The Fourths

Why we build regulated platforms on Azure, not AWS.

This isn't a platform war argument. It's an observation about where Microsoft has invested specifically for regulated industry requirements — and why that matters when you're building for FSCA or FCA scrutiny.

9 min read · May 2026

Both Azure and AWS are capable of hosting regulated financial services platforms. The engineering question is not which one can do it — both can. The question is where the investment has been made in tooling, documentation, compliance certifications, and identity infrastructure that specifically matters for FSCA and FCA-regulated workloads.

Microsoft's answer is Entra ID, Purview, Azure Policy, and a compliance portfolio that currently covers 100+ certifications including ISO 27001, SOC 2, POPIA alignment documentation, and FCA operational resilience guidelines. The compliance documentation is specific, detailed, and regularly updated. The equivalent AWS documentation is thinner in the regulated financial services space, particularly for South Africa.

Identity is the most important argument. Entra ID (formerly Azure AD) is the industry standard for enterprise identity in the UK financial services sector. FCA-regulated firms have it. Their auditors understand it. The B2C variant gives you compliant customer identity for retail-facing products without having to build authentication from scratch. The integration with MCOB-relevant audit requirements is documented.

For South African firms, the argument is similar but not identical. POPIA requires data to stay within South Africa where possible. Azure has two South African regions, South Africa North and South Africa West. AWS has a Cape Town region. Both satisfy the geographic requirement. But the POPIA alignment documentation from Microsoft is more detailed, and the Entra B2C offering for SA-based identity providers is more mature.

Row-level security, audit log retention, key management, and network segmentation are not hard on either platform. But the tooling around policy enforcement — Azure Policy, Defender for Cloud, Microsoft Purview — maps more directly to the kind of evidence an auditor expects to see. When you're preparing for an FSCA audit, showing a Defender for Cloud compliance dashboard is a more familiar artefact than an AWS Security Hub report.

We're not ideological about this. If a client has existing AWS infrastructure, significant team expertise in AWS, or a specific service that only exists on AWS, that's a real argument. We've built on AWS and it works. But for greenfield regulated platforms where we control the architecture decision: we default to Azure, because the audit evidence trail is easier to construct and the identity infrastructure is already where the regulated industry lives.

The operational resilience argument is worth noting too. The FCA's operational resilience rules require firms to demonstrate continuity of important business services. Azure's region pairing, availability zone design, and Business Continuity documentation are well-suited to building the technical evidence for an ORE submission.

If you're building a regulated platform in South Africa or the UK and are evaluating cloud infrastructure, the right question is not 'which is better'. The right question is 'which has the compliance documentation and identity infrastructure that maps to my specific regulator's requirements'. For FSCA and FCA: that's Azure.
