When US president Trump implemented sanctions against the International Criminal Court (ICC) in February 2025, it wasn’t long before ICC chief prosecutor Karim Khan found himself locked out of his Microsoft 365 email account.
This sent digital sovereignty-shaped shock waves across Europe and raised fears that US cloud hyperscalers could wield a “kill switch” against customers that fall foul of US political imperatives. Many saw it as another example of the US’s “America First” policies hitting home, this time in the digital domain and against an organisation’s vital information infrastructure.
For the ICC, it pushed the organisation to migrate to German supplier ZenDiS’s openDesk, which provides office productivity tools based on open source, GDPR-compliant technology.
For many others in the UK and Europe, it pushed the question of digital sovereignty to the fore. In response to the ICC-Microsoft affair, for example, Dutch lawmakers petitioned their government to move to 30% Dutch or European cloud services by 2029.
In this article, we look at data sovereignty in terms of the risks – political, legal and economic – with special reference to the massive penetration of US hyperscalers in the UK and European markets. We also hear from voices concerned about US hyperscaler penetration into the public sector, vital services and the cloud economy, and reveal massive penetration of the UK public sector by the hyperscalers.
This is the first article in a series, with the next looking more deeply at campaigner concerns and state-level responses around data sovereignty.
What is data/digital sovereignty?
To discuss data sovereignty at all, we need to arrive at a working definition or a set of definitions. The idea of data sovereignty comes from the wider political notion of sovereignty as applied to states, where it means the solely held power to govern a country.
When it comes to data, we can extend that idea to mean complete control over data and applications to give us a concept of data sovereignty or digital sovereignty. That could apply to enterprises and their need to retain data in specific jurisdictions to meet legal and regulatory requirements.
What are the risks to nation states around data sovereignty?
The risks to nation states around data sovereignty fall under three main categories:
- Risks of political interference from foreign states;
- Legal interference when the laws of one state affect data held in another;
- Issues of economic sovereignty, where the degree of foreign company control over data in an economy is considered a risk.
The political risk and the hyperscaler ‘kill switch’
The ICC-Microsoft affair shows that data sovereignty isn’t just theoretical. It’s a live risk, says Liberal Democrat spokesperson for science, innovation and technology, Tim Clement-Jones.
“If you see that kind of risk, where a hyperscaler like Microsoft can be pressured to withdraw a service, you have to look at the fact that we are so heavily embedded – we’ve got Microsoft, AWS and Google all over government,” he says. “Where are the alternative UK suppliers?”
US president Trump and his unpredictable and/or targeted decision-making have been a major driver around data sovereignty, not least because so much cloud capability deployed across the globe is US-owned, in particular by the three main hyperscalers – AWS, Microsoft and Google Cloud.
The legal risk and ‘jurisdictional overreach’
Then there are concerns around legal interference. This is where the laws of one country apply to data held in systems that may also be subject to the laws of another. This is referred to as “jurisdictional overreach”.
Risks of that type around data sovereignty are exemplified by the US Cloud Act and Chinese National Intelligence Law (NIL), which both create situations where the laws of one country directly conflict with the laws of another, where the data is protected.
The US Clarifying Lawful Overseas Use of Data (Cloud) Act was passed in 2018, and empowers US law enforcement agencies to compel US-based technology companies to provide data to them, wherever that data is stored, inside or outside the US. That requirement directly affects privacy laws elsewhere, such as the EU’s GDPR, which prohibits transfer of data to a third country.
Meanwhile, the Chinese NIL mandates assistance and cooperation with Chinese state intelligence work and can apply to Chinese companies and citizens wherever they are. Like the US Cloud Act, GDPR makes it impossible to comply with this in Europe because the NIL might require a company to hand over data on customers in Europe, again contravening transfer of data overseas.
The economic risk: becoming a ‘digital colony’
There’s a point where worries about foreign political interference and data sovereignty become entwined with issues of economic sovereignty. The concern is that UK and European states don’t have the homegrown capacity to offer cloud and software services as the US giants do, and that is a risk to the economic wellbeing of those countries.
Axel Voss, German Christian Democrat MEP in the European Parliament, is a keen advocate of building increased European economic sovereignty in the digital realm, saying that he believes Europe risks becoming a digital colony of the US or China.
“It shows up when Europe’s daily digital life and increasingly our critical infrastructure runs on non-European hardware, software, cloud services and platforms,” says Voss. “That means the next technological wave can be shaped by actors who don’t share our values or standards. That creates systemic risks for prosperity, privacy and security, and it can leave Europeans feeling that democratic institutions have ‘lost control’ over the digital environment.
“The biggest risks are strategic lock-in and unilateral dependencies. If core collaboration tools, identity, storage, cloud and AI are controlled elsewhere, Europe’s administrations and companies lose real freedom of choice and bargaining power.”
That dependency can sometimes come to light in shocking ways. Last year, it was revealed that Scottish police forces that use Microsoft 365 have no idea what country their data may be kept in – and Microsoft wouldn’t tell them.
Clement-Jones says: “Their data can be held all over the world in any datacentre run by Microsoft. The first thing that comes into my mind is really, that’s crazy. How can they do that? How do they justify that? Surely an organisation like the police force is going to demand physical sovereignty.”
The scale of hyperscaler penetration: the UK public sector
US hyperscale cloud providers have near-universal penetration across the UK public sector and account for the majority of technology spending. In the financial year 2023/2024, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services. When software services that run on hyperscale cloud – such as software as a service (SaaS) – are included, that share rises to 99%.
This is the case for more than 1,100 public sector bodies, including government departments, councils, police forces and NHS organisations, according to data that comes from analyst Tussell. The public sector procurement specialist publishes its Tech Titans list every year of the top 150 tech suppliers by spend received from the UK public sector, and breaks that down by department. In the financial year 2023/24, these companies were paid around £17.7bn of public sector budget, which was 84% of total spend.
In the data, it is possible to identify an actual hyperscaler in only one case – AWS is present under its own name. But for the most part, cloud provision comes via resellers of the three key US-owned public clouds, AWS, Microsoft Azure and Google Cloud, with Oracle and IBM also counted as hyperscalers for this analysis. Prominent cloud resellers to the UK public sector are Bytes, Capgemini and Softcat, but the list extends to around 30 such suppliers.
It is also possible to verify suppliers as resellers of hyperscaler cloud provision because they publish information about their accreditations, such as AWS Premier Tier Services Partner, Azure Expert Managed Service Provider, or Google Cloud Premier Partner. That is not to say that they are solely providers of cloud connectivity, as they often provide consultancy too.
Out of the £17.7bn total Tech Titans spend, more than half – 55% or £9.9bn – was spent on hyperscale cloud either directly or via cloud resellers in financial year (FY) 2023/2024. Beyond direct or reseller provision of hyperscale cloud connectivity, suppliers that offer services that use hyperscale cloud – e.g. SaaS – can also be identified, or at least ruled out as suppliers of cloud connectivity. Adding these to direct hyperscale and cloud resellers, they accounted for 86% of total Tech Titans spend, with £15.3bn going their way.
Out of 22 government departments in the data, 21 spent budget on hyperscale cloud in some form in that year, with 13 of them spending 50% or more of their tech budget on hyperscale cloud directly or via cloud resellers.
The top five public sector spenders on hyperscale cloud were: Ministry of Defence (£1.09bn), HM Revenue & Customs (£1.01bn), the Home Office (£775m), Department for Work and Pensions (£622m), and NHS England (£442m).
Out of 64 police forces and other police agencies in the data, 55 spent budget on hyperscale cloud, which rose to 59 if services that use hyperscale cloud were included. The Metropolitan Police spent £354m on hyperscale cloud.
Out of 271 NHS organisations in the data, 270 spent budget on hyperscale cloud in 2023/24.
Conclusion: UK digital infrastructure dependent on foreign tech
The Tussell/Computer Weekly data highlights how deeply embedded US cloud infrastructure has become across the UK public sector – a reality that complicates efforts by European policymakers to promote “sovereign cloud” alternatives.
When nearly every government department and myriad local and other agencies relies on a handful of offshore entities, the line between supplied services and national sovereignty blurs. As some of the campaigners we spoke to warn, the risk is no longer just about where data sits, but whether a nation state has complete control – sovereignty – over its own critical functions.
To correct this situation potentially requires a radical shift in strategy. In the next feature in this series, we look at how governments and campaigners in the UK and Europe have responded.
