post-GPT-4, enterprise boards are approving AI investments that are strategic in scale: infrastructure investments, capability acquisitions, talent programmes, and process transformation initiatives that are measured in the tens of millions rather than in innovation experiment budgets.
These AI investments depend entirely on cloud infrastructure. The training compute, the inference infrastructure, the data pipelines, and the retrieval architecture that enterprise AI requires at scale are cloud-native capabilities. An organisation’s cloud strategy determines what AI capabilities it can deploy, at what cost, with what performance characteristics, and under what governance model. Approving an AI strategy without understanding the cloud strategy it depends on is approving a building without understanding the foundation.
The board that has engaged with AI strategy but not with cloud strategy has approved the top of the stack without reviewing what it sits on.
The Regulatory Pressure Force
The regulatory environment for cloud infrastructure in Europe has changed materially in the past eighteen months. NIS2, DORA, the EU AI Act, and the evolving EUCS cloud certification scheme collectively create compliance obligations that are directly connected to cloud architecture decisions.
NIS2 requires supply chain security assessment for cloud providers as an Article 21 minimum measure. DORA requires operational resilience testing, exit planning, and concentration risk management for financial entities’ critical ICT third-party providers, which include cloud services. The EU AI Act creates cybersecurity requirements for AI systems that are operationalised through cloud infrastructure. The EUCS certification scheme, when finalised, will create assurance tiers for cloud services that regulated organisations will need to navigate in their procurement decisions.
Each of these regulatory frameworks creates obligations that require cloud strategy decisions: which providers to use for which workloads, which contractual protections to require, which exit capabilities to maintain, and which sovereignty requirements to apply. These decisions have financial, operational, and legal consequences that require board-level governance, not only IT-level management.
The Cost Scrutiny Force
Cloud spending has become material for most large enterprises. What was a variable IT cost in 2018 has become a fixed-cost item on most balance sheets that rivals facility and infrastructure costs in scale. CFOs who have been monitoring cloud costs as a percentage of revenue are increasingly scrutinising the return on that spending in ways that require technology leadership to provide business-case clarity they have not previously been asked to supply.
The FinOps discipline has made cloud cost visibility better for many organisations, but visibility without accountability is not cost management. True FinOps maturity, where engineering teams own their cloud costs as part of their operational accountability, requires governance structures and incentive models that go beyond IT. Product owners need to make economic decisions about cloud resource consumption. Business units need to see the cloud cost component of their operating budgets. Executives need to assess cloud cost as an element of business unit performance rather than as an IT overhead.
These requirements put cloud governance into the operating model conversation that belongs at the board level, not into the IT cost centre conversation where it has historically lived.
The Geopolitical Risk Force
The concentration of European enterprise digital infrastructure in US hyperscalers represents a geopolitical risk that boards in some sectors have been asked about by regulators and have not had good answers to. The US CLOUD Act exposure, the supply chain risk from hyperscaler service dependencies, and the strategic vulnerability that comes from infrastructure concentration in non-European providers are risk dimensions that enterprise risk frameworks have not historically assessed with the rigour they deserve.
The European cloud sovereignty conversation, driven by GAIA-X, national cloud strategies, and EUCS certification development, has been creating a framework for this assessment. In 2024, boards in regulated industries and critical infrastructure are being asked by supervisors to demonstrate that they have assessed and managed their cloud provider concentration risk. The organisations that have not done this assessment are behind the organisations that have.
What the Board Conversation Looks Like
The board conversation about cloud strategy that 2024 requires is different from the IT roadmap updates that boards have previously received on cloud topics. It is a strategy conversation with four dimensions.
Competitive dimension: how does our cloud capability compare to our major competitors’, and is the gap a competitive risk or opportunity? AI capability, delivery velocity, and operational efficiency are all partially determined by cloud architecture maturity. Boards should have a view on where their organisations stand.
Regulatory dimension: which cloud architecture decisions have compliance implications, and are we confident that our current cloud strategy satisfies our regulatory obligations across NIS2, DORA, AI Act, and relevant sector-specific requirements?
Financial dimension: is our cloud spending generating the return the investment case projected, and do we have the financial governance mechanisms to manage cloud cost as cloud spending scales with AI investment?
Risk dimension: what are our cloud provider concentration risks, what is our exposure under scenarios where a provider relationship is disrupted, and do we have the exit capability our regulatory obligations require?
These are the questions that should be on the board agenda in 2024. They are the questions that convert cloud from an IT matter to a business governance matter. The technology leaders who bring them to the board are doing their job. The boards that ask them are doing theirs.