For EMEA regulators, AWS’ global outage highlighted the difference in regulation for critical national infrastructure networks and hyperscalers’ cloud infrastructure
On 20 October 2025, much of the connected world ground to a halt. Messaging apps, streaming services, gaming platforms, and enterprise APIs suddenly stopped responding. The cause lay deep inside Amazon Web Services’ us-east-1 region, where DNS resolution failures affected multiple AWS services including DynamoDB, disrupting thousands of dependent services.
What the outage exposed is not simply a technical failure, but a structural reality: the world is increasingly running on two types of networks. One is the national critical infrastructure built and regulated under telecom law – resilient, segmented and publicly accountable. The other is the global hyperscaler network, an intricate web of data centres, private fibre routes, and proprietary interconnects, run by a handful of corporations that operate beyond traditional regulatory reach.
According to consultant John Strand, the AWS episode “unveiled a difficult truth: the modern internet depends on a handful of cloud providers whose internal failures can cascade across banks, hospitals, government agencies, and news outlets.” This, he argues, is the very definition of a single point of failure – a risk that national telecom frameworks were designed to avoid through redundancy and oversight – to the point telcos would argue too much.
Strand points out that AWS operates “a parallel internet, with its own fibre-optic backbones, routers, switches, and interconnection points.” Legally, this infrastructure already resembles telecommunications. Yet unlike traditional carriers, AWS is not bound by continuity obligations, universal service contributions, or public-interest oversight. Telecom providers must publish terms, guarantee interconnection, and maintain backup power levels; cloud operators face none of these statutory duties, he reckons.
During the outage, over 2,000 enterprises were affected – from Uber and Starbucks to PlayStation, Coinbase and the UK’s tax authority. Few had viable contingencies outside the same ecosystem. In a regulated telecom context, that would constitute a failure to serve upon reasonable request. But in the cloud world, resilience is treated as a premium feature, not a baseline duty.
“AWS does not guarantee full resilience as a baseline public obligation,” Strand notes. “Instead, it increasingly frames resilience as an optional, premium feature – something customers can purchase if they can afford it.”
The asymmetry is striking. A regional mobile operator may be penalised for downtime that lasts as little as minutes. A global hyperscaler can disable swathes of the internet for hours with little more than an apology. This imbalance is not accidental, Strand says, but “the product of deliberate lobbying and regulatory forbearance” that allows hyperscalers to avoid classification as critical infrastructure.
In Europe, while hyperscalers are now classified as essential services under NIS2, they face primarily cybersecurity-focused obligations rather than the broader continuity and resilience requirements (including physical infrastructure standards) that apply to telecoms under both NIS2 and the Critical Entities Resilience Directive.
As the distinction between “application” and “infrastructure” continues to blur, regulators across EMEA will need to reassess whether the public interest is still adequately protected.
The AWS outage should therefore be treated not as a one-off disruption, but as a signal. The resilience of Europe’s digital infrastructure may soon depend as much on the governance of hyperscaler networks as on the legacy telco grid. The question facing policymakers is no longer whether to regulate the cloud – but how to ensure accountability from the networks that we’re all depending on.
