The reliance of Britain on US cloud services has become a billion-pound risk.
TL;DR Nearly the entire UK public sector (95%, or 99% including cloud-based software) relies on US hyperscalers, funneling billions into Microsoft, Amazon, and Google systems. Analysts caution this poses a strategic risk due to potential outages, the US CLOUD Act, and opaque “black box” gateways. The CMA recognized that AWS and Microsoft wield significant market power but chose voluntary commitments over mandatory regulations.
The public sector in Britain has become heavily dependent on a small number of US cloud providers, prompting warnings from analysts about the strategic risks involved. Almost all UK government entities allocate substantial resources to hyperscale cloud services, totaling billions of pounds annually.
According to a data analysis by Computer Weekly, approximately 95% of central and local public-sector organizations utilized hyperscale cloud services in 2023/24, with that figure increasing to 99% when including software running on these platforms, encompassing over 1,100 organizations.
The financial investment is notably concentrated. Out of the £17.7 billion spent with major tech suppliers, 55%, equating to £9.9 billion, was directly directed to hyperscalers or their resellers.
The UK’s largest spenders include the Ministry of Defence at £1.09 billion and HM Revenue & Customs at £1.01 billion, followed by the Home Office, DWP, and NHS England, each committing hundreds of millions.
Three major companies dominate the infrastructure, with Microsoft, Google, and Amazon overseeing the majority of connections across surveyed departments and councils. This reflects a broader trend where reliance on US hyperscalers introduces political risk alongside technical concerns.
Security officials are particularly alarmed not by the frequency of service failures but by the implications of such failures or geopolitical interference. In the past year, 39% of UK companies reported outages from a US hyperscaler, while 77% of IT leaders expressed worries about geopolitical vulnerabilities.
Supplier gateways often act as a “black box” for in-house teams, and the US CLOUD Act permits American authorities to access data held by US-owned companies, even if it resides in the UK. These concerns have sparked interest in European alternatives to AWS, Azure, and GCP.
This dependence is not exclusive to the UK, but the UK’s response has been less stringent compared to other European nations. Brussels has put forward an EU tech sovereignty initiative aimed at limiting US cloud usage for sensitive government data.
After three years of investigation, Britain's competition watchdog, the CMA, concluded that AWS and Microsoft possess “significant unilateral market power,” supported by high barriers and lock-in effects that make switching providers uncommon. However, it opted for voluntary commitments regarding egress fees and interoperability instead of imposing binding regulations, and it has launched a separate inquiry into Microsoft’s software licensing. Vendors argue that their dominance stems from genuine scale, security, and cost benefits rather than merely lock-in tactics.
This situation underscores the dilemma; these services are affordable, effective, and deeply integrated, making them challenging to extricate. Europe’s own efforts to mitigate Big Tech’s influence have encountered internal disagreements.
At present, Britain has traded efficiency for increased exposure, and reclaiming cloud infrastructure would be a gradual and expensive process. The pressing question remains whether the risks will remain hypothetical or if a significant outage or geopolitical incident will precipitate action.
Other articles
The reliance of Britain on US cloud services has become a billion-pound risk.
Almost all public organizations in the UK rely on US hyperscale companies, consolidating billions of pounds and essential services within systems that Whitehall cannot entirely monitor.
