Britain's reliance on US cloud services has now become a billion-pound risk.

Britain's reliance on US cloud services has now become a billion-pound risk.

      TL;DR Almost the entire UK public sector (95%, or 99% including cloud software) relies on US hyperscalers, concentrating billions of pounds and essential services within Microsoft, Amazon, and Google systems. Analysts caution that this presents a strategic risk due to potential outages, the US CLOUD Act, and opaque gateways. The CMA identified AWS and Microsoft as having substantial market power but chose to pursue voluntary commitments rather than enforce binding regulations.

      The British public sector has grown heavily dependent on a handful of US cloud companies, and analysts express concerns that this concentration poses a strategic risk. Nearly all UK governmental organizations invest in hyperscale cloud services, leading to annual expenditures in the billions.

      According to a Computer Weekly investigation, about 95% of central and local public sector entities allocated budget for hyperscale cloud in 2023/24; this figure rises to 99% when including software operating on these platforms, encompassing over 1,100 organizations.

      Funding is heavily skewed, with £17.7 billion spent on major technology suppliers, of which 55%, or £9.9 billion, went directly to hyperscalers or their resellers. The largest expenditures come from significant government departments, such as the Ministry of Defence at £1.09 billion and HM Revenue & Customs at £1.01 billion, followed closely by the Home Office, DWP, and NHS England, each investing hundreds of millions.

      Three firms dominate the infrastructure: Microsoft, Google, and Amazon control the majority of connections across surveyed departments and councils. This reflects a broader trend where reliance on US hyperscalers transforms cloud dependency into a political risk, not merely a technical one.

      Concerns about concentration and security

      The concern is not primarily about frequent service failures, but rather the implications when they do occur or when geopolitical factors come into play. Approximately 39% of UK companies reported outages linked to US hyperscalers in the previous year, and 77% of IT leaders express worries about geopolitical vulnerabilities.

      Supplier gateways can often operate as “black boxes” for internal teams, and the US CLOUD Act allows American authorities to access data stored by US-owned providers, even when it's on British soil. Such worries have spurred interest in European alternatives to AWS, Azure, and GCP.

      This level of dependence is not unique to the UK, but the country's response has been more lenient compared to Europe. Brussels is advancing an EU tech sovereignty initiative that restricts US cloud access for sensitive government data.

      A cautious regulator and a difficult exit

      Britain's competition authority conducted a three-year assessment of the market. The CMA discovered that AWS and Microsoft possess “significant unilateral market power,” backed by high entry barriers and lock-in effects that make switching providers uncommon.

      However, the CMA opted against imposing binding regulations, instead agreeing to voluntary commitments regarding egress fees and interoperability, while launching a separate investigation into Microsoft’s software licensing. Vendors maintain that this dominance is due to true scale, security, and cost benefits, rather than solely lock-in.

      This dilemma is critical because the services are affordable, highly functional, and deeply integrated, complicating any attempts to disentangle them. Europe’s experience indicates that efforts to diminish Big Tech’s influence often meet with internal conflicts.

      At present, the UK has prioritized efficiency but has also increased its exposure, making any recovery of the technology stack a slow and expensive process. The pressing question remains whether the risk remains hypothetical or if an outage or geopolitical event will force the situation into the forefront.

Other articles

Within IBM's concealed 'Court 19' at Wimbledon Within IBM's concealed 'Court 19' at Wimbledon Underneath Wimbledon's 18th court, IBM's 'Court 19' processes 2.7 million data points during each tournament, showcasing the Championships as a platform for AI. Brad Smith: the United States oversees AI without defined regulations. Brad Smith: the United States oversees AI without defined regulations. Microsoft president Brad Smith states that Washington is imposing regulations on AI without clear guidelines, following sudden export-control actions against Anthropic and OpenAI. New EU regulations require the installation of a driver-monitoring camera in each vehicle. New EU regulations require the installation of a driver-monitoring camera in each vehicle. The second phase of the EU's vehicle safety regulations requires all new cars and vans to be equipped with driver-attention cameras and pedestrian-detecting brakes starting from 7 July 2026. Lyzr utilized its own AI agent to assist in securing a $100 million funding round. Lyzr utilized its own AI agent to assist in securing a $100 million funding round. Enterprise AI startup Lyzr reports that its agent, Agent Sam, engaged with over 130 investors while securing a $100 million Series B round at an approximate valuation of $500 million. Suspected Chinese agents infiltrate university email servers. Suspected Chinese agents infiltrate university email servers. Proofpoint reports that a group aligned with China is exploiting vulnerabilities in Roundcube to infiltrate mailboxes at universities in the US and Canada, aiming to steal research related to physics and defense. Jack Dorsey’s Block resolves Cash App fraud allegations with 46 states for $45 million. Jack Dorsey’s Block resolves Cash App fraud allegations with 46 states for $45 million. Block will disburse $45 million to 46 U.S. states concerning the management of fraud on Cash App, as state regulators step in to fill the void left by the diminished CFPB.

Britain's reliance on US cloud services has now become a billion-pound risk.

Almost all public organizations in the UK rely on US hyperscalers, which centralize billions of pounds and essential services within systems that Whitehall cannot completely oversee.