Date: 2026-03-11

When the chair of your own independent inquiry walks out a year early, citing “glacially slow progress,” that is not a minor administrative footnote - it is a distress signal.

Kip Meek’s departure from the Competition and Markets Authority (CMA) in late January, reportedly driven by frustration at the snail-like pace of action following the cloud services market investigation, should be deeply uncomfortable reading for British businesses that depend on digital infrastructure they can trust, not to mention for everyone in Whitehall and Westminster.

After an extensive two-and-a-half-year investigation, the CMA published its findings in July 2025. The report was explicit: Amazon Web Services (AWS) and Microsoft together account for roughly 80% of the UK’s cloud services market, a duopoly so deeply entrenched that the watchdog recommended both companies be designated with strategic market status. That designation was supposed to trigger stricter rules, open competition, and end the era of anti-competitive licensing practices that have effectively locked UK organisations into one vendor’s ecosystem.

Yet months on, nothing has moved. Every day the CMA delays is a day the market calcifies further. In business terms, “time is money”, and UK customers have been forced to pick up the bill and unwillingly bolster Microsoft’s coffers.

Tightening the grip

They are investing, innovating, and, in Microsoft’s case, launching products that appear specifically designed to tighten the grip. The recently announced Microsoft 365 Local, which runs Office applications on Azure Local infrastructure, is a case in point. Marketed as a path toward greater control for European organisations, many observers see it as precisely the opposite - a strategy to slow the shift toward genuine digital sovereignty by keeping customers anchored to Microsoft’s architecture, just on premises rather than in the public cloud. The wolf, in other words, has changed its coat but it’s still a wolf.

“The CMA must designate AWS and Microsoft with strategic market status, impose meaningful remedies on Microsoft’s licensing practices, and open the market to genuine competition”
Bill McCluggage

There is a serious and underappreciated security dimension to this. Cyber security professionals have raised sustained concerns about hybrid Microsoft configurations, particularly those blending older on-premises infrastructure with cloud-based services. The vulnerabilities are well-documented: legacy authentication protocols that were never designed for the modern threat landscape; hybrid deployments that create seams attackers can exploit; the “harvest now, decrypt later” threat that makes today’s encrypted data tomorrow’s liability; and misconfiguration risks that multiply as complexity increases. The alarming reality is that the world’s default productivity tool is quietly becoming a national security liability. The problem does not go away by layering a new product name on top of familiar architecture – if anything, sprawling hybrid deployments make things worse.

Sovereignty debate

The sovereignty debate makes this particularly acute. In early 2025, the International Criminal Court’s chief prosecutor had his Microsoft Office 365 account suspended following US government sanctions. Whatever the precise sequence of events - and Microsoft’s public account has since been the subject of a parliamentary correction request after a senior executive’s testimony to the House of Commons Business and Trade Committee was found to contain inaccuracies - the episode is only the most visible in a pattern of failures that should concern any organisation deeply dependent on Microsoft.

The company has faced sustained and serious criticism of its security practices. The US Cyber Safety Review Board concluded, following a significant 2023 breach, that Microsoft’s security culture was inadequate and that the intrusion was preventable; Exchange and Active Directory vulnerabilities have repeatedly served as entry points for state-level attackers; and, as noted, a senior Microsoft executive provided parliamentary testimony that was subsequently found to contain inaccuracies and required correction.

Every British public body, NHS trust, local council and financial firm should be asking not only what happens if a provider is compelled to act against your interests, but whether you should be so comprehensively dependent on any single vendor whose track record of critical errors is this well documented. This is only further exacerbated by the migration costs, contractual dependencies and integration complexity that flow from years of unchallenged Microsoft dominance and that have made alternatives financially and functionally inaccessible for most organisations.

That is precisely the kind of market failure the CMA was created to prevent. It has identified the problem. It has written the report. Now it needs to act.