In early April, Dame Chi Onwurah, chair of the Science Innovation and Technology Select Committee, made some pointed remarks about the UK Government’s technology strategy, or its relative lack thereof.
Her argument centred on our dependency on a small number of Big Tech providers, principally Microsoft and AWS, with Palantir receiving mention due to their NHS and military contracts, along with legitimately framed concerns over UK dependencies on foreign supply chains.
There was much to agree with in Dame Chi’s article, with just one jarring point – her definition of sovereignty. Namely that, “it means exactly what you want it to mean.” Such a formulation might be political shorthand; the politician making a soundbite of complex concepts for public consumption, but for digital and data sovereignty it’s dangerous to over-simplify.
Politicians sometimes choose to be imprecise, but it’s important to be unambiguous here. Digital sovereignty requires that the only legislation acting on a piece of sovereign data is that of its parent country, or if you prefer; “the laws a country accepts to provide judicial primacy”.
Sovereignty an active digital battleground
Despite this, Dame Onwurah’s article was a call to action on a topic many readers probably didn’t realise was an issue. Make no mistake, sovereignty is already an active digital battleground for Big Tech and hyperscalers. It is likely to be the defining factor of technology delivery in the UK, Europe and globally for the next few years.
The digital sovereignty issue is largely a product of public cloud, and more directly high-profile court cases such as SCHREMS II, which sought to control personal data transfers to regimes deemed less likely to protect it than our own. Before public hyperscale cloud, nearly all domestic and government data processing was performed in datacentres in-country.
Non-sovereign IT or software providers occasionally required remote engineer access for support, but most access to your data was physically, as well as logically and digitally, limited to in-country.
Cloud adoption, and in particular the UK’s decision to adopt US-headquartered public cloud services, broke down those sovereign walls.
Mandated sovereign processes and contracts gave way to as-a-service models while supplier-defined terms of service allowed data offshoring, and it’s the effect of those that have led to pan-European calls for digital sovereignty.
Sovereignty is therefore commonly suggested to be a hyperscaler issue, but it’s actually broader than that. All non-sovereign (which principally means US) service providers must adjust.
So, the term hyperscaler isn’t a useful frame for these discussions. Others like IBM, Oracle, HPE need to adapt too, and all the various approaches to sovereign cloud and IT services now distinctly fall into three types that don’t neatly meet the hyperscaler-or-not classification.
That means that a hyperscaler-specific focus when it comes to sovereign cloud and AI is counterproductive. Each provider needs to be considered independently on their own merits and approaches.
Geopolitical tension and offshoring worries
Sovereignty worries have also been driven by a period of unusually high geopolitical tension. Whilst the US remains a valued European ally, threats and posturing from the White House have caused concern amongst UK and EU leaders. The result is a swing in the pendulum, with European nations seeking more sovereign control after years of increasing reliance on US-based cloud providers. The IT industry is responding, but not all providers are making the changes they must to operate in markets defined by sovereignty rather than scalability.
Of the big three, Microsoft were the first to think about sovereign capabilities. They built a German M365 outpost years ago, though that went defunct in 2022 and they appear to be struggling most with the transition now.
Their global public cloud services (Azure and M365) operate in more than 100 countries that support UK and some European services, so to restructure that into sovereign-first operating models will take some work. Conversely, AWS and GCP, who both use offshore processing, but are principally regional in nature, are adapting more quickly.
Another issue for Microsoft is historic lack of transparency around global data flows and exactly how their platform works. Last year Redmond was unable to give information on data flows when requested to do so by the Scottish Police Authority (a legal requirement under Data Protection laws). And more recently ProPublica revealed that US FedRAMP authorities had encountered exactly the same issues trying to certify Microsoft cloud services for US government use.
ProPublica claimed that after five years of trying and failing to get core information about Microsoft’s security and data processing in Microsoft’s US Government Community Cloud High platform, they had to give up.
This raises a question unique to Microsoft. Can they actually re-model their complex global-by-default services to deliver pure in-country sovereign cloud delivery?
They look to be struggling so far. Their commitment to deliver CoPilot in-country AI inference by the end of 2025 for the UK has just been rolled back to the end of 2026, whilst EU nations will now apparently only get regional, and not sovereign inference.
Sovereignty Levels 1 and 2
Instead of national capabilities, Microsoft is trying to focus buyers’ minds on re-defining what sovereignty means to fit their existing product stack; a strategy that previously sufficed but is unlikely to be successful again.
This is the Sovereignty Level 1 response: Adapt the definition to better align with existing product architectures.
Most non-sovereign providers have introduced “data boundary” constructs, supported by additional technical controls, though these may not fully satisfy stricter interpretations of sovereignty from data protection authorities.
Microsoft leans on this more than AWS or Google, who both have this in their sovereignty catalogue but have already moved most customer discussions on to Sovereignty Level 2.
That approach is to partner regionally and work with a local partner through a sovereign operating model.
This can improve customer confidence, but where the control plane or ultimate corporate control remains offshore, sovereignty concerns may still persist depending on the implementation.
The AWS approach centres on this option, namely that their European Sovereign Cloud is a regional platform they claim fully adheres to EU rules and regulations but fails in the basic respect that the EU is a collective, not a sovereign, entity.
EU alignment also creates a political barrier to non-EU members like the UK. Ceding digital sovereignty to EU controls might be too much for the government to accept. It’s also not yet fully clear that corporate control is 100% vested in the AWS German representatives and Cloud Act jurisdiction might still apply.
Microsoft’s efforts to build in-country sovereign cloud in Germany and France are yet to achieve full operation, and moves by both governments to reduce Microsoft dependency may further impact their realisation.
Google and S3NS
Google’s in-country partner approach has had more success. In a joint venture with Thales, named S3NS, they’ve taken a hands-off position. S3NS now offers assured France-specific air-gapped capabilities, a fundamental requirement for sovereign cloud or AI services. Platforms that periodically “phone home” for upgrades, licence checks, or processing do not pass the sovereignty test.
S3NS bridges the gap from the Level 2 to the Level 3 approach with fully air-gapped operations, wholly under local control to give self-evident sovereign cloud.
AWS and Microsoft have air-gapped options on the table, but Google Distributed Cloud Air-Gapped (GDC-AG) is currently the most well developed and capable, despite still lacking some services that are in their public cloud platform.
It’s not particularly cheap – isolated working carries a premium – but the MOD’s announcement of a £400m contract over five years, and others of similar size in NATO and the German military attest to their trust in its sovereignty.
AWS’s alternative, LocalStack, works for development purposes but is not rated for production workloads. My previous analysis of Microsoft’s Azure Local Disconnected product makes that look distinctly beta-like in comparison.
The landscape of hyperscaler offers for sovereign cloud is thus immature. Google has found a way to deliver locally, AWS is yet to break out of the EU-region model, and Microsoft is already slipping on sovereign commitments it made for AI.
Meanwhile, as sovereignty becomes increasingly important, local cloud providers can become viable recipients of investment once again. They will however need time, government support and forward-looking investors to grow. Even then, some will likely fail.
One logical answer is a future of hybrid, partnership-led solutions. That requires a technology-neutral, cloud-ready procurement approach from government that makes portability, switching, and multi-vendor operation possible in practice. The big providers also need to be willing to make that work and may need to do so with country specific partnerships.
Google’s approach in France through S3NS provides insight into what a national cloud and hyperscale collaboration could look like; a scalable “hyper-core” under national management with flexible in-country SME delivery partners for the edge.
If we’re serious about digital sovereignty across Europe and UK, it’s about time we started these conversations.