
In November 2025, large sections of the internet went dark, and not for the first time. Cloudflare’s outage on November 18 was the latest in a series of cloud and infrastructure disruptions affecting major providers, including Amazon Web Services and Microsoft Azure.
While each event may have been short-lived, together they highlight a potential vulnerability in how modern businesses depend on a concentrated digital backbone.
Concentration risk: the trend behind the headlines
Cloudflare suffered a cascading outage that prevented access to platforms including X and ChatGPT, e-commerce giants, financial services, and even public-sector portals. Ironically, popular outage tracker Downdetector was itself 'down'. Cloudflare’s analysis found the issue was caused by a configuration bug rather than a cyberattack and was resolved within hours.
Beyond the incident itself, the outage showed the risk of concentration. When one vendor supports security, DNS, CDN, and edge compute for so much of the internet, a single software issue can ripple across multiple regulated sectors. This is not a Cloudflare problem. It’s a systemic one.
The rise of cloud-native business models has accelerated this concentration. Firms have consolidated around a small number of providers because they offer speed, global reach, and security at scale. When one of these shared platforms falters, the impact is amplified across markets, supply chains, and even countries.
Cloud, CDN, and edge networks now form the connective tissue of the digital economy. Each link in that chain carries operational, financial, and compliance implications for firms that rely on it. Incidents like this test the strength of third-party oversight, the adequacy of resilience plans, and the credibility of board-level governance. Regulatory frameworks such as the Digital Operational Resilience Act (DORA) and the UK’s Operational Resilience regime make it clear: firms must demonstrate the resilience of their critical suppliers, not assume it.
What to focus on now
After any disruption, companies work to stabilise systems, restore critical services, and communicate with customers and stakeholders. These early decisions matter. Effective recovery relies on clear communication, rehearsed playbooks, and the confidence to act quickly when the root cause sits outside the firm’s direct control.
Once the initial storm has passed, attention then turns to reducing dependency risk and strengthening operational resilience across three priorities:
- Map third-party dependencies: Standard vendor assessments and SLAs rarely show the full picture. Use dependency mapping to identify where single points of failure sit across your digital ecosystem — including sub-vendors of major cloud and content delivery providers.
- Diversify architectures: Multi-cloud or multi-CDN strategies can limit concentration risk, but they must be managed carefully. Work with compliance and security teams to balance resilience with regulatory and data protection obligations.
- Engage regulators early: Regulators increasingly expect collaboration, not compliance alone. Sharing insights and testing scenarios with supervisory bodies helps shape more practical standards — and reduces the risk of surprises when incidents occur.
The recent wave of outages has shown that digital resilience is both an IT concern and a governance issue. As dependency on shared infrastructure deepens, the question isn’t whether another disruption will happen, but how prepared firms will be when it does.