Cloud provider publishes ‘tech sovereignty’ plan for UK

The government should reframe its technology strategy to ensure the UK does not lose control of its digital infrastructure and data in the fallout of potential geopolitical developments, urges domestic cloud provider Civo.

Published on 30 September 2025, Civo’s Tech Sovereignty Agenda outlines seven high-level principles to help reframe the government’s tech strategy, with a particular focus on protecting and nurturing the UK’s homegrown tech ecosystem.

As it stands, the government is attempting to make the UK an artificial intelligence (AI) superpower – with plans to rapidly expand the country’s sovereign compute capacity and create AI growth zones to facilitate the building of new datacentres – with massive investments for the underlying cloud infrastructure coming from Microsoft, Google and Amazon Web Services (AWS) thus far.

In this context, Civo’s call for a new approach follows warnings from the UK’s competition watchdog, the Competition and Markets Authority (CMA), which concluded in late July 2025 that Microsoft and AWS should face “targeted and bespoke” interventions to curb the competition-harming behaviours of these firms.

It also comes on the heels of senior Microsoft employees admitting to the French senate in June 2025 that the company cannot guarantee the sovereignty of European data stored and processed in its services, and revelations published by Computer Weekly that UK public sector data hosted in Microsoft’s hyperscale cloud infrastructure could be processed in more than 100 countries.

The principles outlined by Civo therefore include “sovereign procurement”, to allow UK-owned and operated providers to be prioritised for highly sensitive infrastructure workloads; “transparent investment”, to ensure there is oversight of what is delivered off the back of foreign investment pledges; “resilience first”, to make multi-supplier arrangements mandatory for critical national infrastructure; and “data protection”, to ensure there are clear safeguards in place protecting UK data from foreign jurisdictions.

Other principles focus on creating dedicated “homegrown backing” for UK tech firms; creating a “partnership of equals” to guarantee economic value is retained by the UK rather than lost through net outflows of capital; and establishing “sovereign cloud” capabilities as a national security priority.

The cloud provider argues that, at a time of growing geopolitical uncertainty, it is vital that nation-states look to build resilience into their digital infrastructure.

Highlighting the importance of data storage and the jurisdictions that can access it, Civo added that discussions around digital sovereignty should not be limited to concerns around the physical geography of datacentres, and must also encompass questions of control, trust and access.

Responding to a survey from Civo – the results of which were published in June 2025 – 83% of UK IT leaders said they were worried that geopolitical developments may affect their ability to control and access their data, with 61% of decision-makers now viewing data sovereignty as a strategic priority.

The polling also identified a visibility gap, with just 35% of respondents saying they have full insight into the jurisdiction where their organisation’s data is hosted.

In the UK specifically, the government’s first Chronic risks analysis, published in July 2025 by the Cabinet Office, noted how “the growing dominance of a limited group of service providers is creating dependency risks” – including operational, financial and security vulnerabilities – while also restricting market innovation and customer choice.

The analysis also cited separate findings from the CMA’s “cloud services market investigation”, which found that 70% to 90% of the UK cloud computing market is dominated by just two providers, Microsoft and AWS.

Published on 31 July 2025, that investigation concluded that “competition is not working well” in the UK cloud market.

In line with concerns about where UK data is stored and accessed, Computer Weekly reported in late August 2025 that Microsoft has refused to hand over crucial information about its data flows to Scottish policing bodies, while simultaneously admitting that it is unable to guarantee the sovereignty of data held and processed within its Office 365 infrastructure.

In late September, Computer Weekly then revealed – off the back of an analysis of Microsoft’s own distributed documentation online, conducted by independent security consultant Owen Sayers – that Microsoft personnel or contractors can remotely access Office 365 data from 105 different countries, using 148 different sub-processors.

This includes a wide range of nations without any UK or European data adequacy agreements, including China.

Although the documentation – which is buried in non-indexed, difficult-to-find web pages – came to light in the context of Computer Weekly investigating police cloud use, the issue of routine data transfers within Microsoft’s cloud architecture affects the whole of the UK government and public sector, which are obliged by the G-Cloud and Tepas frameworks to ensure data remains in the UK by default.

“Our Tech Sovereignty Agenda is a call to action to seize the opportunities of UK tech. We have seen plenty of investment in recent months in the UK – all good news. What we need more of is a recognition that the UK’s tech future cannot be entirely outsourced abroad,” said Civo CEO Mark Boost.

“It is too important, and we have too much to offer at home. We need to bring together the best of global tech with a thriving homegrown sovereign tech ecosystem, protecting our digital infrastructure from overreliance on a few foreign firms, and giving the UK the opportunity to thrive on its own terms in this brave new world.”