Bradford datacentre with heat reuse gains planning consent

Copyright TechTarget - All rights reserved ComputerWeekly’s best articles of the day https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Tue, 19 May 2026 05:21:32 GMT https://www.computerweekly.com editor@computerweekly.com <p>Bradford is to be the site of one of the UK’s first projects to reuse waste heat from a <a href="https://www.computerweekly.com/resources/Data-Centre">datacentre</a>, after operator <a href="https://www.computerweekly.com/news/366566397/Octopus-Energy-invests-200m-in-datacentre-heat-reuse-startup-Deep-Green">Deep Green</a> this week gained planning consent for a 5.6MW facility. The datacentre will be built next to and integrate with heat generation at the under-construction Bradford Energy Centre.</p> <p>The site – near the junction of Listerhills Road and Thornton Road – aims to provide <a href="https://www.computerweekly.com/news/366639995/Enormous-AI-growth-zone-datacentre-gets-planning-approval">artificial intelligence (AI)-capable datacentre resources</a>, which are estimated to come on stream around the end of 2028, after a 24-month construction period.</p> <p>Instead of venting heat drawn away from computer equipment into the atmosphere, the Deep Green datacentre will transfer excess heat into the Bradford Energy Network and make it available to buildings in the area. </p> <p>The datacentre will use a closed-loop cooling system, which practically eliminates water wastage, and will enable the transfer of heat for further use. </p> <p>Deep Green hopes the Bradford site will provide high-density colocation capacity for universities, public sector bodies and businesses that want to run AI inference and data-intensive workloads.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The UK needs more datacentres. But it does not need more waste. Our model is simple – use the electrons twice. First to power AI and high-performance computing. Then to heat homes and buildings </figure> <figcaption> <strong>Mark Lee, Deep Green</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Reuse of heat from datacentres has made little progress in the UK. Elsewhere, Deep Green has a datacentre project in Greater Manchester that will provide heat for a nearby swimming pool. Meanwhile, in London, Vantage Data Centres has a project underway where datacentre heat could be used to warm up to 25,000 homes.</p> <p>Mark Lee, chief executive of Deep Green, said: “The UK needs more datacentres. But it does not need more waste. Our model is simple – use the electrons twice. First to power AI and high-performance computing. Then to heat homes and buildings.”</p> <p>Datacentres produce heat to practically the same level as they consume electricity for compute. So, for every megawatt expended on compute, that amount of heat is produced. In the not-too-distant future, <a href="https://www.computerweekly.com/news/366639658/Huge-grid-and-heat-challenges-ahead-as-Nvidia-set-for-1MW-rack">AI racks of 1MW each</a> – achievable by 2028, according to Nvidia’s roadmap – will produce the equivalent heat of 200 electric ovens. </p> <p>But there are challenges to using that heat. A major one is that the temperature of cooling water coming out of datacentre racks is not very hot in the power generation scheme of things. For that reason, it is not possible to generate electricity from it, so it can only really be used for a local heating scheme.</p> <p>There are almost none of these in the UK, so there is nothing for a datacentre that wants to reuse heat to link up to. </p> <p>The Bradford Energy Scheme is an exception. It is a large-scale heat pump with underground pipes that transport heat across the city, which were laid ahead of the recent pedestrianisation of Bradford city centre. They link to university and college buildings and Bradford City Hall, with the option for others in the city centre to connect in the coming years. </p> <p>Tracy Brabin, mayor of West Yorkshire, said: “Deep Green’s pioneering approach will power our businesses, heat our communities, support the creation of good jobs and help us meet our net-zero ambitions. As the UK’s youngest city and its leading producer of applied AI postgraduates, Bradford is perfectly placed to harness this opportunity and help us innovate to build a stronger, better off West Yorkshire.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about datacentres</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640447/Hit-the-north-UK-datacentre-focus-shifts-to-M62-and-points-north">UK datacentre focus shifts to M62 and points north</a>: Barbour ABI data shows 8GW of total datacentre pipeline with most big projects in the north and Scotland, while London and the M4 corridor are about 25% of projected capacity.</li> <li><a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">Data dive – UK government’s 2030 datacentre capacity targets look shaky</a>. We look at UK datacentre capacity – current and projected – and find DSIT’s 2030 target for 6GW of AI-capable capacity is currently out of reach, unless operators get a move on.</li> </ul> </div> </div> Deep Green’s 5.6MW AI datacentre will take 24 months to build and will link up to an energy centre to heat buildings across Bradford city centre via pre-laid pipes https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Bradford-Energy-Centre-CREDIT-LDRS-Norr-hero.jpg https://www.computerweekly.com/news/366643098/Bradford-datacentre-with-heat-reuse-gains-planning-consent Thu, 14 May 2026 09:31:00 GMT Bradford datacentre with heat reuse gains planning consent <p>For many IT leaders, the move to public cloud has already happened. For others, it is accelerating fast. The case is familiar, and focuses on scalability, resilience, speed, and access to advanced services that are hard to replicate on‑premise. What is less clear is how to measure and confidently <a href="https://www.computerweekly.com/resources/Data-centre-energy-efficiency-and-green-IT">manage the environmental impact</a> of that shift. </p> <p>Cloud providers have made real progress in carbon reporting, but anyone <a href="https://www.computerweekly.com/news/366642586/Interview-Hitachi-Vantara-takes-long-view-on-business-and-sustainability">responsible for sustainability</a>, risk or compliance will recognise a growing problem. The data behind cloud emissions is still inconsistent, incomplete and hard to validate. As reporting expectations tighten, especially under frameworks like the corporate sustainability reporting directive (CSRD), that uncertainty is becoming more than an academic issue.   </p> <h3>Cloud carbon data quite opaque</h3> <p>The uncomfortable truth is this that cloud <a href="https://www.computerweekly.com/news/366642416/DSIT-gets-sums-badly-wrong-on-AI-datacentre-carbon-footprint">carbon data</a> is not yet transparent enough to rely on blindly. That does not however mean that organisations are powerless. It means they need to take a different approach. </p> <p>This approach is rooted in better architecture, not better promises, and by building a cloud carbon data supply chain, business and IT leaders will have the foundations necessary to accelerate their path to net zero while improving efficiency too. </p> <p>This is an area that Digital Catapult is supporting through targeted intervention to accelerate the practical application of deep tech innovation across industry. Through our engagement with industry, it’s clear that cloud emissions data should be treated like any other complex supply chain, requiring traceability, governance and system-level design.  </p> <h3>The problem isn’t effort, it’s structure </h3> <p>AWS, Microsoft and Google all publish customer carbon tools that provide region‑level estimates, service‑level insights and increasingly granular Scope 3 coverage. This progress should not be dismissed. Independent analysis, however, continues to show structural gaps which include methodologies that differ between providers, market-based accounting which dominates the space and often masks real grid impacts, and region-level data that remains patchy or averaged. </p> <p>For organisations preparing for more rigorous sustainability assurance, this creates an awkward question around the best way to make credible decisions when the underlying data is imperfect. The answer is not to wait for hyper-scalers to “fix” transparency, but to design for imperfection. In convening capabilities and strengthening UK industrial supply chain resilience, we recognise the innovation necessary to do this and the insight that can be applied from the logistics and supply chain space to solve this challenge.  </p> <h3>Lessons from physical supply chains </h3> <p>Other sectors have faced this problem for years. Manufacturing supply chains rarely have clean, uniform carbon data. They operate across tiers, borders and contractual boundaries, with inconsistent formats and limited verification. Digital Catapult’s Cross‑Catapult Carbon Accounting (CCCA) research shows that progress comes not from perfect data, but from good systems. </p> <p>In manufacturing, shared data frameworks, traceability and governance allow organisations to work with incomplete information while still producing auditable outcomes. Cloud emissions are no different, and treating cloud sustainability as a data supply chain, rather than a single report, changes the equation and will be critical to enabling sustainable carbon cloud computing that will equip the UK to be future ready. </p> <h3>What does a cloud carbon data supply chain look like? </h3> <p>In practice, a cloud carbon data supply chain can be broken down into four layers, starting with the data producers. These include cloud provider dashboards, but also independent grid‑carbon datasets such as <a href="https://app.electricitymaps.com/map/live/fifteen_minutes">Electricity Maps</a> or <a href="https://watttime.org/">WattTime</a>, hourly renewable energy certificates aligned with <a href="https://energytag.org/">EnergyTag</a>, and internal telemetry showing how workloads actually behave, and no single source is sufficient on its own. </p> <p>The second layer is transformation and modelling, where raw data must be normalised. Regions, scopes and accounting methods need consistent definitions and data lineage must be explicit. This layer also supports dual accounting, with market-based figures for reporting, and location-based figures to understand real operational impact.  </p> <p> The third layer is governance and trust, which is often the missing piece. Standard KPIs (such as PUE, WUE and CUE), verification rules and clear treatment of Scope 3 and Scope 3 emissions make outputs defensible. Where data is unavailable, procurement and contracts must step in to set transparency expectations. </p> <p>The final layer is decision and reporting, and only once the upstream system is credible should data flow into dashboards, optimisation tools and regulatory reports. Reporting becomes a by-product of good architecture, not a scramble at year end. There are key benefits to building a cloud carbon data supply chain, and there are certain steps that IT leaders can take now to set themselves up for the future and to unlock new opportunities.   </p> <h3>What IT leaders can do now  </h3> <p>When it comes to the necessary steps that IT leaders can take now to build the architecture required for sustainable cloud computing, cloud provider tools should be used but never in isolation. </p> <p>Comparing market‑ and location‑based views and validating both against independent grid data immediately improves understanding and reflects a more resilient, supply chain-led approach to carbon data. Moreover, region selection should be treated as a sustainability decision, not just a cost or latency choice, particularly as digital infrastructure becomes more tightly coupled with energy systems and grid dynamics.  </p> <p>Google’s publication of regional clean energy data and Microsoft’s carbon optimisation tools make this increasingly practical for IT leaders, and this is where Digital Catapult is supporting partners to translate insight into action. </p> <p>Carbon-aware workload scheduling for example, can reduce emissions for certain workloads, particularly batch and AI training jobs, but evidence shows benefits vary. The opportunity lies in selective, data‑driven application, not blanket rules. </p> <p>At the engineering level, Software Carbon Intensity (SCI) metrics allow teams to compare architectures, optimise code and track improvements over time, without simply shifting emissions elsewhere. </p> <p>Alongside this, organisations should actively demand greater transparency through procurement. Region‑level emissions data, standard efficiency metrics, access to raw APIs and optional granular energy certificates all reduce long‑term risk and rework. In following these steps, IT leaders can unlock new opportunities to mobilise commercial growth while navigating regulatory frameworks and enabling many to present accurate emissions data on their cloud activity.   </p> <p>Taken together, these steps form the foundations of a cloud carbon data supply chain, enabling organisations to move from fragmented, inconsistent data toward a more robust, auditable and decision-ready system. In doing so, IT leaders can not only improve sustainability outcomes, but also unlock operational efficiencies, support compliance with evolving frameworks, and drive more resilient, future-ready digital infrastructure.   </p> <p>While hyperscalers are improving their disclosures, gaps will remain for some time. Waiting for perfect data is therefore a losing strategy and is why Digital Catapult continues to partner with industry leaders to support them as they consider alternative solutions that leverage deep tech innovation. </p> <p>This is why we emphasise that a better response is to treat cloud emissions like any other critical supply chain, recognising the value of building a framework for improved resilience, governance and traceability. Organisations that do so will not only improve sustainability outcomes, but also strengthen compliance, credibility and decision‑making, equipping many to be future-ready.  </p> <p>Cloud sustainability is no longer just about what providers claim. It is about how enterprises design the systems that sit on top, and any business interested in understanding how to integrate and apply novel design systems can learn more here.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more from the IT Sustainability Think Tank</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/opinion/How-to-improve-AI-efficiency-beyond-cost-optimisation">How to improve AI efficiency beyond cost optimisation</a>. With half of generative AI projects expected to overrun budgets by 2028, IT leaders must drive efficiency across the AI stack to protect margins and address environmental challenges</li> <li><a href="https://www.computerweekly.com/opinion/What-you-need-to-know-before-emissions-regulators-come-knocking">What you need to know before emissions regulators come knocking</a>. Carbon emissions reporting is becoming mandatory. But accounting is not the same as reducing, especially given the smoke and mirrors in some carbon footprint reporting</li> </ul> </div> </div> <p></p> <p></p> Why better architecture – not better promises – is the key to sustainable cloud computing. The data isn’t perfect but there are steps IT leaders can take to build the right structure https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/IT-sustainability-think-tank-hero.jpg https://www.computerweekly.com/opinion/How-to-build-a-cloud-carbon-data-supply-chain Wed, 13 May 2026 11:59:00 GMT How to build a cloud carbon data supply chain <p>Modern societies do not just use data. They depend on it. Banking systems, hospitals, logistics networks, and governments all rely on continuous access to digital infrastructure. Yet recent attacks on <a href="https://www.computerweekly.com/resources/Data-Centre">datacentres</a> in the Middle East point to a growing vulnerability. The systems that sustain everyday life are not only digital, but physical, and increasingly exposed to conflict.</p> <p>Policy debates have largely focused on who controls data. <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">Advocates of data sovereignty</a> argue that keeping data within national borders strengthens legal authority and reduces reliance on foreign actors. Others emphasise the advantages of globally-distributed cloud infrastructure, including efficiency, scalability, and redundancy. </p> <p>But both approaches overlook a more fundamental issue. In conflict, control over data matters less than whether it remains accessible at all. Data sovereignty, on its own, does not guarantee protection.</p> <p>In fact, it can create new vulnerabilities. When critical systems – financial services, healthcare records, government databases – are concentrated within national borders, they may become single points of failure. In a conflict scenario, targeted disruption could disable essential services. Keeping data “at home” may strengthen legal control, but it can also make it easier to disrupt.</p> <section class="section main-article-chapter" data-menu-title="Sovereign a bunched target; cloud beyond national control"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Sovereign a bunched target; cloud beyond national control</h2> <p>At the same time, reliance on global cloud providers introduces a different kind of risk.</p> <p>Infrastructure operated by companies such as Amazon or Microsoft offers resilience through distribution, but it <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">places critical data beyond full national control</a>. During crises, access to data stored across jurisdictions may be shaped by foreign laws, corporate decisions, or geopolitical pressures. What appears resilient in technical terms may prove uncertain in political ones.</p> <p>Both models are largely optimised for peacetime. They prioritise efficiency, scale, and control, but not resilience under conditions of disruption.</p> <p>A more useful starting point is to shift the focus from control to resilience. The question is not simply where data is stored or who governs it, but whether systems can continue to function when infrastructure is degraded, fragmented, or under attack.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">Is cloud data sovereignty all just a case of ‘Trust me, bro’?</a> Hyperscaler cloud is inherently global. Does that make data sovereignty unattainable – especially given the powers US courts hold? We grilled the hyperscalers in an attempt to find out. </li> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold: Responses to data sovereignty risk</a>. We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="Many systems are “dual use”"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Many systems are “dual use”</h2> <p>One proposed approach is to separate military and civilian data systems. This aligns with long-standing principles under the Geneva Conventions, which seek to limit harm to civilian infrastructure. Clear separation could, in theory, reduce the likelihood that civilian datacentres are treated as legitimate targets.</p> <p>However, this distinction is difficult to sustain in practice. Digital systems are deeply interconnected. Civilian infrastructure supports logistics, communication, and other functions with military relevance. Many systems are therefore “dual use”, making them difficult to classify and potentially vulnerable regardless of formal designation.</p> <p>There is also a legal gap. Existing international humanitarian law was developed in a context where infrastructure could be more clearly categorised as civilian or military. Datacentres do not fit easily into this framework, particularly when they are privately operated and globally integrated. </p> <p>As a result, the systems that underpin hospitals, financial networks, and public services occupy a grey zone – essential to civilian life, but not clearly protected as such. The rise of AI will only deepen this ambiguity. Systems that power everyday services – routing deliveries, managing traffic, analysing data – can be repurposed in real time for military logistics or strategic decision-making.</p> </section> <section class="section main-article-chapter" data-menu-title="A hybrid approach for developing countries?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A hybrid approach for developing countries?</h2> <p>These challenges are especially pronounced for smaller and developing countries. In many such contexts, digital systems are already constrained by limited infrastructure and institutional capacity. Full data localisation may be impractical, while complete reliance on external providers creates exposure to external disruptions. Here, resilience is less about asserting control over data location and more about ensuring continuity under stress.</p> <p>A more feasible approach is diversification: maintaining limited domestic capacity for essential services, while securing reliable backup arrangements across trusted partners. In this context, sovereignty is not defined solely by where data resides, but by whether access can be maintained when it is most needed.</p> <p>Private technology companies also play a central role. As operators of critical infrastructure, they are increasingly part of national resilience. This raises questions about their responsibilities in ensuring continuity, transparency, and equitable access during crises, particularly when their operations span multiple jurisdictions.</p> </section> <section class="section main-article-chapter" data-menu-title="A source of strength; a source of weakness"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A source of strength; a source of weakness</h2> <p>From a technical perspective, strengthening resilience requires rethinking system design. While the internet was originally built with redundancy in mind, contemporary cloud architectures often prioritise efficiency and centralisation. Highly interconnected systems can amplify failures rather than contain them. </p> <p>Building resilience means distributing infrastructure across diverse locations, reducing hidden dependencies, and enabling systems to operate in degraded conditions when necessary.</p> <p>The implications extend beyond data policy. As dependence on digital systems grows, decisions about data storage, infrastructure providers, and jurisdictional control increasingly intersect with foreign policy, trade, and security strategy. </p> <p>Data governance is no longer only about regulation – it is part of how states manage risk. When the internet first developed, security and privacy were treated as secondary concerns, addressed gradually as new risks emerged. A similar lag is now visible in how we govern data infrastructure in conflict.</p> <p>Data systems are now as critical – and as vulnerable – as physical supply chains. The central question is no longer simply who controls data, but whether societies can still function when access to it is disrupted. In the end, data that cannot be accessed is data that cannot be governed.</p> </section> The recent Middle East conflict shows the contradictions inherent in modern data systems and the need to focus less on who controls data and more on how to protect the infrastructure https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/drone-missiles-automated-weapon-military-chesky-adobe.jpg https://www.computerweekly.com/opinion/Can-data-sovereignty-become-a-liability-in-war Wed, 13 May 2026 11:09:00 GMT Can data sovereignty become a liability in war? <p>Electricity grid “land grabs” to ensure capacity ahead of graphics processing unit (GPU) shipments. Additions to capacity as ever-larger <a href="https://www.computerweekly.com/resources/Data-centre-capacity-planning">datacentres switch on</a>. And the arrival, deployment and “burning in” of Hopper and Blackwell GPUs. </p> <p>These are some of the things we can see in <a href="https://ukpowernetworks.opendatasoft.com/explore/assets/ukpn-data-centre-demand-profiles/">data from electricity grid provider UK Power Networks (UKPN)</a>, which provides electricity utilisation rates taken half hourly for 96 datacentre sites within its region. This stretches from the datacentre hotspots of west London and Docklands, south-eastwards to Kent, Surrey and Sussex, and includes all of Essex and East Anglia. </p> <p>Computer Weekly research conducted in March 2026 analysed Electricity Performance Certificate data to <a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">identify datacentre locations and capacities</a>, finding 80 datacentres in the UKPN region with a combined capacity of 798MW.</p> <p>The UKPN dataset starts at the beginning of 2023 and runs to April 2026. Altogether, it comprises almost 5.4 million rows and covers datacentres categorised by the voltage they import from the grid: extra-high voltage (12 sites), high voltage (60), and low voltage (24).</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f.jpg"> <img data-src="https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f_mobile.jpg" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f_mobile.jpg 960w,https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f.jpg 1280w" alt="Chart shows datacentre power demand data from UK Power Networks" height="411" width="560"> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Utilisation ratios are calculated by comparing actual electricity import – measured half-hourly by smart meter – against the maximum capacity booked by the customer. </p> <p>Site voltage corresponds to the likely size of the datacentre. Low-voltage (LV) sites are typically 400V connections for smaller enterprises, edge datacentres and server rooms. High voltage (HV) in the UKPN data likely refers to 11kV or 33kV connections to colocation hubs and mid-range datacentres. Extra-high-voltage (EHV) connections are 33kV, 66kV, or 132kV, and cover hyperscale campuses and emerging artificial intelligence (AI) factories.</p> <p>The average utilisation rate for all UKPN data is just over 20% of booked capacity. Extra-high-voltage sites use the least of their allotted supply (12%), while low-voltage sites use more (18%).</p> <p>We have taken the data points and split them by voltage levels that correspond to datacentre size. These are then shown in a chart where dips, plateaus, spikes, and so on are visible. These correspond to real-world events that include activation of new datacentre capacity, increases in booked capacity in advance of AI GPU deployments, the heatwave of July and August 2025, actual deployment and “burning in” of AI datacentre infrastructure, and a rush to beat Ofgem’s “use it or lose it” directive in early 2026.</p> <p>Bear in mind that the chart shows utilisation rate, so while in some cases the cause of a spike might be obvious – such as increased power draw for cooling during a heatwave – other changes might not be so obvious, such as an increase in booked capacity that changes the ratio.  </p> <p>Now let’s look at some of the key events that show up in the data. </p> <section class="section main-article-chapter" data-menu-title="Small sites can’t deal with the heatwave: July and August 2025"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Small sites can’t deal with the heatwave: July and August 2025</h2> <p>One of the most pronounced spikes in the green (low-voltage site) data occurred in July and August 2025, when meteorological data shows the UK faced four distinct heatwaves between June and August. Temperatures reached 35.8°C in Kent on 1 July, while August saw sustained high night-time temperatures. </p> <p>The spikes in the chart show the electrical signature of smaller air-cooled datacentres and server rooms desperately trying to keep temperatures down. Unlike large hyperscale sites that use liquid cooling, smaller sites are the most vulnerable to climate stress.</p> <p>They typically rely on legacy direct expansion air-conditioning. When ambient temperatures exceed 30°C, these units draw two or three times their normal power just to maintain the status quo. Electricity utilisation ratio spikes here because total facility power skyrockets while IT load remains static, resulting in a temporary collapse of <a href="https://www.techtarget.com/searchdatacenter/definition/power-usage-effectiveness-PUE">power usage effectiveness (PUE)</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="Capacity increases: Ratios decline – late 2023 into 2024"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Capacity increases: Ratios decline – late 2023 into 2024</h2> <p>Much of the story revealed by the data is that of large-scale sites adding capacity, and booking more electricity supply in anticipation of deliveries and deployment of GPUs. This started to happen in late 2023 and into 2024. </p> <p>The sudden drop-off in September and October 2023 for the largest datacentres – the red line – is likely the result of capacity coming online. </p> <p>So, when a hyperscale site activates a new phase, its import capacity – the total power booked from the grid (the denominator) – jumps instantly. But because the IT load (the numerator) only populates as servers are physically racked and “burned in” over subsequent months, the utilisation percentage appears to crash.</p> <p>At the same time, we see gradual (blue line) and more pronounced (green line) declines in late 2023 and into 2024. That’s a likely indication that larger, newer, more efficient facilities are pulling general-purpose workloads away from the older small and mid-range facilities.</p> <p>CBRE’s forecast for large-scale colocation take-up in London in 2024 was forecast to hit 130MW, and as this new, efficient capacity came online, it “emptied” the less efficient sites.</p> <p>The fact that the smallest datacentres (likely enterprise-owned or older retail colocation sites) took until May 2024 to settle from utilisation ratios of 0.2 to 0.15 indicates a longer migration period. Unlike the hyperscalers, which move workloads in massive, software-defined blocks, smaller organisations are more likely to be bound by physical hardware lifecycles. </p> <p>Sites that activated capacity in late 2023 included:</p> <ul class="default-list"> <li>Iron Mountain’s LON-2, with the first phase of its eventual 27MW of capacity in Slough, was confirmed as operational at the end of 2023. Its grid capacity was likely booked into the UKPN system in September 2023 as part of its pre-commissioning phase.</li> <li>Equinix’s LD11x/LD13 expansions, meanwhile, were specifically designed to lure the big three hyperscalers, and moved from construction to “available capacity” in late 2023.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="GPU supply constraint and the ‘West London land grab’"> <h2 class="section-title"><i class="icon" data-icon="1"></i>GPU supply constraint and the ‘West London land grab’</h2> <p>From late 2023, the lead times on Nvidia GPU clusters became very lengthy, with Omdia reporting 36 to 52 weeks for H100-based servers. At the same time, datacentre operators scrambled for grid supply, often booking way beyond what they would immediately use so they could be ready to deploy Hopper GPUs when they finally arrived in mid- to late-2024. That’s another reason grid utilisation appears to plummet in late 2023 in the chart. </p> <p>In July 2022, the Greater London Authority (GLA) sent a warning to developers, stating that major new planning applications in Hillingdon, Ealing and Hounslow would face delays of up to a decade, with some connection dates pushed back as far as 2035 or 2037.</p> <p>That breaking point was triggered by the extreme concentration of datacentres along the M4 corridor. By mid-2023, datacentres accounted for 18% of total demand in West London. Transmission-level capacity and local distribution reached full capacity because developers had legally “reserved” future power capacity and left zero headroom for new housing or industrial projects.</p> <p>Financial reports from datacentre Real Estate Investment Trusts (REITs) like Equinix and Digital Realty back this up. In their 2023 annual reports, these firms noted record “backlog” levels, where capacity was signed and committed but not yet billing.</p> <p>In the data, a high backlog means the distribution network operator (UKPN) has allocated the power, but the servers aren’t spinning, and this matches the 2023-2024 trough where utilisation ratios settled at a lower baseline compared with the pre-AI land grab.</p> <p>The reason the ratio didn’t bounce back immediately is that AI density is more efficient than legacy density. A rack of H100s might draw 40kW, but it replaces dozens of legacy racks drawing 5kW each. As hopper GPUs finally arrived in mid- to late-2024, they filled that phantom capacity, but because grid capacity had been aggressively over-booked in 2023, utilisation ratios remained low. The industry effectively built a buffer that it is still filling today.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about datacentres</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">Data dive – UK government’s 2030 datacentre capacity targets look shaky</a>: We look at UK datacentre capacity – current and projected – and find DSIT’s 2030 target for 6GW of AI-capable capacity is currently out of reach, unless operators get a move on.</li> <li><a href="https://www.computerweekly.com/feature/Data-dive-A-new-American-Century-in-the-datacentre-pipeline">Data dive – a new American Century in the datacentre pipeline?</a> Looking at datacentre development internationally, we see how the UK faces apparent relative decline, how countries are responding to the AI age, and what MW vs GDP can tell us.</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="GPU deployment, AI datacentre burn-in: 2024 and 2025"> <h2 class="section-title"><i class="icon" data-icon="1"></i>GPU deployment, AI datacentre burn-in: 2024 and 2025</h2> <p>The peaks of mid-2024 fit with the likely deployment of Nvidia Hopper (H100/H200) GPUs. The Hopper generation was the first GPU to hit a 700W Thermal Design Power (TDP) – ie, the wattage for which its cooling had to be designed. An HGX H100 node of eight GPUs draws roughly 10.2kW. The spikes in the data from late-2024 likely represent the initiation of large-scale training runs where thousands of these units synchronise their power draw.</p> <p>These represented a shift in datacentre power dynamics, from the steady-state draws of the previous Ampere (A100) generation to highly volatile, high-density profiles.</p> <p>Late 2025 marked a pivot from Hopper to Blackwell’s high-density liquid-cooled requirements. This transition is reflected in the UKPN telemetry as a distinct shift from steady-state power draw to the volatile, “peaky” plateaus of large-scale Blackwell training epochs. </p> <p>The “mountain range” in the chart beginning in November 2025 marks the power-on month for the UK’s first Nvidia Blackwell (B200) clusters. This is the signature of initial model training, which is an extremely intensive, non-stop process.</p> <p>Each B200 GPU has a base 1,000W TDP, configurable up to 1,200W. The GB200 Grace-Blackwell Superchip, meanwhile – which shipped from late 2024 – mandated direct-to-chip liquid cooling to manage its extreme density. </p> <p>The smoking gun here is the launch of the Nebius AI Cloud cluster at Ark Data Centres’ Longcross Park in Surrey. This went live in November 2025 with several thousand Nvidia Blackwell GPUs and a 16MW signature. </p> <p>The EHV line remains elevated and jagged through March 2026, reflecting the high, sustained draw of “epochs” and “checkpoints” during frontier model pre-training.</p> </section> <section class="section main-article-chapter" data-menu-title="One final spike: Use it so they don’t lose it?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>One final spike: Use it so they don’t lose it?</h2> <p>The giant spike in late March 2026 coincides with the Ofgem Demand Connections Reform deadline of 13 March 2026. </p> <p>In the face of massive increases in electricity demand, not least by datacentre operators – and with the demand queue soaring to 125GW by June 2025 – Ofgem had proposed tougher financial tests and <a href="https://data.parliament.uk/DepositedPapers/Files/DEP2023-0906/connections.pdf">“use it or lose it”</a> rules to clear the queue. Large-scale operators with parked capacity were incentivised to show power draw to prove their projects were “viable” and “strategically important” before the new rules could claw back their unutilised megawatts.</p> </section> Electricity supply utilisation ratios show datacentre developer ‘land grab’, capacity switch-ons, the coming of Hopper and Blackwell GPUs, and usage ramping during training runs https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Fotolia_108959769_datacenter_cooling.jpg https://www.computerweekly.com/news/366642960/Data-dive-Power-grid-data-shows-birth-of-AI-in-UK-datacentres Wed, 13 May 2026 07:55:00 GMT Data dive: Power grid data shows birth of AI in UK datacentres <p>Datacentre capacity has reached 67.7GW globally, with five countries accounting for 69% of that total, and the US alone accounting for 43%, according to the <a href="https://www.idc-a.org/">International Datacentre Authority’s (IDCA)</a> <em>Datacentre report 2026</em>.</p> <p>The study based its research on data from organisations such as the International Energy Agency, World Bank, United Nations and International Telecommunications Union, as well as governments, datacentre developers and operators.  </p> <p>It discovered that where datacentres account for 5% or more of <a href="https://www.computerweekly.com/news/366634715/Datacentre-energy-demands-set-to-soar-by-2030-as-AI-growth-accelerates-predicts-Gartner">electricity grid usage</a>, there seemed to be a threshold at which public opposition rises significantly and governments move from incentives to regulation.</p> <p>And while there was huge growth in <a href="https://www.computerweekly.com/resources/Data-Centre">the datacentre industry</a>, whether a nation or region can profit optimally depended on using its resources wisely and attaining tech sector skills among 2.5% of the workforce, it found.</p> <p>The US was the site for the most datacentre capacity, with 29.2GW of a global total 67.7GW. US datacentres accounted for 6% of the country’s electricity supply. Behind the US are: China, 8.5GW and 0.8% of electricity use; Germany, 5.5GW (9.5%), UK, 2GW (5.8%), and Japan, 1.7GW (1.5%). Those five states accounted for 69% of global datacentre capacity. </p> <p>In the US, however, the IDCA research estimated that 13% of datacentre consumption – around 3GW – was unused but still live capacity.</p> <p>China emerged as the “sleeping giant”, according to the report, because less than 1% of electricity production was devoted to datacentres, despite producing almost twice the amount of electricity as the US.</p> <section class="section main-article-chapter" data-menu-title="International haves and have-nots"> <h2 class="section-title"><i class="icon" data-icon="1"></i>International haves and have-nots</h2> <p>The report concluded that 5% of electricity grid usage going to datacentres was the threshold at which public concern, government regulation and grid supply can be seen to increase. It pointed to the US, which has seen <a href="https://www.computerweekly.com/news/366639449/UK-to-see-weekend-protests-against-dirty-datacentres">community pushback</a> and connection difficulties in the Midwest, Texas and California, with multi-year delays in the ability to provision power new facilities.</p> <p>Meanwhile, in Europe, the Netherlands, Germany, and Switzerland have exceeded the 9% consumption level, while that’s also the case for Singapore. </p> <p>Also in Europe, the report found that countries with electricity grids driven by nuclear power – such as France, Slovakia and Slovenia – may relieve these constraints. </p> <p>At the other end of the scale, it discovered that more than 70 countries devoted less than 0.1% of their power to datacentres, and for more than 30 countries that figure was less than 0.01%.</p> </section> <section class="section main-article-chapter" data-menu-title="Datacentre energy use league table"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Datacentre energy use league table</h2> <p>Singapore used the highest proportion of its electricity to power datacentres at 19.5% of the total generated. Next in the IDCA report was Lithuania (11.1%), the Netherlands (9.7%), Denmark (8.4%), Ireland (8.2%), Estonia (6.9%), Luxembourg (6.3%), Germany (6.1%), Hong Kong (6%) and the US (6%). Further down the rankings are Australia (5.1%), the UK (3.6%), South Korea (2%), Japan (1.2%), and India and China (both 0.8%).</p> <p>IDCA built what it described as an optimised national model of ideal consumption levels for each nation, noting that construction of new datacentres was contingent on stronger electricity grids and robust fibre-optic networks.</p> <p>For developed nations, IDCA said 6.25% of national electricity consumption was an effective cap on datacentre growth – i.e., it was the point at which the correlation was very strong between datacentre consumption and political actions and community pushback that result in projects being cancelled or slowed.  </p> <p>Meanwhile, IDCA ranked countries by the headroom they possess to build datacentres without significantly needing to develop new electricity generation. Here, IDCA ranked countries by headroom measured in GW. China led the way with 58.9GW of headroom, followed by India (12.7GW), Russia (6.7GW), Japan (5.5GW), Brazil (4.5GW), Canada (3.6GW), South Korea (3.2GW), Saudi Arabia (2.6GW), Iran (2.4GW) and Mexico (2.4GW).</p> </section> <section class="section main-article-chapter" data-menu-title="The water stress scale"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The water stress scale</h2> <p>IDCA pointed out that modern AI datacentres require <a href="https://www.computerweekly.com/feature/How-to-keep-datacentres-cool">liquid cooling</a> but that a lot of pushback around perceived worries over water use are misguided. That’s because the latest direct-to-chip cooling systems are closed systems that recycle water somewhat similar to a car radiator.</p> <p>Having said that, the IDCA report stated: “The vast majority of existing traditional cloud and enterprise facilities rely on older, less efficient cooling architectures like water-cooled chillers or evaporative cooling towers. In these legacy designs, water is evaporated to remove the latent heat of vaporisation from the air, and that evaporated water is never recovered.”</p> <p>The IDCA report ranked countries on a “water stress” scale of 0-100, where those with deserts are unsurprisingly high on the scale and mountainous and riverine states at the low end. Most at risk are Bahrain (100), Belize (86), Libya (80), Kuwait (80) and South Sudan (73). The least at risk are Norway (0), New Zealand (0), Iceland (1), Canada (2) and Bhutan (3).</p> </section> <section class="section main-article-chapter" data-menu-title="Servers per head differential of 100,000x"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Servers per head differential of 100,000x</h2> <p>The IDCA report said there was a difference of 100,000x in the number of servers per head of population between the most and least dense in this respect.  Providing connectivity alongside this, IDCA said there was an estimated 1.3 to 1.5 million km of subsea cables, in around 550 systems, with about 1,200 landing stations. </p> <p>Out of these, there are around 70 landing stations in the US, 50 in the UK and more than 12 in countries that include the Philippines, Indonesia, Japan, Spain, Denmark, Sweden and some Middle Eastern countries. Meanwhile, there are around 14 million km of terrestrial cables in main networks. </p> </section> <section class="section main-article-chapter" data-menu-title="IT jobs deficit"> <h2 class="section-title"><i class="icon" data-icon="1"></i>IT jobs deficit</h2> <p>IDCA found that IT jobs worldwide account for between 0.1% and 4% of populations. According to IDCA, 2.5% of the workforce employed in tech was optimum to “to ensure a thorough, successful digital economy creation and management”, though this varied based on local conditions and expectations. </p> <p>Overall, the IDCA found that there was a deficit of 100 million IT-related jobs worldwide, with developing nations accounting for 80% of that.</p> <p>Ranking countries with the most deficit, top of the list was India, with a shortfall of 28.8 million in the IT workforce, followed by China (17.5 million), Pakistan (5.8 million), Nigeria (5.8 million), and Indonesia (5.3 million). </p> </section> <section class="section main-article-chapter" data-menu-title="Gamma, Sigma and Goldilocks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Gamma, Sigma and Goldilocks</h2> <p>The report covered a number of other areas in connection with datacentres that include datacentre security, standards, design, investment and community pushback. It also provided three indexes: Gamma, Sigma and Goldilocks, with countries ranked 0-100. </p> <p>The Gamma index looked at technological and social factors in digital readiness. Top of the list was: Finland at 85 (with Scandinavia collectively ranking 83), the Netherlands (83), Estonia (80), New Zealand (79) and Switzerland (79). Bottom of the list was: Equatorial Guinea (4), South Sudan (12), Turkmenistan (17), Haiti (17), and Democratic Republic of Congo (19). The UK ranked 14th, with a score of 74. </p> <p>The Sigma index integrated the Gamma index, with adjustments for stress on water and electricity grids, such as the amount of headroom they possess, for example. The Sigma index was topped by Finland (99), followed by Sweden (97), Norway (97), New Zealand (94) and Iceland (94). The UK was ranked 15th (84).</p> <p>“The Sigma Index is useful in determining a nation’s overall suitability for rapid datacentre growth and the digital infrastructure that would accompany it,” the report said.</p> <p>Finally, the IDCA report provided a Goldilocks index, which technological factors are separated from the rest then comparing those to the cost of living and income. That way, it hoped to provide an idea of countries for whom rapid development would not be disruptive and would hit “just right”. Top of the Goldilocks index was Colombia with a score of 5.2, followed by North Macedonia, China, South Africa and Montenegro, all on 5.2 except the last of these (5.1). </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about datacentre development</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">Data dive: UK government’s 2030 datacentre capacity targets look shaky</a>. We look at UK datacentre capacity – current and projected – and find DSIT’s 2030 target for 6GW of AI-capable capacity is currently out of reach, unless operators get a move on</li> <li><a href="https://www.computerweekly.com/news/366640447/Hit-the-north-UK-datacentre-focus-shifts-to-M62-and-points-north">Hit the north! UK datacentre focus shifts to M62 and points north</a>. Barbour ABI data shows 8GW of total datacentre pipeline with most big projects in the north and Scotland, while London and the M4 corridor are about 25% of projected capacity. </li> </ul> </div> </div> </section> International Data Center Authority report shows capacity concentrated in a few developed nations, while ‘Goldilocks index’ shows which states can benefit from rapid development https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/bear-wild-threat-Lubos-Chlubny-adove.jpg https://www.computerweekly.com/news/366642726/IDCA-datacentres-report-Global-concentration-and-the-Goldilocks-zone Tue, 12 May 2026 19:01:00 GMT IDCA datacentres report: Global concentration and the Goldilocks zone <p>Microsoft has addressed around 140 newly discovered common vulnerabilities and exposures (CVEs) <a href="https://msrc.microsoft.com/update-guide/releaseNote/2026-may" target="_blank" rel="noopener">in its May Patch Tuesday update</a>, but for the first time in a long time, the latest monthly drop contains no zero-day flaws, meaning that none of the issues in scope have been actively exploited or publicly disclosed.</p> <p>But while a less panic-inducing drop will be welcomed by security teams around the world, the May 2026 Patch Tuesday update contains almost 20 critical severity flaws that will inevitably draw the attention of threat actors in the coming days and weeks.</p> <p>Jack Bicer, <a href="https://www.action1.com/" target="_blank" rel="noopener">Action1</a> director of vulnerability research, said: “Although the absence of zero-days is a positive sign, the high number of critical vulnerabilities – particularly compared to recent months – means organisations should still move quickly to evaluate and deploy updates across affected systems.”</p> <p>This month’s update is also particularly significant as it heralds a critical Secure Boot certificate expiration deadline on 26 June, a few weeks from now. Devices that fail to receive <a href="https://www.darkreading.com/endpoint-security/microsoftoriginal-windows-secure-boot-certificates-expire" target="_blank" rel="noopener">updated Secure Boot certificates</a> – which are now rolling out – face potentially catastrophic failures or as-yet-undiscovered security flaws that may prove impossible to fix.</p> <p>“The May 2026 update cycle is a high-stakes bridge to the 26 June certificate expiration deadline, making fleet-wide rotation to new trust anchors the month’s absolute priority,” said Rain Baker, senior incident response specialist at <a href="https://nightwing.com/cyber-defense/" target="_blank" rel="noopener">Nightwing’s ShadowScout</a> team.</p> <p>“For those who haven’t patched for last month’s releases for the <a href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server" target="_blank" rel="noopener">Windows Shell and Microsoft Defender bypass flaws</a>, it is imperative that security teams give these the highest priority,” added Baker.</p> <section class="section main-article-chapter" data-menu-title="Bugs abounding"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Bugs abounding</h2> <p>Among some of the critical updates issued this month is a fix for a Windows DNS Client remote code execution (RCE) flaw tracked as <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41096" target="_blank" rel="noopener">CVE-2026-41096</a>. This vulnerability stems from a heap-based buffer overflow condition in Windows NetLogon and could enable an unauthenticated actor to take over the target system by sending it a malicious DNS response.</p> <p>“Because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems rapidly,” said Action1’s Bicer. “Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks. </p> <p>“This CVE requires immediate attention considering its severity rating, network-based attack vector, no authentication requirements and no user interaction. DNS-related vulnerabilities are especially dangerous because they target foundational network services that are broadly exposed across enterprise infrastructure.”</p> <p>Also drawing attention is <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42898" target="_blank" rel="noopener">CVE-2026-42898</a>, another RCE issue,which is in on-premise versions of Microsoft Dynamics 365, which bears a common vulnerability scoring system (CVSS) score of 9.9. Again, this issue requires no user interaction and, because it can affect systems beyond the original security scope of the vulnerable component, carries an extreme risk to enterprises.</p> <p>Previous attacks on Dynamics 365 infrastructure have exposed important, privileged data, and because CRM environments plug into so many other important systems, successful exploitation could lead to wholesale compromise.</p> <p>Meanwhile, Automox chief technology officer Jason Kikta weighed in on <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089" target="_blank" rel="noopener">CVE-2026-41089</a>, an RCE flaw in Windows Netlogon, and CVE-2026-40402, an elevation of privilege (EoP) vulnerability in Hyper-V.</p> <p>“CVE-2026-41089 – CVSS 9.8 out of 10 – is a stack-based buffer overflow in Windows Netlogon,” said Kikta. “An attacker sends a crafted network request to a domain controller. No authentication required. No user interaction required. If you’ve been doing this long enough, the description language sounds sadly familiar.</p> <p>“I'd be careful drawing <a href="https://www.computerweekly.com/news/252489539/Race-to-patch-as-Microsoft-confirms-Zerologon-attacks-in-the-wild" target="_blank" rel="noopener">a direct line to Zerologon</a>. The underlying bug is a stack overflow, not a crypto protocol flaw, and Microsoft has not labeled this one as wormable. The mechanism is different, but the blast radius is still ugly when you’re talking about pre-auth code execution on a domain controller.”</p> <p>The Hyper-V issue can be exploited by a low-privileged account inside a guest virtual machine (VM) to execute code on the host with system-level privileges. Kikta warned that one compromised guest could serve as a pivot point for every other VM on the same host, and add the host fabric into the bargain. Hosted desktop environments and shared virtualisation platforms are likely to be swiftly targeted.</p> <p>“Multi-tenant VDI, on-premise virtualisation with untrusted workloads, or any Hyper-V host running guests you don't fully control. Same-week, same-day patch depending on what’s on top of it,” Kikta advised.</p> </section> <section class="section main-article-chapter" data-menu-title="Patch apocalypse?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Patch apocalypse?</h2> <p>Although lacking in zero-days, Redmond’s latest meaty update will do little to assuage the concerns of onlookers alarmed at the supposedly earth-shattering vulnerability discovery capabilities of <a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide" target="_blank" rel="noopener">Anthropic’s Claude Mythos frontier AI model</a>.</p> <p>Chris Goettl, vice-president of security product management at <a href="https://www.ivanti.com/" target="_blank" rel="noopener">Ivanti</a>, said that these concerns were being taken seriously by many key software suppliers and other tech firms that are becoming far more aggressive in their patching in response to the changes of the past few weeks.</p> <p>“<a href="https://blogs.oracle.com/security/accelerating-vulnerability-detection-and-response-at-oracle" target="_blank" rel="noopener">Oracle announced a new release cadence starting in May 2026</a> to address the acceleration of vulnerability detection introduced by Mythos and other AI security models; monthly Critical Security Patch Update (CSPUs) will fill in the two-month gap between their quarterly Critical Patch Update (CPU),” he said.</p> <p>“Apple is another early participant in Project Glasswing and has seen a recent spike in the number of exposures resolved. They typically average around 20 CVEs per iOS security update [but] <a href="https://www.zerodayinitiative.com/blog/2026/5/12/the-apple-macos-security-update-review" target="_blank" rel="noopener">for their most recent update on May 11</a>, there is a spike of 52 CVEs resolved. Across the 11 Apple updates, the CVE counts range from 25 at the low end to 52 on the high end and Apple backported changes all the way to iPhone 6s and iOS 15. While there are not actively exploited vulnerabilities, there are a lot of updates to manage.”</p> <p>Meanwhile, Mozilla, the backers of the Firefox browser, which is said to have had more than 270 vulnerabilities identified after Claude Mythos was applied to it, has also moved to a more aggressive weekly cadence for its security updates since the release of Firefox 150.0.0 in April 2026 – version 150.0.3 of Firefox dropped earlier today (12 May).</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Patch Tuesday</h3> <ul style="list-style-type: square;" class="default-list"> <li><strong><strong>April 2026: </strong></strong>Microsoft’s latest Patch Tuesday update may be one of the largest in history, <a href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server" target="_blank" rel="noopener">with more than 160 issues in scope</a>.</li> <li><strong>March 2026: </strong>Zero-days in .NET and SQL Server, and a handful of critical RCE bugs, form the nucleus of Microsoft’s <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366639784/Microsoft-patches-zero-days-in-NET-and-SQL-Server">March Patch Tuesday update</a>.</li> <li><strong>February 2026: </strong>Microsoft releases patches for six zero-day flaws in its latest monthly update, <a href="https://www.computerweekly.com/news/366638958/February-Patch-Tuesday-Microsoft-drops-six-zero-days" target="_blank" rel="noopener">many of them related to security feature bypass issues</a>.</li> <li><strong>January 2026: </strong>January brings a larger-than-of-late Patch Tuesday update out of Redmond, but an uptick in disclosures <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366637296/Microsoft-patches-112-CVEs-on-first-Patch-Tuesday-of-2026">is often expected at this time of year</a>.</li> <li><strong>December 2025: </strong>The final Patch Tuesday update of the year brings 56 new CVEs, bringing the year-end total <a href="https://www.computerweekly.com/news/366636275/Microsoft-patched-over-1100-CVEs-in-2025" target="_blank" rel="noopener">to more than 1,100</a>.</li> <li><strong>November 2025:</strong> An elevation of privilege vulnerability in Windows Kernel tops the list of issues to address in the <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366634166/Microsoft-users-warned-over-privilege-elevation-flaw">latest monthly Patch Tuesday update</a>.</li> <li><strong>October 2025:</strong> Windows 10 is no longer supported, but that does not mean it is not impacted <a href="https://www.computerweekly.com/news/366632872/Patch-Tuesday-Windows-10-end-of-life-pain-for-IT-departments" target="_blank" rel="noopener">by the latest Patch Tuesday update</a>.</li> <li><strong>September 2025:</strong> Nearly half the CVEs Microsoft disclosed in its September security update, including one publicly known bug, <a href="https://www.darkreading.com/application-security/eop-flaws-again-lead-microsoft-patch-day" target="_blank" rel="noopener">enable escalation of privileges</a> (Dark Reading).</li> <li><strong>August 2025:</strong> Microsoft rolls out fixes for over 100 CVEs <a href="https://www.computerweekly.com/news/366629273/Eight-critical-RCE-flaws-make-Microsofts-latest-Patch-Tuesday-list" target="_blank" rel="noopener">in its August Patch Tuesday update</a>.</li> <li><strong>July 2025:</strong> Microsoft patched well over 100 new common vulnerabilities and exposures on the second Tuesday of the month, but its latest update is <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366627196/July-Patch-Tuesday-brings-over-130-new-flaws-to-address">mercifully light on zero-days</a>.</li> <li><strong>June 2025:</strong> Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still <a href="https://www.computerweekly.com/news/366625818/June-Patch-Tuesday-brings-a-lighter-load-for-defenders" target="_blank" rel="noopener">warrant close attention</a>.</li> <li><strong>May 2025:</strong> Microsoft fixes five exploited, and two publicly disclosed, zero-days <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366623992/May-Patch-Tuesday-brings-five-exploited-zero-days-to-fix">in the fifth Patch Tuesday update of 2025</a>.</li> </ul> </div> </div> </section> No zero-day flaws were addressed in May’s Patch Tuesday update but as usual there is much for admins to chew over in the coming days https://cdn.ttgtmedia.com/visuals/German/article/upgrade-computer-adobe.jpg https://www.computerweekly.com/news/366642908/Microsoft-releases-rare-zero-day-free-Patch-Tuesday-update Tue, 12 May 2026 18:02:00 GMT Microsoft releases rare zero-day free Patch Tuesday update <p>Sustainability and strategy don’t always seem like natural bedfellows in a profit-driven world, but Simon Ninan, global head of strategy at <a href="https://www.computerweekly.com/feature/Hitachi-Vantara-VSP-One-leads-revamped-storage-portfolio">Hitachi Vantara</a>, wants to make it a reality, finding fresh approaches that deliver for customers, products, profit and the planet together. </p> <p>He says that if you want to see something better tomorrow, you have to start today. And for Ninan, it’s about finding a way through conflicting requirements. His core strategy team aims to combine knowledge, experience and ideas so that “one plus one equals five” and solves sustainability and <a href="https://www.computerweekly.com/ezine/Computer-Weekly/Viewing-business-through-a-sustainability-lens">business</a> challenges together.</p> <p>“I grew up in Bangalore, India,” he says. “Bangalore has changed a lot. It used to be known as green – now there’s so much traffic, a lot of the greenness is gone. It’s a shame.”</p> <p>In India, there’s still “incredibly intense” competition for resources as the country races to catch up, but in a “fair” way. Ideas around balancing those issues are often inculcated as you grow up, says Ninan.</p> <p>Similarly, it seemed to him that the longevity of companies and the “hardiness or value” embedded in their vision can be deeply connected.</p> <p>Comparisons with the US, where he arrived after studying computer science and engineering, were stark. Growth delivered clear benefits to the population, but at the same time, he saw “a land of excess”, where resources were often wasted.</p> <p>“I have continued consistently to think about how a little can potentially go a long way. How can we drive better decisions, and avoid innovation for innovation’s sake, technology for technology’s sake?” he says. “It’s about fusing business and technology. And there’s opportunity in that.”</p> <section class="section main-article-chapter" data-menu-title="Long-term vision shapes sustainability strategy"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Long-term vision shapes sustainability strategy</h2> <p>Ninan joined Hitachi Vantara in 2019, following seven years as an executive at Japan-headquartered parent Hitachi, and before that at Monitor Deloitte. </p> <p>At the board and corporate levels, Hitachi has a culture of going beyond short-term strategic planning.</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Simon-Ninan-Hitachi-Vantara-140x180px.jpg" alt="Photo of Simon Ninan, global head of strategy at Hitachi Vantara"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“I have continued to think about how a little can potentially go a long way. How can we drive better decisions, and avoid innovation for innovation’s sake, technology for technology’s sake? It’s about fusing business and technology. And there’s opportunity in that”</span></strong></span></p> <p><em><span style="color: #34495e;">Simon Ninan, Hitachi Vantara</span></em></p> </blockquote> <p>That begins by asking how the world might look 30, 50 or even 70 years from today, and planning for “mega-trends”, such as in terms of productivity and artificial intelligence (AI), socio-politics and climate change. The strategic time frame is the next two generations at minimum, including innovating around products and solutions that benefit society at large.</p> <p>That long-term focus is “very interesting and unique”, says Ninan.</p> <p>“We also talk about ageing demographics, or changing demographics. Emerging markets, availability of resources, productivity, the digital divide,” Ninan says. “Big hurdles that society will face. Then, working backward as it were, Hitachi asks what we can do today.”</p> </section> <section class="section main-article-chapter" data-menu-title="Japanese principles guide collaborative approach"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Japanese principles guide collaborative approach</h2> <p>Hitachi founder Namahei Odaira originally tied the company philosophy to the Japanese principles of “wa”, “makoto” and “kaitakusha-seishin”.</p> <p>At Hitachi, the harmony-related concept of “wa” encourages respect for others’ opinions and promotes open, fair and impartial discussion. In sustainability, this translates into a highly collaborative, cross-functional approach that connects efforts across the full lifecycle of products and operations, and to ensure impacts are understood holistically, says Ninan.</p> <p>“Makoto” is about sincerity – approaching issues with openness, honesty and respect, “in the spirit of true teamwork”.</p> <p>“In <a href="https://www.computerweekly.com/opinion/IT-Sustainability-Think-Tank-How-IT-sustainability-entered-the-mandate-era-during-2025">sustainability</a>, this is reflected in transparency, proactive data collection and reporting, and a commitment to go beyond simply meeting requirements to delivering on the spirit of our goals,” says Ninan.</p> <p>“Kaitakusha-seishin” may be best translated as “pioneering spirit”. Ninan says that at Hitachi, this emphasises a striving for leadership through pursuing new challenges and higher goals, but building on a commitment to innovation that goes beyond mere compliance, to driving positive impacts for society and the planet. That mission is now being extended to other parts of the world where Hitachi operates.</p> <p>“I find that really powerful, because it says you can make trade-offs in your bottom line for a bigger goal,” he adds. “It’s very ambitious. We have a double bottom line. Every company tries to make sure it delivers profit, but the double bottom line means it’s not just about the shareholders; it’s about the stakeholders and the value you’re delivering – your customers, your partners, your employees.”</p> </section> <section class="section main-article-chapter" data-menu-title="Tackling Scope 3 emissions in datacentres"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Tackling Scope 3 emissions in datacentres</h2> <p>Today’s sustainability challenges for the team include weighing up the challenges and potential benefits of <a href="https://www.computerweekly.com/feature/AI-drives-storage-array-makers-to-embrace-data-management">AI</a> enablement, for example. Also, there’s a need to rethink the value of hybrid cloud data solutions versus the return on investment in data, says Ninan.</p> <p>The most recent “major strategy refresh” with a medium- to long-term perspective at Hitachi Vantara was three years ago. It involved “extensive embedding” of Hitachi’s sustainability reporting into Hitachi Vantara, with Ninan as one of the executives presiding. </p> <p>That challenge had become “a huge proposition” with related opportunities around green IT and sustainability. Ninan had noticed that while Scope 1 and Scope 2 emissions were handled quite well, Scope 3 emissions accounting still needed work.</p> <p>“It didn’t do a really good job of Scope 3. Yet <a href="https://www.computerweekly.com/feature/Interview-CyrusOne-on-the-sustainable-innovation-that-drives-datacentre-business-outcomes">datacentres are a most impactful industry for global sustainability</a>,” he says.</p> <p>Sustainability is also important because so many datacentre projects are being cancelled. Ninan says that trend will increase, not least because <a href="https://www.computerweekly.com/feature/Datacentre-developers-tout-benefits-to-local-communities-but-do-they-deliver">people often don’t want datacentres in their backyard</a>, whether for environmental reasons or otherwise.</p> <p>“They’re now leery about the effects of AI. They’ve also seen bills go up, and they worry about water resources,” he adds.</p> </section> <section class="section main-article-chapter" data-menu-title="Cross-functional teams drive sustainability goals"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cross-functional teams drive sustainability goals</h2> <p>Ninan’s team includes one other person, plus four entirely focused on product sustainability, helped by another <a href="https://www.computerweekly.com/news/366638707/Interview-Sarwar-Khan-on-shaping-BTs-green-future-and-delivering-sustainability-at-scale">sustainability</a> director and the sustainability lead analyst at Hitachi Digital, which is a centre of excellence shared across multiple Hitachi divisions.</p> <p>Also, Ninan’s team works bi-weekly with people who have a 20% or so commitment to sustainability in addition to their day jobs in finance, HR, logistics, operations and the like. Formal executive committee governance meetings happen quarterly. </p> <p>Hitatch Vantara has reported multiple <a href="https://www.hitachivantara.com/content/dam/hvac/pdfs/analyst-content/helping-make-the-world-a-better-place-2024-sustainability-report.pdf">sustainability awards for its tech</a>, including around AI, and high ratings from the likes of EnergyStar and EcoVadis. It launched a sustainability service level agreement (SLA) last year. </p> <p>Hitachi Vantara’s <a href="https://www.computerweekly.com/feature/An-action-plan-for-net-zero-compatible-with-budget-contraints">net-zero</a> target is 2040, following the Science-based Targets Initiative (SBTi) – a “more aggressive” target than its parent’s 2050.</p> <p>“And we have our state-of-the-art distribution centres, particularly one in the Netherlands, that have launched a whole bunch of new initiatives around logistics, distribution, biodiversity and so on,” he says. </p> <p>Ninan points out that customers today are more often “buying outcomes”, rather than being 100% focused on product. And he suggests that if more tech companies don’t wake up, poor sustainability can and will hit profits – if it hasn’t already.</p> <p>IT companies will lose customers and their credibility. In his view, <a href="https://www.computerweekly.com/feature/Pure-AVK-self-powered-Dublin-datacentre-dodges-grid-constraints">datacentre</a> operators could “make or break” sustainability goals, and it’s crucial for those in the industry to lead the way. </p> <p>Which is also an opportunity, not just for marketing narratives or even benchmarking, but to drive innovation, he says.</p> <p>So that’s what Ninan and his cross-functional team does – sponsoring and overseeing strategy and building sustainability together. Not least because it often takes people a long time to appreciate the importance of sustainability.</p> <p>“I make a lot of noise about that,” he says. “I’ve had to become a real champion for sustainability.”</p> </section> <section class="section main-article-chapter" data-menu-title="Bridging US and European sustainability narratives"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Bridging US and European sustainability narratives</h2> <p>In the US, especially, narratives on sustainability can differ from those in many other regions and markets. In Europe, sustainability is seen as crucial simply because the planet depends on it.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> I’ve had to become a real champion for sustainability </figure> <figcaption> <strong>Simon Ninan, Hitachi Vantara</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>However, US arguments typically must be formulated in dollars and cents. In the US, if you can’t make the economics work, if you can’t show how profits will be realised, it’s much more difficult to reach a consensus.</p> <p>Europe sometimes creates burdensome regulations and reporting requirements in an effort to get everyone on board, but that’s seen as a necessary evil.</p> <p>“You can’t have that ‘necessary evil’ conversation in the US. They say, ‘Tell me how it’s going to improve my revenue, and profits, and maybe then I’ll pay attention to it’,” says Ninan.</p> <p>“Then, of course, you have changing political administrations – and you hear they want to deregulate, as a matter of national competitiveness and innovation, with greenness potentially coming in at some future date or time.”</p> </section> <section class="section main-article-chapter" data-menu-title="Making the business case for green technology"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Making the business case for green technology</h2> <p>The challenge – and partly the fun – for Ninan and his team is to keep figuring out how to straddle the different <a href="https://www.techtarget.com/sustainability/feature/How-to-lead-on-sustainability-in-the-rise-of-greenhushing">narratives</a>, to explain how sustainability is good for businesses that are governed quarter to quarter by the markets. That includes via outreach, with public relations activities such as podcasts or thought leadership articles also a really interesting part of his job.</p> <p>“That’s where I talk about Hitachi Vantara products a bit, and that datacentres are about 3% of greenhouse gas emissions globally, of power consumed, and how that’s multiplying with the AI and internet of things revolutions,” says Ninan.</p> <p>Then his strategy might include pointing out projections for datacentre growth. If datacentre footprints triple in the next five years, as some estimates suggest, that will create problems for businesses.</p> <p>Power grids can’t handle it. They’re not ready, and resources such as energy and water are lacking. Economies can’t currently sustain that sort of datacentre demand; investment is required to meet the “real value” proposition, which typically boils down to cost savings, he says.</p> <p>“So, we explain that if you deploy our <a href="https://www.techtarget.com/searchstorage/opinion/Hitachi-Vantara-expands-in-hybrid-and-multi-cloud-storage">storage</a> and data solutions in datacentres, because of the proprietary technology, we can optimise how data is moved, stored and processed. We can reduce power consumption in datacentres by 30% to 60% compared to the average,” he says. “Forget the cost of buying the bits. Sure, we’ll do a great job for you there, but we’ll save you longer-term costs.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more IT sustainability interviews</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366638707/Interview-Sarwar-Khan-on-shaping-BTs-green-future-and-delivering-sustainability-at-scale">Sarwar Khan on shaping BT’s green future and delivering sustainability at scale</a>: How the sustainability practice enables BT to move on ‘tough topic’ targets that increase innovation, efficiency and success across its product portfolio.</li> <li><a href="https://www.computerweekly.com/feature/Interview-CyrusOne-on-the-sustainable-innovation-that-drives-datacentre-business-outcomes">CyrusOne on the sustainable innovation that drives datacentre business outcomes</a>: Sustainability initiatives continue to drive competitive advantage in addition to cutting costs, reveals Kyle Myers of colocation giant CyrusOne.</li> </ul> </div> </div> </section> We talk to Hitachi Vantara’s Simon Ninan about how the company looks to the far horizon when trying to match business needs with those of society https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/IT-sustainability-interviews-hero.jpg https://www.computerweekly.com/news/366642586/Interview-Hitachi-Vantara-takes-long-view-on-business-and-sustainability Tue, 12 May 2026 09:40:00 GMT Interview: Hitachi Vantara takes long view on business and sustainability <p>As it furthers its journey into providing critical infrastructure throughout the UK, business connectivity provider <a href="https://www.computerweekly.com/search">Neos Networks</a> has teamed with mobile infrastructure services firm Cornerstone to provide connectivity services to UK “microscaler” StonesThro to support distributed sovereign edge cloud infrastructure.</p> <p>Seeking to establish a difference between <a href="https://www.stonesthro.co.uk/">StonesThro</a> and hyperscalers that centralise infrastructure in major datacentres, <a href="https://neosnetworks.com/">Neos</a> noted that microscalers distribute cloud and artificial intelligence (AI) compute power to localised sites.</p> <p>By connecting these regional hubs into its national, business‑dedicated network, Neos assured that StonesThro and <a href="https://www.cornerstone.network/">Cornerstone</a> could serve users in key urban and industrial areas. The planned deployments will also use Cornerstone’s national infrastructure footprint, enabling distributed cloud nodes to be deployed at scale.</p> <p>The partners believe that such a distributed model is already unlocking new capabilities for sectors where proximity is important for functionality, ranging from autonomous vehicles and large enterprises to local authorities and high-security sovereign software providers. Additionally, they say that for critical national infrastructure (CNI) customers handling sensitive data, the UK sovereign model offers an alternative to international cloud providers.</p> <p>In 2025, in partnership with Network Rail, Neos Networks announced <a href="https://www.computerweekly.com/news/366634755/First-fibre-laid-under-Project-Reach-UK-digital-backbone">Project Reach, claimed to be the biggest core fibre network deployment</a> in decades. Neos’ UK-wide network will support Cornerstone and StonesThro in delivering secure connectivity to CNI operators, such as those in the rail industry, which often require domestic infrastructure.</p> <section class="section main-article-chapter" data-menu-title="Supporting UK digital ambitions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Supporting UK digital ambitions</h2> <p>In what the firms believe will be another key advantage, they stressed how they are supporting the UK government’s AI and datacentre ambitions through an alternative infrastructure model. Rather than concentrating compute power in large southern datacentres, they believe that StonesThro’s distributed approach moves AI capabilities closer to where they’re needed and closer to where power is generated, addressing both the <a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">UK’s datacentre capacity shortage</a> and grid transmission challenges.</p> <p>“Our national footprint is the ideal backbone for Cornerstone and StonesThro’s edge AI cloud,” commented Neos Networks CEO Lee Myall. “Through our high-capacity connectivity, we are providing the UK-wide sovereign coverage, optionality and technical resilience required for high-security projects. We are proud to power the infrastructure that will enable the next generation of real-time applications and critical national services.</p> <p>“Working with Neos Networks and Cornerstone allows us to develop and scale sovereign edge AI infrastructure with national reach,” added StonesThro chief information security officer Andy Bates. “Its position as the UK’s largest B2B connectivity provider, alongside its access to the rail network through Project Reach, makes it the ideal collaborator to help us deliver a local solution for local people.”</p> <p>Specifically designed to end the worst signal blackspots on the major rail arteries of Britain and no less than rewire the UK for the next decade of digital growth, Project Reach’s nationwide roll-out will see at least 1,000km of high-grade fibre laid alongside Britain’s railways. By using the rail network as a national corridor for new fibre, Neos stated that it was taking advantage of the most direct, secure and future-proof routes available.</p> <p>The infrastructure will support everything from rail operations and transport digitisation to the surging demand created by AI, cloud and datacentre expansion. Structurally, the project brings together public and private sector investment and infrastructure, and its developers claim they will be able to save taxpayers around £300m while delivering substantial benefits to rail users.</p> <p>The scheme also aims to <a href="https://www.computerweekly.com/news/366626732/UK-rail-network-gets-on-track-for-enhanced-connectivity">create a high-performing digital connectivity backbone</a> for businesses, providing connectivity to datacentres and high-performance edge facilities, supporting the UK’s digital ambitions and driving innovation.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about UK critical network infrastructure</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640692/Zayo-provides-critical-connectivity-infrastructure-for-AI-cloud-datacentres">Zayo provides critical connectivity infrastructure for AI, cloud datacentres</a>: Enterprise network provider deploys connectivity infrastructure to one of the UK’s largest AI cloud datacentre campuses to support up to 720 MW of AI-ready infrastructure.</li> <li><a href="https://www.computerweekly.com/news/366639976/Render-Networks-unveils-synchronised-agentic-critical-infrastructure-architecture">Render Networks unveils synchronised agentic critical infrastructure</a>: Critical infrastructure execution and intelligence software provider unveils agentic AI architecture designed for dynamic, scalable execution at infrastructure operators and constructors.</li> <li><a href="https://www.computerweekly.com/news/366638864/Cisco-shapes-up-for-delivery-of-critical-infrastructure-in-the-AI-era">Cisco shapes up for delivery of critical infrastructure in the AI era</a>: Annual European expo reveals what IT and networking behemoth claims will be a leap forward in AI adoption, with new products encompassing switches, optics, agentic operations and SASE.</li> <li><a href="https://www.computerweekly.com/news/366632062/3bn-opportunity-in-digital-network-upgrade-of-UK-critical-infrastructure">£3bn opportunity in digital network upgrade of UK critical infrastructure</a>: Study from BT highlights multibillion-pound net benefit that could be unlocked by upgrading critical services to digital platform.</li> </ul> </div> </div> </section> Strategic collaboration designed to enable distributed microscale AI compute with national, resilient connectivity for critical sectors https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Neos-Networks-Ethernet-hero.jpg https://www.computerweekly.com/news/366642748/Neos-Networks-Cornerstone-StonesThro-power-UK-sovereign-edge-cloud Fri, 08 May 2026 05:18:00 GMT Neos Networks, Cornerstone and StonesThro power UK sovereign edge cloud <p>Members of the European Parliament (MEPs) have called for the expansion of Europol to be paused following disclosures that the police organisation ran a shadow IT system containing vast amounts of data without adequate security or data protection measures in place.</p> <p>An investigation by <a href="https://www.computerweekly.com/news/366642525/They-protect-the-law-while-breaking-it-Inside-Europols-shadow-IT-system">Computer Weekly</a>, <a href="https://correctiv.org/en/europe/2026/05/05/they-protect-the-law-while-breaking-it-inside-europols-shadow-it-system/">Correctiv</a> and <a href="https://wearesolomon.com/en/mag/focus-area/accountability/they-protect-the-law-while-breaking-it-inside-europols-shadow-it-system/">Solomon</a> revealed that Europol stored petabytes of crime-related data on a network that operated for years without scrutiny from regulators, despite significant privacy and security flaws.</p> <p>Europol’s “shadow” databases were used to analyse vast volumes of sensitive data, such as telephone records, identity documents, banking information or geolocation data and included data relating to individuals not suspected of any crime. They also included a shadow system known as the Pressure Cooker, used for analysing open-source information on the internet, that lacked proper controls.</p> <p>Despite several years of monitoring by the European Data Protection Supervisor (EDPS), some major flaws remained unaddressed in 2026.</p> <section class="section main-article-chapter" data-menu-title="Call for Parliamentary oversight"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Call for Parliamentary oversight</h2> <p><a title="Özlem Alev Demirel | Home page" href="https://oezlem-alev-demirel.de/">Özlem Alev Demirel</a>, German MEP for the Left group, issued a <a href="https://oezlem-alev-demirel.de/2026/05/europols-datenmissbrauch-stellt-existenzrecht-der-behoerde-in-frag/">statement</a> calling for plans to expand Europol’s mandate to be put on hold.</p> <p>“This latest data protection scandal violates every legal standard, disregards the fundamental rights of those affected and renders oversight mechanisms absurd,” she wrote.</p> <p>German <a href="https://www.europarl.europa.eu/meps/en/96932/BIRGIT_SIPPEL/home">MEP Brigit Sippel</a> told this investigation that the fact that the data of innocent people was stored and analysed without any traceable record of who accessed it or altered the entries undermined confidence in the reliability of evidence and the rule of law.</p> <p>“Before we begin discussing a potential expansion of Europol’s mandate, there needs to be genuine Parliamentary oversight, independent supervision with real powers of intervention, and full disclosure and transparency regarding matters that have remained hidden until now,” she added.</p> </section> <section class="section main-article-chapter" data-menu-title="Home Office urged to answer questions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Home Office urged to answer questions</h2> <p>In the UK, conservative MP David Davis called <a href="https://x.com/DavidDavisMP/status/2052387489474568632">in a post on X (<em>formerly Twitter</em>)</a> for the Home Office to answer questions about Europol’s storage of data on British citizens.</p> <p>“The Home Office must now say whether any personal data of entirely innocent British citizens is being stored in Europol’s systems and, if so, why it is being stored and why the UK government is allowing it to be stored,” he added.</p> </section> <section class="section main-article-chapter" data-menu-title="Confidence in evidence may be affected"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Confidence in evidence may be affected</h2> <p>Speaking at a meeting of the European Parliament’s committee on Civil Liberties, Justice and Home Affairs <a href="https://www.europarl.europa.eu/committees/en/libe/about">(Libe</a>) on Thursday, <a href="https://www.europarl.europa.eu/meps/en/96932/BIRGIT_SIPPEL/home">MEP Birgit Sippel</a> said that revelations could undermine confidence in Europol.</p> <p>“I think the mere fact that a European agency has operated a parallel data system without any control raises concern, not only regarding data protection, but also on the way of working of agencies, and could affect even the confidence and reliability of agencies and the evidence,” she added.</p> <p>EDPS Wojciech Wiewiórowski told the Libe meeting that this investigation raised new points and accusations that the EDPS would definitely be following. He confirmed that some of the EDPS enforcement decisions – such as its admonishment of Europol in 2020 and a <a href="https://www.edps.europa.eu/press-publications/press-news/press-releases/2022/edps-orders-europol-erase-data-concerning_en">decision requiring Europol to delete data</a> in 2022 – were connected with the use of platforms identified in this investigation.</p> <p>Wiewiórowski said that EDPS needed a wider range of sanctions to oversee European institutions. He added that he has the ability to issue a soft response, in the form of an admonishment, and hard response, in the form of an order to stop processing data, which “might be really dangerous for security in Europe”, but nothing in between.</p> <p>With discussions underway about enlarging the mandate of Europol, he suggested that it would be a mistake for Europol to be enlarged without increasing oversight.</p> <p>Saskia Bricmont, Belgian Green MEP, added in a statement that she would prioritise a discussion with the European Commission and the Libe Committee over the findings of this investigation.</p> <p>“It is urgent that the agency and the European Commission provide detailed explanations,” she said. “Yet, once again, it is thanks to the work of investigative journalists that we are discovering a problem within Europol, which only serves to heighten mistrust.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Europol</h3> <ul class="default-list"> <li>The <a href="https://www.computerweekly.com/news/366634419/Hungry-for-data-Inside-Europols-secretive-AI-programme">EU’s law enforcement agency has been quietly amassing data to feed an ambitious but secretive artificial intelligence development programme</a> that could have far-reaching privacy implications.</li> <li>Europol wants <a href="https://www.computerweekly.com/news/366618230/Europol-seeks-evidence-of-encryption-on-crime-enforcement-as-it-steps-up-pressure-on-Big-Tech">examples of police investigations hampered by end-to-end encryption</a> as it pressures tech companies to provide law enforcement access to encrypted message.</li> <li>Law enforcement bodies from across the world have revealed how they <a href="https://www.computerweekly.com/news/366611232/Europol-provides-detail-on-Ghost-encrypted-comms-platform-takedown">collaborated to bring down encrypted network Ghost</a> and the new ways of working that have been established with Europol at the centre.</li> </ul> </div> </div> </section> Expansion of Europol’s mandate should be paused while allegations investigated, a number of MEPs say https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Europol-building-2-PR-hero.jpg https://www.computerweekly.com/news/366642721/MEPs-call-for-greater-scrutiny-of-Europol-following-concerns-over-Shadow-IT Fri, 08 May 2026 04:57:00 GMT MEPs call for greater scrutiny of Europol following concerns over shadow IT <p>Artificial intelligence (AI) – and in particular agentic AI – can bring considerable increases in productivity to any organisation that uses it, with potential gains of £10 for every £1 spent. But achieving those rewards will require great effort to ensure AI becomes part of organisational culture.</p> <p>That’s the view shared by executives at a Node4 user day event in Nottingham this week, where the mid-market enterprise application, <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">software-as-a-service (SaaS) provider</a> and Microsoft partner showcased a range of AI-based solutions.</p> <p>According to Derby-based <a href="https://node4.co.uk/">Node4</a>, we are set to move past the era of “clunky” AI experiments and into a period where the technology is being industrialised at a rate that outpaces most corporate governance structures. Also showcased was agentic AI, but here, Node4 thinks it will be a year or so before customers trust it.</p> <p>Meanwhile, <a href="https://www.computerweekly.com/news/366642487/Cloud-and-data-sovereignty-caught-in-a-paradox">data sovereignty</a> is an everyday conversation for the company (<a href="#Sovereignty"><em>see box</em></a>).</p> <section class="section main-article-chapter" data-menu-title="The three rings of AI: From assistance to orchestration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The three rings of AI: From assistance to orchestration</h2> <p>Core to the thinking on AI are three stages of AI adoption: First, simple assistance, where users ask questions of a large language model (LLM) where once they would have used a web search tool. Second is co-work, where <a href="https://www.computerweekly.com/news/366639977/Microsoft-Cowork-One-data-store-for-all-your-M365-assets">co-pilot-type tools</a> in an environment help more directly, such as Claude Code. And third, there is orchestration via agentic AI, where agents that are built to carry out specific tasks can be invoked in a variety of settings, often autonomously by preset triggers.</p> <p>But while such capabilities already exist in almost all enterprise application environments, including, for example, in the Microsoft Dynamics 365 Business Central for which Node4 is a specialist, most customers have yet to make use of them. </p> <p>Mark Skelton, chief technology officer (CTO) at Node4 (<em>pictured, above</em>), said: “It’s something we’re struggling with. The challenge with AI at the moment is the consumerisation effect.</p> <p>“We did two roundtables last night, and we had probably 30 customers in those sessions. We asked them, where are you on your AI journey? Almost everyone in the room said, ‘Well, we’re nowhere’.</p> <p>“But when we asked the question, ‘Are you using OpenAI or ChatGPT or cloud?’ Most hands went up. So, what’s happening is business users are using this stuff on their personal accounts.”</p> <p>The concern here, said Skelton, is that if personal accounts are being used, business data is at risk of leaking out.</p> <p>Skelton said the Node4 solution is to help train customers and to showcase what’s possible with simple AI assistance, co-work and agentic AI by means of free-of-charge consulting sessions, “innovation factories” and showing customers how AI can help with real-world workloads.</p> <p>“One thing we do is automate board reports, for example,” said Skelton. “We have to do it every month. And there’s no reason why AI can’t do it. Every organisation will have to do a similar process.</p> <p>“You start with something like that. The customer goes, ‘OK, right, you’re solving a big problem. That’s a bunch of work and five days’ worth of someone’s time that I can now automate and free up their time’.”</p> </section> <section class="section main-article-chapter" data-menu-title="Agentic the future, but trust will take time"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Agentic the future, but trust will take time</h2> <p>Despite recognising the challenges of how to get there, Node4 executives envisage a future of agentic AI. At the event, it showcased pre-built agents and custom agent-building capabilities in Business Central, as well as a set of agents it develops, named “enhanced”, that tackle functions not covered by Microsoft.</p> <p>Currently, Node4 is keen to emphasise that there will be a human-in-the-loop for some time and that AI agents will not be off the leash and able to change or move corporate data.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> We’re probably [six months to a year] away from having [AI agents] committing stuff without human checking. I think that’s sensible because we are still in a phase where this stuff can hallucinate </figure> <figcaption> <strong>Mark Skelton, Node4</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>So, when will Node4 customers be able to trust an AI agent to make changes in a finance ledger or an enterprise resource planning database?</p> <p>“The technology is definitely capable,” said Skelton. “But I think we’re probably in a six-month-to-year window away from actually having these things committing stuff without human checking. I think that’s sensible because we are still in a phase where this stuff can hallucinate.</p> <p>“If it’s not designed right, it can be dangerous. So, I reckon about a year away, but whenever a CTO predicts these days, you can probably halve it because of the rate of innovation.</p> <p>“The human and the guardrails are still very important at this stage,” added Skelton. “Once you’ve built your model and built all the intelligence into the agent, it’s repeatable, and that’s where you get your value. But that starting point – understanding the process you’re trying to automate and execute – is critical, because if you get the input wrong, the output could be catastrophic.”</p> <p>Node4 has around 1,800 customers, of which 800 are users of the Microsoft Dynamics platform. Of those, 63% are on the fully SaaS Business Central, with the remainder on various legacy iterations of Navision.</p> <p>The company also runs its own cloud and datacentres, which can be used for sovereign capability should a customer require it.</p> </section> <section class="section main-article-chapter" data-menu-title="Customer base: Different sectors, different speeds"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Customer base: Different sectors, different speeds</h2> <p>About 1,200 customers are private sector, and 600 public sector. Node4 made north of £33m from the UK public sector for 2024-2025, according to Tussell figures, with its biggest UK government customer being the Department for the Environment, Food and Rural Affairs (£23m).</p> <p>Node4 customers that are not yet SaaS users comprise a fair chunk of the customer base. According to Skelton, it’s not that they don’t want to move. Many simply lack the time and resources to do so.</p> <p>He said: “Traditionally, it’s been very costly to move because the move from Navision to Business Central is not like a Windows upgrade where you click a button and it does it for you.</p> <p>“There are complexities around code conversion and workflow. These are traditionally big projects. They could be 200-day, 300-day projects – so very costly for businesses to do. Where you see this long Navision tail, it tends to be in the smaller organisations that don’t have the big IT departments.</p> <p>“Now, we’re using AI to automate a lot of this process. We’re using AI to do all the code conversion, the workflow remappings, all that kind of stuff. And then we’re going to look at future pipelines about how we automate all the testing.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading"><a id="Sovereignty"></a>Data sovereignty ‘an everyday conversation’</h3> <p><a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">Data sovereignty is a hot topic</a> in the current <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">geopolitical environment</a>. Meanwhile, Microsoft has said more than once that it can’t guarantee that customer data won’t be moved offshore. And in any case, if a US company were subject to a US court order, it would be compelled to provide access to data that stateside law enforcement asked for.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The art to [data sovereignty is] working out what is mission-critical data that [customers] really need sovereignty around versus non-critical </figure> <figcaption> <strong>Mark Skelton, Node4</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>So, how does Node4 navigate that conversation? </p> <p>“What’s going on in the world is having a major impact on how customers are thinking and where their data sits. Of course, with Microsoft, we have to be very careful. So, we design models that sit behind all these data platforms to understand where the data can actually go and put some restrictions and controls around it.”</p> <p>Skelton also pointed to the fact that Node4 also has its own datacentres in the UK.</p> <p>“Customers are now going, ‘I don’t feel comfortable with this data sitting in Microsoft or anywhere else. Can it be in a UK-centric datacentre owned by a UK company?’ We’re seeing a bit of an uptick in demand for our datacentre capability for that reason.”</p> <p>Skelton said Node4 can still work with the Microsoft ecosystem, with data or even AI models residing in its datacentres.</p> <p>That’s partly because customers aren’t usually worried about all their data from a sovereignty perspective.</p> <p>“It may be partial sets of data that are critical,” he said. “That’s the art to this; working out what is mission-critical data that they really need sovereignty around versus non-critical. The non-critical would sit in the Microsoft cloud system. The critical stuff sits in ours, and we create the plumbing and the controls between that to make sure all the data is controlled. But it’s a daily conversation.”</p> </div> </div> <p></p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Microsoft and AI</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366639308/Microsoft-CEO-opens-up-London-AI-tour-with-Copilot-push">Microsoft CEO opens London AI Tour with Copilot push</a>: Microsoft CEO Satya Nadella used his event keynote to showcase how the artificial intelligence in M365 is a foundation for agentic AI in the enterprise.</li> <li><a href="https://www.computerweekly.com/news/366639977/Microsoft-Cowork-One-data-store-for-all-your-M365-assets">Microsoft Cowork – one data store for all your M365 assets</a>: Microsoft has revealed the next stage of its plans to place its software at the heart of enterprise data, which is now powered by agentic AI.</li> </ul> </div> </div> </section> UK mid-market supplier showcases the three stages of AI – assistance, co-work and orchestration – but faces a reality in which most users have yet to arrive at first base https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Node4-user-day-Nottingham-hero.jpg https://www.computerweekly.com/news/366642876/Node4-AI-and-agentic-the-future-but-culture-the-key-to-unlock-it Fri, 08 May 2026 04:55:00 GMT Node4: AI and agentic the future, but culture the key to unlock it <p>In the high-stakes environment of the <a href="https://www.computerweekly.com/resources/Healthcare-and-NHS-IT">operating theatre</a>, the surgeon’s steady hand (or the robotic scalpel) is literally the sharp end of the process. But in their train lies the invisible grind of hospital logistics, where incredibly valuable surgery resources are often deployed less than optimally as humans try to apply subjective estimation to theatre scheduling and planning.</p> <p>For years, the promise of digital health has been synonymous with telepresence, often in the form of a “Zoom for surgeons” that allowed remote observation during procedures in the operating room (OR). </p> <p>But as healthcare moves into 2026, the focus is shifting to “intelligence-first” surgery. By treating the operating theatre as <a href="https://www.computerweekly.com/feature/Work-is-broken-Can-agentic-AI-fix-it">an “unbounded” problem</a> that can be reasoned through at scale, technologists are solving the logistical challenges that have limited optimal working.</p> <p>By utilising computer vision as an instrument of measure, and generative artificial intelligence (GenAI) as a tool for predictive scheduling, AWS customer Proximie is transforming the operating theatre from a black box into a data-rich environment. </p> <p>We spoke to Proximie at AWS’s recent London Summit, and found out how the company manages 120TB of unstructured video data across a hybrid edge-to-cloud architecture, the technical guardrails they have built to <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">protect patient data sovereignty</a>, and why the future of surgery relies on AI becoming an invisible “texture” <a href="https://www.computerweekly.com/news/366632366/How-the-UAE-is-using-AI-to-transform-healthcare">in the hospital environment</a>.</p> <section class="section main-article-chapter" data-menu-title="The ‘hanging around’ problem"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The ‘hanging around’ problem</h2> <p>The starting point for Proximie isn’t surgery itself, but the five billion people worldwide who lack access to safe procedures. </p> <p>Richard Carter, CTO at Proximie, argues that because building new hospitals and training staff takes decades, the key thing is to get more out of existing resources. “Healthcare is largely a logistics and communications challenge,” Carter says. “The time is not in getting surgeons to work faster; the time is to minimise the hanging around time.”</p> <p>To solve this, Proximie uses ceiling-mounted sensors to create a statement of fact around OR workflows. Unlike human recall, which Carter describes as fragile and subjective, computer vision provides an objective record of exactly when a patient enters the anaesthetic room and when they depart the procedure room. By removing sentiment from the discussion, hospitals can identify exactly where the “dead time” exists.</p> </section> <section class="section main-article-chapter" data-menu-title="The predictive scheduler"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The predictive scheduler</h2> <p>This data collection allows Proximie to tackle one of the most difficult variables in hospital management – elective list scheduling. If a scheduler underestimates a procedure, the entire day’s list falls behind, putting immense pressure on staff. If they overestimate, valuable capacity is wasted.</p> <p>By analysing three years of Electronic Health Record (EHR) data, Proximie’s AI can now outperform human schedulers. It correlates variables that are often too complex for manual calculation, such as the statistical link between a patient’s BMI, age  and the specific surgeon-anaesthetist combination. </p> <p>The real-world impact is significant. Thoracic surgeons at St Thomas’ in London have successfully added one extra major case per day simply by using this real-time data to tighten their schedules.</p> </section> <section class="section main-article-chapter" data-menu-title="From ‘Zoom for surgeons’ to unbounded AI"> <h2 class="section-title"><i class="icon" data-icon="1"></i>From ‘Zoom for surgeons’ to unbounded AI</h2> <p>During the pandemic, Proximie was often described as “Zoom for surgeons”. While telepresence was a vital off-ramp that normalised digital entry into the OR, Carter explains that video access has now become a feature, not the product. The real challenge is the “unstructured” nature of video and audio data, which historically was impossible to process at scale.</p> <p>“If you’re playing a game of chess, although it is very large, there is a finite number of chess positions,” Carter says. “With healthcare, it is absolutely infinite, because we are all unique as individuals.” </p> <p>He defines healthcare as an unbounded problem, but that 2026-era AI can finally reason around these infinite variables. The goal is for AI to become a texture within the hospital – an invisible layer that removes the “grunt work and grind” rather than acting as a standalone gadget.</p> </section> <section class="section main-article-chapter" data-menu-title="Technical architecture – edge vs cloud"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Technical architecture – edge vs cloud</h2> <p>Managing 120TB of unstructured data globally requires a sophisticated hybrid model to navigate latency and data privacy.</p> <p>Edge devices, mounted on the OR ceilings, handle privacy at the source. They obfuscate and redact sensitive information on the device before any data ever leaves the room. Carter is adamant that no unobscured data ever leaves the OR. Once redacted, the data is sent to the AWS cloud for massive, asynchronous processing. Carter argues that on-premise solutions are economically unviable because they lack the upgrade path and cross-system visibility that a cloud provider such as AWS offers.</p> <p>Meanwhile, in real time frame-by-frame analysis, certain procedures, such as laparoscopy – which is entirely hypothetical, says Carter – the system will only have 18 milliseconds to analyse a frame at 60fps. This makes edge computing necessary for tasks where latency would have a practical impact.</p> </section> <section class="section main-article-chapter" data-menu-title="The encryption moat"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The encryption moat</h2> <p>When operating across different jurisdictions, data sovereignty is a non-negotiable requirement. Proximie utilises AWS Global Accelerator to ensure data is routed and stored strictly within a user’s jurisdiction. “The user doesn’t have to decide where to put data,” Carter says. “The workflow obligates it.”</p> <p>Addressing concerns regarding the US Cloud Act – which potentially allows US courts to demand data from US-headquartered companies – Carter offers a pragmatic technical defence.</p> <p>While Proximie would comply with legal obligations, their encryption standards serve as a “shield”. He suggests that the data would be “inaccessible in the form in which it would be provided”, effectively rendering any legal surrender moot because raw, readable data remains technically impenetrable to outside parties.</p> </section> <section class="section main-article-chapter" data-menu-title="Safeguarding against hallucinations"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Safeguarding against hallucinations</h2> <p>In a flesh and blood environment, the risk of AI hallucinations must be zero. Proximie manages this through a human-in-the-loop governance model. The AI provides recommendations, such as a “win of the day” or highlighting the greatest opportunity for efficiency, but it is never allowed to be executive.</p> <p>Crucially, the system requires the AI to state its reasoning. It cannot just give a recommendation, but must show the specific data points used to reach that conclusion. This traceability allows theatre managers and clinicians – whom Carter notes are not shy about challenging colleagues – to maintain final control over the workflow.</p> </section> <section class="section main-article-chapter" data-menu-title="The future of surgical logistics"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The future of surgical logistics</h2> <p>As Proximie scales, the roadmap is focused on making AI even more of a background utility. By solving the core infrastructure and logistics questions that even the most skilled humans struggle with, the company aims to move closer to its mission of providing safe surgery for the five billion people currently without it.</p> <p>The transition from a telepresence tool to an intelligence-first operating system is, in Carter’s view, the only way to meet the infinite demands of global healthcare. By leveraging the scale of the cloud and the privacy of the edge, the OR is finally moving beyond the limitations of human recall and into an era of objective, data-driven efficiency.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about use of AI</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366642040/Digital-twin-of-athletes-heart-to-demonstrate-future-of-healthcare">Digital twin of athlete’s heart to demonstrate future of healthcare</a>. IT services firm opens a window to the future of healthcare and physical training as tech advancements converge.</li> <li><a href="https://www.computerweekly.com/news/366633420/NHS-could-save-millions-of-hours-a-year-using-AI-pilot-shows">NHS could save millions of hours a year using AI, pilot shows</a>. A Microsoft Copilot AI trial in 90 NHS organisations found that a national roll-out could save up to 400,000 hours per month.</li> </ul> </div> </div> </section> AWS customer Proximie delivers AI-driven operating theatre logistics and tele-surgery. We spoke to its engineering vice-president about the challenges of cloud in a life or death environment https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/healthcare-doctor-tablet-1-adobe.jpeg https://www.computerweekly.com/feature/Beyond-telesurgery-How-Proximie-uses-AI-to-optimise-surgery-logistics Wed, 06 May 2026 08:36:00 GMT Beyond telesurgery: How Proximie uses AI to optimise surgery logistics <p>For years, rip and replace has dominated conversations about the mainframe. A smarter, more pragmatic reality is now taking hold. </p> <p><a href="https://www.computerweekly.com/resources/Data-centre-hardware">Mainframe systems</a> can process millions of transactions in seconds, making them indispensable for core business functions – from database management to ERP and CRM – that demand absolute consistency and speed. Far from being obsolete, they are the quietly powerful bedrock of modern commerce, handling 90% of all credit card transactions and serving over 70% of global enterprises, according to Gartner.</p> <p>But as digital demands grow, businesses need their mainframes to keep up. Modernisation helps them move with more agility, support developers better, plug into cloud technologies and manage costs more smartly, which are all essential to stay competitive.</p> <p>This forces a new, more urgent question for today's IT leaders. As every penny of investment is scrutinised, the focus has shifted from debating the mainframe's future to a more practical challenge. Namely, how do we modernise this critical infrastructure and clearly demonstrate its value in a hybrid world?</p> <p><strong>Practical modernisation without the Big Bang</strong></p> <p>In conversations I have with IT leaders it's clear the idea of a risky 'big bang' migration is losing its appeal and for good technical reasons. </p> <p>More than <a href="https://www.forbes.com/sites/heatherwishartsmith/2024/11/12/mainframes-the-backbone-of-the-worldwide-economy/">70% of Fortune 500 companies</a> still rely on mainframes – according to Forbes – often built on decades of interwoven COBOL and RPG code and custom business logic. In this environment, where a single change can trigger a domino effect across critical programmes, attempting a wholesale lift-and-shift presents too many risks to be considered a viable strategy.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about mainframes</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366642233/Agentic-AI-speeds-up-mainframe-modernisation-but-human-experts-remain-key">Agentic AI speeds up mainframe modernisation, but human experts remain key</a>. Agentic AI tools are helping organisations overcome Cobol skills shortages and untangle legacy infrastructure, but successful modernisation still requires an expert in the loop to manage complexity.</li> <li><a href="https://www.computerweekly.com/opinion/How-mainframe-modernisation-is-powering-government-digital-transformation">How mainframe modernisation is powering government digital transformation</a>. Mainframes are no longer seen as a constraint on public sector digital transformation, with government agencies abandoning rip-and-replace strategies in favour of modernising mainframe systems with hybrid cloud and AI.</li> </ul> </div> </div> <p>Instead, a more practical, incremental modernisation is proving effective. The key is to connect mainframes with cloud environments to create a hybrid ecosystem that leverages the best of both worlds. A key technical pattern is to API-enable core mainframe applications, to allow them to participate seamlessly in this broader architecture. This allows teams to build new, cloud-native front ends that leverage the unmatched security and reliability of mainframe transaction processing on the back-end.</p> <p>There’s no denying this approach demands substantial investment, time and meticulous planning. But this approach to modernising without dismantling allows teams to innovate securely, reduce technical debt and ensure every change is targeted and aligned with clear organisational objectives. It’s an approach that allows teams to innovate without introducing unnecessary risk, systematically reduce technical debt and ensure that every single investment in modernisation is directly aligned with clear, measurable business objectives.</p> <p><strong>How AI is changing the performance conversation</strong></p> <p>AI is accelerating this modernisation shift by directly addressing the longstanding challenge of data gravity, and recognises that the smartest approach is to bring analysis to the data instead of forcing the data to move.</p> <p>Rather than undertaking the costly, complex and high-risk process of moving massive volumes of sensitive information to a separate platform, AI models can now run directly on the mainframe. </p> <p>This provides, for the first time, clear business insights from raw performance data, right at the source. A retail bank, for example, can analyse live transaction data to understand why a customer might abandon a purchase, all without that information ever leaving the secure mainframe environment.</p> <p>Building on this, generative <a href="https://www.computerweekly.com/news/366642233/Agentic-AI-speeds-up-mainframe-modernisation-but-human-experts-remain-key">AI is accelerating the modernisation process</a> itself, offering powerful new ways to analyse legacy systems and streamline transformations. </p> <p>This technological shift completely reframes the investment conversation. Leaders can now justify mainframe spending not as a defensive capital expenditure to maintain the status quo, but as a growth-focused operational expenditure that directly underpins business success and a better customer experience.</p> <p><strong>Total cost of ownership as a strategic tool</strong></p> <p>And this is exactly where Total Cost of Ownership (TCO) becomes key. As AI reshapes how organisations extract value from the mainframe, IT leaders need a way to quantify that value clearly and credibly across the business.  </p> <p>Modern TCO can’t stop at a basic comparison of hardware costs. In the AI era, the conversation needs to mature from TCO to Total Business Value. This means calculating the ROI of the platform by factoring in the strengths that drive real impact: built-in security that reduces breach risk, resilience that prevents costly outages, and the transactional performance that underpins core business operations.</p> <p>The 2025 BMC Mainframe Survey confirms the mainframe is here for the long haul,<a href="https://www.bmc.com/documents/e-book/modern-platform-positioned-for-age-of-ai.html"> with a 97% long-term commitment rate</a>. This reality brings a new question to the forefront, namely how do you manage it intelligently? The answer lies in a value-based TCO, which provides the framework to make the crucial "modernise vs migrate" decision for every application.</p> <p>For one financial services giant, <a href="https://www.apptio.com/case-study/financial-services-company-optimizes-its-portfolio-with-full-tco-for-4500-applications/">this meant standardising how TCO was calculated across more than 4,500 applications</a>. By creating a unified data model that captured this broader view of value, they gained the clarity needed for an honest, apples-to-apples comparison. This is what makes modern TCO a strategic aid in business as it provides one source of truth needed to turn a complex choice into a clear business decision.</p> <p><strong>Future proofing</strong></p> <p>By tapping into AI for sharper insights, looking at TCO through a value‑driven lens, and taking a hybrid path to modernisation, leaders can get far more out of their most important systems and stay central to today’s digital business landscape.</p> <p>But this is just the beginning. The future of the mainframe lies in its ability to evolve, and AI is the key accelerator. As we look ahead to an era defined by AI and even quantum computing, the platform's unique strengths mean more applications, not less, will be best-fit for the mainframe, delivering unmatched value for the years to come.</p> <p></p> Mainframes are very much still vital for performance- and security-conscious use cases. To optimise TCO, AI and hybrid cloud can help them retain their advantages https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/mainframe-servers-storage-datacentre-6-kwarkot-adobe.jpg https://www.computerweekly.com/opinion/AI-to-help-mainframes-remain-business-critical-in-2026 Wed, 06 May 2026 06:32:00 GMT AI to help mainframes remain business critical in 2026 <p>Hyperscaler cloud is incompatible with <a href="https://www.techtarget.com/whatis/definition/data-sovereignty">data sovereignty</a>. That’s because, as US companies, the hyperscalers are potentially subject to US court orders that can compel them to exfiltrate overseas citizen data.</p> <p>The paradoxical situation for <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">hyperscaler clouds</a> is that they are inherently global and connected because that’s how they gain their economies of scale. </p> <p>Those conclusions result from a <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">Computer Weekly investigation into data sovereignty</a> that asked the hyperscalers a set of questions aimed at discovering their ability – in technical terms – to withstand US court orders that compel eavesdropping on foreign citizens.</p> <p>We asked Amazon Web Services (AWS), Google Cloud, Microsoft, IBM and Oracle the following:</p> <ul class="default-list"> <li>How they would technically prevent a US court order that compelled them to access customer data.</li> <li>How they perform data-in-use functions on in-the-clear data if they say they don’t possess the keys to do so.</li> <li>Whether US-authored updates that contain US court-ordered “technical assistance” updates could bypass data controls and air gaps.</li> <li>Whether they could demonstrate they have a distinct UK region capable of operating all core services in total isolation from global infrastructure.</li> <li>Whether standard terms of service allow them to move customer data and metadata to other geographies.</li> </ul> <p>The context of the investigation is the heightened sense of risk in terms of <a href="https://www.computerweekly.com/feature/Go-big-or-go-home-Should-UK-IT-buyers-favour-US-clouds-or-homegrown-providers">data sovereignty in the current geopolitical situation</a>. In particular, it is focused on the powers of US courts to order US-headquartered companies to provide data held on their systems, wherever those systems are.</p> <p>Instruments for achieving this include the <a href="https://www.techtarget.com/searchsecurity/news/252437526/CLOUD-Act-stirs-tension-between-privacy-advocates-and-big-tech">US Cloud Act</a>, which compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if that data is held overseas. US courts can also enact non-disclosure orders that prohibit a company from telling the data subject that their information has been requested or handed over.</p> <p>In addition, the <a href="https://www.computerweekly.com/news/252433611/New-controversies-upset-plans-for-US-Foreign-Intelligence-Surveillance-Act">Foreign Intelligence Surveillance Act (FISA)</a> Section 702 – due for renewal soon – can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for foreign citizens targeted therewith.</p> <p>Hyperscaler responses to our questions seemed largely to avoid core issues. When we asked about cloud services in general, they responded as though we’d asked about air-gapped and on-premise offers. When we asked about the potential use of backdoor access via updates ordered by US courts, they talked about the use of local staff (or air-gapping again). And when we asked about the possibility of harvesting data, they pointed to encryption and customer-held keys, but did not address that, for the most part, data is processed unencrypted. </p> <p>There are several difficulties with these responses, which you can <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">read for yourself here</a>.</p> <p>One of these difficulties is that, ultimately, a US court can compel “technical assistance” to gain foreign citizen data held in its systems, and that can occur via a compiled software update that would be unreadable by humans and would not contain obvious clues about its function.</p> <p>Another is that even in the rare cases where expensive and resource-intensive data-in-use encryption is used, it is still possible to scrape data from memory.</p> <p>A further difficulty is that in standard terms of service, hyperscalers routinely transit data to other geographies as part of <a href="https://www.computerweekly.com/news/366589152/Microsoft-admits-no-guarantee-of-sovereignty-for-UK-policing-data">follow-the-sun support</a>.</p> <p>The reality is that to achieve anything approaching data sovereignty, customers must opt out of standard cloud terms of service, or use air-gapped services, though none of these is technically 100% proofed against intrusion. </p> <p>All this is a key issue for the UK, given that in the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending. </p> <p>In the 2023-2024 financial year, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, according to <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">data from analyst firm Tussell</a>.</p> <p>Notable examples include <a href="https://www.computerweekly.com/news/366630792/Ministry-of-Defence-signs-400m-sovereign-cloud-deal-with-Google">Google’s £400m contract signed last year to supply the Ministry of Defence with “sovereign cloud” capability</a> based on its Google Distributed Cloud air-gapped offer. But that’s just one example. </p> <p>The UK public sector is densely connected to US hyperscaler infrastructure, and the UK’s Department for Science, Innovation and Technology (DSIT) <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">lacks a definition of data sovereignty</a>.  </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold – responses to data sovereignty risk</a>: We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>: We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector. </li> </ul> </div> </div> We asked the hyperscalers how they would respond to US court-ordered eavesdropping on foreign citizen data – and got responses that highlight a paradoxical situation https://cdn.ttgtmedia.com/visuals/searchITChannel/systems_channel/itchannel_article_020.jpg https://www.computerweekly.com/news/366642487/Cloud-and-data-sovereignty-caught-in-a-paradox Wed, 06 May 2026 06:19:00 GMT Cloud and data sovereignty caught in a paradox <p>In the UK, giant cloud providers – Amazon Web Services (AWS), Google Cloud and Microsoft – run the systems we depend on for vital functionality in the public and private sectors. </p> <p>In the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending. </p> <p>In the financial year 2023/2024, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, including government departments, councils, police forces and NHS organisations, <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">according to data that comes from analyst Tussell</a>.</p> <p>This begs the question, if the UK’s key national infrastructure is run by foreign-owned companies, is the data of UK citizens secure should a court in the US compel a hyperscaler to provide it? Here lies <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">the nub of data sovereignty</a>. </p> <p>In this article, we provide a definition of data sovereignty, the ways it may be undermined from overseas – particularly by the US Cloud Act and FISA Section 702 – drill down into the detail of differing states of encryption and what they mean for security and sovereignty, and look at the inherently cross-border nature of cloud services and its impact on data sovereignty. </p> <p>Core to the article are questions we asked the hyperscalers that aimed to get at exactly how their services could be described as providing data sovereignty. </p> <p>These included how they could technically prevent US court-compelled snooping, the protection afforded by encryption, especially during processing, and how <a href="https://www.computerweekly.com/news/366632561/Court-dismisses-Apples-appeal-against-Home-Office-backdoor">court-compelled backdoors</a> might be injected into infrastructure updates. We also asked to what extent it is possible to offer a sovereign UK cloud region and whether standard cloud terms conflict with <a href="https://www.computerweekly.com/opinion/Data-is-a-sovereignty-issue-And-broader-than-just-the-hyperscalers">data sovereignty</a>.</p> <p>The results illustrate the paradox that lies at the heart of cloud services and data sovereignty.</p> <section class="section main-article-chapter" data-menu-title="Defining data sovereignty"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Defining data sovereignty</h2> <p>We live in a land where the government can’t define data sovereignty. <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">We asked</a> the UK Department for Science, Innovation and Technology (DSIT) in February about its progress towards a <a href="https://www.techtarget.com/whatis/definition/data-sovereignty">definition of data sovereignty</a>, but it couldn’t give one or say when it would have one. </p> <p>But we can work out a definition.</p> <p>The idea of sovereignty as applied to states means the solely held power to govern or control a country.</p> <p>For example, if country A invades country B and establishes control over a swathe of land, where country B’s armed forces, police, and so on, no longer have any authority, then it can be said that country B no longer has sovereignty in the portion of its territory so affected. </p> <p>We can form a definition of data sovereignty based on the same principle. </p> <p>So, if a company headquartered in country A provides technology services in country B, and can effect access to data of citizens of that country, then country B cannot say the data of its citizens is sovereign.</p> <p>Country B may have laws that protect the data of its citizens. But if the country in which the tech company is headquartered has the ability to compel it to provide data held in its systems in another country, then those two sets of laws conflict. Or more to the point, the laws of country B are undermined, and are not sovereign. </p> <p>It’s a parallel to where a country has laws that govern its citizens, but the presence of foreign armed forces and the rules they impose nullify its writ. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold – responses to data sovereignty risk</a>: We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>: We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector. </li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="The Cloud Act and FISA Section 702"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The Cloud Act and FISA Section 702</h2> <p>A good example of a law that compels companies headquartered within its jurisdiction to hand over data they possess is the <a href="https://www.techtarget.com/searchsecurity/news/252437526/CLOUD-Act-stirs-tension-between-privacy-advocates-and-big-tech">US Cloud Act</a>, passed into law during US President Donald Trump’s first term.</p> <p>Cloud here stands for Clarifying Lawful Overseas Use of Data. It was enacted in 2018 after Microsoft refused to hand over customer data held in a datacentre in Ireland, and it was determined that the US Department of Justice could not use domestic warrants to seize data held overseas. </p> <p>The Cloud Act compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if overseas. </p> <p>At the same time, a US court can issue a non-disclosure order alongside any order under the Cloud Act. That’s basically a gag order that prohibits a company from telling the data subject that their information has been requested or handed over.</p> <p>There are ways a company subject to a Cloud Act order can challenge the court. These include a challenge on grounds of “comity”, in which the user in question is not a US person and that disclosure would violate the laws of a “qualifying foreign country”, namely one that has a bilateral agreement with the US, like the UK or Australia.</p> <p>Also, the Cloud Act is considered to be “encryption neutral”, so companies can be compelled to hand over what they have, but it does not compel them to break their own encryption if they do not already have the keys.</p> <p>Having said all that, US government agencies have other laws in their toolbox. </p> <p>Namely, the <a href="https://www.computerweekly.com/news/252433611/New-controversies-upset-plans-for-US-Foreign-Intelligence-Surveillance-Act">Foreign Intelligence Surveillance Act (FISA)</a> Section 702, which is up for an imminent vote to re-authorise it. Using this, the US government can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for foreign citizens who are targeted by provisions under the act.</p> <p>The European Court of Justice (ECJ) has twice struck down data-sharing agreements between the US and EU (<a href="https://www.computerweekly.com/feature/Max-Schrems-The-man-who-broke-Safe-Harbour">Schrems I</a> and <a href="https://www.computerweekly.com/opinion/How-Schrems-II-will-impact-data-sharing-between-the-UK-and-the-US">Schrems II</a>) because FISA Section 702 does not provide equivalent protection to EU citizens.</p> <p>Such “technical assistance” could take the form of compiled code in a software update that enabled the exfiltration of data. </p> </section> <section class="section main-article-chapter" data-menu-title="Does encryption protect citizen data?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Does encryption protect citizen data?</h2> <p>When we get to the responses of the hyperscalers to questions about data sovereignty, we will see an appeal to the fact that data in their systems is encrypted and that only customers hold the keys.</p> <p>We have also seen that the US Cloud Act does not compel a court-ordered company to hand over encryption keys, although FISA 702 can compel “technical assistance” to gain access to data.</p> <p>Here, it is important to drill down into encryption. </p> <p>Firstly, to say that for most data for most of the time, encryption is as good a protection as you can get. Current encryption standards dictate algorithms that are practically impenetrable.</p> <p>So, if you apply, for example, <a href="https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard">AES-256</a> to data-at-rest or data-in-transit, it cannot be read.</p> <p>The fly in the ointment comes when data is being processed. It’s also a problem for companies that argue that the data they hold is secure because it is encrypted.</p> <p>The problem is that – generally speaking – data-in-use must be unencrypted to be processed. And so, in theory, a foreign law enforcement agency that wanted to access data in a cloud system overseas could order data to be collected during processing.</p> <p>Memory scraping, in which malware scans active memory to steal unencrypted data, is possible, for example.</p> <p>It’s true that most data-in-use is unencrypted, although cloud providers do offer so-called confidential computing of some sort.</p> <p>For example, a <a href="https://www.techtarget.com/searchitoperations/definition/trusted-execution-environment-TEE">trusted execution environment (TEE)</a> in so-called confidential computing creates a hardware-encrypted “black box” inside the central processing unit (CPU), which means an unauthorised intruder cannot see inside it while data is being processed.</p> <p>TEEs are breakable, however. It is possible to “listen” to the CPU and measure power consumption or tiny timing fluctuations to guess the data being processed.</p> <p><a href="https://www.techtarget.com/searchsecurity/definition/homomorphic-encryption">Fully homomorphic encryption (FHE)</a> is the Holy Grail, however, because it allows for computation without decrypting data. But that also means it is computationally expensive and isn’t commonplace.</p> </section> <section class="section main-article-chapter" data-menu-title="Air gaps, updates and follow-the-sun"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Air gaps, updates and follow-the-sun</h2> <p>Hyperscaler clouds are an international web of regions and availability zones. They comprise a global operating system, almost entirely managed by artificial intelligence (AI) and orchestrated automation.</p> <p>Cloud networks are made up of regions and availability zones (AZs). Regions are geographically separate – and thus upon them rests the claim of sovereignty by the cloud providers – while AZs are datacentres within a region. AZs within a region are connected by high-bandwidth connections, whereas regions are all interconnected but not by the same low-latency connections.</p> <p>Clouds run on software-defined everything, with every component represented as code, where faults can be monitored and workloads shifted to a different location should issues be detected, and with rolling updates on a non-disruptive zone-by-zone basis.</p> <p>Follow-the-sun in support terms is when support teams hand off responsibility to teams elsewhere in the world to benefit from more convenient (ie, less costly) working hours than the region in question. </p> <p>Follow-the-sun in workload terms means the movement of workloads across the globe to take advantage of lower energy costs or cooler ambient temperatures.</p> <p>In both cases, there is potentially a risk to sovereignty, by dint of where data resides at any given time and the jurisdiction under which support staff may operate, although customers can specify that data permanently resides in a given region. </p> <p>If you sign a standard business or enterprise support contract with a hyperscaler, you are opting in to follow-the-sun by default. A standard agreement usually means you agree to terms that allow the provider to support your account from any global location to meet 24/7 uptime guarantees. </p> <p>It also allows them to route technical metadata (logs, access records, telemetry) to global hubs to maintain the cloud and to allow global administrators access for emergency maintenance, regardless of where those administrators are.</p> <p>The fact that it is metadata that moves potentially allows a provider to say, “We don’t move your data”, but the metadata may be enough for a FISA Section 702 investigation, for example. </p> <p>You can’t just uncheck a box in the settings to opt out of follow-the-sun. Instead, you have to move to a <a href="https://www.computerweekly.com/feature/Sovereign-cloud-and-AI-services-tipped-for-take-off-in-2026">sovereign cloud</a> or regulated industry contract – the AWS European Sovereign Cloud or Microsoft Sovereign Cloud, for example. These guarantee that support and operations are handled only in a specific region.</p> <p>There are also “sovereign cloud” solutions, in which the “cloud” is disconnected from the wide area network (WAN).</p> <p>Obviously, if a customer is on a standard contract, support has full oversight of maintenance and updates, and quite likely from anywhere in the world. You’d think that a local sovereign cloud would remove that scenario, but the cloud provider’s infrastructure must still be maintained, and it is via patching that that occurs. Here is where unwanted snooping could be introduced. </p> <p>Even if the UK staff are the only ones physically in the datacentre, the private keys used to sign “official” software updates likely reside in a hardware security module (HSM) in the US or its facility elsewhere.</p> <p>So, if a US court compels the company to sign an update that contains legally sanctioned spyware, UK “sovereign” staff have no technical way to verify that the code doesn’t contain a backdoor. </p> </section> <section class="section main-article-chapter" data-menu-title="Questions to the hyperscalers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Questions to the hyperscalers</h2> <p>We asked <a href="#AWS">AWS</a>, <a href="#Google">Google Cloud</a> and <a href="#Microsoft">Microsoft</a> five questions around data sovereignty. We also asked <a href="#IBM">IBM</a> and Oracle, because they are both fair-sized US-based suppliers to the UK public sector. </p> <p>The intention was to gauge the levels of exposure their customers could face with regard to data sovereignty.</p> <p>All responded except Oracle, whose PR representatives failed to reply to three emails. </p> <p>The questions were preceded by a preamble that drew attention to the US Cloud Act, non-disclosure orders and FISA Section 702, and the powers therein to compel a provider to grant access, forbid notifications to customers of a court order, compel “technical assistance”, and the possibility of updates authored in the US as a means to effect access to customer data. </p> <p>The questions asked about:</p> <ul class="default-list"> <li>The technical barriers, if any, in the provider’s cloud services that prevent a court order from forcing the use of encryption keys to decrypt customer data.</li> <li>The technical means by which data-in-use functions are carried out without cloud provider access to encryption keys.</li> <li>Whether the cloud provider can guarantee a US-authored software update that contains “technical assistance” aimed at gaining access to data cannot bypass air-gapped systems.</li> <li>Whether the cloud provider has a wholly distinct UK region with exclusively UK-resident support and engineering, including third-party contractors. </li> <li>Whether standard terms of cloud service allow for customer data to be moved offshore, or whether a customer can have 100% UK data residency without a bespoke contract.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Hyperscalers dodge the questions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Hyperscalers dodge the questions</h2> <p>Here we summarise their responses. Full responses are available to view in the <a href="#QandAs">box at the end of this article</a>.</p> <p>Hyperscaler responses to our questions fall under the following categories.</p> <p><strong>“Don’t look there! Look at the air gap!”</strong> The subject of the questions was cloud services in general, but responses often shifted attention to specifically air-gapped offerings.</p> <p><a href="#Google">Google</a> opted to talk about its niche, air-gapped Google Distributed Cloud in response to nearly every question. Perhaps a tacit admission that standard cloud terms of service come nowhere near providing data sovereignty. </p> <p>Google wasn’t alone here, though; just the most dependent on the tactic. AWS also pointed to its AWS Dedicated Local Zones and Outposts managed on-premise offers when asked about cloud services.  </p> <p><strong>“Look! Local people!” </strong>A number of responses tried to distract from the inherent technical vulnerabilities that come with the global, linked nature of hyperscaler cloud. They instead drew attention to the residency or nationality of human operators rather than the reality that automated, US-signed code updates can bypass human gatekeepers entirely.</p> <p>It is virtually impossible for a locally resident operator to scan a multi-gigabyte compiled binary for a state-level backdoor. A backdoor in a modern cloud stack wouldn’t be a line of code that said, “<em>if (user == 'FBI') return data</em>”. It would be a subtle mathematical weakness in an encryption library or a port knocking sequence hidden in a network driver. </p> <p>Local operators can, at best, scan for known viruses, not state-level “technical assistance”.</p> <p><strong>Encryption? Of course. For data-in-use? Errr. </strong>All hyperscalers highlighted the use of encryption in customer data and customer key retention to imply total security. </p> <p>That works for “at-rest” and “in-transit” scenarios. But it glosses over data-in-use scenarios where data must, in most cases, be decrypted in memory. </p> <p>If a US-compelled “technical assistance” order under FISA Section 702 forces a US company to push a firmware update to its own HSMs or Nitro controllers, that update is signed by the US parent. Hardware isolation is only as sovereign as the person who holds the cryptographic signing key for the firmware.</p> <p>Also, in a software-as-a-service (SaaS) environment like M365, Microsoft provides the application and is the administrator. Here, customer-managed keys often break “search” and “discovery” features in SaaS. So, if a customer wants to search their emails in M365, the data must be decrypted by Microsoft’s service. </p> <p><strong>Is it sovereign? Of course; it’s in the EU. </strong>In some cases, hyperscalers responded by pointing to European sovereign solutions. <a href="#AWS">AWS</a>, for example, points to its <a href="https://www.computerweekly.com/news/366557158/AWS-to-open-European-sovereign-cloud-region">European Sovereign Cloud service</a>, which doesn’t locate data in the UK and is not technically sovereign anyway, given the EU is not a sovereign state. </p> <p>Meanwhile, if AWS Seattle has “control” over the AWS Germany subsidiary, which it does, financially and technically, a US court doesn’t care about the EU’s “Sovereign Cloud” label.</p> <p><strong>“Trust Me, Bro,” as a legal pledge.</strong> <a href="#Microsoft">Microsoft</a> majored on this one in its responses. It switches out technical proof of impossibility for corporate pledges to “challenge every government request” in court. This asks the customer to trust a legal process rather than a technical lock. </p> <p>Spoiler alert: There are zero known instances where a hyperscaler has successfully and permanently defied a final, non-appealable US court order to protect a non-US citizen’s data stored abroad.</p> <p>To sum all this up, the hyperscalers are essentially saying that standard cloud is not sovereign. To achieve a level of protection that would allow them to answer these questions with any level of integrity, a customer must move to isolated, air-gapped, or hardware-encrypted tiers that are significantly more expensive, regionally limited and functionally constrained. And would that be cloud?</p> </section> <section class="section main-article-chapter" data-menu-title="The paradox of data sovereignty in the cloud"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The paradox of data sovereignty in the cloud</h2> <p>At the end of the day, hyperscaler cloud is caught in a paradox when it comes to data sovereignty. If a cloud were truly sovereign – disconnected, local-only, human-managed – it would lose the cloud economics that make it attractive due to its global scale, automation and the accompanying economies. And so, “sovereign cloud” is really often a marketing term that means standard cloud with extra paperwork.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading"><a id="QandAs"></a>The questions we asked and hyperscaler responses</h3> <p>We wanted to get to the bottom of just how sovereign hyperscaler cloud services are. The main article discusses the key issues and summarises the responses of hyperscalers to the questions put to them by Computer Weekly.</p> <p>Here we reproduce the questions in full, along with hyperscaler responses.</p> <p>We asked for “specific, technical” answers to questions, and hyperscalers were told general marketing statements or high-level policy positions would not be printed (though that’s what some responses amount to and are printed here).</p> <p>The goal of the questions was stated as: “To provide readers with a clear view of which sovereignty claims are backed by verifiable technical mechanisms and which remain matters of corporate policy.”</p> <p>The following context was also given, namely that under 18 USC 2705(b), federal courts can issue non-disclosure orders alongside US Cloud Act data warrants that legally forbid providers from notifying customers of a breach. </p> <p>Also, that when combined with the “technical assistance” provisions of FISA Section 702, the US government can compel a provider to facilitate access to data. </p> <p>Finally, a key assumption stated in the preamble to questions was that because cloud stacks rely on a global supply chain where code is authored and signed at a US headquarters, the “update” is a potential invisible vector for state-level intervention that is difficult to obstruct.</p> <h2>What we asked the hyperscalers</h2> <p><strong>Question 1:</strong> If your cloud services require access to data “in the clear” to perform processing tasks (such as indexing, AI inferencing, or analytics), how do you technically prevent a US-compelled warrant from forcing you to use the required cryptographic keys to decrypt and surreptitiously provide that data to law enforcement?</p> <p><strong>Question 2:</strong> If you claim to never have access to encrypted customer data, how do you technically perform “data-in-use” functions without possessing the keys to decrypt that data within your processing environment?</p> <p><strong>Question 3:</strong> If your sovereign cloud relies on a software supply chain authored and signed by a US-headquartered parent company, how can you technically guarantee that a US-compelled “technical assistance” update – issued under a mandatory gag order – could not silently bypass local air gaps and data controls?</p> <p><strong>Question 4:</strong> Can you provide evidence of a wholly distinct UK region capable of operating all core services in total isolation from your global infrastructure, managed exclusively by a 100% UK-resident support and engineering framework – including all third-party subcontractors?</p> <p><strong>Question 5:</strong> Do your standard terms of service grant you the discretion to move or “offshore” customer data and metadata for residency, resiliency, or global support purposes, and if so, how can a UK customer maintain 100% residency without a bespoke contract that breaks your global automation model?</p> <h2><a id="AWS"></a>The responses: AWS</h2> <p><strong>Computer Weekly commentary</strong></p> <p>Where the questions ask for “specific, technical” responses, AWS answers vaguely, such as when it refers to “a range of technical measures and operational controls” in questions 1 and 2. </p> <p>Also, when what has been asked is specifically technical, what appears as a sleight of hand is to refer to operator and staff access to data. In the context of a massive, automated technical environment, whether an individual has access to masses of compiled code in updates is irrelevant. </p> <p>We see that type of response in questions 1, 2 and 3. The effect here is to draw attention away from a potential scenario in which a US court forced AWS to provide “technical assistance” in an update script that would easily cross borders and bypass human gatekeeping. The idea that some update code is written in European countries is another irrelevance thrown in. </p> <p>When asked in question 4 about a discrete UK region isolated from the rest of AWS’s global infrastructure, the response refers to AWS-managed on-premise infrastructure. Such an offer might provide in-country capacity – although we don’t know whether updates come from elsewhere – but it isn’t really the cloud. </p> <p>When asked whether “standard Terms of Service grant you the discretion to move or ‘offshore’ customer data and metadata”, AWS points to its European Sovereign Cloud service, which doesn’t apply to the UK and is arguably not sovereign, given the EU is not a sovereign state.</p> <p><strong>AWS response to question 1: </strong></p> <p><em>AWS customers have a range of technical measures and operational controls to prevent access to data, and AWS has designed products and services that make sure that no one – not even AWS operators – has any technical means to access customer content.</em></p> <p><em>The Cloud Act does not create any new authority for law enforcement to compel service providers to decrypt communications.</em></p> <p><strong>AWS response to question 2: </strong></p> <p><em>AWS customers have a range of technical measures and operational controls to prevent access to data, and AWS has designed products and services that make sure that no one – not even AWS operators – has any technical means to access customer content.</em></p> <p><strong>AWS response to question 3: </strong></p> <p><em>Only AWS European Sovereign Cloud employees located in the EU and subject to EU law have deployment authority over software updates. Authorised EU-resident employees of the AWS European Sovereign Cloud also have independent access to a replica of the source code needed to maintain the AWS European Sovereign Cloud services.</em></p> <p><em>“The premise of this question is also misleading. Amazon is a global company that operates worldwide supply chains reliant on suppliers and teams from every part of the world. Some of our largest AWS development teams are located in Europe – with key centers in Dublin, Dresden, and Berlin – contributing to core AWS solutions including the AWS Nitro System that powers all modern EC2 instances, Amazon Linux, and Amazon CloudWatch.</em></p> <p><strong>AWS response to question 4:</strong></p> <p><em>AWS offers several products that help customers address UK-specific sovereignty requirements. AWS Dedicated Local Zones can be deployed in a chosen UK location with local AWS employee operations and security features for data isolation and compliance. AWS Outposts deploy in customer UK facilities with hardware-enforced isolation ensuring no AWS operator access to customer data. </em></p> <p><strong>AWS response to question</strong> <strong>5:</strong></p> <p><em>With AWS, customers own their data, control where it’s stored, and decide who can access it. AWS is transparent about how services process customer data, and customers can use tools like AWS Control Tower for management. The AWS European Sovereign Cloud allows customers to keep all metadata they create entirely in the EU, including sovereign Identity and Access Management (IAM), billing, and usage metering systems. </em></p> <h2><a id="Google"></a>The responses: Google Cloud</h2> <p><strong>Computer Weekly commentary</strong></p> <p>The questions were about hyperscaler cloud services. Google provided more information than the other providers, but responded to nearly all the questions as if it had been asked about one very specific and not particularly common offering, namely Google Distributed Cloud (GDC) air-gapped. </p> <p>GDC air-gapped is an on-premise solution, where – Google claims – any updates must be physically transported across the air gap and can be scanned by a trusted operator. Likewise, it says it literally could not comply with a US court order to spy on a customer or hand over data because it has no reach into their systems. That’s likely true for GDC air-gapped, but it’s not what it was asked about.</p> <p>But, Google – rather helpfully – provides information about its mainstream cloud offer that allows us to get a good idea about standard cloud services terms and conditions that the other hyperscalers don’t elaborate upon.</p> <p>For example, it says: “In a standard cloud, Google pushes updated code silently, and often multiple times in a day.” </p> <p>Similarly, it says: “Standard Terms of Service (ToS) that govern the public cloud . . . often include clauses for global load balancing, ‘follow-the-sun’ support, and data movement for resiliency.”</p> <p>And: “The standard ‘global support’ model relies on an engineer in any region being able to ‘see’ your project to troubleshoot.”</p> <p><strong>Google response to question 1:</strong></p> <p><em>In the context of Google Distributed Cloud (GDC) air-gapped, the solution to the compelled disclosure dilemma isn't just a policy promise – it is a fundamental architectural constraint. Because the air-gapped version of GDC is physically and logically isolated from the public internet and Google’s corporate network, the technical barriers to a US-compelled warrant are built into the "sovereignty by design" model.</em></p> <p><em>1. Physical and Network Isolation</em></p> <p><em>No Remote Access: GDC air-gapped does not have a backhaul connection to Google’s global infrastructure. There is no persistent management plane or "phone home" feature that Google can toggle to extract data.</em></p> <p><em>Hardware Ownership: The hardware resides in the customer's chosen location (or a partner's sovereign data center). Google employees generally do not have unescorted physical access to the site.</em></p> <p><em>2. Customer-Managed Encryption Keys (CMEK)</em></p> <p><em>While processing data “in the clear” requires keys, the ownership of those keys is the technical pivot point:</em></p> <p><em>Hardware Security Modules (HSM): In a GDC air-gapped environment, the keys are stored in local HSMs physically located within the air-gapped boundary.</em></p> <p><em>Root of Trust: The customer (or a designated sovereign partner) holds the root of trust. Google does not possess a master key or a remote mechanism to bypass the local HSM to decrypt data for indexing or AI tasks.</em></p> <p><em>3. Tactical Operational Sovereignty</em></p> <p><em>To prevent surreptitious access, GDC air-gapped utilizes a Sovereign Operations model:</em></p> <p><em>No Google Personnel Required: The day-to-day operations, including patching and AI model deployment, can be handled by the customer or a local, cleared third party.</em></p> <p><em>Auditability: Every action taken within the environment is logged locally. Since Google cannot access these logs remotely, they cannot hide a data extraction process from the customer’s own security operations center (SOC).</em></p> <p><em>From a legal standpoint, if Google is served a warrant for data residing in a GDC air-gapped instance, the technical response is “Inability to Comply.” Because Google does not have the network path to reach the data, the physical access to the servers, or the cryptographic keys to decrypt the disks, they cannot “surreptitiously” provide the data. Any attempt to gain that data would require a physical raid on the customer’s own facility – which falls under the customer's local laws and security protocols, not Google’s.</em></p> <p><strong>Google response to question 2:</strong></p> <p><em>In the context of Google Distributed Cloud (GDC) air-gapped, the claim of no access isn’t saying the data is never decrypted; it is saying that Google (the entity/personnel) never has access to the keys or the environment where decryption occurs. The distinction lies in the transition from Data-at-Rest to Data-in-Use within a boundary that Google cannot enter. Here is how that is technically achieved:</em></p> <p><em>1. Sovereign Boundary Logic</em></p> <p><em>In a standard public cloud, the provider manages the hypervisor and the orchestration layer. In GDC air-gapped, the entire stack, from the silicon to the AI workbench, is moved inside the customer’s perimeter.</em></p> <p><em>Local Decryption: When an AI model needs to “see” data in the clear to perform inferencing, the decryption happens on-premises using keys pulled from a local HSM </em></p> <p><em>Isolation of the Execution Environment: The decryption occurs within the customer’s air-gapped hardware. Because there is no network path back to Google, the “clear text” data exists only in the local RAM of the air-gapped servers.</em></p> <p><em>2. Customer-Controlled Key Access</em></p> <p><em>The software performing the processing must request the key from the local Key Management Service (KMS).</em></p> <p><em>Access Control Policies: The customer defines the Identity and Access Management (IAM) roles.</em></p> <p><em>Technically Barred: Google does not have an identity in the customer’s local air-gapped IAM system. Therefore, the processing environment can’t “ask” for a key on Google’s behalf, and Google cannot “push” a command to release a key to an unauthorized third party as these are Customer managed encryption keys (CMEK).</em></p> <p><strong>Google response to question 3:</strong></p> <p><em>In Google Distributed Cloud (GDC) air-gapped, this risk is mitigated through a combination of Customer-Led Updates, Binary Authorization, Third-Party Operations.</em></p> <p><em>1. No “Automatic” Updates</em></p> <p><em>In a standard cloud, Google pushes updated code silently, and often multiple times in a day. In GDC air-gapped, there is no physical connection to Google.</em></p> <p><em>The Manual Bridge: Updates are provided as signed container images and binaries. The customer (or their trusted sovereign partner) must download these to a separate secure workstation, scan them, and then physically move them across the “air-gap” via encrypted media.</em></p> <p><em>Technical Sovereignty: This creates a human-in-the-loop bottleneck. A US-compelled “silent” update is impossible because Google cannot “push” anything. The customer chooses when and if to ingest the update.</em></p> <p><em>2. The “Sovereign Operator” Audit</em></p> <p><em>A critical technical defense is who applies the update.</em></p> <p><em>Third-Party Managed: GDC can be operated entirely by a local, cleared partner (eg, STE in Singapore, Proximus in Belgium). These operators act as a “sovereign shield.”</em></p> <p><em>Inspection: Before the update is applied to the live environment, these operators can deploy it in an isolated “staging” air-gap. They monitor for “phone home” behavior (which would fail anyway due to the air-gap) or unauthorized data export attempts at the virtual network layer.</em></p> <p><em>3. Technical Assistance vs. Technical Impossibility</em></p> <p><em>A company can be compelled to provide “technical assistance,” but they cannot be forced to perform the “technically impossible.”</em></p> <p><em>Hardware Root of Trust: Because the keys are in your HSM, Google cannot remotely sign a command to “export” data.</em></p> <p><em>The Gag Order Paradox: Even if Google were under a gag order, they cannot physically enter your data center to plug in a USB drive. If the only way to execute the warrant is to walk a physical drive into a sovereign facility, the legal burden shifts to the local government and the physical security team at the door.</em></p> <p><strong>Google response to question 4:</strong></p> <p><em>Yes - this could be built for customers using Google Distributed Cloud Air Gapped, like the landmark deal we have announced for the MOD. In 2025, Google Cloud and the UK Ministry of Defence (MoD) formalized a landmark agreement for a sovereign, air-gapped cloud. [Link to press release]. </em></p> <p><em>Pasting the helpful info here: </em></p> <p><em>Google Distributed Cloud Air Gapped: The sovereign cloud environment will be built upon Google Distributed Cloud (GDC) air-gapped, a platform designed for workloads that require strict data residency and security controls. GDC provides a hardened, air-gapped environment, ensuring that the MOD’s critical data remains within UK sovereign territory and under their direct control. This platform will also enable the responsible integration of Google's advanced AI and machine learning tools, empowering the MOD with enhanced analytical capabilities to provide operational efficiencies.</em></p> <p><strong>Google response to question 5:</strong></p> <p><em>The short answer is no. In the context of Google Distributed Cloud (GDC) air-gapped, the standard Terms of Service (ToS) that govern the public cloud which often include clauses for global load balancing, “follow-the-sun” support, and data movement for resiliency do not apply. GDC air-gapped is governed by a separate, specific legal and technical framework designed to ensure that the global automation model is physically unable to move our customers’ data or metadata.</em></p> <p><em>1. Service-Specific Terms</em></p> <p><em>Instead of the standard online ToS, air-gapped customers use GDC Air-Gapped Service Specific Terms. These terms explicitly recognize the disconnected nature of the environment:</em></p> <p><em>Removal of “Offshoring” Discretion: Because the system is air-gapped, Google legally and technically removes its own ability to move data. The terms define the "Sovereign Boundary," stating that data and metadata (logs, telemetry, and configuration) must remain within the customer-controlled or partner-operated facility.</em></p> <p><em>2. Breaking Global Automation</em></p> <p><em>You do not need a “bespoke contract” to prevent data movement because the automation model itself is local.</em></p> <p><em>Local Management Plane: In the public cloud, the control plane lives in a global mesh. In GDC air-gapped, the control plane is physically located inside the rack in your UK data center.</em></p> <p><em>Hardware-Locked Metadata: Metadata like IP addresses, VM names, and audit logs are stored on local disks within the air-gapped environment. There is no automated routine that can “call” this metadata back to a global database because there is no network route to the outside world.</em></p> <p><em>3. Sovereign Operations vs. Global Support</em></p> <p><em>The standard “global support” model relies on an engineer in any region being able to “see” your project to troubleshoot. GDC air-gapped replaces this with Resident Support.</em></p> <p><em>100% Residency of Support: Support is provided by a UK-resident, cleared team. If they need to look at a log, they do it within the UK boundary.</em></p> <p><em>No Remote Access: Even if a US engineer wanted to help, they have no technical way to log into the system. The "automation" for support is localized to a secure UK-based operations center.</em></p> <p><em>4. How to Maintain 100% Residency Without “Breaking” the Cloud</em></p> <p><em>The innovation of GDC air-gapped is that it provides a cloud-native experience that is functionally identical to the public cloud but architecturally siloed.</em></p> <p><em>Local Resiliency: Instead of relying on a US region for backup, you achieve resiliency by deploying multiple GDC racks across different UK-only zones</em></p> <p><em>The Secure Supply Chain: Google provides the code (the binaries), but you provide the home. Once that code is installed, it operates as a “black box” that answers only to your local UK administrators.</em></p> <h2><a id="Microsoft"></a>The responses: Microsoft</h2> <p><strong>Computer Weekly commentary</strong></p> <p>Microsoft chose not to respond to the questions inline, so it’s not as easy to see what its answers respond to.</p> <p>Again, we see reference to “workloads in air-gapped or disconnected environments”, when that was not the subject of the questions. </p> <p>Where questions asked for “specific, technical” responses, we get bland answers. There’s also a long paragraph about encryption keys that appears to be about data-at-rest or in-transit, which we didn’t ask about.</p> <p>There is also reference to “UK customers . . . ability to store and process their data within UK datacenters . . . [That] includes compliance with local regulations and provides geo-redundant protection for business continuity”. </p> <p>Microsoft Azure does have a data-in-use encryption offer in Azure Confidential Computing, although it doesn’t mention it by name.</p> <p>In its final paragraph, Microsoft talks of its commitment to and “strong record” in challenging court orders. But really, it amounts to “Trust me, bro.”</p> <p><strong>Microsoft responses</strong></p> <p><em>Microsoft customers can deploy workloads in air-gapped or disconnected environments using Azure Local and Microsoft 365 Local, with full control over update management, monitoring, and lifecycle operations via a local control plane.</em></p> <p><em>External Key Management allows customers to use their own on-premises or third-party Hardware Security Modules (HSMs) for encryption, ensuring Microsoft does not have access to customer keys. Microsoft’s custom HSM is deployed globally. In addition, Azure Confidential Compute, Azure Key Vault, and Double Key Encryption, are designed, deployed, and operated such that Microsoft is incapable of accessing, using, or extracting data stored in the service, including cryptographic keys.</em></p> <p><em>Microsoft performs "Data-in-Use" functions without possessing customer encryption keys by leveraging a layered encryption model and customer-managed keys.</em></p> <p><em>Microsoft offers UK customers the ability to store and process their data within UK datacenters. This includes compliance with local regulations and provides geo-redundant protection for business continuity.</em></p> <p><em>Microsoft does not provide any government with direct, unfettered access to customer data. Any data access request is subject to rigorous review, according to a strict process, by internal and external legal teams to ensure it is legally valid and compulsory, compliant with all applicable law, and strictly limited to specific account identifiers.  Further, as part of our Defending Your Data initiative we’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so. We have a strong record of doing just that, including through litigation where necessary.</em></p> <h2><a id="IBM"></a>The responses: IBM</h2> <p><strong>Computer Weekly commentary</strong></p> <p>IBM considered that question 1 merged disparate issues, so it didn’t answer it.</p> <p>Like others, it answered questions as if it had been asked about air-gapped environments, when it wasn’t. </p> <p>When asked about data-in-use encryption, it refers to its new IBM Sovereign Core, which appears to be a product aimed at holding encryption keys in-country but doesn’t specifically mention in-memory encryption. It references the same product when asked about “a wholly distinct UK region”.</p> <p>IBM Sovereign Core is currently in tech preview and published materials are a little light on detail. We’d want to know more about in-use encryption and connections to IBM’s global network, updates, and so on.</p> <p><strong>IBM response to question 1:  </strong></p> <p><em>This question merges several distinct concepts that are technically separate. In modern software applications data‑in‑use processing, encryption key management and lawful access requests, are all designed and governed by different architectural and operational controls. Please refer to questions 2 and 3 for relevant information. </em></p> <p><strong>IBM response to question</strong> <strong>2:</strong></p> <p><em>IBM Sovereign Core processes data‑in‑use within the customer application’s trusted execution environment, where purpose‑bound application code determines when and how data is processed; decryption, where required, is transient, in‑memory, and under the application’s control with customer visibility. Capabilities like Keep Your Own Key encryption ensure keys are held and managed exclusively by the customer and are not accessible to IBM.</em></p> <p><strong>IBM response to question 3:</strong></p> <p><em>Software supply‑chain, execution in air‑gapped environments, and legal access frameworks are all independent by design, governed by separate technical and operational controls: our clients hold full technical authority in air gapped environments, and IBM technology places transparency and control in the hands of our clients, consistent with our publicly available data access principles and law‑enforcement transparency reports. </em></p> <p><strong>IBM response to question</strong> <strong>4: </strong></p> <p><em>IBM Sovereign Core enables UK enterprises to run and govern AI workloads within the UK jurisdictional boundaries, without relying on a global provider control plane, and with the flexibility to choose UK‑based operating partners. </em></p> <p><strong>IBM response to question</strong> <strong>5:</strong></p> <p><em>For more than a century, IBM has earned the trust of our clients by responsibly managing their most valuable data. IBM is transparent about how it handles client data and does so in accordance with all applicable laws.</em></p> </div> </div> </section> Hyperscaler cloud is inherently global. Does that make data sovereignty unattainable – especially given the powers US courts hold? We grilled the hyperscalers in an attempt to find out https://cdn.ttgtmedia.com/visuals/German/article/cloud-access-and-identity-2-adobe.jpg https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro Wed, 06 May 2026 06:18:00 GMT Is cloud data sovereignty all just a case of ‘Trust me, bro’? <p>Every organisation today is measured by two things: “exit velocity” and its “ability to pivot”.</p> <p>Exit velocity is how quickly you can move away from a technology, platform or contract the moment it stops serving you. Ability to pivot is how easily you can shift direction, technologically or operationally, without destabilising the business.</p> <p>Together, they define a company’s real digital resilience. And right now, most organisations don’t have either.</p> <p>This is the backdrop to new research findings:<a href="https://www.suse.com/navigating-digital-resilience-2026/"> 98% of IT</a> leaders now <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">prioritise digital sovereignty</a>, yet half still lack a formal strategy. Meanwhile,<a href="https://www.suse.com/navigating-digital-resilience-2026/"> 94% say open source</a> is very or extremely important to resilience. The intent is there but the ability to act is lagging. The gap between aspiration and execution reveals a deeper truth: knowing where your data sits is not the same as being in control of it.</p> <p>If you look at recent headlines and analysis on digital sovereignty, the discussion is mostly framed in terms of risk and the need for nation-states to exert greater control over their data and digital infrastructure. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>. We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector.</li> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold: Responses to data sovereignty risk</a>. We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> </ul> </div> </div> <p>Commentators are heavily focused on the downsides of continued over-reliance on big tech, with the tone skewed towards "threats", "battlegrounds", "traps" and other significant concerns. Crucially, though, much of this commentary conflates two distinct dimensions of the problem and that conflation is itself a risk, because it allows jurisdictional measures to stand in for genuine technical independence.</p> <p><strong>Lack of control</strong></p> <p>So, what’s the problem? In a nutshell, organisations everywhere have built much of their critical infrastructure on platforms they don’t control. This is hardly surprising. The <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">outsourced as-a-service model</a> has delivered enormous performance and financial benefits everywhere it is available. </p> <p>The numbers don’t lie. The global cloud computing market was valued at over<a href="https://www.fortunebusinessinsights.com/cloud-computing-market-102697"> $780 billion</a> last year, with the sector continuing to trend upwards. And as we know, US-owned providers occupy a dominant position. </p> <p>And it’s precisely the issue of control, or the lack of it, which has given rise to the digital sovereignty movement. </p> <p>In Europe, <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">the regulatory wheels have been in motion</a> for some time. NIS2, DORA, and in the UK the Cyber Security and Resilience Bill, have tightened expectations around resilience and supply chain accountability in critical sectors. </p> <p>On an organisational level, many businesses believe they are addressing the underlying issues by moving to a national or regionally hosted cloud environment. The focus here is on ensuring data is stored under the governance of localised, relevant rules. After all, sovereignty is primarily about where data is stored, right?</p> <p>Well, not necessarily. The issue is that data location does not equate to control. In reality, even when the infrastructure is in the appropriate geographic location, the systems, software and underlying platforms often remain owned and governed by external providers.</p> <p>In these circumstances, legal jurisdiction and access rights can still sit outside the organisation, particularly as digital systems become more deeply embedded across operations and supply chains. The result is a growing mismatch between perceived sovereignty and actual control.</p> <p><strong>The hidden risks of outsourcing</strong></p> <p>These issues are nuanced. Organisations no longer simply store data in these environments. They run core operational systems on them. </p> <p>The risk here is one of usage vs control, where heavy reliance on third-party platforms is accompanied by limited visibility into how the underlying infrastructure and software actually operate. </p> <p>A good example is system updates and configurations, which typically sit with the provider, with customers dependent on decisions made outside their own governance structures. This introduces a dynamic in which critical systems are effectively governed externally, with vendor roadmaps or policy decisions having a direct, sometimes immediate, impact on operations. </p> <p>The issue is not just dependency <em>per se</em>, but concentrated dependency, with a small number of providers as stakeholders in a significant share of digital infrastructure across multiple sectors.</p> <p>The problems often only become apparent when a particular organisation needs to respond to new risks or when a change in regulation can’t be fully addressed because it lacks the required level of control. The point is that what appears to be a technology decision (ie, which cloud provider to use) actually adds to operational and regulatory risk.</p> <p><strong>Structural vulnerability</strong></p> <p>Is this anything more than a theoretical problem? The short answer is yes, because the implications of this model reach well beyond IT environments to mission-critical real-world systems in daily use.</p> <p>Take sectors such as energy, manufacturing, logistics and aviation, for example, where digital platforms support practically every key process. When control over these platforms is limited, the risk is not just technical but also extends to potential disruptions to services and outputs.</p> <p>In these and many other environments, concentrated reliance on a small number of non-domestic providers introduces a structural vulnerability, where issues that affect a single platform can have wide-reaching consequences across multiple organisations and sectors.</p> <p>This is particularly relevant in the context of unexpected or sudden shifts in policy or international relations that could affect access or service continuity. In these circumstances, organisations may find themselves exposed to risks beyond their direct control, despite meeting baseline compliance requirements. As we have all seen, government policies and ways of doing business can change rapidly and with little to no advance warning. Limiting exposure to such situations is important, including via tech infrastructure.</p> <p>The underlying risk, therefore, is a form of hidden fragility, where systems appear resilient on paper but are constrained in practice by external dependencies to the extent that digital sovereignty becomes an illusion. </p> <p>Sovereignty needs to be reframed so organisations can have complete confidence in how their outsourced systems and services are governed and changed. </p> <p>In practical terms, this means having sufficient visibility into services and dependencies to understand how they function and where risks sit. A key requirement is flexibility, particularly the ability to move workloads and data without being constrained by proprietary formats or tightly coupled architectures. </p> <p>Open standards, open source and containerisation are central to this approach because they decouple workloads from the underlying infrastructure, making it possible to move between providers or environments without being locked into a single vendor's ecosystem. This is common knowledge among IT teams, and now boardrooms and government offices are starting to realise. Without this kind of portability built in from the start, the freedom to act remains theoretical.</p> <p>Without this clarity and freedom of action, organisations remain dependent on external roadmaps and decisions that may not serve their own priorities. Sovereignty, ultimately, is not a legal status, it is a practical capability, measured by exit velocity and ability to pivot.</p> <p></p> Digital sovereignty is hugely important to IT leaders but in most cases systems have been built on foundations they don’t control. Open standards are key to organisational agility https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/surveillance-camera-security-spy-AlexeyAchepovsky-adobe.jpg https://www.computerweekly.com/opinion/The-illusion-of-digital-sovereignty-and-the-reality-of-control Wed, 06 May 2026 04:47:00 GMT The illusion of digital sovereignty and the reality of control <p><a href="https://www.computerweekly.com/news/366619039/Google-drops-pledge-not-to-develop-AI-weapons">Google AI workers</a> in the UK have launched a pioneering unionisation bid to end use of their technology by Israel and the US military.</p> <p>The British-based Google DeepMind employees – who aim to become the <a href="https://www.computerweekly.com/resources/Artificial-intelligence-automation-and-robotics">first frontier artificial intelligence (AI) lab</a> worldwide to unionise – sent a letter to management this week to request recognition of the Communication Workers Union (CWU) and Unite the Union as their official representatives. In a vote of CWU members at DeepMind, 98% backed the move.</p> <p>John Chadfield, CWU national officer for tech workers, said: “This is a really important moment where tech workers at Google’s frontier AI lab are connecting with some of the most oppressed people in communities around the world in meaningful ways, based on foundational values of solidarity and trade unionism.</p> <p>“By exercising their rights to collectivise they are in a strong position to demand their employer stop circling the ethical drain of military-industrial contracts, echoing the sentiment of many working people in the UK and elsewhere.”</p> <p>The workers are part of a wider campaign, with <a href="https://www.computerweekly.com/news/366636163/Google-DeepMind-partners-with-UK-government-to-deliver-AI">DeepMind</a> staff globally considering in-person protests and “research strikes” – where they abstain from work expected to significantly improve core products such as the Gemini AI assistant.</p> <p>Google employees have previously protested the ethics of contracts such as Project Nimbus, a joint programme with Amazon to make cloud computing and <a href="https://www.computerweekly.com/news/366626968/Tech-firms-complicit-in-economy-of-genocide-says-UN-rapporteur">AI tools available to Israel</a> during its campaign in Gaza, which saw upwards of 70,000 dead. Meanwhile, Maven, a US government project from which Google withdrew in 2019 after staff protests, has reportedly been used in targeting in the Iran war.</p> <p>The unionising DeepMind workers are seeking an end to use of Google AI by Israel and the US military. Their demands also include restoring a scrapped commitment not to make AI weapons or surveillance tools, the creation of an independent ethics oversight body, and the individual right to refuse to contribute to projects on moral grounds.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about worker and community protests</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/252524426/Google-workers-oppose-cloud-contract-with-Israeli-government">Google workers oppose cloud contract with Israeli government</a>: Google workers and Palestinian rights activists call on company to divest from involvement in cloud and artificial intelligence contract with Israeli government and military, following allegations the tech giant has retaliated against an employee for being publicly critical of the deal.</li> <li><a href="https://www.computerweekly.com/news/366639449/UK-to-see-weekend-protests-against-dirty-datacentres">UK to see weekend protests against ‘dirty datacentres’</a>: Environmental charity Global Action Plan UK is coordinating a campaign effort to bring attention to wider concerns about datacentre electricity demand, water use and environmental impacts.</li> </ul> </div> </div> <p>A DeepMind employee said: “We don’t want our AI models complicit in violations of international law, but they already are aiding Israel’s genocide of Palestinians. Even if our work is only used for administrative purposes, as leadership has repeatedly told us, it is still helping make genocide cheaper, faster and more efficient. That must end immediately, as must harm to Iranians and human lives anywhere.”</p> <p>Google recently agreed to let the US Department of Defense use its AI models for classified work, a move opposed by over 600 employees. Google staff worry how the technology will be used given the deal could reportedly open the door to autonomous weapons and mass surveillance of US citizens, red-line issues that previously saw the Pentagon impose restrictions on competitor Anthropic.</p> <p>The unionisation bid aims to gain representation for at least 1,000 staff tied to Google DeepMind’s London office. The employees’ letter gave management 10 working days to voluntarily recognise the CWU and Unite, or take other steps such as agreeing to mediated negotiations, before a formal legal process is launched to force recognition. Google DeepMind is headquartered in London, but has about a dozen offices across North America and Europe.</p> <p>“I hope that recourse to the statutory procedure will not prove necessary,” CWU official Chadfield wrote in the letter. “We look forward to working with you in a spirit of co-operation on behalf of the workforce.”</p> <p>The CWU branch for DeepMind staff is United Tech and Allied Workers.</p> Unions send letter to management requesting recognition for Google DeepMind employees, in particular over the company’s involvement in hi-tech systems used in Gaza and Iran wars https://cdn.ttgtmedia.com/visuals/German/article/revolution-protest-adobe.jpg https://www.computerweekly.com/news/366642677/Google-AI-workers-vote-to-unionise-over-IDF-and-US-military-tech Tue, 05 May 2026 06:30:00 GMT Google AI workers vote to unionise over IDF and US military tech <p>We are set to see artificial intelligence (AI) shift from experimental and piecemeal use cases to <a href="https://www.computerweekly.com/resources/Artificial-intelligence-automation-and-robotics">factory automation levels of productivity</a>. That’s equivalent to the 19th century transition when electricity became available to factories – first it lit them and made working hours longer and safer, then it powered assembly lines and machinery to bring a step change in production.</p> <p>That’s the view of IBM CEO <a href="https://newsroom.ibm.com/Arvind-Krishna">Arvind Krishna</a>, who spoke to the press from this week’s <a href="https://www.ibm.com/events/think">IBM Think</a> event in Boston, where he predicted a 40% increase in enterprise productivity by 2030, using AI.</p> <p>At the event, IBM majored on announcements around an <a href="https://www.computerweekly.com/feature/Getting-started-with-agentic-AI">agent-based operating environment</a> that it said would enable organisations to develop and run swarms of autonomous agents, but bounded by policy-driven guardrails.</p> <p>It also made announcements around <a href="https://www.computerweekly.com/news/366640318/Funding-and-procurement-to-target-UK-quantum-innovation">quantum computing</a> and the general availability of its <a href="https://www.techtarget.com/searchitoperations/news/366637343/IBM-prepares-hybrid-cloud-twist-for-sovereign-AI">Sovereign Core</a> offering.</p> <p>Core to the product offer around agentic AI from IBM are:</p> <ul class="default-list"> <li> <p>Watsonx Orchestrate: A centralised control plane to deploy and govern thousands of AI agents that focuses on auditability and policy enforcement across multi-supplier agent environments.</p> </li> <li> <p>IBM Bob: A specialised agentic development environment with built-in security and cost guardrails, that includes a “Premium Package for Z” to bring agentic AI to mainframe IBM Z environments.</p> </li> <li> <p>IBM Concert: An AI-powered operations platform that provides a single pane of glass for infrastructure, network and security, without requiring rip-and-replace of legacy tools.</p> </li> <li> <p>Concert Secure Coder: An autonomous security agent that identifies vulnerabilities, executes remediation code, verifies the fix, and manages the pull request process.</p> </li> </ul> <p>IBM’s chief commercial officer, <a href="https://newsroom.ibm.com/Rob-Thomas">Rob Thomas</a>, said Orchestrate is already in use by a number of customers. “We’ve had companies like ServiceNow, Salesforce, Adobe, just to name a few, who have taken their agents, enabled those onto Watson X Orchestrate. Lockheed Martin is federating 80 different data sources using Orchestrate and then building custom agents on top.”</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> AI in enterprises is [like] a light bulb ... it’s useful, but it’s not really redefining how the company runs. The AI operating model is about moving beyond light bulbs to things that are more fundamental to how a company operates </figure> <figcaption> <strong>Arvind Krishna, IBM</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Krishna likened the current phase of AI to previous generations of computing, where debate and competition move from core technologies to how they are orchestrated.</p> <p>“Take the example of the PC era,” he said. “It began with a debate on the microprocessor. A dozen companies competed, and then one architecture – in that case, x86 – won out. It then very quickly moves to the operating system on top. We can put the foundation models and the models in that category, and you can see right now the amount of money that’s going into the infrastructure layer. The real value in every one of these comes with the applications and the deployment into enterprises and consumer.” </p> <p>Krishna added: “Think of the difference between the light bulb, which is useful, and the assembly line, which actually changed manufacturing productivity and growth in the world forever.</p> <p>“AI in enterprises is more of a light bulb. It’s email summaries. It’s document creation. It’s meeting preparation. It’s useful, but it’s not really redefining how the company runs. When we talk about the AI operating model, this is about moving beyond light bulbs to things that are more fundamental to how a company operates, and you can see it in the data.”</p> <p>According to the IBM CEO, AI will bring productivity gains of up to “40, 50, 60, 70%” and will allow businesses to “take those savings and put them back into R&D and into sales that allow us to drive more revenue”.</p> <p>The executives also announced the general availability of IBM Sovereign Core, which allows for an on-premise air-gapped IBM environment, but is also deliverable with Dell hardware and graphics processing units (GPUs).</p> <section class="section main-article-chapter" data-menu-title="Quantum computing ‘just around the corner’"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Quantum computing ‘just around the corner’</h2> <p>Krishna also declared <a href="https://www.computerweekly.com/news/366634198/Government-showcases-UK-quantum-computing-pledge">quantum computing</a> to be “literally just around the corner” and talked about the Cleveland Clinic, which, he said, can now model a 12,000-atom protein. “That tells you that quantum is no longer a science lab experiment. People are doing real use cases of significant scale,” he said.</p> <p>“We think the time period is 2028 or 2029, and the reason is quite simple. Right now, these machines have got hundreds of qubits [the fundamental unit of information in quantum computing] and can do thousands of gate operations or compute steps before they begin to get decoherent and fall into a noise,” said Krishna.</p> <p>“We think those thousands will be in the tens of millions in three years. The moment it is that much – ie three orders of magnitude more compute – we believe [it will] allow people to tackle a lot more real-life problems.” </p> <p>He added that IBM offers a fleet of quantum computers that clients can access from the cloud and a free level where people can get up to 10 minutes a month. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about enterprise AI</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640193/Why-real-time-data-is-key-for-enterprise-AI">Why real-time data is key for enterprise AI</a>: Moving AI from experiment to production requires high-quality, real-time data streaming. Australia tech leaders from Confluent, Bendigo Bank, Telstra, and Coles share how they are turning systems of record into systems of action.</li> <li><a href="https://www.computerweekly.com/feature/Moving-agentic-AI-from-innovation-theatre-to-enterprise-production">Moving agentic AI from innovation theatre to enterprise production</a>: As enterprises move from prompting chatbots to orchestrating AI agents, IT leaders must rethink governance, data architecture and cost management to avoid chaotic deployments and runaway cloud bills. </li> </ul> </div> </div> </section> Enterprises are set to make productivity gains as business shifts from point use cases for artificial intelligence to orchestrated, policy-driven deployment of agentic AI, says IBM CEO https://cdn.ttgtmedia.com/visuals/searchEnterpriseAI/ai-tech/searchEnterpriseAI_007.jpg https://www.computerweekly.com/news/366642706/IBM-Enterprise-AI-to-shift-from-light-bulb-to-electric-motor-era Tue, 05 May 2026 05:50:00 GMT IBM: Enterprise AI to shift from ‘light bulb’ to ‘electric motor’ era <p>Cloud-native, or containerised, applications are now mainstream. As many as 82% of enterprises now have Kubernetes in production, according to the <a href="https://www.computerweekly.com/blog/Open-Source-Insider/CNCF-Kubernetes-now-de-facto-operating-system-for-AI">Cloud Native Computing Forum (CNCF)</a>. That is up from 66% in 2023. And a full 98% of organisations have at least some cloud-native applications, the industry body says.</p> <p>But moving applications to cloud-native environments does not just mean creating new code. It also means adapting infrastructure. Compute, networking and data storage all need to work with container environments. By no means can all systems do this out of the box, especially when it comes to on-premise hardware.</p> <p>At the same time, enterprise IT architects need to consider the requirements of legacy applications and virtual machines (VMs) that are not being updated.  And enterprises will want to make the most efficient use of their storage hardware, regardless of their application environments.</p> <p>Moving to containers means adapting a technology that was <a href="https://www.computerweekly.com/news/366633394/Container-storage-Five-key-things-you-need-to-know">not designed for persistent storage</a> to handle business-critical data. </p> <section class="section main-article-chapter" data-menu-title="Stateless states"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Stateless states</h2> <p>Containerised applications started out as stateless, or ephemeral. The designers never intended containers to hold persistent data. They expected that microservices or containerised applications would use no non-volatile storage and discard the contents of memory, and even their settings, once they had completed their tasks. </p> <p>Instead, containerised applications rely on an external data store, usually a database or cache. </p> <p>There are advantages to this approach. These include simpler deployment, easier scaling, fault tolerance and recovery, and application portability. But most business applications, if not the majority, need persistent data. </p> <p>“Most business applications require storage. In reality, unless you’re converting Fahrenheit to Celsius and back, you’re storing something somewhere,” says Dan Ciruli, vice-president and general manager for cloud native at Nutanix. </p> <p>And the need to work with persistent data is all the more important, as enterprises look to containers as an alternative to conventional virtual machines.</p> <p>But this means rethinking the way applications work. And it requires IT architects to update their storage systems to support modernised, cloud-native applications. This can be directly, where array manufacturers support containers, or through a control plane such as Nutanix or Everpure’s Portworx.</p> <p>Almost inevitably, changes are being driven by AI, as enterprises look to support its data-heavy workloads in modern, cloud-native environments. But there are other drivers, too, including a trend to move virtualised applications to containers and the need for cost controls.</p> <p>“Kubernetes might be over a decade old, but it’s continuing to evolve as AI transforms the way we handle data. Already, Kubernetes has moved beyond the days when it was built only for ephemeral, stateless applications,” says Michael Cade, global field chief technology officer at Veeam Software.</p> <p>“Today, stateful applications such as databases, machine learning pipelines and streaming systems are now being treated as first-class citizens [in containerised environments] and have been given the specialised tools they need to thrive.” </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about persistent storage</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Container-storage-in-the-AI-age-Block-vs-object-and-CSI-vs-container-native">Container storage in the AI age</a> – block vs object and CSI vs container-native: Key choices when it comes to providing storage for containerised applications and whether to choose block, file or object storage.</li> <li>Storage implications of a <a href="https://www.computerweekly.com/feature/Storage-implications-of-a-modern-IT-architecture">modern IT architecture</a>: One of the challenges when migrating older applications to a cloud-native, modern IT architecture is how to provide persistent storage.</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="Storage connections"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Storage connections</h2> <p>Connecting storage to Kubernetes, though, relies on support from both application developers and hardware suppliers. </p> <p>The main way to connect storage to container environments is through the <a href="https://www.techtarget.com/searchitoperations/tip/Manage-application-storage-with-Kubernetes-and-CSI-drivers">container storage interface (CSI)</a>. CSI needs to be supported directly by the storage provider, be that the hardware manufacturer, a cloud service, or a software-defined storage (SDS) supplier. </p> <p>As the CNCF’s Kubernetes page notes: “CSI was developed as a standard for exposing arbitrary block and file storage systems to containerised workloads on container orchestration systems like Kubernetes.” CSI allows third-party storage providers to write, and deploy, plug-ins for storage without changing the core Kubernetes code. </p> <p>SDS technologies, for their part, also use CSI drivers, but run on commodity hardware rather than dedicated storage arrays, as well as hyper-converged infrastructure. It also includes open source options, such as OpenEBS, Longhorn and Ceph. </p> <p>“Every environment needs a storage back end, with a CSI driver that connects it to Kubernetes. It’s up to the storage provider to provide the CSI driver,” says Nigel Poulton, an author and independent expert in Kubernetes and containers. </p> <p>“Most CSI drivers create at least one StorageClass that maps to a tier of storage and its capabilities. For example, a CSI driver might create a StorageClass called ‘fast-replicated’ that maps to high-speed flash storage automatically replication to a remote location. Any application using this class automatically gets that tier and set of capabilities,” he adds. </p> <p>This level of abstraction is highly useful for application developers, as they no longer have to worry about the physical capabilities of the storage system. That is handled by the CSI drivers. </p> <p>“The CSI drivers enable us to give access to storage from the containerised application, but [for firms to] still administer the storage the way they do the storage that’s running under their VMs,” says Nutanix’s Ciruli. “And that’s a big advantage.” He also sees customers installing Kubernetes on bare metal clusters. </p> <p>This also maintains separation between the Kubernetes workloads and the underlying storage hardware. On paper at least, enterprises can move their containerised applications to a different platform or supplier, or new storage hardware, without rewriting code and with minimal disruption. </p> <p>In practice, large-scale moves of Kubernetes applications between platforms are still relatively rare. Enterprises tend to develop applications to run on <a href="https://www.computerweekly.com/news/366627572/AWS-bolsters-security-tools-to-help-customers-manage-AI-risks">Amazon Web Services (AWS)</a>, Google Cloud Platform (GCP), Microsoft Azure, or <a href="https://www.computerweekly.com/news/366637421/Sovereign-and-edge-AI-drive-return-to-on-premise-Kubernetes">local hardware</a>, depending on their business requirements.  </p> <p>Application portability, supported by CSI, is a useful insurance, even if there are enough differences between platforms to suggest caution.</p> <p>“We really don’t need to become an expert in how EBS [Elastic Block Store] works versus Azure disk, or local SSD [solid-state drives] and how that works,” says Greg Muscarella, general manager for Portworx at Everpure. “If you have to manage those things, it becomes somewhat complex. Companies tend to focus on a single cloud environment.”</p> <p>Few organisations, he suggests, have code where they could “push a button and move it to a different cloud”, not least because of differences between storage architectures from both hardware suppliers and cloud providers. However, enterprises are moving more applications to <a href="https://www.techtarget.com/searchcloudcomputing/opinion/Decipher-the-true-meaning-of-cloud-native">cloud-native environments</a>. And this increasingly includes databases and applications that previously ran in conventional virtual machines.</p> </section> <section class="section main-article-chapter" data-menu-title="New platforms"> <h2 class="section-title"><i class="icon" data-icon="1"></i>New platforms </h2> <p>One of the most significant trends in application modernisation is to move both virtual machines and database-driven applications to containers. Cost, avoiding supplier lock-in and the need to consolidate on fewer platforms are all drivers. </p> <p>“The line between ‘containerised’ and ‘virtualised’ is blurring,” suggests Veeam’s Cade. “For a long time, containers and VMs were seen as two separate siloes. But as stateful applications have developed, and since VMs are essentially a typical stateful workload, we’re seeing a significant rise in businesses running them directly within Kubernetes using platforms such as Red Hat OpenShift Virtualization.” </p> <p>Poulton agrees. He sees more organisations moving virtualised workloads to containers, via tools such as KubeVirt. But, although organisations are porting over virtualised applications, and databases, IT architects need to be sure that all the application’s requirements are met by the storage layer. </p> <p>“Databases have much more demanding requirements, including ordered startup, replication, automated failover and backup,” he cautions. “The two biggest changes are ensuring a CSI driver exists for the storage system and potentially deploying an operator.” </p> <p>A Kubernetes operator provides details about a database’s specific requirements, and sometimes storage, too. Operator support is essential to allow databases to deliver enterprise workloads over Kubernetes. Again, the operator supports the modern application goal of separating the code from the storage array or cloud storage service. </p> <p>Percona, for example, provides operators for MySQL, PostgreSQL and MongoDB, as well as Everest. “The operators are basically the game changers,” says Kate Obiidykhata, the company’s general manager for cloud native. “They encode the human DBA knowledge into the software, and you have all those most important resilience components, backup, failover, replication and upgrades automated.”</p> <p>Operators, she adds, help enterprises to adopt hybrid architectures or multicloud strategies, allowing data portability without the need to rewrite applications. But workloads that operate on VMs will not automatically run on containers, she says. Firms will need to plan, and test, their deployments with care. </p> <p>“There are specific playbooks that you should apply and methodologies that are obviously different from the classic database setup on VMs,” says Obiidykhata. “But it’s all doable, and many companies are now running those databases on Kubernetes. They just have a different playbook to mitigate those issues.”</p> <p>Firms also need to factor in how they run their ported applications in production. Development, understandably, attracts much of the attention. But how systems run from “day two” onwards is critical. This includes storage provisioning and tiering, as well as backup, recovery and security.</p> <p>The CSI drivers take care of much of the hard work, but enterprises are likely to look to invest in new hardware, or even storage from suppliers focused on cloud-native environments, to ease the migration to containers.</p> <p>“This is usually by deploying new storage architectures, either via new storage products from existing vendors, but increasingly by engaging with new vendors,” says Poulton. Enterprises, he adds, might still be running older hardware systems, but they are unlikely to use them for Kubernetes. </p> </section> A detailed understanding of how containerised applications work with data storage is needed to migrate enterprise IT to a cloud-native architecture https://cdn.ttgtmedia.com/visuals/German/article/container-illustration-adobe.jpg https://www.computerweekly.com/feature/How-a-cloud-native-architecture-handles-persistent-storage Mon, 04 May 2026 04:00:00 GMT How a cloud-native architecture handles persistent storage <p>As countless case studies published on Computer Weekly have shown through the years, every minute and every penny that a Formula 1 team is spending on <a href="https://www.computerweekly.com/feature/How-Oracle-Red-Bull-Racing-is-driving-Formula-1-into-the-future-with-cloud-AI-and-data" target="_blank" rel="noopener">research, development and testing</a> is precious and only grudgingly wasted.</p> <p>In a cost-capped sport that is as much an engineering competition as it is one of driver skill, victory – whether in the drivers’ or constructors’ championships – often comes down to the finest of margins.</p> <p>This season, the world of F1 is also dealing with a once-in-a-decade overhaul of the sporting regulations that have essentially forced a ground-up redesign of its cars. For some, like <a href="https://www.computerweekly.com/news/366635192/Mercedes-AMG-Petronas-F1-revs-up-testing-with-augmented-reality" target="_blank" rel="noopener">Mercedes-AMG Petronas</a>, this has paid off big time. But for <a href="https://www.redbullracing.com/int-en" target="_blank" rel="noopener">Oracle Red Bull Racing</a>, the past few weeks have been rough ones.</p> <p>The team’s drivers, former world champ Max Verstappen and his new partner Isack Hadjar, may not have much to show for it as they head to Miami for the fourth round of the season, but at HQ in Milton Keynes, its engineers are working flat out and morale is good.</p> <p>When it comes to testing parts and components in its wind tunnel, a recent engagement with identity and access management specialist 1Password is paying dividends, with the team’s technicians now able to work much more efficiently.</p> <p>In a world like cyber security, success can be hard to quantify. Sometimes it can even be dangerous to say too much, lest you speak candidly and give a watching threat actor something to go on. But in this instance, Oracle Red Bull Racing can definitively state that after adopting <a href="https://1password.com/" target="_blank" rel="noopener">1Password</a>, it has slashed its wind tunnel recovery time from an hour to two minutes – that’s a cut of 97%  – during the test and development process.</p> <p>But why is that the statistic we’re running with? And how does identity and access management (IAM) technology apply to wind tunnels? It seems an unlikely link on the surface, but Matt Cadieux, team CIO, explains why it matters.</p> <p>“The guys who are developing and improving the tunnel and its software push boundaries. The models are bigger, the complexity is bigger, and sometimes when you’re running that load for the first time, the infrastructure is not capable enough,” says Cadieux. “Probably once a every few months we have an outage, and it’s largely due to pushing boundaries with our tools and methods.”</p> <section class="section main-article-chapter" data-menu-title="A challenging customer"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A challenging customer</h2> <p>Ian Brunton heads up software development at Oracle Red Bull Racing’s Aerodynamics team. He takes up the story.</p> <p>“The people I work with are essentially responsible for writing the software used across the teams of engineers that design the car. We plug into commercial <a href="https://www.techtarget.com/searcherp/podcast/Cloud-CAD-software-helps-usher-in-digital-manufacturing-era" target="_blank" rel="noopener">CAD</a> [Computer Aided Design] packages and tie them up to the <a href="https://www.sciencedirect.com/topics/materials-science/computational-fluid-dynamics" target="_blank" rel="noopener">CFD</a> [Computational Fluid Dynamics] estate so that we can iterate quickly in those early stages,” he says.</p> <p>“We also support the wind tunnel … We’re currently building a new wind tunnel here which is a significantly challenging project, but I think will pay a dividend in helping us build, ultimately, the fastest car on the planet.”</p> <p>Brunton describes his team as challenging customers when it comes to IT. He sets high standards and expectations, and by his own admission is harsh in their application. “We’re aiming to provide high uptime,” he says, “and the last thing we need is any system, regardless of what it is, not operating as it is expected to.”</p> <p>The need for uptime becomes even more important because the wind tunnel environment is a highly regulated one in terms of the number of hours the team is allowed to do testing, as well as the number of experiments that it can run.</p> <p>“We basically have an eight-week period in which we have to audit what we’ve done in that period, and we have a budget to use in that period,” says Brunton. “To some extent, the pressure is on – it’s almost worse in the wind tunnel than it is at the track … Generally, at the track, you have components that are well manufactured, you know they’re going to fit together and you have a limited number of options in which to configure and build the car.</p> <p>“But when you’re at the tunnel, it’s effectively an experiment in what we think is going to add performance. There might be parts that maybe don’t completely fit; engineers are discovering, as they’re going, how to design that part.</p> <p>“[With] the pressure that those guys are under to build the car in that timeframe, they can’t afford any downtime – [we don’t want to waste] time, or waste runs in terms of that experiment. Losing that budget is criminal in the sense that it has a direct impact on the performance of the car on the track.”</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> It’s about trying to optimise the amount of time that the people working at the tunnel can focus on just working at the tunnel </figure> <figcaption> <strong>Ian Brunton Oracle Red Bull Racing</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>From Brunton’s perspective, a failure in an inherently complex system – with close to 20 services running across multiple clusters using multiple <a href="https://kafka.apache.org/intro/" target="_blank" rel="noopener">Kafka topics</a> and different databases, that has caused the tunnel to shut down before completion, wasting time and slows development – is a big problem.</p> <p>“If something happens and the system needs to be reset, it relies on someone at the tunnel realising there’s a problem and getting on the phone to someone like me – and that can be in the middle of the night because the tunnel runs 24 hours a day – I’ve got to take the call, get onto my machine, figure out the problem and start bringing that system back online,” says Brunton.</p> <p>In essence, what 1Password enables him to do is to automate returning the systems to a known steady state, so that someone who is technical in terms of car design and engineering but may not know what Kubernetes is or what a SQL database does can effectively hit a big red button and get things moving again.</p> <p>With 1Password, service restoration is fully automated with <a href="https://www.techtarget.com/searchitoperations/definition/Ansible" target="_blank" rel="noopener">Ansible</a> and RunDeck, and a complete redeploy can be triggered in around two minutes with the playbook authenticating via a dedicated, rotatable token to retrieve the secrets it needs at runtime.</p> <p>“It’s about trying to optimise the amount of time that the people working at the tunnel can focus on just working at the tunnel,” says Brunton.</p> </section> <section class="section main-article-chapter" data-menu-title="ID control plane"> <h2 class="section-title"><i class="icon" data-icon="1"></i>ID control plane</h2> <p>But the engagement doesn’t begin and end with wind tunnel uptime; the efficiencies go much deeper.</p> <p>In moving its secrets into 1Password, Oracle Red Bull Racing has created a single, trusted control plane for credentials spanning <a href="https://www.techtarget.com/searchitoperations/tip/Strategies-for-Kubernetes-multi-cluster-management" target="_blank" rel="noopener">Kubernetes clusters</a>, environments, namespaces, factory, wind tunnel and simulation workloads.</p> <p>Developers now access shared vaults with clear ownership and repeatable patterns to make sure that they can retain predictable access during redeployments or workflow changes, while human and automation access are segregated into dedicated vaults with limited user access for critical Kubernetes workloads – this includes Aero clusters and Kubernetes deployments.</p> <p>The team is now using 1Password’s Kubernetes Operator, authenticated via 1Password Connect Server, to pull values from 1Password items and create Kubernetes secrets for workloads. If items change, the operator can update the secret and trigger a roll-out to allow workloads to pick up the new values.</p> <p>In Brunton’s Aerodynamics unit alone, for example, five vaults hold almost 100 entries for cluster credentials, SQL passwords, client secrets, access tokens and Windows Virtual Machine (VM) logins. Meanwhile, his colleagues in Vehicle Performance and Powertrains maintain more than 150 entries. Now that new deployments default to 1Password, the two teams can reduce the time they spend coordinating access, limit potentially dangerous ad hoc sharing, and understand what credentials are current when developers are in the process of modifying (or restoring) workloads.</p> <p>For simulation workflows, Oracle Red Bull Racing is using the 1Password command line interface (CLI) to retrieve SQL connection strings and <a href="https://www.techtarget.com/searchwindowsserver/tip/Test-conditional-access-with-Microsoft-Entra-ID-What-If-tool" target="_blank" rel="noopener">Microsoft Entra ID</a> credentials to access their needed services. Now that these secrets are centralised, they can replace plaintext credentials with secret references from a shared and governed source instead of having to embed secrets in code or configuration files – another risk.</p> <p>Since their applications now rely on secret references, this means users can safely change out their credentials and support both safer automation and earlier application programming interface (API) adoption. The results are improved fidelity and capability much earlier in the simulation process, when changes are much easier to manage – and more affordable – than doing it outside of simulation.</p> </section> <section class="section main-article-chapter" data-menu-title="Going trackside"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Going trackside</h2> <p>“We’re always trying to raise the bar with our cyber posture and credential management,” says Cadieux. “Everyone here is part of a team and tries to do the right thing – and if you tap someone on the shoulder, it usually corrects the behaviour quite quickly – so having early visibility and being able to nip problems in the bud with a simple tap is helpful.”</p> <p>Having standardised secrets and access across engineering, Oracle Red Bull Racing is now looking to take 1Password trackside. On a given race weekend, it runs multiple advanced Monte Carlo (<a href="https://en.wikipedia.org/wiki/Monte_Carlo_method">the mathematical model</a>, not the Grand Prix) simulations to evaluate different scenarios and support on-the-fly strategy decisions.</p> <p>It is now exploring the application of these same patterns to its Oracle Cloud Infrastructure (OCI)-based trackside systems – including credential and certificate management – through which it can achieve consistent automation at race-day pressure.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about technology in F1</h3> <ul class="default-list"> <li>Vistance Networks-owned communications technology provider becomes official networking partner of the TGR Haas F1 Team, delivering purpose‑driven, AI‑enhanced connectivity <a href="https://www.computerweekly.com/news/366637618/Ruckus-gears-up-for-networking-partnership-with-TGR-Haas-F1-Team" target="_blank" rel="noopener">across team headquarters, trackside operations and hospitality</a>.</li> <li>Mercedes-AMG Petronas switches from paper guides to incorporate AR designs into its workflow and see quickly how parts form car assemblies resulting in gains in team’s operations that add up to <a href="https://www.computerweekly.com/news/366635192/Mercedes-AMG-Petronas-F1-revs-up-testing-with-augmented-reality" target="_blank" rel="noopener">improved performance on the racetrack</a>.</li> <li>Learn how the technical teams behind Formula One are using Salesforce’s tools to enhance fan activation and engagement at 24 races across the world, and how they are bringing AI into play <a href="https://www.computerweekly.com/news/366616475/F1-heightens-fan-experiences-with-the-power-of-Salesforce" target="_blank" rel="noopener">with Agentforce capabilities</a>.</li> </ul> </div> </div> </section> Oracle Red Bull Racing massively improved the efficiency of its aerodynamics testing procedures after implementing new identity technology from 1Password. Learn more about this unlikely link https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Oracle-Red-Bull-Racing-car-hero.jpg https://www.computerweekly.com/news/366642593/IAM-tools-help-Oracle-Red-Bull-Racing-keep-pace-with-strict-F1-regs Fri, 01 May 2026 11:54:00 GMT IAM tools help Oracle Red Bull Racing keep pace with strict F1 regulations <p>In early April, Chi Onwurah, chair of the Science, Innovation and Technology Select Committee, <a href="https://www.computerweekly.com/news/366642254/Science-Innovation-and-Technology-committee-chair-questions-UKs-tech-sovereignty-approach">made some pointed remarks</a> about the UK government’s technology strategy, or its relative lack thereof.</p> <p>Her argument centred on our dependency on a small number of Big Tech providers, principally Microsoft and AWS, with Palantir receiving mention due to their NHS and military contracts, along with legitimately framed concerns over UK dependencies on foreign supply chains.</p> <p>There was much to agree with in Onwurah’s article, with just one jarring point – her definition of sovereignty. Namely that, “it means exactly what you want it to mean.” Such a formulation might be political shorthand; the politician making a soundbite of complex concepts for public consumption, but for digital and data sovereignty it’s dangerous to over-simplify.<br><br>Politicians sometimes choose to be imprecise, but it’s important to be unambiguous here. Digital sovereignty requires that the only legislation acting on a piece of sovereign data is that of its parent country, or if you prefer; “the laws a country accepts to provide judicial primacy”.</p> <section class="section main-article-chapter" data-menu-title="Sovereignty an active digital battleground"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Sovereignty an active digital battleground</h2> <p>Despite this, Onwurah’s article was a call to action on a topic many readers probably didn’t realise was an issue. Make no mistake, sovereignty is already an active digital battleground for Big Tech and hyperscalers. It is likely to be the defining factor of technology delivery in the UK, Europe and globally for the next few years.</p> <p>The digital sovereignty issue is largely a product of public cloud, and more directly<a href="https://www.bbc.co.uk/news/technology-53418898"> high-profile court cases such as Schrems II</a>, which sought to control personal data transfers to regimes deemed less likely to protect it than our own. Before public hyperscale cloud, nearly all domestic and government data processing was performed in datacentres in-country.</p> <p>Non-sovereign IT or software providers occasionally required remote engineer access for support, but most access to your data was physically, as well as logically and digitally, limited to in-country.</p> <p>Cloud adoption, and in particular the UK’s decision to adopt US-headquartered public cloud services, broke down those sovereign walls.</p> <p>Mandated sovereign processes and contracts gave way to as-a-service models while supplier-defined terms of service allowed data offshoring, and it’s the effect of those that have led to pan-European calls for digital sovereignty.</p> <p>Sovereignty is therefore commonly suggested to be a hyperscaler issue, but it’s actually broader than that. All non-sovereign (which principally means US) service providers must adjust. </p> <p>So, the term hyperscaler isn’t a useful frame for these discussions. Others like IBM, Oracle, HPE need to adapt too, and all the various approaches to sovereign cloud and IT services now distinctly fall into three types that don’t neatly meet the hyperscaler-or-not classification.</p> <p>That means that a hyperscaler-specific focus when it comes to sovereign cloud and AI is counterproductive. Each provider needs to be considered independently on their own merits and approaches.</p> </section> <section class="section main-article-chapter" data-menu-title="Geopolitical tension and offshoring worries"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Geopolitical tension and offshoring worries</h2> <p>Sovereignty worries have also been driven by a period of unusually high geopolitical tension. Whilst the US remains a valued European ally, threats and posturing from the White House have caused concern amongst UK and EU leaders. The result is a swing in the pendulum, with European nations seeking more sovereign control after years of increasing reliance on US-based cloud providers. The IT industry is responding, but not all providers are making the changes they must to operate in markets defined by sovereignty rather than scalability.</p> <p>Of the big three, Microsoft were the first to think about sovereign capabilities. They built a German M365 outpost years ago, though that went defunct in 2022 and they appear to be struggling most with the transition now.</p> <p>Their global public cloud services (Azure and M365) <a href="https://www.computerweekly.com/news/366632040/Microsoft-hides-key-data-flow-information-in-plain-sight">operate in more than 100 countries</a> that support UK and some European services, so to restructure that into sovereign-first operating models will take some work.  Conversely, AWS and GCP, who both use offshore processing, but are principally regional in nature, are adapting more quickly.</p> <p>Another issue for Microsoft is historic lack of transparency around global data flows and exactly how their platform works. Last year <a href="https://www.computerweekly.com/news/366629871/Microsoft-refuses-to-divulge-data-flows-to-Police-Scotland">Redmond was unable to give information on data flows when requested to do so</a> by the Scottish Police Authority (a legal requirement under Data Protection laws). And more recently ProPublica<a href="https://www.propublica.org/article/microsoft-cloud-fedramp-cybersecurity-government"> revealed that US FedRAMP authorities</a> had encountered exactly the same issues trying to certify Microsoft cloud services for US government use.</p> <p>ProPublica claimed that after five years of trying and failing to get core information about Microsoft’s security and data processing in Microsoft’s US Government Community Cloud High platform, they had to give up.</p> <p>This raises a question unique to Microsoft. Can they actually re-model their complex global-by-default services to deliver pure in-country sovereign cloud delivery?</p> <p>They look to be struggling so far. Their commitment to deliver CoPilot in-country AI inference by the end of 2025 for the UK has<a href="https://www.microsoft.com/en-us/microsoft-365/blog/2025/11/04/microsoft-offers-in-country-data-processing-to-15-countries-to-strengthen-sovereign-controls-for-microsoft-365-copilot/"> just been rolled back to the end of 2026</a>, whilst EU nations will now apparently only get regional, and not sovereign inference.</p> </section> <section class="section main-article-chapter" data-menu-title="Sovereignty Levels 1 and 2"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Sovereignty Levels 1 and 2</h2> <p>Instead of national capabilities, Microsoft is trying to focus buyers’ minds on re-defining what sovereignty means to fit their existing product stack; a strategy that previously sufficed but is unlikely to be successful again.</p> <p>This is the Sovereignty Level 1 response: Adapt the definition to better align with existing product architectures.</p> <p>Most non-sovereign providers have introduced “data boundary” constructs, supported by additional technical controls, though these may not fully satisfy stricter interpretations of sovereignty from data protection authorities.</p> <p>Microsoft leans on this more than AWS or Google, who both have this in their sovereignty catalogue but have already moved most customer discussions on to Sovereignty Level 2.</p> <p>That approach is to partner regionally and work with a local partner through a sovereign operating model.</p> <p>This can improve customer confidence, but where the control plane or ultimate corporate control remains offshore, sovereignty concerns may still persist depending on the implementation.</p> <p>The AWS approach centres on this option, namely that their European Sovereign Cloud is a regional platform they claim fully adheres to EU rules and regulations but fails in the basic respect that the EU is a collective, not a sovereign, entity. </p> <p>EU alignment also creates a political barrier to non-EU members like the UK. Ceding digital sovereignty to EU controls might be too much for the government to accept. It’s also not yet fully clear that corporate control is 100% vested in the AWS German representatives and Cloud Act jurisdiction might still apply.<br><br>Microsoft’s efforts to build in-country sovereign cloud in Germany and France are yet to achieve full operation, and moves by both governments to reduce Microsoft dependency may further impact their realisation.</p> </section> <section class="section main-article-chapter" data-menu-title="Google and S3NS"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Google and S3NS<strong><br></strong></h2> <p>Google’s in-country partner approach has had more success. In a <a href="https://www.computerweekly.com/news/252525925/Google-Cloud-fleshes-out-sovereign-cloud-capabilities-for-European-enterprises">joint venture with Thales, named S3NS</a>, they’ve taken a hands-off position. S3NS now offers assured France-specific air-gapped capabilities, a fundamental requirement for sovereign cloud or AI services. Platforms that periodically “phone home” for upgrades, licence checks, or processing do not pass the sovereignty test.</p> <p>S3NS bridges the gap from the Level 2 to the Level 3 approach with fully air-gapped operations, wholly under local control to give self-evident sovereign cloud.</p> <p>AWS and Microsoft have air-gapped options on the table, but Google Distributed Cloud Air-Gapped (GDC-AG) is currently the most well developed and capable, despite still lacking some services that are in their public cloud platform.</p> <p>It’s not particularly cheap – isolated working carries a premium – but the MOD’s announcement of a <a href="https://www.computerweekly.com/news/366630792/Ministry-of-Defence-signs-400m-sovereign-cloud-deal-with-Google">£400m contract</a> over five years, and others of similar size in Nato and the German military attest to their trust in its sovereignty.</p> <p>AWS’s alternative, LocalStack, works for development purposes but is not rated for production workloads. <a href="https://www.computerweekly.com/opinion/Azure-Local-Disconnected-looks-the-part-for-sovereignty-It-isnt">My previous analysis of Microsoft’s Azure Local Disconnected</a> product makes that look distinctly beta-like in comparison.<br><br>The landscape of hyperscaler offers for sovereign cloud is thus immature. Google has found a way to deliver locally, AWS is yet to break out of the EU-region model, and Microsoft is already slipping on sovereign commitments it made for AI.</p> <p>Meanwhile, as sovereignty becomes increasingly important, local cloud providers can become viable recipients of investment once again. They will however need time, government support and forward-looking investors to grow. Even then, some will likely fail.</p> <p>One logical answer is a future of hybrid, partnership-led solutions. That requires a technology-neutral, cloud-ready procurement approach from government that makes portability, switching, and multi-vendor operation possible in practice. The big providers also need to be willing to make that work and may need to do so with country specific partnerships.<br><br>Google’s approach in France through S3NS provides insight into what a national cloud and hyperscale collaboration could look like; a scalable “hyper-core” under national management with flexible in-country SME delivery partners for the edge.  </p> <p>If we’re serious about digital sovereignty across Europe and UK, it’s about time we started these conversations.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>. We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector.</li> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold: Responses to data sovereignty risk</a>. We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> </ul> </div> </div> <ul class="default-list"></ul> <p></p> </section> As data sovereignty comes under scrutiny the more chimera-like it looks, but ventures like Google’s S3NS in France show potential https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/UK-border-control-passport-travel-getty.jpg https://www.computerweekly.com/opinion/Data-is-a-sovereignty-issue-And-broader-than-just-the-hyperscalers Thu, 30 Apr 2026 11:27:00 GMT Data is a sovereignty issue. And broader than just the hyperscalers ComputerWeekly.com 60 editor@computerweekly.com