Britain's reliance on US cloud services has become a billion-pound risk.
TL;DR: The majority of the UK public sector (95%, or 99% when including cloud software) is reliant on US hyperscalers, which concentrates critical services and billions of pounds in the systems of Microsoft, Amazon, and Google. Analysts caution that this reliance poses a strategic risk due to potential outages, the US CLOUD Act, and opaque “black box” gateways. The CMA established that AWS and Microsoft hold substantial market power but chose to pursue voluntary commitments instead of imposing binding regulations.
The UK public sector has increasingly depended on a few US cloud providers, raising concerns about the strategic implications of this concentration. Almost all government entities in the UK invest in hyperscale cloud services, leading to significant yearly expenditures.
In 2023/24, around 95% of central and local public-sector organizations utilized hyperscale cloud services, as reported by Computer Weekly. When factoring in the software that operates on these platforms, this number rises to 99% among more than 1,100 organizations.
The financial outlay is significantly focused. Out of £17.7 billion spent on major technology suppliers, 55%, equivalent to £9.9 billion, was allocated directly to hyperscalers or their resellers.
Key public sector spenders included the Ministry of Defence at £1.09 billion and HM Revenue & Customs at £1.01 billion, with the Home Office, DWP, and NHS England also investing hundreds of millions.
Microsoft, Google, and Amazon dominate the infrastructure, managing most of the connections across evaluated departments and councils. This concentration transforms cloud reliance into a political concern beyond just technical considerations.
Security officials express alarm over this concentration, not because failures are frequent, but because of the ramifications when they occur or in the context of geopolitical tensions. Last year, 39% of UK companies reported outages linked to US hyperscalers, and 77% of IT leaders voiced worries about geopolitical risks.
Supplier interfaces can often be opaque to internal teams, and the US CLOUD Act allows American authorities to access data maintained by US-based providers, even if it is stored in the UK. These concerns have spurred interest in European alternatives to AWS, Azure, and GCP.
While this dependency is not exclusive to the UK, the British response has been less stringent compared to the rest of Europe. Brussels has introduced an EU tech sovereignty initiative aimed at limiting US cloud usage for sensitive governmental data.
A regulator that hesitated and a difficult exit
Britain’s competition authority spent three years assessing the market, concluding that AWS and Microsoft possess "significant unilateral market power," supported by high barriers to entry and lock-in effects that make switching providers infrequent.
However, the CMA opted against enforcing binding regulations, choosing to accept voluntary agreements regarding egress fees and interoperability, while launching a separate investigation into Microsoft’s software licensing. Vendors assert that their dominance stems from real strengths in scale, security, and cost, not merely from lock-in tactics.
This creates a dilemma, as the services are affordable, efficient, and deeply integrated, making them difficult to dismantle. Europe's own experiences highlight the internal divisions encountered in efforts to reduce Big Tech's influence.
Thus far, Britain has traded efficiency for exposure, and reversing this trend would be a slow and expensive process. The billion-pound question remains whether the risks will remain hypothetical or if an outage or geopolitical crisis will escalate the situation first.
Other articles
Britain's reliance on US cloud services has become a billion-pound risk.
Almost all public institutions in the UK rely on US hyperscalers, centralizing billions of pounds and essential services in systems that Whitehall cannot fully access.
