What does the future hold for the cloud market, given market developments and the pace of technological change in 2023? It is always illuminating to cast an eye over the past year’s developments, pull out some trends and discuss what these may mean for the cloud computing sector in 2024.
In a world consumed with interest in artificial intelligence (AI), cryptocurrencies and quantum computing, you might be forgiven for thinking cloud computing issues are taking a back seat this year. However, the current controversy over Microsoft’s acquisition of Activision Blizzard is not the only area of regulatory scrutiny of the cloud market. This deal perhaps indicates a shift in regulator attitudes across the globe, as while it has been cleared to proceed in the European Union, it is currently prevented from going ahead in the United Kingdom, due to regulators’ concerns about its impact on the cloud-based gaming market. It was also originally blocked in the United States by the Federal Trade Commission, until mid-July when the FTC lost its appeal to prevent the acquisition. As of August 2023, Microsoft is discussing ways to permit the deal to proceed with UK authorities. Businesses will also likely rely on the cloud to exploit AI successfully. This includes an expanding range of standardised, pre-configured AI-enabled services offered by the largest cloud providers, as this can represent lower risk, lower cost ways to engage with important AI functionality. But even bespoke private AI solutions will require raw computing power that only private cloud implementation can deliver.
The market overall
Gartner again predicts yet more growth in spending on public cloud services, with its latest figures forecasting 20.7 per cent growth in 2023, taking spending to US$591.8 billion and estimating that end-user spending will reach nearly US$600 billion in 2023.
Software as a service (SaaS) remains the largest public cloud services market segment, forecasted to reach US$195.2 billion in end-user spending in 2023. Similarly, infrastructure as a service (IaaS) is projected to grow, increasing from US$115.7 billion in 2022 to a predicted US$150.2 billion in 2023. Cloud providers are also driving revenue from emerging technologies in cloud computing, such as hyperscale edge computing and secure access service edge. A 2022 Research and Markets report estimates that the global computing platform market size could reach US$1,240.9 billion by 2027, with IaaS likely to grow at a compound annual growth rate of 22.5 per cent. A Flexera user survey indicates that the hybrid cloud segment is the larger contributor to the overall size of the cloud computing market with 24 per cent of all respondents investing in public cloud-only usage. Cloud vendors have also been quick to capitalise on the demand for AI-enabled services, offering standardised AI products (eg, chatbots, image recognition tools, data mining tools) with AI functionality, and automated ways to improve fairness and mitigate bias in AI tools.
Interestingly, some investors are querying whether cloud company revenue growth will continue on the trajectory predicted by market analysts. There is also speculation about whether collapsing valuations for cloud and SaaS companies will have a knock-on effect on larger tech companies looking for new venture capital investment. Data from Bessemer Venture Partners Cloud 100 index shows revenue multiples for cloud companies dropping significantly between June 2021 and June 2022. Amazon Web Services’ Q1 2023 results also showed that its annual revenue growth rate has slowed (with a year-on-year drop in profit), indicating the impact of customers reducing expenditure amid ongoing macroeconomic uncertainty, and this effect is likely to continue for the remainder of 2024. Productiv’s 2023 SaaS trends report shows that the average enterprise SaaS portfolio has grown to 371 apps (a 32 per cent increase between 2021 and 2023), with average SaaS spend per employee in 2023 being about US$9,000, although interestingly it also notes that only about 47 per cent of SaaS licences are used over a 90-day period on average (with the highest levels of licence wastage seen in larger organisations).
Continuing geopolitical uncertainty could affect investor sentiment in new tech, which may have consequences for the cloud computing model. Does cloud being cheaper and permitting scalability shield the sector from the effects of a prolonged economic downturn? Or does it mean there is no room for further efficiency savings to be made? The knock-on impact of investment in other new tech (such as AI and blockchain) could reduce enterprise spend on cloud computing as technology leaders allocate tech spending to AI applications. The May 2023 US Bureau of Labor Statistics Producer Price Index reported a 3.9 per cent month-over-month decline in the cost of host computers and servers, and cloud services saw prices increase by 2.3 per cent. These price changes could affect the consumption of cloud resources if decreases in the costs of data centre hardware mean there is no significant cost advantage to outweigh the risks associated with migrating to the cloud, although the cost-benefit analysis will vary by an enterprise’s need to scale computing resources up and down. From a global perspective, there is a question over whether the recent rapid rise in interest rates will affect how companies choose to fund cloud infrastructure projects, potentially relying on internal financing to limit exposure to further interest rate rises.
It is also worth looking at the key global markets for cloud computing to see changes in adoption patterns and emerging trends. MIT Technology Review’s Global Cloud Ecosystem Index 2022 assesses four themes (infrastructure, ecosystem adoption, security and assurance, and talent) and their role in promoting the availability of cloud services worldwide. It ranks 76 nations and territories on the technology, regulations and talent they use to promote cloud computing services. Singapore leads the Index overall, given its cloud-first strategy, which was launched in 2018, that has benefited from a central government commitment and an ability to cultivate collaboration and cooperation across a nationwide digital transformation project. After Singapore, the rest of the Index’s top 10 places are taken by European countries that seek to balance the rights of digital consumers (by means of the EU General Data Protection Regulation) while making determined efforts to tackle monopolistic practices in the tech sector. Singapore’s digital transformation means it now has an estimated 600 government systems in the cloud, and Microsoft was engaged by its safety and defence departments to develop a sovereign cloud.
African nations form seven of the 10 lowest-ranked countries, predominantly due to the continent’s sparse broadband and data centre resources. It is estimated that to serve its increasing computing needs, the continent must develop 700 data centres, yet currently, there are only 93 in service across 15 African countries, meaning the continent is home to less than 2 per cent of global data centre capacity. More than half of Africa’s data centres are located in South Africa, where there are 53 internet users per 100 residents. However, digital infrastructure consultancies say around 70 new data centres were built between 2017 and 2022 and that Africa’s commercial hosting capacity is now doubling every three years. It is predicted that the African data centre market will exceed US$4.92 billion by 2028. The region has witnessed a steady growth rate and interest from the major global cloud service providers.
It is worth considering whether the distribution of data centres (and the attendant growth of cloud computing) will be affected by new geographical markets for operators. We are seeing that existing operators are increasingly encouraged to relocate or move operations to developing countries to take advantage of lower wage costs and renting costs. At the same time, the European Union is concerned with promoting data localisation to maintain EU data sovereignty in respect of EU citizens’ personal data, which is driving the partitioning of cloud service provider markets. Amid this, are there opportunities for smaller operators to exploit niche opportunities?
Trends in cloud use
The increased demand for cloud services is also reflected in a diversification in the use of cloud infrastructure services (particularly in healthcare and the public sector). Post-pandemic, the cloud supports the now-permanent patterns of remote working, learning, gaming and streaming, as well as entrenched patterns of consumer online purchasing. We also anticipate that any potential early adopter interest in Meta’s Metaverse project (and equivalent technologies) might continue to drive demand for scalable cloud services, as will more cloud-native application development. This growing use case will need to be supported by continued investment in cloud resources, and while the lifting of pandemic restrictions in most parts of the world has led to increased market confidence, the sharp (and continuing) economic shock that followed Russia’s invasion of Ukraine, spikes in oil and commodities prices and predominantly higher interest rates in most major markets may temper the rampant rate of growth in IT investment in 2023 and 2024.
Recent Cloud Industry Forum research also underlines the integral role that the cloud continues to play in the ongoing transformation of businesses. Eighty per cent of respondents agreed that cloud migration has simplified the challenges faced by IT departments. However, 58 per cent noted that their organisations struggle to keep up with cloud technology and cost is a contributing factor to this. It is also clear that businesses consider cloud computing to be very important or critical for digital transformation (given its reliability in supporting technological development in the face of the pandemic and the recent economic downturn) and global health. It also appears that hybrid IT is the direction of travel for most organisations. Data security remains a significant challenge in the cloud, with organisations demanding improved data security standards, often to meet stringent regulatory requirements. A June 2023 poll by HashiCorp also showed that while enterprises are keen to realise their multi-cloud ambitions, their plans are hampered by staff recruitment and retention issues, with a lack of skilled cloud talent affecting their abilities to deliver cloud strategy successfully. Other challenges to migration include assessing technical feasibility, understanding application dependencies and assessing costs associated with on-premises versus cloud delivery models.
Perceived market share issues within the cloud market regarding the top five IaaS providers are now being scrutinised by the regulators, given that the market is deep, but not at all broad. 2023 figures suggest Amazon has retained the top position in the IaaS market, followed by Microsoft, Google, Alibaba and IBM Cloud, with the top five providers reportedly accounting for 70 per cent of the market in 2023. Amazon continued to lead the worldwide IaaS market with a 32 per cent market share. Alibaba (the third-largest provider) leads the Chinese cloud market; it is also poised to be the leading regional provider in Indonesia, Malaysia and other emerging cloud markets. Commentators are expressing disquiet about the supposed consolidation of the world’s digital ecosystem in the hands of a select cohort of companies, given the February 2023 Canalys analysis suggesting that nearly two-thirds of cloud infrastructure spending was captured by the world’s top three hyperscale providers (such that purportedly US$6 in every US$10 spent on cloud infrastructure is spent on these providers). Amazon and Microsoft accounted for more than half of cloud infrastructure revenues in the first quarter of 2023, with the eight largest providers controlling roughly 80 per cent of the market.
Regulatory authorities worldwide are using policy tools to temper dominance in the cloud market. From the European Union’s proposed Data Act, which mandates greater interoperability and data portability (and may limit or prohibit fees being charged when consumers switch service providers), to GAIA-X, a European initiative for a common software and governance framework for cloud and edge services, and the EU potentially proposing to investigate the US$20 billion acquisition of the cloud-based design tool Figma[i], EU regulators are squaring up to cloud providers to limit harm to consumers arising from a heavily concentrated cloud service provider marketplace.
The EU Digital Markets Act came into force in May 2023 and regulates designated gatekeepers, overseeing their activities in the digital space. Entities within scope are companies operating a core platform service, which includes cloud computing service providers. Entities that meet the Act’s quantitative thresholds must notify the European Commission of this by 3 July 2023, and the body will then designate them as ‘gatekeepers’ by 6 September 2023. Following designation as a gatekeeper, entities will have to comply with the Act’s new requirements by 6 March 2024 (which will include prohibitions on unfair conditions of use, self-preferencing, and preventing users from loading other applications or uninstalling pre-installed applications). The UK’s Digital Markets, Competition and Consumers Bill designates certain digital businesses as having strategic market status (SMS) and gives the UK Competition and Markets Authority (CMA) power to impose conduct requirements on such businesses, dictating how the business conducts itself in relation to relevant digital activities. Unlike the EU’s Digital Markets Act, the UK’s Bill does not specify the obligations that will apply to SMS firms. Instead, it empowers the CMA to impose bespoke requirements on designated firms to support one or more of the following: fair dealing, open choices, and trust and transparency.
The US regulators continue to push a pro-antitrust agenda with a couple of major updates to the merger review process. First, the Federal Trade Commission, with the concurrence of the Department of Justice, published proposed amendments to US premerger notification rules. These proposed amendments, which could go into effect later this year, substantially increase the amount of information required to complete the premerger notification form. Notably, if implemented as published, transaction parties will need to provide additional documentation regarding market conditions and disclose details relating to investment vehicles, alongside many other changes. The US regulators estimate that the additional burden of providing all of the new information could result in adding 12 to 222 hours to the time needed to complete a premerger filing, depending on the filing’s complexity. In addition to this substantial overhaul of the premerger notification form, US regulators have jointly issued new draft Merger Guidelines that detail the analyses regulators will perform when reviewing a proposed transaction. The proposed guidelines set out a laundry list of factors the regulators may consider, many of which have been designated as priorities by the pro-antitrust Biden administration, including labour market effects, vertical effects, and trends toward consolidation.
And the end of 2023 Q1 saw the US Federal Trade Commission (FTC) issue a request for information (RFI) on the business practices of cloud computing providers. The RFI is a tool the FTC uses to gather information about a given industry or business practices. In this case, it is focused on cloud computing, particularly on issues related to market power, business practices affecting competition, and potential security risks. In doing so, the FTC acknowledges it is following its ‘other regulatory colleagues’ in the United States, United Kingdom, France, Japan, Netherlands and South Korea that have also conducted inquiries into cloud computing. While the FTC’s interest in cloud computing is nascent, the RFI’s results and any subsequent efforts will clearly shape the cloud market in the United States and beyond.
The UK’s CMA has also opened a market investigation into the distribution of cloud gaming services through app stores on mobile devices in the UK. Ofcom, the UK’s telecoms regulator, has also published an interim report on its market study into cloud services in the UK, finding evidence of active competition in cloud infrastructure. Ofcom’s view is that certain market features make it difficult for customers to switch and use multiple suppliers, which is limiting competition. The regulator is concerned that a significant number of customers may face barriers to switching and multi-cloud use, particularly with Amazon Web Services and Microsoft. Its final report is to be published in October 2023, but it has already announced that it intends to refer the cloud market to the CMA for investigation.
Increased regulatory scrutiny
Last year we saw signs that the winds were changing. Following the UK Treasury’s 2022 policy paper examining the role that ‘critical third parties’ play in the financial services infrastructure, and the subsequent 2022 discussion paper, DP3/22, the UK government is now taking action to regulate these types of entities. Given the potential for significant disruption, and increased financial stability risks, in circumstances where many firms rely on the same third-party provider, the Financial Services and Markets Act 2023 will give the Treasury powers to designate certain entities as critical third parties, and impose duties and give directions to such entities when they are providing services to financial services firms. Service providers may also be required to meet minimum resiliency standards and make increased information disclosures to the FCA, which will be able to take enforcement action if entities fail to comply with these standards. It is widely anticipated that the power to designate businesses as critical third parties will be largely targeted at major cloud service providers given the systemic risk posed by the financial sector’s dependency on a small number of providers.[ii] This means the largest cloud service providers will be subject to far greater regulatory scrutiny, which will include the FCA’s power to enter premises under a warrant.
The UK government’s National Cyber Security Strategy 2022 showed its approach to tackling cyberattacks and providing guidance on preventing attacks and building cyber-resilience. A mid-2021 UK consultation on supply chain cybersecurity led to the launch of the strategy. Both the European Union and the United Kingdom have separately considered revisions to the regions’ respective network and information systems regulations to close perceived gaps in cybersecurity defences. The UK strategy focuses on supply chain cybersecurity risks, in particular those posed by the mass adoption of managed services. Providers of these services have the ability to access the networks of thousands of other companies. A vulnerability in one such service provider could expose all its customers’ networks, potentially jeopardising critical infrastructure – a classic weakest link effect. At present, the legislative timetable for amending the UK NIS Regulations 2018 to extend the requirements to managed service providers and strengthen existing incident reporting duties is not known, but revisions are anticipated to come into force in 2024. The European Union’s approach is sector-based, expanding the remit of Directive (EU) 2016/1148 (the NIS Directive) to cover all medium- and large-sized enterprises across a number of sectors, as well as addressing cybersecurity of the information and communication technology (ICT) supply chain, covering business-to-business ICT service management. Directive (EU) 2022/2555 (the NIS2 Directive) came into force on 16 January 2023 and must be implemented by EU member states by 17 October 2024. The NIS2 Directive must be viewed in the context of other sectoral developments, such as Directive (EU) 2022/2557 (the Critical Entities Resilience (CER) Directive) and the proposed Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (the DORA Regulation).
The interplay between the UK and EU reforms looks set to lead to divergent scopes and reporting obligations, as well as the need to designate NIS representatives in both the UK and EU.
The UK’s proposed NIS reforms should also be seen in the context of the UK’s ambitious cybersecurity strategy for 2022–2030, which was launched in January 2022. Separately, it has developed the Product Security and Telecommunications Infrastructure Act to enhance the security of connected smart devices and to train more cyber professionals. The UK is also taking a look at data centre security, launching a consultation in May 2022 on the UK’s data storage and processing infrastructure, such as the infrastructure of data centres, cloud platforms and managed service providers, given the strategic importance of data and the UK’s reliance on large-scale data storage and processing services to deliver essential services.
But the dependence on cloud (and the need to rely on it to deliver innovation and savings) cuts both ways — from April 2023, all cloud computing costs associated with research and development, including storage, qualify for tax relief in the UK.
From a data protection angle, there are also signs of increased regulator interest, with the Irish Data Protection Commission imposing a €1.2bn fine on Meta, the owner of Facebook, for mishandling user data in May 2023 (the fine is currently the subject of an appeal by Meta), and national data protection authorities across the European Union and in the United Kingdom fining Clearview AI for violation of lawfulness and transparency principles under data protection legislation. This shows the international push to regulate international data transfers and keep personal data protected when being collected or processed by cloud providers. As a response to the need to meet EU compliance needs (in particular as regards personal data), Oracle launched an EU-only public cloud in July 2023, which is initially available from data centres in Frankfurt and Madrid. It is operated by Oracle-owned legal entities incorporated in the EU and is designed to protect against data being taken outside of the EU.
There is also concern in the market about the abuse of certain cloud technologies. The European Commission is considering measures to restrict outsourcing, particularly that of sensitive technologies (eg, AI, semiconductor and quantum computing technologies) to countries of concern, such as China and Russia.
The dominance of cloud as a technology means cloud providers also have to grapple with larger societal and political challenges, the most pressing of which are environmental sustainability in the cloud context and data sovereignty and related privacy concerns.
While a UK Cloud Industry Forum report stated that 82 per cent of respondents said that environmental, social, and corporate governance (ESG) credentials are important factors in cloud procurement, when ranked alongside other factors, such as price, reliability and trustworthiness, ESG and sustainability rank much lower. Unsurprisingly, cost is the most widely mentioned consideration, followed by range of services, trust, ability to scale, and the speed of response of a chosen cloud-managed service provider. A blog post by Justin Keeble, Google Cloud’s managing director for global sustainability, highlighted the risks of greenwashing, a practice also under scrutiny from regulators globally, such as the FCA, the CMA and the UK Advertising Standards Authority. The UK government’s Department for Business, Energy and Industrial Strategy is advising firms to use cloud services to reduce carbon emissions. We are also seeing more customers set ESG ratings that their suppliers must meet (such as Deutsche Bank’s mandatory ESG ratings for suppliers, for high-value contracts). Data centres are also looking at sustainability issues, given that it is estimated they use about 1 per cent of the global electricity demand and contribute to 0.3 per cent of all carbon dioxide emissions. Reducing the energy consumption of cooling data centres, or using renewable energy sources, is an objective, but the Green Software Foundation, a consortium of software developers, is looking at developing and designing more energy-efficient software.