
Cloudflare Outage Cascades Into DeFi: When Internet Infrastructure Concentration Meets Finance
In November 2025, a Cloudflare outage cascaded into decentralized finance protocols and traditional fintech services, demonstrating that even "decentralized" financial systems depend on concentrated internet infrastructure.
Key Metrics
- Cloudflare global traffic share: ~20% of all web traffic (a single provider serving one fifth of the internet)
- DeFi protocols affected: hundreds of frontend interfaces ("decentralized" but CDN-dependent)
- Financial services impact: DeFi + exchanges + fintech APIs (cross-sector cascade from a single CDN)
- CDN market concentration: ~50% in 4 providers (systemic concentration risk)
The Situation
The Cascade: From CDN to DeFi to Fintech
The Cloudflare outage's impact on financial services operated through three distinct but interconnected channels, each revealing a different facet of infrastructure concentration risk.
Channel 1: DeFi Protocol Frontends
DeFi protocols operate on blockchain networks, but users access them through web-based frontends — essentially websites and web applications. The vast majority of these frontends are hosted behind Cloudflare, which provides CDN caching, DDoS protection, SSL/TLS termination, and performance optimization. When Cloudflare went down, the blockchain smart contracts continued to function, but users could not access them through normal interfaces.
This created a surreal situation: the "decentralized" financial system was technically operational, but practically inaccessible. Sophisticated users who knew how to interact directly with blockchain smart contracts through command-line tools could still execute transactions. But the overwhelming majority of DeFi users — including institutional participants — relied on web frontends and were locked out.
The financial impact was material. DeFi protocols manage billions of dollars in total value locked (TVL). During the outage, users could not manage their positions, add or withdraw collateral, or respond to margin calls. In volatile markets, the inability to manage positions during a CDN outage could cause significant financial losses — and the user would have no recourse against either Cloudflare or the DeFi protocol.
Channel 2: Cryptocurrency Exchange APIs
Major cryptocurrency exchanges — including those that serve as bridges between traditional finance and the crypto ecosystem — rely on Cloudflare for API delivery. Institutional trading firms and market makers that connect to exchange APIs through Cloudflare-protected endpoints lost connectivity during the outage. This disrupted automated trading strategies, prevented risk management operations, and created information asymmetries between participants with direct exchange connections and those relying on CDN-delivered APIs.
Channel 3: Traditional Fintech Services
The Cloudflare outage also affected traditional fintech services that have become embedded in the banking ecosystem. Payment processors, account aggregation services, open banking API providers, and fraud detection systems that use Cloudflare for their API infrastructure experienced disruptions. For banks that rely on these fintech services as part of their service delivery chain, the Cloudflare outage created indirect operational impacts.
This indirect dependency — bank → fintech partner → Cloudflare — is precisely the kind of multi-layer supply chain risk that DORA Art. 28-29 was designed to address. The bank's direct vendor is the fintech partner, but the risk originates from the fintech partner's infrastructure dependency on Cloudflare. A thorough third-party risk assessment must map these dependency chains and identify the concentration risks they create.
The Challenge
The Hidden Centralization of "Decentralized" Finance
On November 18, 2025, Cloudflare — the internet infrastructure company that handles approximately 20% of all web traffic globally — experienced a significant outage. The Guardian and Galaxy reported the cascading effects on November 18 and 21, 2025, respectively. The impact extended far beyond typical website unavailability: decentralized finance (DeFi) protocols, cryptocurrency exchanges, fintech applications, and traditional financial service APIs that relied on Cloudflare's content delivery network (CDN) and DDoS protection services went down simultaneously.
The irony was sharp. DeFi protocols — marketed explicitly as "decentralized" alternatives to traditional financial infrastructure — proved to be critically dependent on centralized internet infrastructure. While the underlying blockchain networks continued to operate (blockchains run on peer-to-peer networks, not CDNs), the user-facing frontends, APIs, oracle services, and data feeds that make DeFi usable all relied on Cloudflare. When Cloudflare went down, "decentralized" finance became inaccessible for most users.
The outage exposed a structural reality that has direct implications for DORA: internet infrastructure is concentrated in a small number of providers, and financial services — both traditional and crypto/DeFi — depend on this concentrated infrastructure. Cloudflare, Akamai, AWS CloudFront, and Fastly collectively handle the vast majority of CDN traffic. A failure at any one of these providers can cascade into thousands of financial service applications simultaneously.
For regulated financial institutions operating under DORA, the Cloudflare outage demonstrated that third-party risk management must extend beyond direct commercial vendors to include the infrastructure providers that underpin those vendors' services. A bank may contract with a fintech partner for payment processing, but if that fintech partner depends on Cloudflare for its API delivery and DDoS protection, the bank has an indirect Cloudflare dependency that its third-party risk framework must identify and manage.
The DeFi dimension adds a novel regulatory question. Traditional financial regulators, including those implementing DORA, are increasingly required to engage with crypto-asset service providers under MiCA (Markets in Crypto-Assets Regulation). The Cloudflare outage demonstrated that even "decentralized" crypto services have centralized infrastructure dependencies that create the same concentration risks DORA was designed to address.
The Approach
DORA and the Internet Infrastructure Layer
The Cloudflare outage forces a critical question for DORA implementation: where does the ICT third-party risk boundary end? DORA Art. 28-30 addresses direct vendor relationships, and Art. 31 enables designation of Critical ICT Third-Party Providers (CTPPs). But the internet infrastructure layer — CDN providers, DNS providers, cloud platforms — sits beneath the direct vendor relationships and creates systemic concentration risk that individual institution-level risk management cannot fully address.
Art. 28 — Multi-Layer Vendor Dependency
DORA Art. 28 requires financial entities to manage risks from ICT third-party service providers. The Cloudflare outage demonstrates that this management must extend to multi-layer dependency chains. A bank's risk assessment for a fintech partner must include an assessment of the fintech partner's infrastructure dependencies — including CDN providers, cloud platforms, DNS services, and other internet infrastructure that the partner relies on.
This creates a practical challenge: how deep must the dependency mapping go? If a bank's fintech partner uses Cloudflare, which runs on bare-metal servers in data centers operated by various hosting providers, which depend on power from regional utilities, must the bank's risk assessment trace the entire chain? DORA's proportionality principle (Art. 4) suggests that the depth of mapping should be proportionate to the criticality of the service — critical services warrant deeper dependency analysis than auxiliary services.
Art. 31 — CTPPs and Internet Infrastructure
DORA Art. 31 establishes the framework for designating Critical ICT Third-Party Providers (CTPPs) — providers whose failure would create systemic risk to the financial sector. Cloudflare's role in delivering financial service APIs and protecting financial applications from DDoS attacks makes it a strong candidate for CTPP designation.
The Cloudflare outage demonstrated that a single CDN provider failure can simultaneously disrupt thousands of financial service applications across the entire sector. This meets the systemic risk threshold that Art. 31 was designed to address. If Cloudflare, Akamai, AWS CloudFront, or similar providers were designated as CTPPs, they would be subject to direct oversight by the EU's Joint Oversight Network — including requirements for resilience testing, incident reporting, and exit planning.
The "Decentralization" Illusion
The DeFi dimension of the Cloudflare outage has implications for the EU's MiCA regulation and its intersection with DORA. MiCA (Regulation 2023/1114) establishes requirements for crypto-asset service providers (CASPs), including operational resilience requirements that parallel DORA's framework.
The Cloudflare outage demonstrated that CASPs and DeFi protocols — regardless of their "decentralized" marketing — depend on the same centralized internet infrastructure as traditional financial services. The operational resilience requirements for CASPs should therefore include the same CDN/infrastructure dependency analysis that DORA requires for traditional financial entities.
For supervisory authorities, this means that the "decentralization" claim should be treated with skepticism during operational resilience assessments. A DeFi protocol or CASP that claims to be "decentralized" but whose user-facing services depend entirely on a single CDN provider has the same concentration risk as a traditional fintech — and should be held to the same standard.
The Results
Internet Infrastructure as Financial Infrastructure
The Cloudflare outage crystallizes a structural reality that DORA's framework must grapple with: internet infrastructure is financial infrastructure. The financial sector's dependence on a small number of CDN providers, cloud platforms, and DNS services creates systemic concentration risk at a layer below the vendor relationships that individual institutions manage.
The Concentration Map
The internet infrastructure layer serving the financial sector is highly concentrated:
- CDN: Cloudflare (~20% of web traffic), AWS CloudFront (~15%), Akamai (~10%), Fastly (~5%) — four providers handle roughly half of all CDN traffic
- Cloud: AWS (~32% market share), Azure (~22%), GCP (~12%) — three providers handle two-thirds of cloud infrastructure
- DNS: Cloudflare DNS, AWS Route 53, Google Cloud DNS — three providers dominate managed DNS
- DDoS protection: Cloudflare, Akamai, AWS Shield — three providers dominate financial sector DDoS protection
A failure at any of these providers cascades through thousands of financial service applications. The CrowdStrike/Falcon outage of July 2024 demonstrated this with endpoint security; the Cloudflare outage of November 2025 demonstrated it with CDN infrastructure.
Regulatory Implications
The concentration of internet infrastructure presents a challenge that no single regulatory framework can fully address. DORA addresses financial sector ICT risk, but the internet infrastructure providers serve all industries — finance is one customer among many. Designating Cloudflare as a CTPP under DORA Art. 31 would subject it to financial sector-specific oversight, but Cloudflare's primary incentive structure is driven by its entire customer base, not the financial sector specifically.
This suggests that effective oversight of internet infrastructure concentration may require cross-sector regulatory coordination — between financial regulators (implementing DORA), digital market regulators (implementing the Digital Services Act and Digital Markets Act), and cybersecurity authorities (implementing NIS2). The Cloudflare outage demonstrated that the risk is systemic across sectors, and sector-specific regulation alone is insufficient.
Practical Recommendations for Financial Institutions
Map CDN and infrastructure dependencies. Every financial institution should identify which CDN providers, cloud platforms, and DNS services underpin its direct and indirect vendor relationships. This mapping should be included in the ICT third-party risk register.
Implement multi-CDN strategies for critical services. For API endpoints and customer-facing applications that are critical to service delivery, financial institutions should implement multi-CDN strategies — distributing traffic across multiple CDN providers so that the failure of any single provider does not cause a total service outage.
Test for infrastructure provider failure. DORA Art. 24 resilience testing should include scenarios for CDN failure, cloud region failure, and DNS failure. These tests should verify that failover mechanisms work and that recovery times meet the institution's service level commitments.
Assess DeFi and crypto exposure to infrastructure concentration. Financial institutions with crypto-asset exposure — whether through custody, trading, or DeFi participation — should assess the infrastructure concentration risk of their crypto counterparties and service providers. The "decentralization" narrative should not be accepted at face value.
Engage with CTPP designation processes. As the EU's CTPP designation framework develops under DORA Art. 31, financial institutions should advocate for the inclusion of critical internet infrastructure providers — CDN, cloud, DNS — in the designation scope, ensuring that systemic infrastructure concentration is addressed at the regulatory level.
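The three technical recommendations above (map the CDN, cloud and DNS dependencies behind each vendor, use multi-CDN for critical endpoints, and test what a provider failure does) can be exercised together on a small model. The following is an added example, not code from the original case study or from Valendir: the service inventory, vendor names, CNAME targets and nameservers are all constructed, and the table of DNS markers used to attribute a hostname to a provider is an assumption about how the major CDN/DNS providers appear in CNAME and NS records. In a real programme the inventory would come from the ICT third-party risk register and the DNS data from resolver observations.

```python
"""Infrastructure dependency mapping and provider blast-radius analysis.

Added example for the dependency-mapping, multi-CDN and failure-testing
recommendations; not code from the original case study. Every hostname,
vendor and CNAME/NS target below is constructed, and PROVIDER_MARKERS is an
assumption about how providers show up in DNS records.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumed DNS markers per provider (substring match on the DNS name).
# Observed CNAME chains and NS records are what a real mapping would use.
PROVIDER_MARKERS: tuple[tuple[str, str], ...] = (
    ("cloudflare.net", "Cloudflare"),     # CDN edge CNAMEs
    ("ns.cloudflare.com", "Cloudflare"),  # authoritative DNS
    ("cloudfront.net", "AWS"),            # CloudFront distributions
    ("awsdns-", "AWS"),                   # Route 53 nameservers
    ("akamaiedge.net", "Akamai"),
    ("akam.net", "Akamai"),
    ("fastly.net", "Fastly"),
    ("googledomains.com", "Google"),      # Cloud DNS nameservers
)


def classify(hostname: str) -> str | None:
    """Attribute a DNS name to a provider, or None if the table cannot."""
    host = hostname.lower().rstrip(".")
    for marker, provider in PROVIDER_MARKERS:
        if marker in host:
            return provider
    return None


@dataclass(frozen=True)
class Service:
    name: str
    vendor: str                   # the bank's direct contractual counterparty
    critical: bool
    cdn_targets: tuple[str, ...]  # one CNAME target per delivery path (never empty)
    nameservers: tuple[str, ...]  # authoritative NS for the API domain (never empty)


def providers_of(service: Service) -> set[str]:
    """Every attributed provider the service touches, via CDN or DNS."""
    names = service.cdn_targets + service.nameservers
    return {p for p in map(classify, names) if p is not None}


def is_down(service: Service, failed: str) -> bool:
    """Unreachable when every delivery path, or every nameserver, is at the
    failed provider. Multi-CDN only helps if DNS is not also concentrated."""
    cdn_lost = all(classify(t) == failed for t in service.cdn_targets)
    dns_lost = all(classify(ns) == failed for ns in service.nameservers)
    return cdn_lost or dns_lost


def blast_radius(services: tuple[Service, ...], failed: str) -> list[str]:
    """Services that become unreachable if a single provider fails."""
    return [s.name for s in services if is_down(s, failed)]


def single_points_of_failure(services: tuple[Service, ...]) -> dict[str, list[str]]:
    """Provider -> critical services lost if only that provider fails."""
    providers = set().union(*(providers_of(s) for s in services))
    result: dict[str, list[str]] = {}
    for provider in sorted(providers):
        lost = [s.name for s in services if s.critical and is_down(s, provider)]
        if lost:
            result[provider] = lost
    return result


def exposure(services: tuple[Service, ...]) -> dict[str, int]:
    """Concentration map: how many critical services touch each provider."""
    counts = Counter(p for s in services if s.critical for p in providers_of(s))
    return dict(counts)


def unattributed(services: tuple[Service, ...]) -> list[str]:
    """DNS names the marker table could not attribute; review these by hand."""
    return [n for s in services for n in s.cdn_targets + s.nameservers
            if classify(n) is None]


# Constructed inventory: a bank's direct vendors and the DNS names behind them.
INVENTORY: tuple[Service, ...] = (
    Service("payments-api", "PayCo (hypothetical)", True,
            ("payco-api.example.cdn.cloudflare.net",),
            ("ada.ns.cloudflare.com", "bob.ns.cloudflare.com")),
    Service("account-aggregation", "AggCo (hypothetical)", True,
            ("d111111abcdef8.cloudfront.net",),
            ("ns-2048.awsdns-64.com", "ns-1024.awsdns-00.org")),
    Service("fraud-scoring", "FraudCo (hypothetical)", True,
            ("fraudco.map.fastly.net", "fraudco-api.example.cdn.cloudflare.net"),
            ("ns-cloud-a1.googledomains.com", "ns-cloud-a2.googledomains.com")),
    Service("crypto-custody-portal", "CustodyCo (hypothetical)", True,
            ("custodyco.example.cdn.cloudflare.net",),
            ("ns-cloud-b1.googledomains.com", "ns-cloud-b2.googledomains.com")),
    Service("marketing-site", "in-house", False,
            ("www.bank-example.akamaiedge.net",),
            ("a1-12.akam.net", "a2-64.akam.net")),
    Service("treasury-ops", "in-house", True,
            ("origin.treasury.bank.example",),   # served from origin, no CDN
            ("ns1.bank.example", "ns2.bank.example")),
)

if __name__ == "__main__":
    print("Critical-service exposure by provider:", exposure(INVENTORY))
    print("Single points of failure:", single_points_of_failure(INVENTORY))
    print("Lost if Cloudflare fails:", blast_radius(INVENTORY, "Cloudflare"))
    print("Needs manual attribution:", unattributed(INVENTORY))
```

Running it shows the two things the recommendations are after. The multi-CDN fraud-scoring service survives a Cloudflare failure because its second path goes through Fastly, but it still appears under Google in the single-points-of-failure output because all of its nameservers sit with one DNS provider; a DNS failure scenario (Art. 24 testing) would catch that where a CDN-only scenario would not. The treasury-ops names come back unattributed, which is the signal that the mapping is incomplete rather than that the service has no infrastructure dependency.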
Lessons Learned
1. DORA Art. 28-29 third-party risk management must extend to multi-layer dependency chains — a bank's fintech partner's CDN dependency creates indirect infrastructure concentration risk that the bank's risk framework must identify and assess.
2. DORA Art. 31 CTPP designation should include critical internet infrastructure providers (CDN, cloud, DNS) whose failure creates systemic disruption across the financial sector — Cloudflare's ~20% web traffic share makes it a strong CTPP candidate.
3. The "decentralization" narrative in DeFi and crypto should be treated with skepticism during operational resilience assessments — user-facing services depend on the same centralized internet infrastructure as traditional finance.
4. DORA Art. 24 resilience testing should include CDN failure, cloud region failure, and DNS failure scenarios to verify that failover mechanisms function and recovery times meet service level commitments.
5. Effective oversight of internet infrastructure concentration may require cross-sector regulatory coordination between DORA, NIS2, and digital market regulators — sector-specific regulation alone is insufficient for systemic infrastructure risks.
6. Financial institutions should implement multi-CDN strategies for critical service endpoints, distributing traffic across multiple providers so that single-provider failure does not cause total service disruption.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.
Facing similar challenges?
See how Valendir can help your institution achieve and maintain DORA compliance with deterministic workflows, immutable evidence, and continuous assurance.