When the chair of your own independent inquiry walks out a year early, citing “glacially slow progress,” that is not a minor administrative footnote – it is a distress signal.
Kip Meek’s departure from the Competition and Markets Authority (CMA) in late January, reportedly driven by frustration at the snail-like pace of action following the cloud services market investigation, should be deeply uncomfortable reading for British businesses who depend on digital infrastructure they can trust, not to mention everyone in Whitehall and Westminster.
After an extensive two-and-a-half-year investigation, the CMA published its findings in July 2025. The report was explicit: Amazon Web Services (AWS) and Microsoft together account for roughly 80% of the UK’s cloud services market, a duopoly so deeply entrenched that the watchdog recommended both companies be designated with strategic market status. That designation was supposed to trigger stricter rules, open competition, and end the era of anti-competitive licensing practices that have effectively locked UK organisations into one vendor’s ecosystem.
Yet months on, nothing has moved. Every day the CMA delays is a day the market calcifies further. In business terms, “time is money”, and UK customers have been forced to pick up the bill and unwillingly bolster Microsoft’s coffers.
Tightening the grip
The two dominant providers are investing, innovating, and, in Microsoft’s case, launching products that appear specifically designed to tighten the grip. The recently announced Microsoft 365 Local, which runs Office applications on Azure Local infrastructure, is a case in point.
Marketed as a path toward greater control for European organisations, many observers see it as precisely the opposite – a strategy to slow the shift toward genuine digital sovereignty by keeping customers anchored to Microsoft’s architecture, just on premises rather than in the public cloud. The wolf, in other words, has changed its coat but it’s still a wolf.
There is a serious and underappreciated security dimension to this. Cyber security professionals have raised sustained concerns about hybrid Microsoft configurations, particularly those blending older on-premises infrastructure with cloud-based services.
The vulnerabilities are well-documented: legacy authentication protocols that were never designed for the modern threat landscape; hybrid deployments that create seams attackers can exploit; the “harvest now, decrypt later” threat that makes today’s encrypted data tomorrow’s liability; and misconfiguration risks that multiply as complexity increases.
The alarming reality is that the world’s default productivity tool is quietly becoming a national security liability. The problem does not go away by layering a new product name on top of familiar architecture – if anything, sprawling hybrid deployments make things worse.
Sovereignty debate
The sovereignty debate makes this particularly acute. In early 2025, the International Criminal Court’s chief prosecutor had his Microsoft Office 365 account suspended following US government sanctions.
Whatever the precise sequence of events – and Microsoft’s public account has since been the subject of a parliamentary correction request after a senior executive’s testimony to the House of Commons Business and Trade Committee was found to contain inaccuracies – the episode is only the most visible in a pattern of failures that should concern any organisation deeply dependent on Microsoft.
The company has faced sustained and serious criticism of its security practices: the US Cyber Safety Review Board concluded, following a significant 2023 breach, that Microsoft’s security culture was inadequate and that the intrusion was preventable; Exchange and Active Directory vulnerabilities have repeatedly served as entry points for state-level attackers; and, as noted, a senior Microsoft executive provided parliamentary testimony that was subsequently found to contain inaccuracies and required correction.
Every British public body, NHS trust, local council and financial firm should be asking not only what happens if a provider is compelled to act against your interests, but whether you should be so comprehensively dependent on any single vendor whose track record of critical errors is this well documented.
This is further exacerbated by the migration costs, contractual dependencies, and integration complexity that flow from years of unchallenged Microsoft dominance, and that have made alternatives financially and functionally inaccessible for most organisations. That is precisely the kind of market failure the CMA was created to prevent. It has identified the problem. It has written the report. Now it needs to act.
Strategic constraint
If the CMA fails to act within a credible timeframe, the opportunity closes. Lock-in is a strategic constraint on the UK’s ability to control its own data, its own communications, and its own critical infrastructure. Kip Meek resigned because, after years of diligent work, he could see the outcome of this investigation slipping away in slow motion.
The CMA must designate AWS and Microsoft with strategic market status, impose meaningful remedies on Microsoft’s licensing practices, and open the market to genuine competition before the window for doing so closes permanently.
If it does not do so, the consequences will be stark. Not only in terms of the significant harms to British businesses and the UK’s economic and innovation prospects, but also the CMA’s future as a trusted and credible authority. It has a clearly defined statutory obligation to promote competition for the benefit of consumers, and the question now is not whether it has the power to act. The question is whether it has the will.
For the sake of UK businesses, UK citizens, and the UK’s long-term digital sovereignty, the answer had better be yes.
Bill McCluggage was executive director for IT strategy and policy in the Cabinet Office and deputy UK government CIO from 2009 to 2012, CTO for EMC System UK (now Dell Technologies) in the UK and Ireland, and then the first CIO for the Irish government in 2013. He is now a technology advisor and consultant.