The Open Rights Group (ORG) has written to UK MPs with an urgent warning: Britain's critical digital infrastructure is dangerously dependent on a handful of American technology companies. From border systems on AWS to tax platforms on Azure, the UK's most sensitive operations run on foundations controlled by foreign corporations. As the Cyber Security and Resilience Bill progresses through Parliament, digital sovereignty has become impossible to ignore — and for UK SMEs, this is not abstract policy but a direct threat to operational continuity and data security.
What Is Digital Sovereignty — and Why Should UK Businesses Care?
Digital sovereignty is a nation's ability to control its own digital infrastructure, data, and technology supply chains without undue foreign dependence. It is the digital equivalent of energy independence — no responsible strategy should concentrate critical systems on providers subject to another country's laws and political pressures.
For UK businesses, this is not merely a government concern. Every organisation storing customer data on US-owned cloud platforms or relying on American SaaS tools faces the same risk: decisions made in Washington can directly affect systems in Birmingham, Leeds, or Edinburgh.
"Just as relying on one country for the UK's energy needs would be risky and irresponsible, so is overreliance on US companies to supply the bulk of our digital infrastructure." — James Baker, Executive Director, Open Rights Group
When Vendor Lock-In Becomes a Weapon: Three Warnings
The risks of digital dependency are not hypothetical. Recent events demonstrate precisely how foreign technology control can be weaponised.
The ICC and Microsoft
When the Trump administration imposed sanctions related to the International Criminal Court's investigations, Microsoft blocked the ICC's access to email and collaboration services. An international judicial body found itself unable to communicate because its infrastructure was controlled by a company subject to US political direction. The ICC has since migrated to openDesk, a European open-source platform, to prevent any single government from disrupting its operations again.
John Deere's Remote Kill Switch
John Deere remotely disabled agricultural equipment stolen by Russian forces in Ukraine — widely applauded at the time. But the same remote-disable capability exists in every John Deere product worldwide. If a manufacturer can disable equipment in response to geopolitical events, it can do so anywhere, for any reason its home government compels. UK agricultural businesses and logistics operators face an identical vulnerability.
The Huawei Expulsion
The UK spent billions removing Huawei equipment from 5G networks over Chinese government influence concerns. Yet the same logic applies in reverse: UK systems dependent on American technology are equally subject to US government influence, including through the Cloud Act.
The US Cloud Act (2018) grants American law enforcement authority to compel US-headquartered companies to hand over data — even when physically stored in the UK or EU. UK businesses using AWS, Azure, or Google Cloud have no legal mechanism to prevent this, regardless of their service contracts.
The US Cloud Act: "Stored in the UK" Does Not Mean "Protected by UK Law"
Many UK businesses assume choosing a UK data centre region ensures data is subject solely to British jurisdiction. This is dangerously incorrect. The Clarifying Lawful Overseas Use of Data Act was enacted in 2018 to establish that US companies must comply with American data requests regardless of where data is physically stored.
Customer records, financial data, intellectual property, and confidential communications held on any US-headquartered platform are potentially accessible to US authorities without the data owner's knowledge or consent.
| Scenario | Platform | Subject to US Cloud Act? | UK Legal Protection |
|---|---|---|---|
| UK business on AWS London | US-owned (Amazon) | Yes | Limited |
| UK business on UK-owned cloud | UK-owned provider | No | Full UK/GDPR |
| UK business on EU cloud | EU-owned provider | No | GDPR + EU adequacy |
| UK business using US SaaS | US-owned | Yes | Limited |
| UK business on Azure UK South | US-owned (Microsoft) | Yes | Limited |
The Cyber Security and Resilience Bill
Introduced to the House of Commons on 12 November 2025, the Bill passed its second reading on 6 January 2026 and is progressing through Committee stage. Royal Assent is expected later in 2026, with full implementation by 2028.
Key Provisions
- Expanded scope: More organisations fall under mandatory requirements, including managed service providers and supply chain participants
- Mandatory incident reporting: Significant incidents must be reported within 72 hours, preliminary notification within 24 hours
- Supply chain obligations: Regulated entities must assess and manage cyber risks throughout their supply chains
- Enhanced enforcement: Penalties up to £17 million or 4% of global annual turnover
- Technical standards: The Secretary of State gains powers to set binding technical standards
The ORG's proposed amendment would require government to develop a digital sovereignty strategy, assessing foreign technology dependencies and providing guidance on reducing single-vendor risk.
The Ransomware Payment Ban
Running in parallel with the Bill, the UK Government plans a targeted ban on ransomware payments; together they reflect a fundamental shift in how the UK approaches cyber resilience.
In the government's consultation, 72% of respondents supported a ban. Only 17% of UK organisations hit by ransomware paid in 2025, down from 44% in 2023.
- Outright ban for public sector and critical national infrastructure — legally prohibited from paying ransoms
- Payment prevention regime for other businesses — must notify government before paying
- Mandatory 72-hour reporting for all UK organisations regardless of payment intent
- Intelligence sharing — incidents feed into a national threat picture for faster response
Even before the payment ban becomes law, update your incident response plans to assume payment is not an option. Organisations with robust backups, tested recovery procedures, and cyber insurance covering remediation costs will be far better positioned when the legislation takes effect.
UK Cloud Market Dependency: The Numbers
AWS, Microsoft Azure, and Google Cloud collectively control approximately 81% of the UK cloud infrastructure market, creating systemic risk at both national and business levels.
The CMA's cloud market investigation identified significant switching barriers: egress fees, proprietary dependencies, and re-architecture complexity — creating what the CMA described as "a self-reinforcing cycle of concentration."
| Switching Barrier | Description | Cost Impact | Mitigation |
|---|---|---|---|
| Data Egress Fees | Charges for transferring data out | £0.05-£0.09 per GB | Negotiate caps; free-egress providers |
| Proprietary Lock-In | Apps on provider-specific services | 6-18 months re-architecture | Open standards and portable frameworks |
| Skills Dependency | Team expertise in one platform | £5K-£15K per engineer | Cross-train; hire for portable skills |
| Contract Lock-In | Committed-use discounts penalising exit | 20-40% discount loss | Shorter commitments; multi-cloud |
| Integration Complexity | Interconnected platform-specific tools | £50K-£500K+ projects | Abstraction layers; document dependencies |
What This Means for UK SMEs
For businesses with 10 to 200 employees, sovereignty risks manifest concretely. SMEs typically concentrate their entire stack with a single provider — making them disproportionately vulnerable.
- Service disruption: A sanctions decision or policy change by a US provider could block access to critical systems
- Data exposure: The Cloud Act means customer data on US platforms is accessible to US authorities
- Cost escalation: Vendor lock-in makes switching progressively more expensive
- Compliance risk: UK GDPR obligations may conflict with US jurisdictional claims
- Supply chain pressure: Larger clients increasingly require data sovereignty compliance
[Chart: UK SME Cloud Dependency (Typical Profile)]
[Comparison panel: Single Vendor vs Multi-Cloud: The Trade-Offs, with panels "Single US Cloud Vendor" and "Multi-Cloud / Hybrid Strategy"; panel content not preserved]
Practical Steps UK Businesses Should Take Now
Digital sovereignty is not all-or-nothing. You do not need to abandon US providers — but you need informed choices about where sensitive data and critical systems reside.
1. Conduct a Cloud Dependency Audit
Map every system and data store to its underlying provider. Classify each by sovereignty risk — high for systems subject to the US Cloud Act, low for UK or EU-owned infrastructure.
2. Review Contracts for Sovereignty Clauses
Examine agreements for data residency guarantees and jurisdictional provisions. Many standard contracts offer no Cloud Act protection. Seek UK-jurisdiction commitments.
3. Implement a Tiered Data Strategy
- Tier 1 — Sovereign: Personal data, financial records, legal and health data on UK/EU-owned infrastructure
- Tier 2 — Controlled: Business-critical applications on UK data centre regions with contractual protections
- Tier 3 — General: Non-sensitive workloads where convenience takes priority over sovereignty
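Steps 1 and 3 above can be run as one exercise: inventory every system, look up who owns its provider, and check whether its current placement matches the tier its data requires. The script below is an added illustration of that audit, not CloudSwitched's own tooling or anything from the Open Rights Group. It encodes the rule from the Cloud Act table earlier on the page (US-headquartered provider means exposed, UK or EU-owned means not) and the three tiers as stated. The provider ownership table, the list of UK region identifiers, the placeholder provider name "example-uk-host" and the SME inventory are all constructed for the example; a real audit takes them from the contract review in step 2.

```python
"""Cloud dependency audit (steps 1 and 3): map each system to its provider's
home jurisdiction, flag US Cloud Act exposure, and check whether the data it
holds sits in the tier the strategy requires.

Added illustration, not the page's own code. The ownership table, region list
and inventory below are constructed assumptions for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Home jurisdiction of each provider's parent company (assumed for the example).
# The Cloud Act reaches US-headquartered companies wherever the data sits.
PROVIDER_JURISDICTION: Dict[str, str] = {
    "aws": "US",
    "azure": "US",
    "gcp": "US",
    "ovhcloud": "EU",
    "hetzner": "EU",
    "scaleway": "EU",
    "example-uk-host": "UK",   # placeholder name for a UK-owned provider
}

# UK data centre regions of the big three (identifiers as published by the
# providers; treat the list as an assumption to verify against your contracts).
UK_REGIONS = {"eu-west-2", "uksouth", "ukwest", "europe-west2"}

# Data classes the tiered strategy puts in Tier 1 (sovereign).
TIER1_DATA = {"personal", "financial", "legal", "health"}


@dataclass(frozen=True)
class Asset:
    name: str
    provider: str                 # key into PROVIDER_JURISDICTION
    region: str
    data_classes: FrozenSet[str]  # e.g. {"personal", "financial"}
    business_critical: bool
    sovereignty_clause: bool      # contract gives UK-jurisdiction commitments


def cloud_act_exposed(provider: str) -> bool:
    """True when the provider is US-headquartered (any region, any contract)."""
    return PROVIDER_JURISDICTION.get(provider) == "US"


def required_tier(asset: Asset) -> int:
    """Tier the strategy demands, from what the asset holds and does."""
    if asset.data_classes & TIER1_DATA:
        return 1
    if asset.business_critical:
        return 2
    return 3


def meets_tier(asset: Asset, tier: int) -> bool:
    """Does the asset's current placement satisfy the given tier's rule?"""
    jurisdiction = PROVIDER_JURISDICTION.get(asset.provider, "UNKNOWN")
    if tier == 1:                          # UK/EU-owned infrastructure only
        return jurisdiction in ("UK", "EU")
    if tier == 2:                          # UK region plus contractual protections,
        if jurisdiction in ("UK", "EU"):   # or already on sovereign infrastructure
            return True
        return asset.region in UK_REGIONS and asset.sovereignty_clause
    return jurisdiction != "UNKNOWN"       # Tier 3: at least know who holds it


def audit(inventory: List[Asset]) -> List[dict]:
    """One finding per asset: exposure, required tier, and whether it complies."""
    findings = []
    for a in inventory:
        tier = required_tier(a)
        ok = meets_tier(a, tier)
        findings.append({
            "name": a.name,
            "provider": a.provider,
            "jurisdiction": PROVIDER_JURISDICTION.get(a.provider, "UNKNOWN"),
            "cloud_act_exposed": cloud_act_exposed(a.provider),
            "required_tier": tier,
            "compliant": ok,
            "action": "none" if ok else f"move to Tier {tier} placement",
        })
    return findings


def gaps(findings: List[dict]) -> List[str]:
    """Names of assets whose placement does not match their required tier."""
    return [f["name"] for f in findings if not f["compliant"]]


# Constructed inventory for a typical SME stack (not real data).
SAMPLE_INVENTORY = [
    Asset("crm", "aws", "eu-west-2", frozenset({"personal"}), True, False),
    Asset("payroll", "azure", "uksouth", frozenset({"personal", "financial"}), True, False),
    Asset("erp", "azure", "uksouth", frozenset(), True, True),
    Asset("analytics", "aws", "us-east-1", frozenset(), True, False),
    Asset("backup-vault", "hetzner", "fsn1", frozenset({"personal", "financial"}), True, False),
    Asset("website-staging", "aws", "eu-west-2", frozenset(), False, False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        flag = "OK " if f["compliant"] else "GAP"
        print(f"{flag} {f['name']:<16} {f['provider']:<8} {f['jurisdiction']:<8} "
              f"tier {f['required_tier']}  {f['action']}")
```

Note how the London region on its own changes nothing for the CRM and payroll systems: they hold Tier 1 data on US-owned providers, so they are flagged regardless of region or contract, which is exactly the point the Cloud Act table makes. The ERP system passes Tier 2 only because it combines a UK region with a sovereignty clause; drop either and it becomes a gap.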
4. Evaluate UK and EU Alternatives
Providers such as OVHcloud, Hetzner, Scaleway, and UK-based operators offer infrastructure not subject to the US Cloud Act. For storage, email, and collaboration, sovereign alternatives now offer feature parity at competitive pricing.
5. Prepare for Mandatory Incident Reporting
Establish reporting procedures, designate responsible individuals, and test your ability to detect, assess, and report incidents within 72 hours.
6. Update Ransomware Response Plans
- Immutable backup systems tested with regular recovery drills
- Network segmentation to limit blast radius
- Cyber insurance covering remediation rather than ransom payments
- Pre-established relationships with incident response specialists
7. Engage Strategic IT Advice
For SMEs without a full-time CIO, a Virtual CIO service provides strategic expertise to navigate digital sovereignty, regulation, and cloud strategy.
Frequently Asked Questions
Does the US Cloud Act apply to UK data stored in UK data centres?
Yes. The Cloud Act applies to data held by any US-headquartered company regardless of physical location. If you use AWS, Azure, or Google Cloud, US authorities can compel the provider to hand over your data — even from a London data centre.
Should UK businesses stop using US cloud providers entirely?
Not necessarily. The recommended approach is tiered: move sensitive data to UK or EU-sovereign infrastructure while using US platforms for workloads where sovereignty risk is acceptable.
When will the Cyber Security and Resilience Bill become law?
Royal Assent is expected later in 2026, with phased implementation through to 2028. Begin preparing now — the regulatory direction is clear and early compliance provides competitive advantage.
Will the ransomware payment ban apply to all businesses?
The outright ban covers public sector and critical infrastructure. Other businesses must notify government before paying any ransom. Mandatory 72-hour reporting applies to all UK organisations.
How can small businesses afford multi-cloud strategies?
Multi-cloud does not mean duplicate infrastructure. For most SMEs, it means deliberate choices: UK-based email and storage, a sovereign backup solution, and open standards preventing lock-in.
"The organisations that will thrive in this new regulatory environment are those that treat digital sovereignty not as a burden, but as a competitive advantage — demonstrating to clients and regulators that their data is genuinely under UK control."
Navigate Digital Sovereignty and Cyber Security Compliance
CloudSwitched helps UK businesses audit cloud dependencies, develop sovereignty-aware strategies, and prepare for the Cyber Security and Resilience Bill. Our Virtual CIO service provides strategic guidance, and our Cyber Essentials certification support ensures your security foundations are solid.