What Cloud Service Type Fits a Finance and Expense-Tracking Solution?

If you are choosing a cloud model for a finance and expense-tracking platform in 2026, the honest answer is that the four-way menu - public, private, hybrid, multi-cloud - no longer describes a real decision. The market has already converged. An LSEG survey of 453 financial-services executives in July 2025 found that 82% already run a hybrid or multi-cloud strategy, and 87% have increased cloud spending over the past two years. Nutanix's financial-services Enterprise Cloud Index points the same direction even more sharply: respondents expect a roughly threefold increase in hybrid multicloud adoption within three years, making it the leading operating model in the sector. So the question a senior engineer should actually be answering is not "which of four models" but "where does each workload sit inside a hybrid estate, and who is accountable for that placement." Public-only and private-only are now the exceptions you justify, not the defaults you assume.

Diagram of cloud service types feeding a finance and expense-tracking platform across public, private and hybrid placement

This matters because a finance and expense-tracking solution is not one workload. It is a ledger, an identity boundary, an integration layer to banking rails and ERP systems, a reporting and analytics tier, and increasingly an AI layer doing categorization, anomaly detection and forecasting. Those components have different gravity. Treating them as a single "app" that lives in one cloud tier is how teams end up either overpaying for dedicated infrastructure they did not need or putting regulated data somewhere they cannot defend in an audit.

Why the sensitive core trends private, and it is not abstract

The argument for keeping the ledger and customer financial data on dedicated or private infrastructure is usually framed as "compliance." That undersells it. The operative driver in finance right now is ransomware exposure, and the numbers are stark: in the Nutanix study, 99% of financial-services respondents had experienced a ransomware attack in the prior three years, and 89% said they had room to improve their defences. When nearly every peer has already been hit, the blast radius of a shared-tenancy compromise on your core ledger is not a theoretical risk to wave away in a design review. That is the concrete case for dedicated infrastructure under the data that would end your business if it leaked or got encrypted - not the data-residency checkbox.

Why the rest trends public, including the part teams forget

The flip side is that the elastic, bursty, undifferentiated parts of an expense platform - month-end reporting load, receipt OCR, dev and test environments, the AI/ML tier - are exactly what public hyperscalers are good at, and that is where the sector is investing. LSEG found 91% of firms are advancing AI through the cloud, and the shift in rationale is the part worth internalizing: it has moved from cost-cutting to outcome - scalability, revenue, and AI capability. But public cloud is not a one-way door. Flexera's 2025 State of the Cloud Report, surveying 759 IT professionals, found that about one-fifth (21%) of cloud workloads have already been repatriated from public cloud back on-premises. Placement is a reversible engineering decision that should be revisited per workload, not a migration you do once and defend forever.

Multi-cloud is a governance commitment, not a free lunch

Multi-cloud is sold on avoiding vendor lock-in and accessing specialist services, and both are real. Flexera's data confirms the spread is now normal: enterprises run across AWS at 53%, Azure at 29% and Google Cloud at 16%. But the original framing - "specialist services from various providers" - skips the bill. Operating across providers multiplies your security surface, your identity and networking complexity, and above all your cost-governance burden. The market's answer is FinOps as a standing discipline: the same Flexera report shows 59% of organizations now have a dedicated FinOps team, up from 51%. If you adopt multi-cloud for a finance platform without a funded FinOps and governance function, you have not bought flexibility. You have bought unmanaged spend and a wider attack surface.

DORA turned this into a regulatory decision, not just an architectural one

For any team serving EU financial customers - which, from the Netherlands, is most of them - the cloud-model choice is now hard-coded by regulation. The Digital Operational Resilience Act became applicable across the EU on 17 January 2025. It imposes binding ICT third-party risk-management duties: a mandatory register of ICT providers, prescribed contractual clauses, oversight of subcontracting, and an EU oversight framework for "critical" ICT third-party providers that explicitly includes cloud service providers. This is not advisory. LSEG found 84% of firms have already had to adjust their cloud strategy in response to frameworks like DORA and GDPR, and 92% now rate operational resilience as critical when choosing a provider.

The practical consequences for how you choose are specific. Concentration risk is now a named obligation, which strengthens the multi-cloud case for genuinely critical functions - but only if you can actually fail over, not just hold two contracts. Every provider and subprocessor needs a documented exit strategy, which makes the lock-in you accept a board-level question rather than an architect's preference. And the contracts themselves carry mandated clauses, so "we'll use the standard hyperscaler terms" is no longer sufficient.

How to actually decide

Drop the "which of four models" question and run placement workload by workload against three axes. First, data sensitivity and blast radius: the ledger and customer financial records bias toward dedicated or private infrastructure; derived, aggregated and test data does not. Second, elasticity and differentiation: bursty, undifferentiated load - reporting, OCR, ML - belongs on public cloud where you pay for what you burn, and stays reversible. Third, regulatory criticality under DORA: functions whose outage is material need demonstrable resilience and a real exit path, which is where deliberate multi-cloud earns its complexity. Run those three axes and you will almost always land on a hybrid estate - the question is only how the line is drawn, and that line is the actual engineering work.
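
The three axes above, together with the DORA exit-strategy and failover points from the previous section, can be run as a placement review over a workload inventory. The sketch below is an added example, not code from this article's author or any vendor; the field names, placement labels, finding strings and sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    placement: str                 # "private", "public" or "multi-cloud" (assumed labels)
    sensitive_core: bool = False   # axis 1: ledger, customer financial records
    elastic: bool = False          # axis 2: bursty, undifferentiated load
    dora_critical: bool = False    # axis 3: an outage would be material
    exit_strategy: bool = False    # a documented exit path exists for the provider
    failover_tested: bool = False  # failover has been exercised, not just contracted

def review(w: Workload) -> list[str]:
    """Return the findings a placement review would raise for one workload."""
    findings = []
    if w.sensitive_core and w.placement == "public":
        findings.append("sensitive core on shared public tenancy")
    if w.elastic and not w.sensitive_core and w.placement == "private":
        findings.append("elastic load on dedicated infrastructure")
    if w.dora_critical and not w.exit_strategy:
        findings.append("critical function without documented exit strategy")
    if w.dora_critical and w.placement == "multi-cloud" and not w.failover_tested:
        findings.append("multi-cloud without tested failover")
    return findings

def review_estate(workloads):
    """Map workload name -> findings, omitting workloads that pass."""
    return {w.name: f for w in workloads if (f := review(w))}

# Constructed sample inventory for a hypothetical expense platform.
ESTATE = [
    Workload("ledger", "private", sensitive_core=True,
             dora_critical=True, exit_strategy=True),
    Workload("receipt-ocr", "private", elastic=True),
    Workload("payments-gateway", "multi-cloud",
             dora_critical=True, exit_strategy=True),
    Workload("analytics-export", "public", sensitive_core=True),
    Workload("month-end-reporting", "public", elastic=True),
]

if __name__ == "__main__":
    for name, findings in review_estate(ESTATE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Because placement is reversible, a check like this is meant to be re-run whenever the inventory changes rather than once at migration time.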

That is also where the real cost lives, and where it is most often underestimated. A hybrid, partly multi-cloud finance platform is not harder to draw on a whiteboard than a single-cloud one. It is harder to operate: identity federation across boundaries, consistent policy enforcement, audit evidence that satisfies DORA continuously rather than at year-end, and FinOps discipline so the multi-cloud bill does not quietly compound. The model is the easy part. The operating discipline is the part that determines whether the architecture survives contact with an auditor, a ransomware crew, or a CFO reading the cloud invoice.

At Expeditious Software, our DevOps, cloud and platform-engineering specialists help finance teams make these placement decisions deliberately - and build the identity, policy and FinOps guardrails that keep a hybrid estate compliant and affordable. Get in touch to talk through the right service model for your finance and expense-tracking platform.

Mateusz Ulas