Foresight Briefing · 006
- James Kelly

- Jun 4
Updated: Jun 15

Executive summary
Regulators are moving beyond AI models and ethics to treat cloud, SaaS and digital infrastructure as regulated strategic infrastructure, with the AI Act, DORA and an emerging Cloud and AI framework converging around the vendor stack.
Since early 2025, DORA has pushed supervisors toward direct oversight of critical ICT and cloud providers, increasing pressure on firms to understand concentration risk, embedded dependencies and exit options across their digital estate.
From August 2026, the AI Act will apply more fully to AI embedded in third-party platforms and services, shifting responsibility from internal AI governance alone to shared compliance across suppliers, contracts and operating models.
Over the next 6–12 months, these converging regimes are likely to reshape vendor behaviour, contract terms, resilience expectations and infrastructure strategy, making this a board-level issue rather than a narrow compliance topic.
Considered board-level actions
Reframe cloud, SaaS and AI-enabled platforms as regulated infrastructure dependencies, not simply IT procurement or outsourcing decisions.
Map critical business processes to key cloud, ICT and embedded-AI providers, with a particular focus on concentration risk, fourth-party exposure and exit feasibility.
Align AI governance, third-party risk and cloud strategy into a single executive view so regulatory, resilience and commercial assumptions are tested together.
1. From AI compliance to infrastructure exposure
Most boards now recognise that AI systems will be regulated, and many have workstreams to classify use cases and update policies. The emerging risk is that regulatory pressure is no longer limited to algorithms and data; it is expanding to the digital plumbing that supports them.
In the EU, DORA has been fully applicable since January 2025, creating a harmonised framework for ICT risk in financial entities and formal oversight of critical ICT third-party providers, including major cloud platforms. This signals a shift from viewing cloud purely as an outsourcing choice to treating it as systemic infrastructure subject to direct supervisory attention.
Confidence assessment: High confidence that supervisors now treat major cloud and ICT providers as systemic nodes, and medium confidence on how quickly this will translate into concrete changes to services, contracts or pricing for mid-market customers.
Board implications this quarter
Reframe cloud and SaaS not only as IT procurement decisions but as regulated infrastructure, especially in EU-exposed financial lines of business.
Ask which critical processes depend on providers that could be captured by DORA-style regimes, and how concentration risk is monitored today.
Recognise that regulatory actions affecting a single critical provider can become an operational shock for many firms at once.
2. Where the risk is moving: three shifts since early 2025
2.1 AI Act obligations extend into your vendor stack
The EU AI Act entered into force in August 2024 and becomes fully applicable from August 2026, with some obligations already live. It introduces a risk-based regime for AI, with strict requirements for high-risk systems and governance duties for deployers, and it applies not only to in-house systems but also to AI functions embedded in purchased software and third-party platforms.
Recent 2026 guidance stresses that companies must systematically identify their AI applications, classify them, and ensure that AI embedded in cloud services or SaaS platforms also meets regulatory requirements. This means internal risk teams may be accountable for AI behaviour in systems they do not fully control, while providers face incentives to standardise, restrict or withdraw higher-risk functions to manage their own compliance.
Confidence assessment: High confidence that AI Act obligations now extend materially into third-party and embedded AI, and medium confidence on how consistently this is being mapped in vendor-risk and procurement processes outside the largest firms.
Board implications this quarter
Treat AI compliance as a shared responsibility with vendors, not an internal issue only.
Ask for an inventory of AI functionality delivered via cloud, SaaS and key platforms, and how AI Act obligations will be met in those relationships.
Expect some vendors to change features, terms or data-handling practices with limited notice as they respond to the Act.
2.2 DORA concentrates attention on critical ICT and cloud providers
DORA moves EU financial supervision from generic outsourcing guidance to an explicit regime for ICT risk, including specific tools for overseeing critical third-party providers. By 2026, supervisors are shifting from paper frameworks to demanding evidence of operational resilience and third-party risk management in practice.
Recent commentary on DORA implementation highlights regulators’ focus on third-, fourth- and fifth-party dependencies and concentration risk in cloud services. Financial entities are expected to maintain registers of ICT providers, identify contracts supporting critical functions, and design exit strategies and contractual controls that assume providers may be disrupted or required to change service offerings under supervisory pressure.
Confidence assessment: High confidence that DORA will drive more granular mapping of cloud and ICT dependencies in financial services, and medium confidence that similar expectations will be extended, formally or informally, to non-financial sectors over time.
Board implications this quarter
For EU-exposed financial entities, treat DORA as a board-level change in how ICT and cloud risk is supervised, not just another compliance checklist.
For corporates, anticipate that banks, insurers and critical partners subject to DORA will push DORA-style third-party risk expectations down their supply chains.
Ask whether the current third-party risk framework can satisfy DORA-grade expectations around concentration and exit strategies, even if the firm is not directly regulated.
2.3 A Cloud and AI framework signals structural change
In April 2026, EU institutions agreed a roadmap towards a proposed Cloud and AI Development Act, aiming for a comprehensive framework for high-performance computing and digital infrastructure by 2027. The stated direction includes managing the demands of AI applications, interoperability and technological sovereignty, which implies a more interventionist stance towards large cloud and infrastructure providers.
Although details are still emerging, the very fact that a dedicated cloud-and-AI framework is being developed alongside the AI Act and DORA indicates that regulators see infrastructure as a strategic lever in AI governance and economic resilience. For firms that rely heavily on a small number of global providers, this raises the prospect of future measures affecting data location, interoperability, pricing and access terms.
Confidence assessment: Medium-to-high confidence that the regulatory direction points towards more structured oversight of cloud and AI infrastructure, and medium confidence on the specific mechanisms and timelines, but low confidence in the assumption that today’s infrastructure landscape will remain lightly regulated.
Board implications this quarter
Recognise that large-scale AI and cloud infrastructure is moving into the same category as critical market infrastructure in regulators’ thinking.
Ask whether strategic plans assume continued frictionless access to specific global providers or regions, and what happens if that assumption fails.
Monitor developments around the Cloud and AI Development Act as an early warning of future structural constraints or obligations.
3. The cascade across your risk landscape
Most internal teams file AI governance under Regulatory and Policy or Technology Risk, and treat cloud and SaaS under IT or procurement. The current convergence of the AI Act, DORA and emerging cloud-specific frameworks creates a genuine multi-domain cascade.
Regulatory and policy origin
The risk begins in Regulatory & Policy through AI Governance, Digital Markets and New Legislation Regulatory Change, with the AI Act and DORA changing expectations for AI systems, ICT resilience and critical providers.
Operational resilience transmission
It then moves into Operational & Supply Chain through Third-Party Outsourcing Risk, Digital Infrastructure Cloud Concentration and Infrastructure Dependencies, because firms rely on a small number of providers for cloud, SaaS, data and AI workloads.
Economic and financial consequences
The same shift can then spill into Economic & Financial through higher compliance costs, vendor repricing, transition costs and potential fragmentation in standards and service models across jurisdictions.
Cyber and disruption channel
Finally, Physical & Cyber Disruption appears through Cyber Technology Disruption, because regulatory-driven migrations, controls changes or provider restructuring can create outages, degraded performance or new cyber-operational vulnerabilities.
Confidence assessment: High confidence that the convergence of AI, cloud and operational-resilience regulation will produce cross-domain cascades, and medium confidence on which channel will dominate for any given organisation.
Board implications this quarter
Ask for a cross-functional assessment spanning technology, risk, legal and procurement of how AI Act and DORA-style regimes affect the current vendor stack.
Require a view of crown-jewel processes that depend on a small number of cloud or ICT providers, and how those dependencies are being managed.
Treat this as a strategic infrastructure question, not just an AI ethics or compliance topic.
4. Why the next 6-12 months are the critical window
Two developments make the coming year especially important. DORA is now in force, with regulators moving from framework set-up to active oversight, while the AI Act’s main obligations become fully applicable by August 2026. At the same time, the EU roadmap towards a Cloud and AI Development Act signals that the structure of the infrastructure market itself is now a live policy issue.
Together, these create a plausible 12-month scenario in which AI Act enforcement, DORA-driven scrutiny of a critical provider or an early policy move under a cloud-and-AI framework, alone or in combination, forces rapid change in how firms consume and govern cloud and AI services.
Confidence assessment: High confidence that 2026-2027 will set de facto expectations for AI-in-infrastructure governance, and medium confidence on the exact trigger events, but low confidence in business-as-usual assumptions for highly concentrated cloud dependencies.
Board implications this quarter
Treat this planning cycle as the point to move from tracking AI regulation to explicitly mapping infrastructure and vendor exposure.
Ask whether third-party risk, cloud strategy and AI governance frameworks are coordinated, or still operating in parallel.
Decide now whether to position the organisation as an early mover in diversifying and governing critical digital infrastructure.
5. Why this matters for business
Three practical points stand out.
The active risk phase begins before enforcement
Once providers and regulators act on these frameworks, contractual and architectural changes can arrive quickly, leaving little time to adapt if dependencies are poorly understood.
The supply chain is the hidden exposure
Many organisations do not yet have a full view of third-, fourth- and fifth-party ICT providers supporting critical functions, especially where AI capabilities are embedded. Financial-sector expectations under DORA are likely to influence what banks and insurers require of their corporate clients, especially around concentration risk and exit planning.
Reputational and strategic risk compound quietly
Boards that cannot explain how AI and resilience regulation affect their dependence on a small number of critical providers may face questions from regulators, investors and customers.
Confidence assessment: High confidence that boards under-estimate the infrastructure and supply-chain dimension of AI regulation, and medium confidence on how quickly market expectations will crystallise.
Board implications this quarter
Elevate AI in infrastructure and vendors to a formal topic for the board or risk committee.
Require a preliminary map of critical digital dependencies, including where AI is embedded and which regimes apply.
Integrate this into strategic planning, M&A and resilience discussions, not just compliance reporting.
6. Where the HORIZON Futures Engine adds value
Most organisations already have teams monitoring AI regulation, cyber risk and supplier contracts, but often in separate silos. The gap is understanding how converging AI, cloud and operational-resilience regimes interact across domains and what that means for specific businesses over a 2-18 month horizon.
Cross-domain cascade mapping
Linking AI Act and DORA developments to Regulatory and Policy, Economic and Financial, Operational Resilience and Physical Security risk domains, rather than treating them as isolated compliance items.
Emerging-issue clustering and early warning
Clustering weak signals from supervisors, policy roadmaps and vendor communications into emerging issues, and tagging them to Watchlist and Early Warning Indicators with a clearly defined scope, over a 2-18 month horizon.
Alternative futures analysis
Building structured scenarios around regulatory pace, infrastructure concentration and vendor behaviour, and stress-testing current strategies against faster- or slower-moving futures.
7. Signals to watch over the next 12 months
Further lists and guidance from EU supervisors on critical ICT third-party providers and DORA oversight practices.
AI Act enforcement actions or supervisory statements that touch AI embedded in cloud or SaaS platforms, not just internally built systems.
Policy consultations and drafts related to the Cloud and AI Development Act and analogous initiatives in other jurisdictions.
Vendor communications about changes to AI features, data-location options, resilience testing or exit terms in response to regulatory developments.
8. Questions for your next executive or risk committee meeting
Which business-critical services rely on a small number of cloud, SaaS or ICT providers that may be captured by DORA-style or AI-infrastructure regimes?
How are AI Act obligations for AI embedded in third-party tools being identified and governed today?
What is the plan if a key provider is designated critical and must change services, regions or terms under supervisory pressure?
Are cloud strategy, third-party risk and AI governance programmes coordinated, or could conflicting assumptions emerge as regulation tightens?



