(although since we're all 3rd hand in this except for people who either can't or won't comment for reasonably obvious reasons, using words like "facts" and "doubt" and "evidence" is probably a mistake)
What will be interesting is the long tail. The entities providing layered services who do have reporting obligations under EU or US laws, or other economies, who then surface to say they got risk/exposure as a result of this.
Having been the recipient of a supply chain integrity questionnaire from a US corp entity, I can assure you that this is a well understood, extensive space for questions. An awful lot of indirect dependency can stem from a cloud service compromise.