Copyright TechTarget - All rights reserved ComputerWeekly’s best articles of the day https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Fri, 08 May 2026 05:17:59 GMT https://www.computerweekly.com editor@computerweekly.com <p>Artificial intelligence (AI) is being woven into everyday working life. It is also becoming a gateway to economic participation. But for nearly eight million people in the UK who <a href="https://www.computerweekly.com/news/366640721/UK-government-boosts-digital-access-for-more-than-a-million-people">lack basic digital skills</a> - that gateway has become a barrier.</p> <p>Consider a capable candidate applying for a job. The role suits their experience, but the digital process is layered with logins, verification steps and AI-driven prompts that feel opaque. In an era of scams and deepfakes, requests for personal information can trigger hesitation rather than reassurance. The system may be designed for efficiency, but for some users it can feel risky or overwhelming.</p> <p><a href="https://www.computerweekly.com/opinion/Diversity-Think-Tank-Inclusion-matters-heres-why-you-should-care">Digital exclusion</a> can be quiet. It shows up as abandoned forms, unfinished applications and services avoided. With around 90% of jobs now advertised online and essential services increasingly digital-first, hesitation translates directly into reduced participation in the labour market.</p> <section class="section main-article-chapter" data-menu-title="AI at the front end of business services"> <h2 class="section-title"><i class="icon" data-icon="1"></i>AI at the front end of business services</h2> <p>As advanced AI moves from experimentation to infrastructure, it now sits at the front end of many core business services - hiring funnels, learning platforms, customer service journeys and financial verification processes. These are no longer back-office systems. They serve as digital gateways to jobs and essential services. If complexity is hard-wired into these journeys, and now with AI layered onto fragmented processes, organisations will spend the next decade trying to retrofit inclusion at far greater cost.</p> </section> <section class="section main-article-chapter" data-menu-title="More than a skills issue"> <h2 class="section-title"><i class="icon" data-icon="1"></i>More than a skills issue</h2> <p>It is tempting to frame Britain’s challenge as a straightforward <a href="https://www.computerweekly.com/news/366544238/FutureDotNow-debuts-roadmap-to-guide-UK-through-closing-digital-skills-gap">digital skills gap</a>. But the latest research and work with communities show that what holds many people back is not a lack of ability, but a lack of confidence.</p> <p>Fear of fraud and impersonation, cognitive overload from cluttered interfaces, and processes that strip away autonomy by forcing reliance on others all play a role.</p> <p>For business leaders focused on growth, this means a narrower recruitment pool, higher drop-off rates in applications and rising demand for assisted services. Facing these constraints in a tight labour market because your digital front door feels intimidating is not a social issue. It is a commercial one.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> AI has the potential to deliver a double-digit uplift in productivity across the UK economy - but these gains depend on whether people have the skills and confidence to participate in an AI-shaped economy </figure> <figcaption> <strong>Dal Channa, Accenture</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Yet many organisations treat AI deployment as a technical roll-out, measuring success through adoption rates, chatbot usage or efficiencies. Far less attention is paid to whether people can complete tasks independently, feel in control of the interaction, or know how to recover when something goes wrong - or to tracking reductions in assisted interactions, rather than adoption alone.</p> <p>Through our work, alongside our charity partners, Good Things Foundation and Generation UK<i>,</i> we have seen <a href="https://www.computerweekly.com/news/366619507/Government-launches-Digital-Inclusion-Action-Plan">how digital inclusion can work</a>.</p> <p>Short, supported sessions allow people to experiment with AI tools in safe environments where mistakes are recoverable. They help people to overcome hesitancy and feel more eager to use the technology. Systems that are simplified before automation is layered in prove far easier to navigate. Tools delivered through trusted institutions -employers, banks and public services - generate far greater willingness to engage than platforms alone.</p> <p>Those who are most likely to hesitate often expose design flaws faster than any internal test lab. Building for them improves the system for everyone.</p> </section> <section class="section main-article-chapter" data-menu-title="Participation is the point"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Participation is the point</h2> <p>Digital inclusion matters because the prize is real. Generative AI has the potential to deliver a <a href="https://www.accenture.com/content/dam/accenture/final/accenture-com/document-3/Accenture-Accelerating-The-UKs-Generative-AI-Reinvention.pdf#zoom=40">double-digit uplift in productivity</a> across the UK economy. But those gains are not automatic. They depend on whether people have the skills and confidence to participate in an AI-shaped economy.</p> <p>That is why building AI literacy matters just as much as investment in the technology itself. Through Accenture’s <a href="https://newsroom.accenture.co.uk/english-uk/news/2024/accenture-to-help-tackle-the-digital-inclusion-gap-in-disadvantaged-areas-across-the-uk">Regenerative AI</a> initiative, which aims to empower over one million people in the UK with digital access, skills and AI literacy, we are seeing how small, human-centred interventions can unlock meaningful gains in participation and independence.</p> <p>For AI’s potential to be realised, humans need to remain in the lead. That means ensuring people have access to the support they need to build confidence. The digital world should not feel locked behind complexity. It should be secure and accessible so people can engage independently.</p> <p><i>Dal Channa is Accenture’s corporate citizenship lead in the UK &amp; Ireland.</i></p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about digital inclusion</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/opinion/Diversity-Think-Tank-Divesting-from-inclusion-is-a-tech-business-mistake">Divesting from inclusion is a tech business mistake</a> - Even without recent news in the US, diversity, equity and inclusion (DEI) initiatives were dialled back in UK businesses last year due to tight budgets and economic uncertainty.</li> <li><a href="https://www.computerweekly.com/opinion/The-future-is-inclusive-How-technology-can-democratise-access-to-opportunity">The future is inclusive: How technology can democratise access to opportunity</a> - IT leaders need to play their part in using technology to create a more inclusive future for businesses - the benefits for all will be significant.</li> <li><a href="https://www.computerweekly.com/news/366611263/UN-body-urges-globally-inclusive-and-distributed-AI-governance">UN body urges ‘globally inclusive and distributed’ AI governance</a> - A United Nations body set up to investigate the international governance of AI says the nature of how the technology currently operates requires a global approach to regulation that prioritises equity and inclusion.</li> </ul> </div> </div> </section> AI is increasingly being woven into every aspect of our lives - but the technology's full potential cannot be delivered without addressing shortcomings in digital inclusion https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/diversity-inclusion-Fokussiert-adobe.jpg https://www.computerweekly.com/opinion/Realising-Britains-AI-ambitions-rests-on-digital-confidence-and-inclusion Thu, 07 May 2026 07:46:00 GMT <p><em>Inside FDP is an exclusive series of articles written by the former deputy director of data engineering at NHS England, Tom Bartlett, who led the 150-person team that built the <a href="https://www.computerweekly.com/news/366620412/NHS-chief-data-officers-concerned-with-FDP-roll-out">Federated Data Platform</a> (FDP), the <a href="https://www.computerweekly.com/news/366640417/Health-workers-call-for-Palantir-to-be-booted-from-NHS-contracts">controversial Palantir-supplied system</a> linking data across the health and care service. His insights into the challenges facing NHS data, and the solutions available to resolve them, make essential reading for anyone who wishes to understand what’s really happening with FDP in the NHS. This is part 2 of the series - read part 1 here:<a href="https://www.computerweekly.com/opinion/Inside-FDP-part-1-Understanding-the-problems-facing-NHS-data"> Inside FDP - Understanding the problems facing NHS data.</a></em></p> <p>For decades, <a href="https://www.computerweekly.com/feature/Electronic-health-records-are-still-creating-issues-for-patients">NHS data</a> investment has followed a reporting-first approach. Leaders want visibility into one of the largest organisations in the world, for legitimate reasons, at a time when the pace of technology has been extraordinary. They have poured investment into back-office data teams - expensive engineering and analytical staff, expensive software, expensive consultancies.</p> <p>But they have hardly invested in frontline data capability. Some NHS Trusts have retained a small team to tailor the <a href="https://www.computerweekly.com/news/252514807/Electronic-Patient-Records-key-to-NHS-digital-transformation">electronic patient record</a> (EPR) and add bolt-on modules for popular use cases, such as ward observations, but that was never going to address the scale of the problems created by retrofitted data plumbing.</p> <p>The result is an estate with thousands of manual cross-organisational data flows. Entire national programmes are dedicated to burden reduction and data flow transformation, programmes that exist solely because the current model creates the burden in the first place.</p> <p>Analytical infrastructure is duplicated at every level of the system.&nbsp;And the cost of shadow IT is absorbed invisibly by clinical staff time that should be spent on patients.</p> <p>None of this was obvious at the time those decisions were made. Technology was moving fast, the demands on the NHS were relentless, and it was genuinely hard to step back and see that the reporting-first approach was creating the very problems it was being asked to solve.</p> <section class="section main-article-chapter" data-menu-title="Data vision"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Data vision</h2> <p>The vision that NHS England's leadership wanted to realise, but rarely articulated in public, was to stop treating data as something extracted from the frontline and start treating it as something that serves the frontline - this is what I call a Frontline-First approach.</p> <p>My understanding of that vision can be defined through seven dimensions of value, each with a direct impact on what patients experience: operational tools at the point of care; frontline participation in development; enrichment of data at the point of need; AI-driven analytics at the frontline; live integration through the platform; cross-setting collaboration; and scalable portable products available to every Trust. The first two are the foundation. The rest build on them.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic1a.png"> <img data-src="https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic1a_mobile.png" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic1a_mobile.png 960w,https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic1a.png 1280w" alt="Chart showing the seven key elements of NHS data architecture supported by FDP" data-credit="Bartlett Data" height="336" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>NHS data architecture - how FDP supports the seven dimensions of data value </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="1. Operational tools at the point of care"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. Operational tools at the point of care</h2> <p>Picture the scene. A discharge coordinator in a busy acute Trust is managing 30 patients across four wards. Their tool is an Excel spreadsheet, updated manually after each phone call to the ward, each conversation with the family, each check on community services availability. Nothing is linked to the EPR. Nothing is visible to the bed management team. Nothing feeds the board’s dashboard. The data exists only on that spreadsheet and in the coordinator's head.</p> <p>Now picture the alternative. Instead of the spreadsheet, an FDP application tracks the patient through the discharge pathway, prompts the right actions at the right times, and integrates with bed management. Instead of the theatre scheduler working from a whiteboard, an FDP application holds the session list with live links to the waiting list, the surgeon's availability and the equipment booking.</p> <p>The data captured by these tools enters the formal data estate for the first time, visible to the analyst, the board dashboard and the commissioner, rather than locked in a local file nobody else can see.</p> <p>The cost of leaving these workflows on shadow IT is real. A delayed discharge costs a Trust roughly £400 per day in excess bed days. Every unnecessary day in hospital increases the risk of healthcare-associated infection, deconditioning, falls, and loss of independence, particularly for frail elderly patients. Optica, the FDP discharge application, has delivered a 28% reduction in average delay days across adopting Trusts. The patient impact? They get home sooner, to a more therapeutic environment, with lower risk of hospital-acquired harm.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Frontline participation in development"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Frontline participation in development</h2> <p>These tools do not have to be built centrally by NHS England. The platform allows frontline teams, data engineers working alongside clinicians and operational staff, to build their own applications for their own workflows. The nationally developed products like Optica and the Care Coordination Solutions are the starting point, not the ceiling. A Trust team that knows its discharge pathway better than any national programme ever could, can build an application that fits that pathway precisely, capture data that would otherwise live on a spreadsheet, and then share the application with other Trusts through the Solution Exchange.</p> <p>Foundry – the <a href="https://www.computerweekly.com/news/252529075/NHS-data-platform-costing-480m-to-supersede-Covid-19-data-store-underway">Palantir software at the heart of FDP</a> - includes no-code tools for building applications and data transformations without engineering skills. On top of this, Palantir's AI capabilities allow clinicians and operational staff to describe what they need in plain language and have the platform generate a working pro-code application. Part 3 of this series explains how this works in more detail.</p> <p>For CIOs managing development backlogs that stretch years into the future, this is a route to clearing demand that traditional software development cannot match.</p> <p>The patient impact? The gap between an operational need being recognised and a working tool being available shrinks from months or years to days or weeks. This capability will need quality assurance and governance as it scales, because frontline-led development without standards risks creating a new form of technical debt - but the answer is to govern it well, not to prevent it from happening.</p> </section> <section class="section main-article-chapter" data-menu-title="3. Data enrichment"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Data enrichment</h2> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> This is enrichment [of data] by reasoning, not just enrichment by visibility, and it represents a step change in what a data platform can do for a clinician at the point of care </figure> <figcaption> <strong>Tom Bartlett</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Once a clinician is working through an FDP application rather than a disconnected EPR, the platform can enrich the data they see with information from elsewhere in the system.</p> <p>This is the logic layer - the platform does not just store data, it connects it and surfaces what is relevant at the moment a decision is being made. The clinician's field of view expands beyond what they personally know and what is in front of them to include what the system knows.</p> <p>A clinician considering an onward referral can see that the receiving service has a six-week wait while an alternative has a two-week wait, and can make a better decision for the patient in the room.</p> <p>A discharge coordinator can see that the community team has already arranged a package of care, rather than duplicating the call.</p> <p>A consultant completing a procedure record gets an immediate comparison - consultants with your case mix at similar Trusts achieve a complication rate of X, yours is Y.</p> <p>A mental health clinician reviewing a patient can see that the same patient attended A&amp;E twice last week, information that sits in a different organisation's data but is now visible through the platform.</p> <p>In every case, the act of recording stops being a bureaucratic overhead and starts being a moment where the clinician learns something useful. Good data becomes a by-product of useful work rather than a chore imposed from above.</p> <p>But enrichment is not just about making more data visible. It is about applying logic to the data in real time.</p> <p>If a patient has a high frailty score and three or more A&amp;E attendances in the last 90 days, surface them for proactive review before the next admission.</p> <p>If a discharge is planned but no community care package is in place, flag it before the patient leaves the ward.</p> <p>If a prescribed medication conflicts with an allergy recorded in another care setting, send an alert.</p> <p>None of this is new to business intelligence (BI) teams. They build these alerts already, in dashboards, in near-real-time reports, in exception lists emailed to service managers. But the clinician still has to work across the BI report, the EPR, and the shadow IT spreadsheet to act on what the alert tells them.</p> <p>What changes with a Frontline-First approach is the level of integration - the alert is inside the operational tool, at the point of the decision, connected to the action the clinician needs to take. The logic and the workflow are in the same place.</p> <p>As the platform matures, large language models (LLMs) will extend this further. Where rule-based logic handles known patterns with defined thresholds, LLMs can reason across unstructured and structured data together, identifying that a combination of symptoms, test results, and medication changes over several months resembles a deterioration pathway that no single data point would flag.</p> <p>This is enrichment by reasoning, not just enrichment by visibility, and it represents a step change in what a data platform can do for a clinician at the point of care.</p> <p>The best existing example of enrichment for clinicians illustrates what changes. The National Consultant Information Programme (NCIP), part of Getting It Right First Time (GIRFT), provides consultant-level benchmarking across 12 surgical specialties. It is clinically led, well designed, and widely used. But it is a reporting-first approach to enrichment.</p> <p>The consultant visits a separate portal, reviews quarterly data drawn from Hospital Episode Statistics, and takes the insight back to their practice. On FDP, the same enrichment would be integrated into the operational tool the consultant already uses, updated in near-real-time rather than quarterly, and extended beyond surgical specialties to mental health, community, primary care and ambulance through the Canonical Data Model (CDM). The difference is not the insight - it is when and where the clinician receives it.</p> <p>The patient impact? Clinicians make better decisions because they see what the system knows, not just what is in front of them. Unnecessary referrals are avoided. Duplicate work is eliminated. Variation in clinical practice is surfaced and addressed in real time rather than discovered years later through audit. Harm is prevented by logic that connects data across settings before the clinician has to ask.</p> </section> <section class="section main-article-chapter" data-menu-title="4. AI-driven analytics at the frontline"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. AI-driven analytics at the frontline</h2> <p>Today, when a ward manager wants to know their current caseload, or a service lead wants to understand their team's referral patterns, or a clinical director wants to see how their specialty compares to peers, they send a request to the BI team. The BI team, already stretched, adds it to the queue. The answer comes back days or weeks later as a spreadsheet or a static report. By the time the frontline has the information, the question has moved on.</p> <p>A new tool in development at NHS England called Ask FDP changes this. Using large language models connected to the Trust's data through the ontology, frontline staff can query the data estate in plain English and get straight answers without going through the BI team.</p> <p>What is my caseload? Which patients on my ward have been here longer than seven days? How does our readmission rate compare to the national average? These are not complex analytical questions. They are the everyday operational queries that currently consume a disproportionate amount of BI team capacity.</p> <p>There is a further shift that matters. When a BI team responds to these queries today, they typically produce a set of charts or data tables that require further interpretation. Is that variation genuine or within the range of normal fluctuation? What is driving the trend? The person who asked the question is left looking at 30 graphs wondering what is going on.</p> <p>Ask FDP does not just return the data. It synthesises the analysis, explains what the numbers mean, and flags what requires attention. Analytical skills are in shorter supply than BI dashboards. An AI-powered analyst that can interpret as well as present is a step change in how quickly the frontline can act on what the data is telling them.</p> <p>The consequence is a cultural shift in how data is used.</p> <p>The BI team can pivot away from ad-hoc reporting and toward the higher-value work of building Frontline-First tools, maintaining data quality, and developing the ontology.</p> <p>The frontline gets instant, informed answers from an AI analytical capability that knows the Trust's data.</p> <p>The culture moves from manual analysis of data provided by a busy central team to self-service intelligence at the point of need. The patient impact? Clinical decisions are informed by data in real time rather than waiting for a report that may arrive too late to matter.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Live integration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Live integration</h2> <p>In the current architecture, data moves between layers through overnight extracts, monthly submissions, and manual uploads. A change in one system is not reflected in another until someone runs a process to move it.</p> <p>Within a Foundry tenant, the ontology changes this. Data on the platform is connected in real time.</p> <p>When a theatre session is cancelled, every linked concept updates immediately - the waiting list entry, the bed allocation, the consultant's schedule, the utilisation dashboard. There is no overnight feed, no reconciliation, no delay. For an average Trust with over 250 different clinical teams, this means all of those teams are working from the same live picture of the organisation for the first time.</p> <p>This matters for the timeliness problem described in Part 1 of this series. When data is live on the platform rather than extracted in batches, the information available to the clinician, the manager and the analyst is the same and it is current. Cross-Trust integration requires additional architectural mechanisms which are described in Part 3, but the direction of travel is clear - from monthly extracts and manual submissions toward a connected, live data estate.</p> <p>The patient impact? Decisions are informed by data that reflects what is happening now, not what happened weeks or months ago.</p> </section> <section class="section main-article-chapter" data-menu-title="6. Cross-setting collaboration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6. Cross-setting collaboration</h2> <p>A mental health patient turns up in A&amp;E. In the current model, the A&amp;E clinician has no way of knowing about the community mental health history unless they happen to have access to the shared care record and think to look.</p> <p>On FDP with the national Canonical Data Model, the mental health data and the acute data sit on the same platform with the same definitions. New FDP apps that are bespoke to the intersection of those care settings become possible at a larger scope than point-to-point record sharing. But visibility is only the starting point.</p> <p>In this hypothetical FDP app, the A&amp;E clinician can also see capacity in the receiving mental health service, request an admission informed by the full clinical picture, and have that request received and accepted by the ward team with all the relevant detail attached.</p> <p>The same applies to out-of-area placements, where a receiving Trust currently has no visibility of the placing Trust's clinical intent, risk assessment, or care plan.</p> <p>This is not just data sharing. It is clinical teams collaborating across organisational boundaries through a shared platform, informed by consistent data, in real time. The patient impact? They are treated by clinicians who know their history and can coordinate their care across settings rather than working in the dark.</p> </section> <section class="section main-article-chapter" data-menu-title="7. Scalable, portable products"> <h2 class="section-title"><i class="icon" data-icon="1"></i>7. Scalable, portable products</h2> <p>Over time, the first six dimensions produce something the NHS has never had - a growing library of operational tools, built by the people closest to the work, available to any Trust on the same platform.</p> <p>The mechanism for this is the Solution Exchange, a commercial and technical framework that allows FDP applications to be packaged, quality-assured, and made available to other Trusts.</p> <p>This is not limited to applications built by NHS teams. Third-party healthtech companies can build products on the platform and distribute them through the Solution Exchange, creating a marketplace for NHS operational tools.</p> <p>NHS England is currently working with invited early adopters this year to establish the framework and the first wave of commercially available products. In 10 years, there could be thousands of these products, all portable across Trusts because they share the same data model. The current handful of nationally built products is like the calculator app on a smartphone. The platform can run anything.</p> <p>The marketplace model introduces something the NHS has rarely had in its data tooling - genuine competition between products on the basis of clinical usefulness.</p> <p>Where multiple products address the same workflow, clinical teams will prefer the one that works best for them. The better product gets adopted more widely. The weaker product either improves or is replaced. This creates incentives for innovation and brings the urgency to improve that is often absent when tools are nationally commissioned and centrally maintained. The NHS remains the commissioner and the governor. The energy to build, iterate, and improve comes from teams and companies who are motivated to make something clinicians actually want to use.</p> <p>The cost of switching from one product to another is also reduced, because every product runs on the same platform with the same data model. A Trust is not locked into a product the way it is locked into a bespoke system that took years to integrate.</p> <p>The patient impact? A tool that works well in one Trust becomes available to every Trust, so improvements in care are shared nationally rather than staying local.</p> </section> <section class="section main-article-chapter" data-menu-title="Frontline-First in practice: a real national collection"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Frontline-First in practice: a real national collection</h2> <p>These seven dimensions are abstract until you see them working together. The Mental Health Services Data Set (MHSDS) illustrates what the shift from reporting-first to Frontline-First would look like in practice, because it shows both the scale of the current problem and the potential of a different approach.</p> <p>Today, the MHSDS is a national collection built on the reporting-first culture that has dominated NHS data investment for decades. Someone nationally said, "I want to know what is happening in mental health services," found some money, and built an entire reporting industry that is almost entirely separate from the frontline.</p> <p>Clinicians in mental health trusts are required to record data to the MHSDS specification in their EPR. Much of what they record is not directly useful to their clinical work. It creates friction. The data feeds into a submission process that still relies on Microsoft Access databases as an intermediate stage, is processed centrally, and arrives at the national level months after the clinical event.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The FDP programme has achieved remarkably fast-paced progress under sustained political and media pressure that would have stalled most national programmes entirely </figure> <figcaption> <strong>Tom Bartlett</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>From the clinician's perspective, the MHSDS is a black hole. Data goes in. Nothing useful comes back.</p> <p>There is a further inefficiency. The MHSDS, while quite a comprehensive analytical base, is almost always entirely separate from the analytical base held within the Trust's own data team. The same data is extracted, transformed, and stored twice: once for the national collection and once for local reporting. The local version is almost always more accurate, because it has not had to be translated into a national specification that is in many places distant from the local data structures.</p> <p>This duplication exists because of semantic inconsistencies in the data and the inconsistent platform technology deployed across Trusts and NHS England. It is pure waste. Part 4 of this series explores this semantic gap in more detail.</p> <p>A critic might say the answer is to make the EPR better - configure it to capture the MHSDS data more naturally. But the EPR is a monolithic system that tries to serve every clinical setting with the same application. A crisis team, a rehabilitation ward, a community Child and Adolescent Mental Health Services (CAMHS) service, an early intervention in psychosis team - these are vastly different clinical settings with vastly different workflows. Forcing them all through the same EPR interface is part of why clinicians find recording burdensome and why shadow IT emerges to fill the gaps.</p> <p>A Frontline-First approach would look fundamentally different. As well as the monolithic EPR, you would build a fleet of FDP apps, each tailored to the specific workflow of the team using it.</p> <p>The crisis team gets an app designed for rapid assessment and handover. The rehab ward gets an app designed for long-stay progress tracking and outcomes. The CAMHS service gets an app designed for managing referrals and family work.</p> <p>Each app is modular, built close to the clinical team it serves, and captures data in a way that makes sense for that team's work. The sum of the data captured across all of these apps flows to MHSDS automatically, because each app is built on the same platform with the same CDM.</p> <p>The national collection becomes a by-product of useful clinical work rather than an administrative overhead imposed from above. The archaic Access-database submission process disappears because the data is already on the platform in a nationally consistent format.</p> <p>This is what Frontline-First means in concrete terms. The clinician gets a tool they want to use, designed for their workflow rather than a generic compromise. The data quality improves because the recording is clinically meaningful rather than bureaucratically mandated. Modular apps built for specific workflows can also capture data in structured fields that the generic EPR progress note cannot, making data like DIALOG scores accessible to the data estate for the first time rather than buried in free text.</p> <p>The national collection gets better data, faster, with less processing. The duplication between local and national analytical bases disappears because both draw from the same dataset on the same platform, harmonised through the CDM. The patient gets a service that is tracking their outcomes and learning from the comparison with peers. Every layer benefits, and the starting point is a useful tool at the point of care rather than a data extraction requirement.</p> </section> <section class="section main-article-chapter" data-menu-title="The production evidence"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The production evidence</h2> <p>Two things need to be evidenced before the Frontline-First argument can stand.</p> <p>The first is that FDP can host operational applications that produce measurable outcomes.</p> <p>The second is that it is feasible for frontline teams to build their own tools on the platform, because if every FDP application has to be nationally commissioned and centrally built, the approach will never cover the breadth of shadow IT that exists across the NHS.</p> <p>On the first, NHS England publishes quarterly figures on FDP uptake and benefits. The Inpatient Care Coordination Solution (IP CCS) reports an average 6.6% increase in booked theatre utilisation across adopting Trusts. Unused theatre time is cancelled elective procedures, longer waiting lists, patients waiting in pain or at risk of deterioration.</p> <p>The Outpatient Care Coordination Solution validates waiting lists and removes unnecessary appointments. Optica reports a 28% reduction in average delay days across adopting Trusts.</p> <p>These figures should be read with caution. The journey is still at an early stage and the production evidence is still building. There will be challenges and limitations, and some are already being publicly stated. An independent three-year evaluation by Imperial College Projects, commissioned by NHS England at a cost of £700,000, began in March 2026 with findings expected in 2029.</p> <p>I would welcome that evaluation going further than measuring the benefits of the current products. It should seek to understand the true comparator costs and relative benefits of a Frontline-First approach versus the reporting-first approach the NHS has followed for decades. Without that comparison, neither the advocates nor the critics of FDP have the evidence they need.</p> <p>The figures I cite in this series are NHS England's published cross-trust numbers. This is the beginning of the journey, and as the platform matures these problems will be addressed if the programme keeps its focus on the Frontline-First vision.</p> <p>On the second, the Build with FDP event in October 2025 offered the most direct evidence that frontline-led development is feasible on the platform. Some 120 NHS staff - a mix of data engineers, developers, clinical and operational staff - spent two days building working operational tools on FDP. The winning team built an Ambulance to Ward handover product. The runner-up built a clinical coding AI assistant. The next event runs in Leeds in May 2026, and the best applications from previous events are being sponsored by NHS England for national rollout.</p> </section> <section class="section main-article-chapter" data-menu-title="How these dimensions address the data problems"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How these dimensions address the data problems</h2> <p>The following table shows how the seven Frontline-First dimensions address each of the eight problems described in Part 1.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic2a.png"> <img data-src="https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic2a_mobile.png" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic2a_mobile.png 960w,https://www.computerweekly.com/rms/computerweekly/FDP2-Tom-Bartlett-pic2a.png 1280w" alt="Chart showing how the seven dimensions of value address each of the eight key data problems facing the NHS" data-credit="Bartlett Data" height="317" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>How the seven dimensions of value address each of the eight key data problems facing the NHS </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="The financial case"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The financial case</h2> <p>There is also a practical dimension that matters to any Trust finance director or CIO.</p> <p>Trusts that adopt FDP as their core data infrastructure can replace their local data warehouse entirely. The licensing costs for SQL Server, Databricks or similar, the staff costs to maintain bespoke infrastructure, and the analyst time spent manually extracting and uploading national submissions all reduce significantly. National submissions can happen automatically through the platform rather than through the monthly grind of manual extracts.</p> <p>FDP is centrally funded, cloud-hosted, and already in place. For a Trust paying £100,000 or more a year in data platform licensing alone, before staff costs, the financial case for adoption is straightforward.</p> <p>There has been hesitancy among CIOs about what happens to funding arrangements after the current contract ends. This is understandable but should not be a reason to delay adoption. The savings from warehouse replacement, automated submissions, and reduced duplication will over time far outweigh the local implementation costs, and in my view central funding is extremely likely to continue given the strategic significance of the platform.</p> <p>Trusts are expected to invest in ensuring FDP runs well and is developed within their organisation. The implementation costs should not be understated, but they are not new costs unique to FDP. They are the kinds of costs Trusts routinely incur when adopting operational tools: a System Coordination Centre, a data warehouse capability, a job planning system. All of these require staff, training, configuration, and ongoing support.</p> <p>The investment varies significantly depending on approach. Trusts that have embedded FDP adoption into their existing transformation programmes, treating it as a set of tools to deliver improvements the Trust was already planning, rather than running it as a standalone digital programme, have found costs significantly lower than those that stood up dedicated teams.</p> <p>The major investment for most Trusts is the data warehouse migration, which would apply to any platform change regardless of supplier. These costs should be weighed against the costs of maintaining duplicated data infrastructure, manual submission processes, and the shadow IT that a Frontline-First approach is designed to replace.</p> </section> <section class="section main-article-chapter" data-menu-title="What the programme has achieved, and what it costs to transform at this scale"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What the programme has achieved, and what it costs to transform at this scale</h2> <p>The FDP programme has achieved remarkably fast-paced progress under sustained political and media pressure that would have stalled most national programmes entirely. It has had the ambition to tackle the biggest problem in NHS informatics, one that has sat in the "too difficult" box for decades.</p> <p>The NHS is the seventh largest organisation in the world. A transformation of this scale will inevitably create losers as well as winners, and even despite the pace, some things will not be done fast enough to prevent genuinely avoidable loss. There will not be enough focus, enough shared knowledge, or enough capacity to avoid every mistake that should have been avoided. That is the price of transformation at this scale. The best hope is that as the programme matures it can reduce this cost, and the evidence from the ground suggests it is already doing so.</p> <p>Many Trusts have invested significantly in their own data infrastructure, such as on-premise SQL Server estates, and in some cases cloud-based BI stacks on Azure or AWS. These investments have genuine merit and have delivered real value within their scope.</p> <p>At regional level, Greater Manchester and London have both built excellent data infrastructure, and the people who built them are some of the most capable data leaders in the NHS.</p> <p>Shared care records have gone further, giving clinicians visibility of patient records from other care settings at the point of care.</p> <p>These are genuine achievements. Some regional teams are going further still, linking data across acute, primary, and community care settings, applying population-level risk scores, and beginning to extend into operational use cases with write-back into clinical systems. This work is real, well-governed, and in some cases ahead of what FDP has delivered nationally.</p> <p>But visibility is not the same as integration. Shared care records let a clinician see what happened elsewhere. They do not let the clinician act on it through the same platform, create new data, or collaborate with teams in other organisations through shared operational tools. The Frontline-First approach requires all of these.</p> <p>The regional and local platforms were designed to analyse data, not to host the operational applications that create it. FDP was designed to do both on the same platform, with the same data model, the same access controls, and the same national consistency layer. That is the architectural distinction that makes Frontline-First possible, and the next post explains the architecture in detail.</p> <p>Trusts with strong existing BI estates will benefit from FDP adoption not by discarding what they have built, but by connecting it to a national platform that addresses what their local infrastructure cannot.</p> <p>Local data leaders who invested in infrastructure as NHS England previously directed, and who now feel that investment is being overridden by a national programme they had no role in shaping, have legitimate cause for frustration. That frustration needs to be heard and addressed, not dismissed as resistance to change.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the NHS Federated Data Platform</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640417/Health-workers-call-for-Palantir-to-be-booted-from-NHS-contracts">Health workers call for Palantir to be booted from NHS contracts</a> - Health justice charity Medact warns that Palantir’s involvement in NHS data systems is a threat to patients and healthcare organisations.</li> <li><a href="https://www.computerweekly.com/news/366620412/NHS-chief-data-officers-concerned-with-FDP-roll-out">NHS chief data officers concerned by FDP roll-out</a> - The Chief Data and Analytical Officers Network has raised concerns over the way the NHS Federated Data Platform is being implemented and NHS England’s approach to its adoption.</li> <li><a href="https://www.computerweekly.com/news/366616320/NHS-Federated-Data-Platform-celebrates-first-birthday">NHS Federated Data Platform celebrates first birthday</a> - In its first year, more than 100 NHS organisations have signed up to the controversial platform, aiming to bring together data from different IT systems.</li> </ul> </div> </div> <p>The frustration is sharpest where mature, operationally proven products already exist. The NHS has System Coordination Centre tools that have been managing urgent and emergency care flows since 2013. Job planning systems embedded in Trust workforce processes. Locally built operational tools with years of frontline refinement behind them, trusted by the staff who use them. In some cases, the national programme has built FDP products that overlap with existing functionality rather than integrating what already works.</p> <p>The Solution Exchange model described above should be the answer to this - bringing mature third-party products onto the platform so that Trusts retain what works while gaining the benefits of a shared data model and national portability.</p> <p>Getting this right matters, because if Trusts feel their existing tools are being displaced rather than integrated, they will resist adoption, and they will have a point. This is an avoidable loss, and it is within the programme's power to fix.</p> <p>There is a practical step that would help. While I have elaborated, named and communicated the Frontline-First concept, I did not create it. Leaders in NHS England did, and so NHS England should publicly name the Frontline-First vision, explain it to the wider data community, and invite collaborative development of the operational application roadmap.</p> <p>The <a href="https://www.computerweekly.com/news/366620412/NHS-chief-data-officers-concerned-with-FDP-roll-out">concern about "programme drift" that has been expressed by senior NHS data leaders</a> is essentially a concern that nobody has told them what FDP is for. They signed up for a data federation capability and feel they are being given operational software modules instead.</p> <p>If the programme had clearly stated from the outset that FDP's purpose is to put useful tools at the point of care, with good data as a by-product, the conversation would be about how to make that work locally rather than about whether the programme has drifted from its original brief. The drift is in the communication, not in the architecture.</p> </section> <section class="section main-article-chapter" data-menu-title="The investment case"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The investment case</h2> <p>A true Frontline-First approach needs significant investment. Consider the context - even over the last five years.</p> <p>EPR investment alone has come to around £2bn. One single geography will spend £200m on an electronic health record (EHR) upgrade and nobody blinks.</p> <p>In that context, a £330m contract to address the data plumbing looks like what it is - a modest beginning of a much larger endeavour. The cost of FDP is criticised, and the total cost of ownership is genuinely unknown. But the cost of the alternative, continuing with the reporting-first approach, is also unquantified, and it is almost certainly higher.</p> <p>If the NHS data problems described in Part 1 had been properly addressed 10 years ago, instead of investing further in centralised data collection and reporting, the NHS would have a far more effective data estate than it does now. Criticism of FDP's cost is incomplete without the comparator.</p> </section> <section class="section main-article-chapter" data-menu-title="Why Foundry?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why Foundry?</h2> <p>The next post explains why Palantir's Foundry is the only platform I have seen that is capable of delivering a Frontline-First approach at NHS scale.</p> <p><em>Read <a href="https://www.computerweekly.com/opinion/Inside-FDP-part-1-Understanding-the-problems-facing-NHS-data">part 1 of Inside FDP:&nbsp;Understanding the problems facing NHS data</a></em></p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about NHS data</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Electronic-health-records-are-still-creating-issues-for-patients">Electronic health records are still creating issues for patients</a> - Almost every NHS trust will have moved onto a digital system by this spring. Experts have cautioned many patients are still struggling to access their own health data.</li> <li><a href="https://www.computerweekly.com/news/366639993/Child-rapist-could-have-profiled-victims-through-unaudited-access-to-NHS-databases">Child rapist could have profiled victims through unaudited access to NHS databases</a> - NHS analyst’s conviction for child sexual abuse offences raises concerns over unaudited access to patient data.</li> <li><a href="https://www.computerweekly.com/news/366574914/Women-In-Data-panel-NHS-needs-to-get-data-basics-right-before-rushing-into-AI">NHS needs to get data basics right before rushing into AI</a> - During a panel discussion at a Women in Data event, speakers from across the public healthcare sector outlined the groundwork that has to be laid for artificial intelligence to take the NHS by storm.</li> <li><a href="https://www.computerweekly.com/news/366620174/NHS-investigating-how-API-flaw-exposed-patient-data">NHS investigating how API flaw exposed patient data</a> - NHS patient data was left vulnerable by a flaw in an application programming interface used at online healthcare provider Medefer.</li> <li><a href="https://www.computerweekly.com/news/366641178/NHS-digital-drive-hit-by-usability-gaps-despite-progress-national-survey-finds">NHS digital drive hit by usability gaps despite progress, national survey finds</a> - The shift from analogue to digital across the NHS is hindered by usability issues in electronic patient record (EPR), but the newly launched frontline productivity programme could be the answer.</li> </ul> </div> </div> </section> In the second of an exclusive series of articles by the former deputy director of data engineering at NHS England, we examine the key elements of the data architecture that supports the Federated Data Platform programme https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/healthcare-doctor-tablet-1-adobe.jpeg https://www.computerweekly.com/opinion/Inside-FDP-part-2-Delivering-on-the-NHS-vision-for-data Thu, 07 May 2026 07:00:00 GMT <p>As institutions like the United Nations (U.N.) call on people and organizations around the globe to come together to take action before the climate crisis worsens, climate terminology comes to the forefront, as well as how certain terms differ from one another.</p> <p>For example, <i>greenhouse gas emissions</i> and <i>carbon emissions</i> are often used interchangeably, but they have important distinctions.</p> <section class="section main-article-chapter" data-menu-title="What are greenhouse gas emissions?"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_1ijkdj1d3vke"></a>What are greenhouse gas emissions?</h2> <p>Put simply, a <a href="https://www.techtarget.com/whatis/definition/greenhouse-gas">greenhouse gas</a> (GHG) is a type of vaporous matter -- or gas -- in a planet's atmosphere that traps heat. There are several greenhouse gas types. On Earth, these include carbon dioxide, methane, nitrous oxide, fluorinated gases and water vapor.</p> <p>Emissions are the release of such gases into the atmosphere.</p> <p>So, greenhouse gas emissions are the release of greenhouse gases such as carbon dioxide and methane into Earth's atmosphere, which is meant to protect it from space.</p> </section> <section class="section main-article-chapter" data-menu-title="What are carbon emissions?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are carbon emissions?</h2> <p>In the simplest terms, carbon emissions are just a specific category -- carbon dioxide emissions -- of greenhouse gas emissions. Carbon emissions are sometimes referred to as carbon pollution.</p> </section> <section class="section main-article-chapter" data-menu-title="Why do people confuse the terms?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why do people confuse the terms?</h2> <p>The reason people might confuse terms such as <i>greenhouse gas emissions</i>, <i>GHGs</i>, <i>carbon emissions</i>, <i>carbon dioxide</i> and <i>carbon pollution</i> has to do with two main areas:</p> <ul class="default-list"> <li>Carbon as the main driver of rising greenhouse gas emissions.</li> <li>How most people best understand concepts around climate change.</li> </ul> <h3>Carbon emissions drive rising GHGs</h3> <p>Carbon emissions, which come primarily from burning fossil fuels, receive so much attention because they're the main driver of climate change and global warming. Because of that, <i>carbon</i> is often used as shorthand to mean greenhouse gas emissions.</p> <p>Here is a cheat sheet for some common carbon-related terms:</p> <ul class="default-list"> <li><b>Carbon.</b> The shortened way to refer to carbon dioxide.</li> <li><b>Carbon dioxide equivalent.</b> A common unit to describe different greenhouse gases based on their global warming potential; also called <a href="https://www.techtarget.com/sustainability/feature/CO2-vs-CO2e-What-is-the-difference-and-why-does-it-matter">CO2e</a>.</li> <li><b>Carbon emissions.</b> The discharge of carbon dioxide into the atmosphere.</li> <li><b>Carbon footprint.</b> The total amount of greenhouse gases that an individual or organization generates.</li> <li><b>CO2.</b> Scientific shorthand for the chemical compound carbon dioxide.</li> </ul> <h3>Confusion around climate change communication</h3> <p>People who become familiar with climate change terminology might forget to tailor their communication in a way their audience will best understand.</p> <p>For example, although the terms <i>greenhouse gas emissions</i>, <i>carbon emissions</i> and <i>carbon pollution</i> all appear in association with climate change, people in the U.S. associate the terms <i>carbon emissions</i> and <i>carbon pollution</i> more with human and environmental harm, compared with the term <i>greenhouse gas emissions</i>, according to the 2023 study "Evaluating Terms Americans Use to Refer to 'Carbon Emissions,'" published in the journal <i>Environmental Communication</i>.</p> <p>People are also more likely to understand that fossil fuels create carbon pollution and emissions, rather than greenhouse gas emissions.</p> <p>Studies like this suggest that language matters, and <a href="https://www.techtarget.com/sustainability/feature/Key-sustainability-communications-strategies-for-businesses">explaining sustainability issues</a> in terms that a nonscientific public can understand is critical.</p> </section> <section class="section main-article-chapter" data-menu-title="How GHGs and carbon emissions heat the planet"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How GHGs and carbon emissions heat the planet</h2> <p>Greenhouse gases, such as methane, nitrous oxide, fluorinated gases and carbon dioxide, are increasing and are responsible for global warming and climate change.</p> <p>Here's how it works: Greenhouse gases trap heat in the atmosphere by absorbing and reemitting infrared radiation back toward Earth's surface, which then keeps the planet warmer than it would be otherwise. This is what's known as the greenhouse effect.</p> <p>In an actual greenhouse, sunlight can pass through the glass walls, enabling the plants within to absorb it. The plants and soil then emit some of the absorbed heat energy as infrared radiation, which the glass absorbs and emits back into the greenhouse. This helps the greenhouse retain heat and stay warmer than it otherwise would be.</p> <p>Greenhouse gases such as methane and carbon work similarly. The sun's radiation passes through the atmosphere and is absorbed by Earth's surface. Some of that energy is emitted back into the atmosphere as infrared radiation. Some of the radiation passes back into space. But GHGs absorb some of the radiation and reflect it back to Earth again to heat the planet.</p> <p>Ideally, greenhouse gases keep Earth's temperature balanced -- not too cold and not too warm.</p> <p>The problem is that with the start of the Industrial Age, around the mid-1700s, people have increasingly mined, extracted and burned fossil fuels such as coal, oil and natural gas. These fossil fuels have increased and disrupted the level of greenhouse gases and, in turn, driven climate change.</p> <p>The scientific community is virtually united in agreement that climate change is real, that humans have caused and continue to worsen it, and that all stakeholders must take decisive and major action.</p> <p>The Intergovernmental Panel on Climate Change, a U.N. global scientific body commonly known as the IPCC, calls on everyone to <a target="_blank" href="https://www.un.org/en/actnow/ten-actions" rel="noopener">get involved</a> in addressing climate change to secure a livable future.</p> <p>Business and IT professionals, in particular, have a number of ways to get involved, including <a href="https://www.techtarget.com/sustainability/tip/Ways-to-reduce-an-organizations-digital-carbon-footprint">reducing the digital carbon footprint</a>, creating a <a href="https://www.techtarget.com/sustainability/feature/Green-office-ideas-businesses-can-explore">more sustainable office</a> and implementing solid <a href="https://www.techtarget.com/sustainability/tip/How-companies-can-improve-their-carbon-accounting-practices">carbon accounting practices</a>.</p> <p><i>Diann Daniel is a former executive editor who oversaw a number of sites within Informa TechTarget's Enterprise Software and Services group, including Sustainability and ESG.</i></p> <p><i>Jacob Roundy is a freelance writer and editor with more than a decade of experience in a variety of tech topics, such as data centers, business intelligence and sustainability.</i></p> </section> The terms 'greenhouse gas' and 'carbon' are often used interchangeably. Learn what the meaning of each is and how the two relate to climate change and global warming. https://cdn.ttgtmedia.com/rms/onlineimages/esg_g1440816946.jpg https://www.techtarget.com/sustainability/feature/Understand-greenhouse-gas-emissions-vs-carbon-emissions Thu, 07 May 2026 00:00:00 GMT <p>Amid sky-high levels of fraud and financial crime, and the as-yet unknown real-world impacts <a href="https://www.techtarget.com/searchenterpriseai/news/366642478/Claude-Mythos-Preview-and-the-new-rules-of-cybersecurity" target="_blank" rel="noopener">of Anthropic’s Claude Mythos</a>, the inaugural UK Financial Services Security Hackathon has brought together representatives of UK banks, fintechs, software and technology companies, and regulators for a security competition testing incident readiness, decision-making under fire, and skill at defending financial infrastructure against cyber attack.</p> <p>A total of 33 two-strong teams representing 16 organisations took part in the competition, hosted by <a href="https://www.lloydsbankinggroup.com/" target="_blank" rel="noopener">Lloyds Banking Group</a>, <a href="https://cloud.google.com/security" target="_blank" rel="noopener">Google Cloud Security</a>, and penetration testing and vulnerability discovery experts <a href="https://www.hackthebox.com/" target="_blank" rel="noopener">Hack The Box</a>.</p> <p>“This event demonstrated how simulated real-life exercises help organisations strengthen defensive capabilities, improve readiness under pressure, and build stronger collaboration across the wider financial services ecosystem,” said Lloyds Banking Group chief security officer Matt Rowe. “In a highly connected sector, resilience depends not only on individual organisations, but on how effectively we prepare and respond together.”</p> <p>Hack The Box chief operating officer Nikos Fountas added: “Cyber security is not just about what teams know, it is about what they can do when it matters most. Exercises like this move organisations from static training to proving real-world readiness. They prepare security professionals, test judgement under pressure, and benchmark performance against peers across the industry.”</p> <p>The contest itself saw participants tackle challenges in areas such as web vulnerability exploitation, digital forensics, OSINT investigations, cryptography and payment systems security, and vulnerability discovery.</p> <p>The organisers said the hackathon also highlighted how important measurable cyber readiness is in the financial sector, where highly interconnected systems, ever-evolving threats, and rapid incident escalation mean that how cyber pros perform in the earliest stages of a cyber incident can be critical.</p> <p>And reflecting <a href="https://www.computerweekly.com/news/366641763/Bank-cyber-teams-on-red-alert-as-Anthropic-promises-them-Mythos-next-week" target="_blank" rel="noopener">the advent of Anthropic’s Claude Mythos frontier AI model</a>, which may yet be a game changer in terms of vulnerability discovery and exploitation, and its <a href="https://www.computerweekly.com/news/366641830/More-finance-firms-join-FCAs-AI-testing-initiative" target="_blank" rel="noopener">potential impact on the financial services sector</a>, the challenges reflected the role of AI in both offensive and defensive capacities, with teams combining their own technical cyber expertise with emerging capabilities.</p> <p>The AI question, and more specifically the value of human expertise in security, was underscored by the eventual winners of the contest, Nine Lives With Zero Days – comprising a machine learning expert and a senior pen tester.</p> <p>Although AI can clearly speed-up repetitive, or well-defined and scoped tasks, real-world cyber defence work cannot be bound by such simplistic definitions, said the organisers. It relies instead on factors such as context, judgment, adaptability and the ability to navigate many possible pathways. Moreover, hands-on security experience is vital to build the instincts and decision-making abilities that AI will never truly have.</p> <p>Fountas said: “As AI becomes more capable, the human element is still critical. It is much like chess. Although machines can outperform humans, people continue to study and play because the value lies in the thinking process – the pattern recognition, creativity and decision-making. In cyber security, it is these instincts and the ability to make the right decisions under pressure that ultimately strengthen resilience.”</p> <p>The winning team said they were both “shocked and thrilled” to win at the end of a challenging two days.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about fintech</h3> <ul class="default-list"> <li>As AI drives deeper personalisation in financial services, CIOs are under pressure to deliver growth while ensuring models remain <a href="https://www.techtarget.com/searchcio/feature/Safe-by-design-AI-personalization-in-fintech" target="_blank" rel="noopener">explainable, secure and compliant</a>.</li> <li>UK government announces open banking strategies during London Fintech Week, including regulation <a href="https://www.computerweekly.com/news/366642036/UK-government-beats-drum-for-fintech-industry-at-London-Fintech-Week" target="_blank" rel="noopener">and £1m investment</a>.</li> <li>Standard Chartered’s technology and security chief, Alvaro Garrido, says AI will transform finance, but the industry’s biggest vulnerabilities <a href="https://www.computerweekly.com/news/366641549/In-the-AI-race-a-global-bank-bets-on-the-human-touch" target="_blank" rel="noopener">lie outside its own walls</a>.</li> </ul> </div> </div> Teams of security pros from UK financial services organisations came together at the end of April to participate in a hackathon exercise https://cdn.ttgtmedia.com/visuals/German/article/ethical-hacker-adobe.jpg https://www.computerweekly.com/news/366642669/UK-financial-security-experts-participate-in-sector-wide-hackathon Wed, 06 May 2026 15:52:00 GMT <p>A <a href="https://www.computerweekly.com/news/366639704/Police-do-not-have-to-explain-to-lawyer-Fahad-Ansari-why-they-seized-his-phone-data-says-court">solicitor, whose mobile phone containing legally privileged material was seized</a> and downloaded by police, was wrongly identified in a police risk assessment as a Hamas member.</p> <p>Fahad Ansari, who specialises in national security cases, argues that police unlawfully stopped and questioned him because they wrongly “equated” him acting as a lawyer for Hamas with being a member of the proscribed organisation.</p> <p>The case is believed to be the first targeted use of Schedule 7 powers against a practising solicitor. Under Schedule 7 legislation, police can stop and question people and seize their electronic devices, without the need for suspicion, to determine whether they appear to be involved in terrorism.</p> <p>The Court of Appeal ordered an immediate stay on Tuesday of a judicial review brought by Ansari while it considers whether <a href="https://www.computerweekly.com/news/366639704/Police-do-not-have-to-explain-to-lawyer-Fahad-Ansari-why-they-seized-his-phone-data-says-court">police should be required by law to disclose details of their case against him</a>.</p> <p>Ansari, an Irish solicitor who is representing Hamas in a legal appeal to have its proscribed status overturned in the UK, was stopped and questioned by police in August 2025 while travelling home with his family from Ireland to Holyhead.</p> <section class="section main-article-chapter" data-menu-title="Police risk assessment stated ‘Hamas’ membership"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Police risk assessment stated ‘Hamas’ membership</h2> <figure class="main-article-image half-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/North-Wales-Police-risk-assessment-Fahad-Ansari-800px.jpg"> <img data-src="https://www.computerweekly.com/rms/computerweekly/North-Wales-Police-risk-assessment-Fahad-Ansari-800px_half_column_mobile.jpg" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/North-Wales-Police-risk-assessment-Fahad-Ansari-800px_half_column_mobile.jpg 960w,https://www.computerweekly.com/rms/computerweekly/North-Wales-Police-risk-assessment-Fahad-Ansari-800px.jpg 1280w" alt="Image shows police risk review document, with solicitor Fahad Ansari identified as a Hamas member" height="412" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>Police risk review identified solicitor Fahad Ansari as a Hamas member </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>A police officer who completed a risk assessment made a handwritten note under the heading “membership of a known group” stating “Hamas”.</p> <p>According to a legal submission from Ansari’s barrister for a <a href="https://www.computerweekly.com/news/366630116/Hamas-lawyer-challenges-police-after-they-seized-legal-files-from-phone-in-Schedule-7-stop">judicial review</a> – originally due to be held today (6 May 2026), the police officer was “essentially” equating Ansari, who is not a member of Hamas, with his client.</p> <p>The police officer confirmed in a witness statement that his note was inaccurate. “What I had intended to write was that Mr Ansari worked as a solicitor for Hamas, and not that he was a member of the group,” he said.</p> <p>The officer added that no other officers involved in the stop or the examination of Ansari’s phone saw the note and that it did not affect any of the decisions made by other officers. “Everyone clearly understood the position that Mr Ansari was the solicitor for Hamas,” he wrote.</p> </section> <section class="section main-article-chapter" data-menu-title="Ansari not questioned in earlier stop"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Ansari not questioned in earlier stop</h2> <p>It emerged that Ansari had been stopped previously, in 2024, under Schedule 7 of the Terrorism Act, before he represented Hamas, in what appeared to be a random stop.</p> <p>He identified himself as a solicitor and was not asked any questions about Hamas or Palestine. He did not have his mobile phone seized, downloaded or copied on that first occasion, unlike his later Schedule 7 stop, barrister Hugh Southey KC wrote in a skeleton argument.</p> <p>He said the significant difference between the two Schedule 7 stops was that Ansari had made an application on behalf of Hamas before the second stop.</p> <p>The chief constable of North Wales Police has made contradictory statements about the reasons for stopping Ansari in 2025.</p> <p>In January 2026, she stated that “there was an underlying reason or reason for the stop: it was not random”. The chief constable now states that she has “not confirmed” that the stop was a “targeted stop”.</p> <p>It appears that the chief constable has approached litigation heard in open court in a “confused, contradictory and less than candid manner”, Southey wrote.</p> </section> <section class="section main-article-chapter" data-menu-title="Legally privileged material"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Legally privileged material</h2> <p>The phone seized by North Wales Police contained legally privileged material, including communications with clients, their families, witnesses and experts, along&nbsp;with documents, financial information and internet research related to clients.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/Fahad-Ansari-solicitor-800px-h.jpg"> <img data-src="https://www.computerweekly.com/rms/computerweekly/Fahad-Ansari-solicitor-800px-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/Fahad-Ansari-solicitor-800px-h_half_column_mobile.jpg 960w,https://www.computerweekly.com/rms/computerweekly/Fahad-Ansari-solicitor-800px-h.jpg 1280w" alt="Photo shows solicitor Fahad Ansari, who was stopped under Schedule 7 powers" height="302" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>Solicitor Fahad Ansari is seeking a judicial review against North Wales Police </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>A police officer subsequently prepared a list of keywords, including names of UK proscribed organisations and words based on research the officer had conducted into Ansari, to allow an independent counsel to “sift and review” data on the solicitor’s phone.</p> <p>Ansari argues that the safeguards, including using an independent counsel to assess the contents of the phone, were inadequate to protect legally privileged material, and that he has no way of knowing whether such material was accessed by investigators.</p> <p>The chief constable wrote to Ansari in March this year, stating that the police had completed their examination of his work phone. Ansari has sought confirmation of whether police officers had inadvertently seen privileged material from the phone.</p> </section> <section class="section main-article-chapter" data-menu-title="Lack of rights"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Lack of rights</h2> <p>The consequence of the approach taken by the chief constable of North Wales Police is that Ansari would be entitled to greater safeguards if he were investigated for having committed an offence, and where there had already been a judicial warrant, Southey wrote in the skeleton argument.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> This is not Belfast in the 1980s when such messages were delivered by bullets, but the intention feels uncomfortably similar: represent clients and face consequences </figure> <figcaption> <strong>Fahad Ansari, solicitor</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Ansari said that the Court of Appeal had recognised that his argument for greater disclosure from the police had merit.</p> <p>“Previously, the High Court allowed the police to rely on secret evidence. In situations like this, it’s normally expected that at least a summary of the allegations is shared to allow a semblance of a fair hearing,” he wrote in a post on LinkedIn.</p> <p>The police’s apparent lack of distinction between being a member of Hamas and being a legal representative of Hamas raises “serious concerns” and would deter lawyers from representing proscribed groups, he added.</p> <p>“This is not Belfast in the 1980s when such messages were delivered by bullets, but the intention feels uncomfortably similar: represent clients and face consequences,” he said.</p> </section> <section class="section main-article-chapter" data-menu-title="Phantom Parrot"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Phantom Parrot</h2> <p>A document leaked by whistleblower Edward Snowden in 2013 raised concerns that information collected from phones during Schedule 7 searches was being covertly collected at UK borders under GCHQ’s “Phantom Parrot” programme.</p> <p>Ansari said North Wales Police had declined to say whether information from his phone had been shared with any other organisations.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the case</h3> <ul type="square" class="default-list"> <li><a href="https://www.computerweekly.com/news/366639704/Police-do-not-have-to-explain-to-lawyer-Fahad-Ansari-why-they-seized-his-phone-data-says-court">Police do not have to explain to lawyer Fahad Ansari why they seized his phone data</a>, says court: A High Court judge has ruled that police do not have to give reasons to lawyer, who acts for Hamas, why they seized his mobile phone data&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li> <li><a href="https://www.computerweekly.com/news/366633407/Hamas-lawyer-seeks-appeal-following-polices-seizure-of-his-phone-at-Welsh-port">Hamas lawyer seeks appeal following police’s seizure of his phone at Welsh port</a>: Police ordered to give reasons in closed court for seizing phone of UK Hamas lawyer.</li> <li><a href="https://www.computerweekly.com/news/366639704/Police-do-not-have-to-explain-to-lawyer-Fahad-Ansari-why-they-seized-his-phone-data-says-court">Police say that solicitors cannot have a ‘cast iron defence’ to protect their electronic devices from ever being searched</a>: London court orders police to disclose reasons for seizing and copying the contents of a phone belonging to a UK lawyer who represented Hamas, but refuses an injunction to prevent police from reviewing the phone until after judicial review</li> <li><a href="https://www.computerweekly.com/news/366630116/Hamas-lawyer-challenges-police-after-they-seized-legal-files-from-phone-in-Schedule-7-stop">Hamas lawyer challenges police after they seized legal files from phone in Schedule 7 stop</a>: A UK solicitor hired by Hamas to challenge its proscription in the UK as a terrorist organisation argues police acted unlawfully by seizing a phone containing confidential legally privileged material about his clients.</li> </ul> </div> </div> <ul type="square" class="default-list"></ul> </section> A police officer wrongly described a solicitor acting for Hamas in an appeal against its proscribed status in the UK as a Hamas member during Schedule 7 phone seizure https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/UK-border-control-passport-travel-getty.jpg https://www.computerweekly.com/news/366642804/Police-wrongly-identified-solicitor-Fahad-Ansari-as-Hamas-member-during-Schedule-7-phone-seizure Wed, 06 May 2026 12:54:00 GMT <p>Broadcom has unveiled the latest update to <a href="https://www.computerweekly.com/news/366630396/How-Metrobank-is-tapping-VMware-Cloud-Foundation">VMware Cloud Foundation (VCF)</a>, which it says offers a secure and cost-effective infrastructure platform for production artificial intelligence (AI) workloads. Broadcom said VCF 9.1 delivers an AI and Kubernetes native private cloud platform with integrated security and mixed compute infrastructure support across AMD, Intel and Nvidia.</p> <p>The company is positioning VCF as the platform to run enterprise AI in private clouds. Half of organisations (56%) that responded to a recent Broadcom poll said they are running or planning to run production inferencing in a private cloud.</p> <p>“As more enterprises turn to AI for driving competitive advantage, they face three critical challenges: data and IP privacy concerns, surging infrastructure costs, and their readiness for the world of agentic AI,” said Krish Prasad, senior vice-president and general manager of the VMware Cloud Foundation division at Broadcom.</p> <p>“VCF 9.1 is a single unified platform that addresses all three and delivers one of the most advanced infrastructures for private AI. We enable zero-trust security for AI, reduce costs through intelligent infrastructure optimisation and hardware choice, and provide the flexibility to run both agentic workflows and accelerated inferencing on the same platform,” added Prasad.</p> <p>The Broadcom survey also found that 62% of IT leaders are “very” or “extremely” concerned about generative AI infrastructure costs, while 36% said AI is driving new requirements for data protection, privacy, security controls and risk management.</p> <p>The company, which has made significant <a href="https://www.computerweekly.com/news/366638927/Tesco-vs-VMware-Dell-weighs-in-on-VMware-contractual-obligation">changes to VMware licensing</a> since it acquired the company in 2022, claims the new version will help customers reduce their server hardware total cost of ownership by as much as 40%. Broadcom has come under scrutiny as a result of its strategy to move from <a href="https://www.techtarget.com/searchvmware/news/366617317/Broadcom-ATT-settle-lawsuit-over-VMware-support">perpetually licensed software to a VCF subscription bundle</a>, which has seen VMware costs increase dramatically for some customers.</p> <p>Tackling hardware cost is something that VMware server virtualisation has always been able to do, by reducing the need to deploy one physical server per enterprise application and thereby enabling organisations to consolidate their server estate, and Broadcom now appears to be pivoting to a position where it is now looking to demonstrate the value of the VCF subscription charge.</p> <p>The new version includes vSphere Topology-aware scheduling, which Broadcom said utilises chip-aware logic to optimise non-uniform memory architecture (NUMA) placement and reduce page-migration costs. What this means, according to Broadcom, is that with vSphere Topology-aware scheduling, even the most resource-intensive applications maintain peak responsiveness. Complementing this is Parallel Processing of DRS vMotion, which Broadcom said removes sequential bottlenecks during cluster balancing. It achieves this by allowing multiple migrations to occur simultaneously.</p> <p>“VMware Cloud Foundation 9.1 is engineered to address these market pressures: a private cloud platform designed to run production AI at the lowest cost per workload, under enterprise sovereignty, without compromising security or delivery velocity,” Sabina Anja, chief technologist for VMware Cloud Foundation at Broadcom, <a href="https://blogs.vmware.com/cloud-foundation/2026/05/05/vcf-9-1-secure-cost-effective-private-cloud-platform-for-production-ai/">wrote in a blog post</a>.</p> <p>Broadcom said vSphere in VCF 9.1 represents a fundamental shift in infrastructure economics. Along with maximising existing hardware through NVMe memory tiering, it also claims to lower operational overhead by supporting fast patching and elastic provisioning, eliminating performance bottlenecks through intelligent offloading, and maintaining continuous operations through live patching. Broadcom claims these enhancements enable organisations to transform infrastructure from a cost centre into a strategic advantage.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about VMware Cloud Foundation</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366631478/Should-you-run-VMware-7-unsupported">Should you run VMware 7</a> unsupported? In just a few weeks, VMware version 7 reaches end of life, which means Broadcom will no longer issue patches.</li> <li>New <a href="https://www.techtarget.com/searchitoperations/news/366630312/New-VMware-private-AI-infrastructure-rethinks-Tanzu-again">VMware private AI infrastructure</a> rethinks Tanzu, again: Broadcom’s VMware finally abandons a long effort to unify Kubernetes with Cloud Foundry as it battles cloud and virtualisation rivals on multiple fronts.</li> </ul> </div> </div> VMware is being repositioned as a platform to lower the total cost of hosting artificial intelligence workloads in private clouds https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/public-private-cloud-fotolia.jpg https://www.computerweekly.com/news/366642853/Broadcom-updates-VCF-to-address-on-premise-AI Wed, 06 May 2026 12:15:00 GMT <p>The Netherlands is not waiting for Big Tech to solve its artificial intelligence (AI) problem. Since late February, five organisations have been running feasibility studies with the beta <a href="https://www.computerweekly.com/news/366558412/Netherlands-starts-building-its-own-AI-language-model">version of GPT-NL</a>, a national <a href="https://www.techtarget.com/whatis/definition/large-language-model-LLM?_gl=1*n9nwxv*_ga*MTEwNzM2MTI5My4xNzQyODE4ODQ3*_ga_TQKE4GS5P9*czE3NzczNzkxOTgkbzQwOSRnMSR0MTc3NzM4MjIxMyRqMTMkbDAkaDA.">language model</a> developed by applied research organisation <a target="_blank" href="https://www.tno.nl/en/" rel="noopener">TNO</a>, the&nbsp;<a target="_blank" href="https://www.forensicinstitute.nl/" rel="noopener">Netherlands Forensic Institute</a>&nbsp;and&nbsp;<a target="_blank" href="https://www.surf.nl/en" rel="noopener">SURF</a>, the IT cooperative of Dutch educational and research institutions.</p> <p>The number is set to grow to 10 by spring 2026, with a broader commercial roll-out planned for the second half of the year.</p> <p>The move marks a significant shift for a project that, when it <a href="https://www.computerweekly.com/news/366558412/Netherlands-starts-building-its-own-AI-language-model">launched in late 2023</a>, was met with healthy scepticism. With a starting budget that is a rounding error by Big Tech standards, the question was always whether GPT-NL could deliver something genuinely useful – not just a research artefact, but a model that organisations could deploy. The <a href="https://gpt-nl.nl/nieuws/progress-report-2/">progress report</a> published in February 2026 suggests the project is closing in on that goal.</p> <section class="section main-article-chapter" data-menu-title="From pre-training to practice"> <h2 class="section-title"><i class="icon" data-icon="1"></i>From pre-training to practice</h2> <p>Pre-training of the model is complete. According to GPT-NL <a href="https://www.linkedin.com/in/frank-brinkkemper/">R&amp;D manager Frank Brinkkemper</a> in the progress report, early benchmark results are encouraging: on summarisation tasks, GPT-NL already outperforms older models such as GPT-3 – notable given the difference in resources. Standard benchmarks including EuroEval are being used to measure performance, with corrections applied where benchmarks are not fully calibrated for Dutch.</p> <p>The feasibility studies now under-way are designed to answer the harder question: does the model hold up in practice, on real infrastructure, for real tasks? Each launching customer works with a TNO team that installs the model on-premise, runs a series of tests over three to six months and then iterates towards specific use cases. The customers pay for the research programme – covering staff hours, licensing and an optional community fee – while final pricing for the broader market has yet to be set.</p> <p>The first five participants are, notably, not from the open market. Three use cases are financed by the Dutch Ministry of the Interior and Kingdom Relations, with TNO and the NFI as the other two. That proximity to the project’s own initiators is a pragmatic choice, but it does mean the claim of broad sectoral relevance will be tested more rigorously in the next phase.</p> <p>The applications being tested span a range of public sector functions. One pilot involves Gem, a virtual municipal assistant already used by nearly 30 Dutch municipalities, which handled close to 70,000 conversations in 2024. The question being investigated is whether GPT-NL improves the quality of Gem’s responses to citizen queries compared to currently deployed models.</p> <p>A second use case centres on HIP, a communication assistant whose name translates roughly as Clear, Intelligent and Productive. The tool helps civil servants draft government letters in plain language, which is a persistent challenge in Dutch public administration, where correspondence on debt and benefits can be notoriously hard for citizens to understand. GPT-NL is being benchmarked against the currently deployed commercial model.</p> <p>At the NFI, the model is being fine-tuned on forensic data to improve classification performance in investigations involving terabytes of evidence, a domain where processing speed and precision have direct consequences for criminal proceedings. TNO is also testing GPT-NL internally for its own classified and privacy-sensitive research projects, under a “Copilot, unless” policy, meaning commercial AI tools are the default, but GPT-NL steps in where data sensitivity demands it.</p> </section> <section class="section main-article-chapter" data-menu-title="A global first in copyright licensing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A global first in copyright licensing</h2> <p>Perhaps the most internationally significant development in the past year is not technical but legal. GPT-NL has secured a licensing agreement with <a href="https://www.ndpnieuwsmedia.nl/">NDP</a>, the Dutch association of commercial news publishers – covering national newspapers, platforms including NU.nl and RTL News, and broadcaster BNR. GPT-NL claims to be the first AI initiative anywhere in the world to have reached paid, consensual agreements with all major publishers in a single market for the use of their content in model training.</p> <p>The deal did not come easily. News media have more to lose than most in the large language model (LLM) era: their content has been scraped at scale without permission, then used to generate outputs that compete directly with journalism.</p> <p>“We set a precedent that strengthens the position of journalism in the Netherlands over the long term,” said <a href="https://www.linkedin.com/in/rien-van-beemen-4580724/">Rien van Beemen, chair of NDP Nieuwsmedia</a>, in the report. “AI innovation can happen ethically, without large-scale unlawful use of journalists’ work.”</p> <p>To address publisher concerns about content re-emerging from the model, GPT-NL has built in technical measures to prevent licensed material from being extracted via prompting. All licensing terms are publicly documented, and the framework allows for content withdrawal – though the team is candid that continuous model retraining on demand is not technically feasible. Instead, data providers who exit the project continue receiving compensation until a new model version is released.</p> <p>According to GPT-NL’s product manager Saskia Lensink, the approach has attracted attention from beyond the Netherlands: “Other European member states are asking how the ecosystem of public and private collaborating parties is legally and organisationally structured. We are the first country in the world to have succeeded in reaching an agreement with the publishers collectively.”</p> </section> <section class="section main-article-chapter" data-menu-title="The sovereignty argument"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The sovereignty argument</h2> <p>Underpinning GPT-NL is a strategic argument about digital autonomy. Europe’s governments, public institutions and businesses run largely on non-European cloud platforms, office software and AI tools. GPT-NL is anchored in non-profit, public-sector organisations – TNO, SURF, NFI – which, as Lensink pointedly notes, will never become American companies.</p> <p><a href="https://www.linkedin.com/in/lokkemoerel/">Lokke Moerel, professor of Global ICT Law at Tilburg University</a> and a partner at Morrison Foerster who has advised the project on legal architecture, frames it as a strategic necessity. “If you only make rules for technology that others build, you will always be chasing events,” she says in the report. “You need to build technology yourself, otherwise you remain dependent on foreign suppliers and have no negotiating position.”</p> <p>Moerel is also realistic about where the project stands. “This is still a startup in some ways. The real challenge begins now: how do you make this something scalable, something that structurally becomes part of society?”</p> <p>She points to a pattern she observes in the Netherlands more broadly: strong at experimenting, reluctant to follow through with sustained investment. “This is precisely the moment to push forward,” she adds.</p> <p>That tension between ambition and resources is tangible. A team of around 25 people, spread across multiple organisations, has built something that now performs respectably on standard benchmarks, but scaling it to complement or compete with frontier models will require a level of continued investment that €13.5m cannot cover. The model’s weights are not fully open source: they are available on request, with costs structured to recover ongoing operational expenses as required by the subsidy conditions.</p> <p>The second half of 2026 is the target for a broader roll-out via professional licensing, with a hosted software-as-a-service (SaaS) option also under development. The team is also exploring a next-generation model with multilingual capabilities and enhanced speech support. In the near term, improved retrieval-augmented generation (RAG) functionality is on the roadmap.</p> <p>The training dataset for GPT-NL v1.0 is set to be published on <a href="https://huggingface.co/">HuggingFace</a>, including metadata on copyrighted content used, to provide full transparency about the composition of the training data. Separately, a broad coalition including NDP Nieuwsmedia, TNO, <a href="https://www.vno-ncw.nl/en">VNO-NCW</a> and the <a href="https://www.kb.nl/en">National Library</a> has called on the Dutch cabinet to develop a formal vision on data policy to accelerate the adoption of responsible AI.</p> <p>Whether a small team with a modest budget can make that case stick will depend on what the next wave of pilots delivers. The publisher deal has shown that the Netherlands can do something no one else has managed. Now the question is whether the model itself is good enough to make organisations choose it over the alternatives – not out of principle, but out of performance.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about digital innovation in the Netherlands</h3> <ul class="default-list"> <li>The Netherlands’ ambitious talk of <a href="https://www.computerweekly.com/news/366626105/Dutch-cloud-pioneers-face-the-hard-limits-of-digital-sovereignty">digital independence meets the unforgiving economics of global cloud dominance</a>.</li> <li>The Netherlands risks falling behind in crucial digital innovations such as <a href="https://www.computerweekly.com/news/366618158/Power-grid-constraints-threaten-Dutch-digital-innovation-ambitions">artificial intelligence as power grid congestion reaches critical levels across the country</a>.</li> <li>A <a href="https://www.computerweekly.com/news/366634491/Dutch-voters-grasp-digital-urgency-better-than-their-politicians">grassroots campaign has propelled digitally competent candidates into the Dutch Parliament</a>, despite party leaders placing them low on electoral lists.</li> </ul> </div> </div> </section> Dutch national language model enters real-world testing with a €13.5m public budget and a project-claimed world-first licensing deal with national news publishers https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/LLM-language-models-adobe.jpg https://www.computerweekly.com/news/366642524/Netherlands-moves-GPT-NL-from-lab-to-live-first-pilots-under-way Wed, 06 May 2026 09:06:00 GMT <p>In the high-stakes environment of the <a href="https://www.computerweekly.com/resources/Healthcare-and-NHS-IT">operating theatre</a>, the surgeon’s steady hand (or the robotic scalpel) is literally the sharp end of the process. But in their train lies the invisible grind of hospital logistics, where incredibly valuable surgery resources are often deployed less than optimally as humans try to apply subjective estimation to theatre scheduling and planning.</p> <p>For years, the promise of digital health has been synonymous with telepresence, often in the form of a “Zoom for surgeons” that allowed remote observation during procedures in the operating room (OR).&nbsp;</p> <p>But as healthcare moves into 2026, the focus is shifting to “intelligence-first” surgery. By treating the operating theatre as <a href="https://www.computerweekly.com/feature/Work-is-broken-Can-agentic-AI-fix-it">an “unbounded” problem</a> that can be reasoned through at scale, technologists are solving the logistical challenges that have limited optimal working.</p> <p>By utilising computer vision as an instrument of measure, and generative artificial intelligence (GenAI) as a tool for predictive scheduling, AWS customer Proximie is transforming the operating theatre from a black box into a data-rich environment.&nbsp;</p> <p>We spoke to Proximie at AWS’s recent London Summit, and found out how the company manages 120TB of unstructured video data across a hybrid edge-to-cloud architecture, the technical guardrails they have built to <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">protect patient data sovereignty</a>, and why the future of surgery relies on AI becoming an invisible “texture” <a href="https://www.computerweekly.com/news/366632366/How-the-UAE-is-using-AI-to-transform-healthcare">in the hospital environment</a>.</p> <section class="section main-article-chapter" data-menu-title="The ‘hanging around’ problem"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The ‘hanging around’ problem</h2> <p>The starting point for Proximie isn’t surgery itself, but the five billion people worldwide who lack access to safe procedures.&nbsp;</p> <p>Richard Carter, CTO at Proximie, argues that because building new hospitals and training staff takes decades, the key thing is to get more out of existing resources. “Healthcare is largely a logistics and communications challenge,” Carter says. “The time is not in getting surgeons to work faster; the time is to minimise the hanging around time.”</p> <p>To solve this, Proximie uses ceiling-mounted sensors to create a statement of fact around OR workflows. Unlike human recall, which Carter describes as fragile and subjective, computer vision provides an objective record of exactly when a patient enters the anaesthetic room and when they depart the procedure room. By removing sentiment from the discussion, hospitals can identify exactly where the “dead time” exists.</p> </section> <section class="section main-article-chapter" data-menu-title="The predictive scheduler"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The predictive scheduler</h2> <p>This data collection allows Proximie to tackle one of the most difficult variables in hospital management – elective list scheduling. If a scheduler underestimates a procedure, the entire day’s list falls behind, putting immense pressure on staff. If they overestimate, valuable capacity is wasted.</p> <p>By analysing three years of Electronic Health Record (EHR) data, Proximie’s AI can now outperform human schedulers. It correlates variables that are often too complex for manual calculation, such as the statistical link between a patient’s BMI, age&nbsp; and the specific surgeon-anaesthetist combination.&nbsp;</p> <p>The real-world impact is significant. Thoracic surgeons at St Thomas’ in London have successfully added one extra major case per day simply by using this real-time data to tighten their schedules.</p> </section> <section class="section main-article-chapter" data-menu-title="From ‘Zoom for surgeons’ to unbounded AI"> <h2 class="section-title"><i class="icon" data-icon="1"></i>From ‘Zoom for surgeons’ to unbounded AI</h2> <p>During the pandemic, Proximie was often described as “Zoom for surgeons”. While telepresence was a vital off-ramp that normalised digital entry into the OR, Carter explains that video access has now become a feature, not the product. The real challenge is the “unstructured” nature of video and audio data, which historically was impossible to process at scale.</p> <p>“If you’re playing a game of chess, although it is very large, there is a finite number of chess positions,” Carter says. “With healthcare, it is absolutely infinite, because we are all unique as individuals.”&nbsp;</p> <p>He defines healthcare as an unbounded problem, but that 2026-era AI can finally reason around these infinite variables. The goal is for AI to become a texture within the hospital – an invisible layer that removes the “grunt work and grind” rather than acting as a standalone gadget.</p> </section> <section class="section main-article-chapter" data-menu-title="Technical architecture – edge vs cloud"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Technical architecture – edge vs cloud</h2> <p>Managing 120TB of unstructured data globally requires a sophisticated hybrid model to navigate latency and data privacy.</p> <p>Edge devices, mounted on the OR ceilings, handle privacy at the source. They obfuscate and redact sensitive information on the device before any data ever leaves the room. Carter is adamant that no unobscured data ever leaves the OR. Once redacted, the data is sent to the AWS cloud for massive, asynchronous processing. Carter argues that on-premise solutions are economically unviable because they lack the upgrade path and cross-system visibility that a cloud provider such as AWS offers.</p> <p>Meanwhile, in real time frame-by-frame analysis, certain procedures, such as laparoscopy – which is entirely hypothetical, says Carter – the system will only have 18 milliseconds to analyse a frame at 60fps. This makes edge computing necessary for tasks where latency would have a practical impact.</p> </section> <section class="section main-article-chapter" data-menu-title="The encryption moat"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The encryption moat</h2> <p>When operating across different jurisdictions, data sovereignty is a non-negotiable requirement. Proximie utilises AWS Global Accelerator to ensure data is routed and stored strictly within a user’s jurisdiction. “The user doesn’t have to decide where to put data,” Carter says. “The workflow obligates it.”</p> <p>Addressing concerns regarding the US Cloud Act – which potentially allows US courts to demand data from US-headquartered companies – Carter offers a pragmatic technical defence.</p> <p>While Proximie would comply with legal obligations, their encryption standards serve as a “shield”. He suggests that the data would be “inaccessible in the form in which it would be provided”, effectively rendering any legal surrender moot because raw, readable data remains technically impenetrable to outside parties.</p> </section> <section class="section main-article-chapter" data-menu-title="Safeguarding against hallucinations"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Safeguarding against hallucinations</h2> <p>In a flesh and blood environment, the risk of AI hallucinations must be zero. Proximie manages this through a human-in-the-loop governance model. The AI provides recommendations, such as a “win of the day” or highlighting the greatest opportunity for efficiency, but it is never allowed to be executive.</p> <p>Crucially, the system requires the AI to state its reasoning. It cannot just give a recommendation, but must show the specific data points used to reach that conclusion. This traceability allows theatre managers and clinicians – whom Carter notes are not shy about challenging colleagues – to maintain final control over the workflow.</p> </section> <section class="section main-article-chapter" data-menu-title="The future of surgical logistics"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The future of surgical logistics</h2> <p>As Proximie scales, the roadmap is focused on making AI even more of a background utility. By solving the core infrastructure and logistics questions that even the most skilled humans struggle with, the company aims to move closer to its mission of providing safe surgery for the five billion people currently without it.</p> <p>The transition from a telepresence tool to an intelligence-first operating system is, in Carter’s view, the only way to meet the infinite demands of global healthcare. By leveraging the scale of the cloud and the privacy of the edge, the OR is finally moving beyond the limitations of human recall and into an era of objective, data-driven efficiency.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about use of AI</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366642040/Digital-twin-of-athletes-heart-to-demonstrate-future-of-healthcare">Digital twin of athlete’s heart to demonstrate future of healthcare</a>. IT services firm opens a window to the future of healthcare and physical training as tech advancements converge.</li> <li><a href="https://www.computerweekly.com/news/366633420/NHS-could-save-millions-of-hours-a-year-using-AI-pilot-shows">NHS could save millions of hours a year using AI, pilot shows</a>. A Microsoft Copilot AI trial in 90 NHS organisations found that a national roll-out could save up to 400,000 hours per month.</li> </ul> </div> </div> </section> AWS customer Proximie delivers AI-driven operating theatre logistics and tele-surgery. We spoke to its engineering vice-president about the challenges of cloud in a life or death environment https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/healthcare-doctor-tablet-1-adobe.jpeg https://www.computerweekly.com/feature/Beyond-telesurgery-How-Proximie-uses-AI-to-optimise-surgery-logistics Wed, 06 May 2026 08:36:00 GMT <p>Hyperscaler cloud is incompatible with <a href="https://www.techtarget.com/whatis/definition/data-sovereignty">data sovereignty</a>. That’s because, as US companies, the hyperscalers are potentially subject to US court orders that can compel them to exfiltrate overseas citizen data.</p> <p>The paradoxical situation for <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">hyperscaler clouds</a> is that they are inherently global and connected because that’s how they gain their economies of scale.&nbsp;</p> <p>Those conclusions result from a <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">Computer Weekly investigation into data sovereignty</a>&nbsp;that asked the hyperscalers a set of questions aimed at discovering their ability – in technical terms – to withstand US court orders that compel eavesdropping on foreign citizens.</p> <p>We asked Amazon Web Services (AWS), Google Cloud, Microsoft, IBM and Oracle the following:</p> <ul class="default-list"> <li>How they would technically prevent a US court order that compelled them to access customer data.</li> <li>How they perform data-in-use functions on in-the-clear data if they say they don’t possess the keys to do so.</li> <li>Whether US-authored updates that contain US court-ordered “technical assistance” updates could bypass data controls and air gaps.</li> <li>Whether they could demonstrate they have a distinct UK region capable of operating all core services in total isolation from global infrastructure.</li> <li>Whether standard terms of service allow them to move customer data and metadata to other geographies.</li> </ul> <p>The context of the investigation is the heightened sense of risk in terms of <a href="https://www.computerweekly.com/feature/Go-big-or-go-home-Should-UK-IT-buyers-favour-US-clouds-or-homegrown-providers">data sovereignty in the current geopolitical situation</a>. In particular, it is focused on the powers of US courts to order US-headquartered companies to provide data held on their systems, wherever those systems are.</p> <p>Instruments for achieving this include the <a href="https://www.techtarget.com/searchsecurity/news/252437526/CLOUD-Act-stirs-tension-between-privacy-advocates-and-big-tech">US Cloud Act</a>, which compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if that data is held overseas. US courts can also enact non-disclosure orders that prohibit a company from telling the data subject that their information has been requested or handed over.</p> <p>In addition, the <a href="https://www.computerweekly.com/news/252433611/New-controversies-upset-plans-for-US-Foreign-Intelligence-Surveillance-Act">Foreign Intelligence Surveillance Act (FISA)</a> Section 702 – due for renewal soon – can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for foreign citizens targeted therewith.</p> <p>Hyperscaler responses to our questions seemed largely to avoid core issues. When we asked about cloud services in general, they responded as though we’d asked about air-gapped and on-premise offers. When we asked about the potential use of backdoor access via updates ordered by US courts, they talked about the use of local staff (or air-gapping again). And when we asked about the possibility of harvesting data, they pointed to encryption and customer-held keys, but did not address that, for the most part, data is processed unencrypted.&nbsp;</p> <p>There are several difficulties with these responses, which you can <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">read for yourself here</a>.</p> <p>One of these difficulties is that, ultimately, a US court can compel “technical assistance” to gain foreign citizen data held in its systems, and that can occur via a compiled software update that would be unreadable by humans and would not contain obvious clues about its function.</p> <p>Another is that even in the rare cases where expensive and resource-intensive data-in-use encryption is used, it is still possible to scrape data from memory.</p> <p>A further difficulty is that in standard terms of service, hyperscalers routinely transit data to other geographies as part of <a href="https://www.computerweekly.com/news/366589152/Microsoft-admits-no-guarantee-of-sovereignty-for-UK-policing-data">follow-the-sun support</a>.</p> <p>The reality is that to achieve anything approaching data sovereignty, customers must opt out of standard cloud terms of service, or use air-gapped services, though none of these is technically 100% proofed against intrusion.&nbsp;</p> <p>All this is a key issue for the UK, given that in the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending.&nbsp;</p> <p>In the 2023-2024 financial year, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, according to <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">data from analyst firm Tussell</a>.</p> <p>Notable examples include <a href="https://www.computerweekly.com/news/366630792/Ministry-of-Defence-signs-400m-sovereign-cloud-deal-with-Google">Google’s £400m contract signed last year to supply the Ministry of Defence with “sovereign cloud” capability</a> based on its Google Distributed Cloud air-gapped offer. But that’s just one example.&nbsp;</p> <p>The UK public sector is densely connected to US hyperscaler infrastructure, and the UK’s Department for Science, Innovation and Technology (DSIT) <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">lacks a definition of data sovereignty</a>.&nbsp;&nbsp;</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold – responses to data sovereignty risk</a>: We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>: We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector.&nbsp;</li> </ul> </div> </div> We asked the hyperscalers how they would respond to US court-ordered eavesdropping on foreign citizen data – and got responses that highlight a paradoxical situation https://cdn.ttgtmedia.com/visuals/searchITChannel/systems_channel/itchannel_article_020.jpg https://www.computerweekly.com/news/366642487/Cloud-and-data-sovereignty-caught-in-a-paradox Wed, 06 May 2026 06:19:00 GMT <p>In the UK, giant cloud providers – Amazon Web Services (AWS), Google Cloud and Microsoft – run the systems we depend on for vital functionality in the public and private sectors.&nbsp;</p> <p>In the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending.&nbsp;</p> <p>In the financial year 2023/2024, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, including government departments, councils, police forces and NHS organisations, <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">according to data that comes from analyst Tussell</a>.</p> <p>This begs the question, if the UK’s key national infrastructure is run by foreign-owned companies, is the data of UK citizens secure should a court in the US compel a hyperscaler to provide it? Here lies <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">the nub of data sovereignty</a>.&nbsp;</p> <p>In this article, we provide a definition of data sovereignty, the ways it may be undermined from overseas – particularly by the US Cloud Act and FISA Section 702 – drill down into the detail of differing states of encryption and what they mean for security and sovereignty, and look at the inherently cross-border nature of cloud services and its impact on data sovereignty.&nbsp;</p> <p>Core to the article are questions we asked the hyperscalers that aimed to get at exactly how their services could be described as providing data sovereignty.&nbsp;</p> <p>These included how they could technically prevent US court-compelled snooping, the protection afforded by encryption, especially during processing, and how <a href="https://www.computerweekly.com/news/366632561/Court-dismisses-Apples-appeal-against-Home-Office-backdoor">court-compelled backdoors</a> might be injected into infrastructure updates. We also asked to what extent it is possible to offer a sovereign UK cloud region and whether standard cloud terms conflict with <a href="https://www.computerweekly.com/opinion/Data-is-a-sovereignty-issue-And-broader-than-just-the-hyperscalers">data sovereignty</a>.</p> <p>The results illustrate the paradox that lies at the heart of cloud services and data sovereignty.</p> <section class="section main-article-chapter" data-menu-title="Defining data sovereignty"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Defining data sovereignty</h2> <p>We live in a land where the government can’t define data sovereignty. <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">We asked</a> the UK Department for Science, Innovation and Technology (DSIT) in February about its progress towards a <a href="https://www.techtarget.com/whatis/definition/data-sovereignty">definition of data sovereignty</a>, but it couldn’t give one or say when it would have one.&nbsp;</p> <p>But we can work out a definition.</p> <p>The idea of sovereignty as applied to states means the solely held power to govern or control a country.</p> <p>For example, if country A invades country B and establishes control over a swathe of land, where country B’s armed forces, police, and so on, no longer have any authority, then it can be said that country B no longer has sovereignty in the portion of its territory so affected.&nbsp;</p> <p>We can form a definition of data sovereignty based on the same principle.&nbsp;</p> <p>So, if a company headquartered in country A provides technology services in country B, and can effect access to data of citizens of that country, then country B cannot say the data of its citizens is sovereign.</p> <p>Country B may have laws that protect the data of its citizens. But if the country in which the tech company is headquartered has the ability to compel it to provide data held in its systems in another country, then those two sets of laws conflict. Or more to the point, the laws of country B are undermined, and are not sovereign.&nbsp;</p> <p>It’s a parallel to where a country has laws that govern its citizens, but the presence of foreign armed forces and the rules they impose nullify its writ.&nbsp;</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold – responses to data sovereignty risk</a>: We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>: We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector.&nbsp;</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="The Cloud Act and FISA Section 702"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The Cloud Act and FISA Section 702</h2> <p>A good example of a law that compels companies headquartered within its jurisdiction to hand over data they possess is the <a href="https://www.techtarget.com/searchsecurity/news/252437526/CLOUD-Act-stirs-tension-between-privacy-advocates-and-big-tech">US Cloud Act</a>, passed into law during US President Donald Trump’s first term.</p> <p>Cloud here stands for Clarifying Lawful Overseas Use of Data. It was enacted in 2018 after Microsoft refused to hand over customer data held in a datacentre in Ireland, and it was determined that the US Department of Justice could not use domestic warrants to seize data held overseas.&nbsp;</p> <p>The Cloud Act compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if overseas.&nbsp;</p> <p>At the same time, a US court can issue a non-disclosure order alongside any order under the Cloud Act. That’s basically a gag order that prohibits a company from telling the data subject that their information has been requested or handed over.</p> <p>There are ways a company subject to a Cloud Act order can challenge the court. These include a challenge on grounds of “comity”, in which the user in question is not a US person and that disclosure would violate the laws of a “qualifying foreign country”, namely one that has a bilateral agreement with the US, like the UK or Australia.</p> <p>Also, the Cloud Act is considered to be “encryption neutral”, so companies can be compelled to hand over what they have, but it does not compel them to break their own encryption if they do not already have the keys.</p> <p>Having said all that, US government agencies have other laws in their toolbox.&nbsp;</p> <p>Namely, the <a href="https://www.computerweekly.com/news/252433611/New-controversies-upset-plans-for-US-Foreign-Intelligence-Surveillance-Act">Foreign Intelligence Surveillance Act (FISA)</a> Section 702, which is up for an imminent vote to re-authorise it. Using this, the US government can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for foreign citizens who are targeted by provisions under the act.</p> <p>The European Court of Justice (ECJ) has twice struck down data-sharing agreements between the US and EU (<a href="https://www.computerweekly.com/feature/Max-Schrems-The-man-who-broke-Safe-Harbour">Schrems I</a> and <a href="https://www.computerweekly.com/opinion/How-Schrems-II-will-impact-data-sharing-between-the-UK-and-the-US">Schrems II</a>) because FISA Section 702 does not provide equivalent protection to EU citizens.</p> <p>Such “technical assistance” could take the form of compiled code in a software update that enabled the exfiltration of data.&nbsp;</p> </section> <section class="section main-article-chapter" data-menu-title="Does encryption protect citizen data?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Does encryption protect citizen data?</h2> <p>When we get to the responses of the hyperscalers to questions about data sovereignty, we will see an appeal to the fact that data in their systems is encrypted and that only customers hold the keys.</p> <p>We have also seen that the US Cloud Act does not compel a court-ordered company to hand over encryption keys, although FISA 702 can compel “technical assistance” to gain access to data.</p> <p>Here, it is important to drill down into encryption.&nbsp;</p> <p>Firstly, to say that for most data for most of the time, encryption is as good a protection as you can get. Current encryption standards dictate algorithms that are practically impenetrable.</p> <p>So, if you apply, for example, <a href="https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard">AES-256</a> to data-at-rest or data-in-transit, it cannot be read.</p> <p>The fly in the ointment comes when data is being processed. It’s also a problem for companies that argue that the data they hold is secure because it is encrypted.</p> <p>The problem is that – generally speaking – data-in-use must be unencrypted to be processed. And so, in theory, a foreign law enforcement agency that wanted to access data in a cloud system overseas could order data to be collected during processing.</p> <p>Memory scraping, in which malware scans active memory to steal unencrypted data, is possible, for example.</p> <p>It’s true that most data-in-use is unencrypted, although cloud providers do offer so-called confidential computing of some sort.</p> <p>For example, a <a href="https://www.techtarget.com/searchitoperations/definition/trusted-execution-environment-TEE">trusted execution environment (TEE)</a> in so-called confidential computing creates a hardware-encrypted “black box” inside the central processing unit (CPU), which means an unauthorised intruder cannot see inside it while data is being processed.</p> <p>TEEs are breakable, however. It is possible to “listen” to the CPU and measure power consumption or tiny timing fluctuations to guess the data being processed.</p> <p><a href="https://www.techtarget.com/searchsecurity/definition/homomorphic-encryption">Fully homomorphic encryption (FHE)</a> is the Holy Grail, however, because it allows for computation without decrypting data. But that also means it is computationally expensive and isn’t commonplace.</p> </section> <section class="section main-article-chapter" data-menu-title="Air gaps, updates and follow-the-sun"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Air gaps, updates and follow-the-sun</h2> <p>Hyperscaler clouds are an international web of regions and availability zones. They comprise a global operating system, almost entirely managed by artificial intelligence (AI) and orchestrated automation.</p> <p>Cloud networks are made up of regions and availability zones (AZs). Regions are geographically separate – and thus upon them rests the claim of sovereignty by the cloud providers – while AZs are datacentres within a region. AZs within a region are connected by high-bandwidth connections, whereas regions are all interconnected but not by the same low-latency connections.</p> <p>Clouds run on software-defined everything, with every component represented as code, where faults can be monitored and workloads shifted to a different location should issues be detected, and with rolling updates on a non-disruptive zone-by-zone basis.</p> <p>Follow-the-sun in support terms is when support teams hand off responsibility to teams elsewhere in the world to benefit from more convenient (ie, less costly) working hours than the region in question.&nbsp;</p> <p>Follow-the-sun in workload terms means the movement of workloads across the globe to take advantage of lower energy costs or cooler ambient temperatures.</p> <p>In both cases, there is potentially a risk to sovereignty, by dint of where data resides at any given time and the jurisdiction under which support staff may operate, although customers can specify that data permanently resides in a given region.&nbsp;</p> <p>If you sign a standard business or enterprise support contract with a hyperscaler, you are opting in to follow-the-sun by default. A standard agreement usually means you agree to terms that allow the provider to support your account from any global location to meet 24/7 uptime guarantees.&nbsp;</p> <p>It also allows them to route technical metadata (logs, access records, telemetry) to global hubs to maintain the cloud and to allow global administrators access for emergency maintenance, regardless of where those administrators are.</p> <p>The fact that it is metadata that moves potentially allows a provider to say, “We don’t move your data”, but the metadata may be enough for a FISA Section 702 investigation, for example.&nbsp;</p> <p>You can’t just uncheck a box in the settings to opt out of follow-the-sun. Instead, you have to move to a <a href="https://www.computerweekly.com/feature/Sovereign-cloud-and-AI-services-tipped-for-take-off-in-2026">sovereign cloud</a> or regulated industry contract – the AWS European Sovereign Cloud or Microsoft Sovereign Cloud, for example. These guarantee that support and operations are handled only in a specific region.</p> <p>There are also “sovereign cloud” solutions, in which the “cloud” is disconnected from the wide area network (WAN).</p> <p>Obviously, if a customer is on a standard contract, support has full oversight of maintenance and updates, and quite likely from anywhere in the world. You’d think that a local sovereign cloud would remove that scenario, but the cloud provider’s infrastructure must still be maintained, and it is via patching that that occurs. Here is where unwanted snooping could be introduced.&nbsp;</p> <p>Even if the UK staff are the only ones physically in the datacentre, the private keys used to sign “official” software updates likely reside in a hardware security module (HSM) in the US or its facility elsewhere.</p> <p>So, if a US court compels the company to sign an update that contains legally sanctioned spyware, UK “sovereign” staff have no technical way to verify that the code doesn’t contain a backdoor.&nbsp;</p> </section> <section class="section main-article-chapter" data-menu-title="Questions to the hyperscalers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Questions to the hyperscalers</h2> <p>We asked <a href="#AWS">AWS</a>, <a href="#Google">Google Cloud</a> and <a href="#Microsoft">Microsoft</a> five questions around data sovereignty. We also asked <a href="#IBM">IBM</a> and Oracle, because they are both fair-sized US-based suppliers to the UK public sector.&nbsp;</p> <p>The intention was to gauge the levels of exposure their customers could face with regard to data sovereignty.</p> <p>All responded except Oracle, whose PR representatives failed to reply to three emails.&nbsp;</p> <p>The questions were preceded by a preamble that drew attention to the US Cloud Act, non-disclosure orders and FISA Section 702, and the powers therein to compel a provider to grant access, forbid notifications to customers of a court order, compel “technical assistance”, and the possibility of updates authored in the US as a means to effect access to customer data.&nbsp;</p> <p>The questions asked about:</p> <ul class="default-list"> <li>The technical barriers, if any, in the provider’s cloud services that prevent a court order from forcing the use of encryption keys to decrypt customer data.</li> <li>The technical means by which data-in-use functions are carried out without cloud provider access to encryption keys.</li> <li>Whether the cloud provider can guarantee a US-authored software update that contains “technical assistance” aimed at gaining access to data cannot bypass air-gapped systems.</li> <li>Whether the cloud provider has a wholly distinct UK region with exclusively UK-resident support and engineering, including third-party contractors.&nbsp;</li> <li>Whether standard terms of cloud service allow for customer data to be moved offshore, or whether a customer can have 100% UK data residency without a bespoke contract.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Hyperscalers dodge the questions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Hyperscalers dodge the questions</h2> <p>Here we summarise their responses. Full responses are available to view in the <a href="#QandAs">box at the end of this article</a>.</p> <p>Hyperscaler responses to our questions fall under the following categories.</p> <p><strong>“Don’t look there! Look at the air gap!”</strong> The subject of the questions was cloud services in general, but responses often shifted attention to specifically air-gapped offerings.</p> <p><a href="#Google">Google</a> opted to talk about its niche, air-gapped Google Distributed Cloud in response to nearly every question. Perhaps a tacit admission that standard cloud terms of service come nowhere near providing data sovereignty.&nbsp;</p> <p>Google wasn’t alone here, though; just the most dependent on the tactic. AWS also pointed to its AWS Dedicated Local Zones and Outposts managed on-premise offers when asked about cloud services.&nbsp;&nbsp;</p> <p><strong>“Look! Local people!” </strong>A number of responses tried to distract from the inherent technical vulnerabilities that come with the global, linked nature of hyperscaler cloud. They instead drew attention to the residency or nationality of human operators rather than the reality that automated, US-signed code updates can bypass human gatekeepers entirely.</p> <p>It is virtually impossible for a locally resident operator to scan a multi-gigabyte compiled binary for a state-level backdoor. A backdoor in a modern cloud stack wouldn’t be a line of code that said, “<em>if (user == 'FBI') return data</em>”. It would be a subtle mathematical weakness in an encryption library or a port knocking sequence hidden in a network driver.&nbsp;</p> <p>Local operators can, at best, scan for known viruses, not state-level “technical assistance”.</p> <p><strong>Encryption? Of course. For data-in-use? Errr. </strong>All hyperscalers highlighted the use of encryption in customer data and customer key retention to imply total security.&nbsp;</p> <p>That works for “at-rest” and “in-transit” scenarios. But it glosses over data-in-use scenarios where data must, in most cases, be decrypted in memory.&nbsp;</p> <p>If a US-compelled “technical assistance” order under FISA Section 702 forces a US company to push a firmware update to its own HSMs or Nitro controllers, that update is signed by the US parent. Hardware isolation is only as sovereign as the person who holds the cryptographic signing key for the firmware.</p> <p>Also, in a software-as-a-service (SaaS) environment like M365, Microsoft provides the application and is the administrator. Here, customer-managed keys often break “search” and “discovery” features in SaaS. So, if a customer wants to search their emails in M365, the data must be decrypted by Microsoft’s service.&nbsp;</p> <p><strong>Is it sovereign? Of course; it’s in the EU. </strong>In some cases, hyperscalers responded by pointing to European sovereign solutions. <a href="#AWS">AWS</a>, for example, points to its <a href="https://www.computerweekly.com/news/366557158/AWS-to-open-European-sovereign-cloud-region">European Sovereign Cloud service</a>, which doesn’t locate data in the UK and is not technically sovereign anyway, given the EU is not a sovereign state.&nbsp;</p> <p>Meanwhile, if AWS Seattle has “control” over the AWS Germany subsidiary, which it does, financially and technically, a US court doesn’t care about the EU’s “Sovereign Cloud” label.</p> <p><strong>“Trust Me, Bro,” as a legal pledge.</strong> <a href="#Microsoft">Microsoft</a> majored on this one in its responses. It switches out technical proof of impossibility for corporate pledges to “challenge every government request” in court. This asks the customer to trust a legal process rather than a technical lock.&nbsp;</p> <p>Spoiler alert: There are zero known instances where a hyperscaler has successfully and permanently defied a final, non-appealable US court order to protect a non-US citizen’s data stored abroad.</p> <p>To sum all this up, the hyperscalers are essentially saying that standard cloud is not sovereign. To achieve a level of protection that would allow them to answer these questions with any level of integrity, a customer must move to isolated, air-gapped, or hardware-encrypted tiers that are significantly more expensive, regionally limited and functionally constrained. And would that be cloud?</p> </section> <section class="section main-article-chapter" data-menu-title="The paradox of data sovereignty in the cloud"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The paradox of data sovereignty in the cloud</h2> <p>At the end of the day, hyperscaler cloud is caught in a paradox when it comes to data sovereignty. If a cloud were truly sovereign – disconnected, local-only, human-managed – it would lose the cloud economics that make it attractive due to its global scale, automation and the accompanying economies. And so, “sovereign cloud” is really often a marketing term that means standard cloud with extra paperwork.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading"><a id="QandAs"></a>The questions we asked and hyperscaler responses</h3> <p>We wanted to get to the bottom of just how sovereign hyperscaler cloud services are. The main article discusses the key issues and summarises the responses of hyperscalers to the questions put to them by Computer Weekly.</p> <p>Here we reproduce the questions in full, along with hyperscaler responses.</p> <p>We asked for “specific, technical” answers to questions, and hyperscalers were told general marketing statements or high-level policy positions would not be printed (though that’s what some responses amount to and are printed here).</p> <p>The goal of the questions was stated as: “To provide readers with a clear view of which sovereignty claims are backed by verifiable technical mechanisms and which remain matters of corporate policy.”</p> <p>The following context was also given, namely that under 18 USC 2705(b), federal courts can issue non-disclosure orders alongside US Cloud Act data warrants that legally forbid providers from notifying customers of a breach.&nbsp;</p> <p>Also, that when combined with the “technical assistance” provisions of FISA Section 702, the US government can compel a provider to facilitate access to data.&nbsp;</p> <p>Finally, a key assumption stated in the preamble to questions was that because cloud stacks rely on a global supply chain where code is authored and signed at a US headquarters, the “update” is a potential invisible vector for state-level intervention that is difficult to obstruct.</p> <h2>What we asked the hyperscalers</h2> <p><strong>Question 1:</strong> If your cloud services require access to data “in the clear” to perform processing tasks (such as indexing, AI inferencing, or analytics), how do you technically prevent a US-compelled warrant from forcing you to use the required cryptographic keys to decrypt and surreptitiously provide that data to law enforcement?</p> <p><strong>Question 2:</strong> If you claim to never have access to encrypted customer data, how do you technically perform “data-in-use” functions without possessing the keys to decrypt that data within your processing environment?</p> <p><strong>Question 3:</strong> If your sovereign cloud relies on a software supply chain authored and signed by a US-headquartered parent company, how can you technically guarantee that a US-compelled “technical assistance” update – issued under a mandatory gag order – could not silently bypass local air gaps and data controls?</p> <p><strong>Question 4:</strong> Can you provide evidence of a wholly distinct UK region capable of operating all core services in total isolation from your global infrastructure, managed exclusively by a 100% UK-resident support and engineering framework – including all third-party subcontractors?</p> <p><strong>Question 5:</strong> Do your standard terms of service grant you the discretion to move or “offshore” customer data and metadata for residency, resiliency, or global support purposes, and if so, how can a UK customer maintain 100% residency without a bespoke contract that breaks your global automation model?</p> <h2><a id="AWS"></a>The responses: AWS</h2> <p><strong>Computer Weekly commentary</strong></p> <p>Where the questions ask for “specific, technical” responses, AWS answers vaguely, such as when it refers to “a range of technical measures and operational controls” in questions 1 and 2.&nbsp;</p> <p>Also, when what has been asked is specifically technical, what appears as a sleight of hand is to refer to operator and staff access to data. In the context of a massive, automated technical environment, whether an individual has access to masses of compiled code in updates is irrelevant.&nbsp;</p> <p>We see that type of response in questions 1, 2 and 3. The effect here is to draw attention away from a potential scenario in which a US court forced AWS to provide “technical assistance” in an update script that would easily cross borders and bypass human gatekeeping. The idea that some update code is written in European countries is another irrelevance thrown in.&nbsp;</p> <p>When asked in question 4 about a discrete UK region isolated from the rest of AWS’s global infrastructure, the response refers to AWS-managed on-premise infrastructure. Such an offer might provide in-country capacity – although we don’t know whether updates come from elsewhere – but it isn’t really the cloud.&nbsp;</p> <p>When asked whether “standard Terms of Service grant you the discretion to move or ‘offshore’ customer data and metadata”, AWS points to its European Sovereign Cloud service, which doesn’t apply to the UK and is arguably not sovereign, given the EU is not a sovereign state.</p> <p><strong>AWS response to question 1:&nbsp;</strong></p> <p><em>AWS customers have a range of technical measures and operational controls to prevent access to data, and AWS has designed products and services that make sure that no one – not even AWS operators – has any technical means to access customer content.</em></p> <p><em>The Cloud Act does not create any new authority for law enforcement to compel service providers to decrypt communications.</em></p> <p><strong>AWS response to question 2:&nbsp;</strong></p> <p><em>AWS customers have a range of technical measures and operational controls to prevent access to data, and AWS has designed products and services that make sure that no one – not even AWS operators – has any technical means to access customer content.</em></p> <p><strong>AWS response to question 3:&nbsp;</strong></p> <p><em>Only AWS European Sovereign Cloud employees located in the EU and subject to EU law have deployment authority over software updates. Authorised EU-resident employees of the AWS European Sovereign Cloud also have independent access to a replica of the source code needed to maintain the AWS European Sovereign Cloud services.</em></p> <p><em>“The premise of this question is also misleading. Amazon is a global company that operates worldwide supply chains reliant on suppliers and teams from every part of the world. Some of our largest AWS development teams are located in Europe – with key centers in Dublin, Dresden, and Berlin – contributing to core AWS solutions including the AWS Nitro System that powers all modern EC2 instances, Amazon Linux, and Amazon CloudWatch.</em></p> <p><strong>AWS response to question 4:</strong></p> <p><em>AWS offers several products that help customers address UK-specific sovereignty requirements. AWS Dedicated Local Zones can be deployed in a chosen UK location with local AWS employee operations and security features for data isolation and compliance. AWS Outposts deploy in customer UK facilities with hardware-enforced isolation ensuring no AWS operator access to customer data.&nbsp;</em></p> <p><strong>AWS response to question</strong> <strong>5:</strong></p> <p><em>With AWS, customers own their data, control where it’s stored, and decide who can access it. AWS is transparent about how services process customer data, and customers can use tools like AWS Control Tower for management. The AWS European Sovereign Cloud allows customers to keep all metadata they create entirely in the EU, including sovereign Identity and Access Management (IAM), billing, and usage metering systems.&nbsp;</em></p> <h2><a id="Google"></a>The responses: Google Cloud</h2> <p><strong>Computer Weekly commentary</strong></p> <p>The questions were about hyperscaler cloud services. Google provided more information than the other providers, but responded to nearly all the questions as if it had been asked about one very specific and not particularly common offering, namely Google Distributed Cloud (GDC) air-gapped.&nbsp;</p> <p>GDC air-gapped is an on-premise solution, where – Google claims – any updates must be physically transported across the air gap and can be scanned by a trusted operator. Likewise, it says it literally could not comply with a US court order to spy on a customer or hand over data because it has no reach into their systems. That’s likely true for GDC air-gapped, but it’s not what it was asked about.</p> <p>But, Google – rather helpfully – provides information about its mainstream cloud offer that allows us to get a good idea about standard cloud services terms and conditions that the other hyperscalers don’t elaborate upon.</p> <p>For example, it says: “In a standard cloud, Google pushes updated code silently, and often multiple times in a day.”&nbsp;</p> <p>Similarly, it says: “Standard Terms of Service (ToS) that govern the public cloud . . . often include clauses for global load balancing, ‘follow-the-sun’ support, and data movement for resiliency.”</p> <p>And: “The standard ‘global support’ model relies on an engineer in any region being able to ‘see’ your project to troubleshoot.”</p> <p><strong>Google response to question 1:</strong></p> <p><em>In the context of Google Distributed Cloud (GDC) air-gapped, the solution to the compelled disclosure dilemma isn't just a policy promise – it is a fundamental architectural constraint. Because the air-gapped version of GDC is physically and logically isolated from the public internet and Google’s corporate network, the technical barriers to a US-compelled warrant are built into the "sovereignty by design" model.</em></p> <p><em>1. Physical and Network Isolation</em></p> <p><em>No Remote Access: GDC air-gapped does not have a backhaul connection to Google’s global infrastructure. There is no persistent management plane or "phone home" feature that Google can toggle to extract data.</em></p> <p><em>Hardware Ownership: The hardware resides in the customer's chosen location (or a partner's sovereign data center). Google employees generally do not have unescorted physical access to the site.</em></p> <p><em>2. Customer-Managed Encryption Keys (CMEK)</em></p> <p><em>While processing data “in the clear” requires keys, the ownership of those keys is the technical pivot point:</em></p> <p><em>Hardware Security Modules (HSM): In a GDC air-gapped environment, the keys are stored in local HSMs physically located within the air-gapped boundary.</em></p> <p><em>Root of Trust: The customer (or a designated sovereign partner) holds the root of trust. Google does not possess a master key or a remote mechanism to bypass the local HSM to decrypt data for indexing or AI tasks.</em></p> <p><em>3. Tactical Operational Sovereignty</em></p> <p><em>To prevent surreptitious access, GDC air-gapped utilizes a Sovereign Operations model:</em></p> <p><em>No Google Personnel Required: The day-to-day operations, including patching and AI model deployment, can be handled by the customer or a local, cleared third party.</em></p> <p><em>Auditability: Every action taken within the environment is logged locally. Since Google cannot access these logs remotely, they cannot hide a data extraction process from the customer’s own security operations center (SOC).</em></p> <p><em>From a legal standpoint, if Google is served a warrant for data residing in a GDC air-gapped instance, the technical response is “Inability to Comply.” Because Google does not have the network path to reach the data, the physical access to the servers, or the cryptographic keys to decrypt the disks, they cannot “surreptitiously” provide the data. Any attempt to gain that data would require a physical raid on the customer’s own facility – which falls under the customer's local laws and security protocols, not Google’s.</em></p> <p><strong>Google response to question 2:</strong></p> <p><em>In the context of Google Distributed Cloud (GDC) air-gapped, the claim of no access isn’t saying the data is never decrypted; it is saying that Google (the entity/personnel) never has access to the keys or the environment where decryption occurs. The distinction lies in the transition from Data-at-Rest to Data-in-Use within a boundary that Google cannot enter. Here is how that is technically achieved:</em></p> <p><em>1. Sovereign Boundary Logic</em></p> <p><em>In a standard public cloud, the provider manages the hypervisor and the orchestration layer. In GDC air-gapped, the entire stack, from the silicon to the AI workbench, is moved inside the customer’s perimeter.</em></p> <p><em>Local Decryption: When an AI model needs to “see” data in the clear to perform inferencing, the decryption happens on-premises using keys pulled from a local HSM&nbsp;</em></p> <p><em>Isolation of the Execution Environment: The decryption occurs within the customer’s air-gapped hardware. Because there is no network path back to Google, the “clear text” data exists only in the local RAM of the air-gapped servers.</em></p> <p><em>2. Customer-Controlled Key Access</em></p> <p><em>The software performing the processing must request the key from the local Key Management Service (KMS).</em></p> <p><em>Access Control Policies: The customer defines the Identity and Access Management (IAM) roles.</em></p> <p><em>Technically Barred: Google does not have an identity in the customer’s local air-gapped IAM system. Therefore, the processing environment can’t “ask” for a key on Google’s behalf, and Google cannot “push” a command to release a key to an unauthorized third party as these are Customer managed encryption keys (CMEK).</em></p> <p><strong>Google response to question 3:</strong></p> <p><em>In Google Distributed Cloud (GDC) air-gapped, this risk is mitigated through a combination of Customer-Led Updates, Binary Authorization, Third-Party Operations.</em></p> <p><em>1. No “Automatic” Updates</em></p> <p><em>In a standard cloud, Google pushes updated code silently, and often multiple times in a day. In GDC air-gapped, there is no physical connection to Google.</em></p> <p><em>The Manual Bridge: Updates are provided as signed container images and binaries. The customer (or their trusted sovereign partner) must download these to a separate secure workstation, scan them, and then physically move them across the “air-gap” via encrypted media.</em></p> <p><em>Technical Sovereignty: This creates a human-in-the-loop bottleneck. A US-compelled “silent” update is impossible because Google cannot “push” anything. The customer chooses when and if to ingest the update.</em></p> <p><em>2. The “Sovereign Operator” Audit</em></p> <p><em>A critical technical defense is who applies the update.</em></p> <p><em>Third-Party Managed: GDC can be operated entirely by a local, cleared partner (eg, STE in Singapore, Proximus in Belgium). These operators act as a “sovereign shield.”</em></p> <p><em>Inspection: Before the update is applied to the live environment, these operators can deploy it in an isolated “staging” air-gap. They monitor for “phone home” behavior (which would fail anyway due to the air-gap) or unauthorized data export attempts at the virtual network layer.</em></p> <p><em>3. Technical Assistance vs. Technical Impossibility</em></p> <p><em>A company can be compelled to provide “technical assistance,” but they cannot be forced to perform the “technically impossible.”</em></p> <p><em>Hardware Root of Trust: Because the keys are in your HSM, Google cannot remotely sign a command to “export” data.</em></p> <p><em>The Gag Order Paradox: Even if Google were under a gag order, they cannot physically enter your data center to plug in a USB drive. If the only way to execute the warrant is to walk a physical drive into a sovereign facility, the legal burden shifts to the local government and the physical security team at the door.</em></p> <p><strong>Google response to question 4:</strong></p> <p><em>Yes - this could be built for customers using Google Distributed Cloud Air Gapped, like the landmark deal we have announced for the MOD. In 2025, Google Cloud and the UK Ministry of Defence (MoD) formalized a landmark agreement for a sovereign, air-gapped cloud. [Link to press release].&nbsp;</em></p> <p><em>Pasting the helpful info here:&nbsp;</em></p> <p><em>Google Distributed Cloud Air Gapped: The sovereign cloud environment will be built upon Google Distributed Cloud (GDC) air-gapped, a platform designed for workloads that require strict data residency and security controls. GDC provides a hardened, air-gapped environment, ensuring that the MOD’s critical data remains within UK sovereign territory and under their direct control. This platform will also enable the responsible integration of Google's advanced AI and machine learning tools, empowering the MOD with enhanced analytical capabilities to provide operational efficiencies.</em></p> <p><strong>Google response to question 5:</strong></p> <p><em>The short answer is no. In the context of Google Distributed Cloud (GDC) air-gapped, the standard Terms of Service (ToS) that govern the public cloud which often include clauses for global load balancing, “follow-the-sun” support, and data movement for resiliency do not apply. GDC air-gapped is governed by a separate, specific legal and technical framework designed to ensure that the global automation model is physically unable to move our customers’ data or metadata.</em></p> <p><em>1. Service-Specific Terms</em></p> <p><em>Instead of the standard online ToS, air-gapped customers use GDC Air-Gapped Service Specific Terms. These terms explicitly recognize the disconnected nature of the environment:</em></p> <p><em>Removal of “Offshoring” Discretion: Because the system is air-gapped, Google legally and technically removes its own ability to move data. The terms define the "Sovereign Boundary," stating that data and metadata (logs, telemetry, and configuration) must remain within the customer-controlled or partner-operated facility.</em></p> <p><em>2. Breaking Global Automation</em></p> <p><em>You do not need a “bespoke contract” to prevent data movement because the automation model itself is local.</em></p> <p><em>Local Management Plane: In the public cloud, the control plane lives in a global mesh. In GDC air-gapped, the control plane is physically located inside the rack in your UK data center.</em></p> <p><em>Hardware-Locked Metadata: Metadata like IP addresses, VM names, and audit logs are stored on local disks within the air-gapped environment. There is no automated routine that can “call” this metadata back to a global database because there is no network route to the outside world.</em></p> <p><em>3. Sovereign Operations vs. Global Support</em></p> <p><em>The standard “global support” model relies on an engineer in any region being able to “see” your project to troubleshoot. GDC air-gapped replaces this with Resident Support.</em></p> <p><em>100% Residency of Support: Support is provided by a UK-resident, cleared team. If they need to look at a log, they do it within the UK boundary.</em></p> <p><em>No Remote Access: Even if a US engineer wanted to help, they have no technical way to log into the system. The "automation" for support is localized to a secure UK-based operations center.</em></p> <p><em>4. How to Maintain 100% Residency Without “Breaking” the Cloud</em></p> <p><em>The innovation of GDC air-gapped is that it provides a cloud-native experience that is functionally identical to the public cloud but architecturally siloed.</em></p> <p><em>Local Resiliency: Instead of relying on a US region for backup, you achieve resiliency by deploying multiple GDC racks across different UK-only zones</em></p> <p><em>The Secure Supply Chain: Google provides the code (the binaries), but you provide the home. Once that code is installed, it operates as a “black box” that answers only to your local UK administrators.</em></p> <h2><a id="Microsoft"></a>The responses: Microsoft</h2> <p><strong>Computer Weekly commentary</strong></p> <p>Microsoft chose not to respond to the questions inline, so it’s not as easy to see what its answers respond to.</p> <p>Again, we see reference to “workloads in air-gapped or disconnected environments”, when that was not the subject of the questions.&nbsp;</p> <p>Where questions asked for “specific, technical” responses, we get bland answers. There’s also a long paragraph about encryption keys that appears to be about data-at-rest or in-transit, which we didn’t ask about.</p> <p>There is also reference to “UK customers . . . ability to store and process their data within UK datacenters . . . [That] includes compliance with local regulations and provides geo-redundant protection for business continuity”.&nbsp;</p> <p>Microsoft Azure does have a data-in-use encryption offer in Azure Confidential Computing, although it doesn’t mention it by name.</p> <p>In its final paragraph, Microsoft talks of its commitment to and “strong record” in challenging court orders. But really, it amounts to “Trust me, bro.”</p> <p><strong>Microsoft responses</strong></p> <p><em>Microsoft customers can deploy workloads in air-gapped or disconnected environments using Azure Local and Microsoft 365 Local, with full control over update management, monitoring, and lifecycle operations via a local control plane.</em></p> <p><em>External Key Management allows customers to use their own on-premises or third-party Hardware Security Modules (HSMs) for encryption, ensuring Microsoft does not have access to customer keys. Microsoft’s custom HSM is deployed globally. In addition, Azure Confidential Compute, Azure Key Vault, and Double Key Encryption, are designed, deployed, and operated such that Microsoft is incapable of accessing, using, or extracting data stored in the service, including cryptographic keys.</em></p> <p><em>Microsoft performs "Data-in-Use" functions without possessing customer encryption keys by leveraging a layered encryption model and customer-managed keys.</em></p> <p><em>Microsoft offers UK customers the ability to store and process their data within UK datacenters. This includes compliance with local regulations and provides geo-redundant protection for business continuity.</em></p> <p><em>Microsoft does not provide any government with direct, unfettered access to customer data. Any data access request is subject to rigorous review, according to a strict process, by internal and external legal teams to ensure it is legally valid and compulsory, compliant with all applicable law, and strictly limited to specific account identifiers.&nbsp; Further, as part of our Defending Your Data initiative we’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so. We have a strong record of doing just that, including through litigation where necessary.</em></p> <h2><a id="IBM"></a>The responses: IBM</h2> <p><strong>Computer Weekly commentary</strong></p> <p>IBM considered that question 1 merged disparate issues, so it didn’t answer it.</p> <p>Like others, it answered questions as if it had been asked about air-gapped environments, when it wasn’t.&nbsp;</p> <p>When asked about data-in-use encryption, it refers to its new IBM Sovereign Core, which appears to be a product aimed at holding encryption keys in-country but doesn’t specifically mention in-memory encryption. It references the same product when asked about “a wholly distinct UK region”.</p> <p>IBM Sovereign Core is currently in tech preview and published materials are a little light on detail. We’d want to know more about in-use encryption and connections to IBM’s global network, updates, and so on.</p> <p><strong>IBM response to question 1:&nbsp;&nbsp;</strong></p> <p><em>This question merges several distinct concepts that are technically separate. In modern software applications data‑in‑use processing, encryption key management and lawful access requests, are all designed and governed by different architectural and operational controls. Please refer to questions 2 and 3 for relevant information.&nbsp;</em></p> <p><strong>IBM response to question</strong> <strong>2:</strong></p> <p><em>IBM Sovereign Core processes data‑in‑use within the customer application’s trusted execution environment, where purpose‑bound application code determines when and how data is processed; decryption, where required, is transient, in‑memory, and under the application’s control with customer visibility. Capabilities like Keep Your Own Key encryption ensure keys are held and managed exclusively by the customer and are not accessible to IBM.</em></p> <p><strong>IBM response to question 3:</strong></p> <p><em>Software supply‑chain, execution in air‑gapped environments, and legal access frameworks are all independent by design, governed by separate technical and operational controls: our clients hold full technical authority in air gapped environments, and IBM technology places transparency and control in the hands of our clients, consistent with our publicly available data access principles and law‑enforcement transparency reports.&nbsp;</em></p> <p><strong>IBM response to question</strong> <strong>4:&nbsp;</strong></p> <p><em>IBM Sovereign Core enables UK enterprises to run and govern AI workloads within the UK jurisdictional boundaries, without relying on a global provider control plane, and with the flexibility to choose UK‑based operating partners.&nbsp;</em></p> <p><strong>IBM response to question</strong> <strong>5:</strong></p> <p><em>For more than a century, IBM has earned the trust of our clients by responsibly managing their most valuable data. IBM is transparent about how it handles client data and does so in accordance with all applicable laws.</em></p> </div> </div> </section> Hyperscaler cloud is inherently global. Does that make data sovereignty unattainable – especially given the powers US courts hold? We grilled the hyperscalers in an attempt to find out https://cdn.ttgtmedia.com/visuals/German/article/cloud-access-and-identity-2-adobe.jpg https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro Wed, 06 May 2026 06:18:00 GMT <p>Every organisation today is measured by two things: “exit velocity” and its “ability to pivot”.</p> <p>Exit velocity is how quickly you can move away from a technology, platform or contract the moment it stops serving you. Ability to pivot is how easily you can shift direction, technologically or operationally, without destabilising the business.</p> <p>Together, they define a company’s real digital resilience. And right now, most organisations don’t have either.</p> <p>This is the backdrop to new research findings:<a href="https://www.suse.com/navigating-digital-resilience-2026/"> 98% of IT</a> leaders now <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">prioritise digital sovereignty</a>, yet half still lack a formal strategy. Meanwhile,<a href="https://www.suse.com/navigating-digital-resilience-2026/"> 94% say open source</a> is very or extremely important to resilience. The intent is there but the ability to act is lagging. The gap between aspiration and execution reveals a deeper truth: knowing where your data sits is not the same as being in control of it.</p> <p>If you look at recent headlines and analysis on digital sovereignty, the discussion is mostly framed in terms of risk and the need for nation-states to exert greater control over their data and digital infrastructure.&nbsp;</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>. We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector.</li> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold: Responses to data sovereignty risk</a>. We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> </ul> </div> </div> <p>Commentators are heavily focused on the downsides of continued over-reliance on big tech, with the tone skewed towards "threats", "battlegrounds", "traps" and other significant concerns. Crucially, though, much of this commentary conflates two distinct dimensions of the problem and that conflation is itself a risk, because it allows jurisdictional measures to stand in for genuine technical independence.</p> <p><strong>Lack of control</strong></p> <p>So, what’s the problem? In a nutshell, organisations everywhere have built much of their critical infrastructure on platforms they don’t control. This is hardly surprising. The <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">outsourced as-a-service model</a> has delivered enormous performance and financial benefits everywhere it is available.&nbsp;</p> <p>The numbers don’t lie. The global cloud computing market was valued at over<a href="https://www.fortunebusinessinsights.com/cloud-computing-market-102697"> $780 billion</a> last year, with the sector continuing to trend upwards. And as we know, US-owned providers occupy a dominant position.&nbsp;</p> <p>And it’s precisely the issue of control, or the lack of it, which has given rise to the digital sovereignty movement.&nbsp;</p> <p>In Europe, <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">the regulatory wheels have been in motion</a> for some time. NIS2, DORA, and in the UK the Cyber Security and Resilience Bill, have tightened expectations around resilience and supply chain accountability in critical sectors.&nbsp;</p> <p>On an organisational level, many businesses believe they are addressing the underlying issues by moving to a national or regionally hosted cloud environment. The focus here is on ensuring data is stored under the governance of localised, relevant rules. After all, sovereignty is primarily about where data is stored, right?</p> <p>Well, not necessarily. The issue is that data location does not equate to control. In reality, even when the infrastructure is in the appropriate geographic location, the systems, software and underlying platforms often remain owned and governed by external providers.</p> <p>In these circumstances, legal jurisdiction and access rights can still sit outside the organisation, particularly as digital systems become more deeply embedded across operations and supply chains. The result is a growing mismatch between perceived sovereignty and actual control.</p> <p><strong>The hidden risks of outsourcing</strong></p> <p>These issues are nuanced. Organisations no longer simply store data in these environments. They run core operational systems on them.&nbsp;</p> <p>The risk here is one of usage vs control, where heavy reliance on third-party platforms is accompanied by limited visibility into how the underlying infrastructure and software actually operate.&nbsp;</p> <p>A good example is system updates and configurations, which typically sit with the provider, with customers dependent on decisions made outside their own governance structures. This introduces a dynamic in which critical systems are effectively governed externally, with vendor roadmaps or policy decisions having a direct, sometimes immediate, impact on operations.&nbsp;</p> <p>The issue is not just dependency <em>per se</em>, but concentrated dependency, with a small number of providers as stakeholders in a significant share of digital infrastructure across multiple sectors.</p> <p>The problems often only become apparent when a particular organisation needs to respond to new risks or when a change in regulation can’t be fully addressed because it lacks the required level of control. The point is that what appears to be a technology decision (ie, which cloud provider to use) actually adds to operational and regulatory risk.</p> <p><strong>Structural vulnerability</strong></p> <p>Is this anything more than a theoretical problem? The short answer is yes, because the implications of this model reach well beyond IT environments to mission-critical real-world systems in daily use.</p> <p>Take sectors such as energy, manufacturing, logistics and aviation, for example, where digital platforms support practically every key process. When control over these platforms is limited, the risk is not just technical but also extends to potential disruptions to services and outputs.</p> <p>In these and many other environments, concentrated reliance on a small number of non-domestic providers introduces a structural vulnerability, where issues that affect a single platform can have wide-reaching consequences across multiple organisations and sectors.</p> <p>This is particularly relevant in the context of unexpected or sudden shifts in policy or international relations that could affect access or service continuity. In these circumstances, organisations may find themselves exposed to risks beyond their direct control, despite meeting baseline compliance requirements. As we have all seen, government policies and ways of doing business can change rapidly and with little to no advance warning. Limiting exposure to such situations is important, including via tech infrastructure.</p> <p>The underlying risk, therefore, is a form of hidden fragility, where systems appear resilient on paper but are constrained in practice by external dependencies to the extent that digital sovereignty becomes an illusion.&nbsp;</p> <p>Sovereignty needs to be reframed so organisations can have complete confidence in how their outsourced systems and services are governed and changed.&nbsp;</p> <p>In practical terms, this means having sufficient visibility into services and dependencies to understand how they function and where risks sit. A key requirement is flexibility, particularly the ability to move workloads and data without being constrained by proprietary formats or tightly coupled architectures.&nbsp;</p> <p>Open standards, open source and containerisation are central to this approach because they decouple workloads from the underlying infrastructure, making it possible to move between providers or environments without being locked into a single vendor's ecosystem. This is common knowledge among IT teams, and now boardrooms and government offices are starting to realise. Without this kind of portability built in from the start, the freedom to act remains theoretical.</p> <p>Without this clarity and freedom of action, organisations remain dependent on external roadmaps and decisions that may not serve their own priorities. Sovereignty, ultimately, is not a legal status, it is a practical capability, measured by exit velocity and ability to pivot.</p> <p></p> Digital sovereignty is hugely important to IT leaders but in most cases systems have been built on foundations they don’t control. Open standards are key to organisational agility https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/surveillance-camera-security-spy-AlexeyAchepovsky-adobe.jpg https://www.computerweekly.com/opinion/The-illusion-of-digital-sovereignty-and-the-reality-of-control Wed, 06 May 2026 04:47:00 GMT <p>The Post Office ignored a subpostmaster’s calls for help when she experienced accounting shortfalls while using its ECCO+ system.</p> <p>The software, which was used in Crown branches (larger branches owned and run by the Post Office) and hundreds of sub-Post Offices (small branches owned and run by subpostmasters) in the 1990s, had flaws that could have caused unexplained losses that users were blamed for.</p> <p>In a recent meeting with former subpostmaster Janette Armour, as part of its review of ECCO+, the Post Office revealed it has copies of letters she sent in the early 1990s when she was struggling to balance her branch accounts using the software. At the time, her branch in Scotland was losing hundreds of pounds every week.</p> <p><a href="https://www.computerweekly.com/news/366614435/Federation-requests-government-investigation-into-third-Post-Office-branch-system">Concerns over ECCO+ were raised</a> by the National Federation of Subpostmasters (NFSP) in October 2024 on the back of revelations in the <a href="https://www.computerweekly.com/feature/Post-Office-Horizon-scandal-explained-everything-you-need-to-know">Post Office Horizon</a> scandal, as well as emerging <a href="https://www.computerweekly.com/news/366568092/MP-demands-answers-from-government-minister-over-second-faulty-Post-Office-IT-system">stories related to the Capture system</a> and its flaws.</p> <p>ECCO+ was used in Crown branches in the 1990s, and there were also hundreds of branches converted to sub-Post Offices, which used ECCO+ at some point, according to the NFSP.</p> <p>During last week’s meeting with the Department for Business and Trade (DBT), the Post Office revealed it had copies of Armour’s correspondence about ECCO+ from the 1990s.</p> <p>“I knew I wasn’t making a mistake. I knew there was something wrong,” she told Computer Weekly.</p> <p>Armour was a subpostmaster in Scotland. From 1977, she worked in Crown branches and was promoted to the Post Office headquarters in Glasgow, before buying a sub-Post Office branch near the city with her husband.</p> <p>They were later asked if they would be interested in taking over a Crown branch in East Kilbride, which they did in 1994. ECCO+ was used in the branch, which had six counters.</p> <p>She estimates that she and her husband personally covered at least £16,000 worth of shortfalls a year, for two-and-a-half years.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/ECCO-keyboard-800px-CREDIT-The-Postal-Museum-h.jpg"> <img data-src="https://www.computerweekly.com/rms/computerweekly/ECCO-keyboard-800px-CREDIT-The-Postal-Museum-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/ECCO-keyboard-800px-CREDIT-The-Postal-Museum-h_half_column_mobile.jpg 960w,https://www.computerweekly.com/rms/computerweekly/ECCO-keyboard-800px-CREDIT-The-Postal-Museum-h.jpg 1280w" alt="Photo of ECCO+ keyboard" data-credit="The Postal Museum" height="195" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>Keyboard used with the Post Office’s ECCO+ software </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The losses took their toll, and Armour and her husband were eventually advised to sell their smaller Post Office branch. After losing more money, they had to sell their Crown branch as well. On the last day at the branch, it was revealed to Armour that even Post Office staff knew ECCO+ was problematic.</p> <p>She said the software didn’t work properly from the day it was installed.</p> <p>NFSP CEO Calum Greenhow, who attended the meeting with Armour, said there was a recognition that she had been harmed. “They actually have evidence that Janette was writing to them, telling them that it was a problem,” he said.</p> <p>A Post Office spokesperson said: “We are in contact with the Department for Business and Trade about ECCO/ECCO+, and there is still very limited information, so it is important that any issues are raised so they can be properly reviewed. We encourage anyone who believes they may have been affected by accounting problems linked to ECCO/ECCO+ to come forward to the Department for Business and Trade, or, if they prefer, the NFSP.”</p> <p>A government spokesperson said: “We are grateful to Mrs Armour for sharing her story and issues when using the ECCO+ system. We will continue to work with the Post Office and postmasters to understand the wider implications of ECCO+ and encourage anyone who had similar issues to come forward.”</p> <p>Former Post Office worker and campaigner for subpostmasters Rupert Lloyd Thomas said: “Sooner or later, both the Post Office and DBT are going to have to accept that ECCO+ was defective.</p> <p>Lloyd Thomas, along with Armour and Greenhow, will meet the DBT and the Post Office to discuss ECCO+ further.</p> <p>He told Computer Weekly: “ECCO+ was chronically unreliable, it was a cheap and nasty system. I had a lot to do with work trying to get that system fixed,” said&nbsp;<a href="https://www.computerweekly.com/news/366570054/Post-Office-IT-insider-and-the-software-decision-that-lit-the-Horizon-scandal">Lloyd Thomas, who worked at the Post Office for 27 years</a>.</p> <p>But there are significant gaps in the evidence so far, as the bulk of users – Crown branch employees between 1992 and 1999 – are not part of the NFSP, which has been seeking information.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the Post Office’s ECCO+ software</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366614435/Federation-requests-government-investigation-into-third-Post-Office-branch-system">Federation requests government investigation into third Post Office branch system</a>.</li> <li><a href="https://www.computerweekly.com/news/366616319/Government-looking-into-third-faulty-Post-Office-IT-system">Government looking into third faulty Post Office IT system</a>.</li> <li><a href="https://www.computerweekly.com/news/366621800/Post-Office-Capture-and-ECCO-users-asked-to-make-contact-with-Scottish-statutory-body">Post Office Capture and Ecco+ users asked to make contact with Scottish statutory body</a>.</li> <li><a href="https://www.computerweekly.com/news/366620854/Minister-asks-for-evidence-of-Post-Office-ECCO-system-problems">Minister asks for evidence of Post Office ECCO+ system problems</a>.</li> <li><a href="https://www.computerweekly.com/news/366638929/Email-from-1999-reveals-Post-Office-ECCO-system-crash-problems">Email from 1999 reveals Post Office ECCO+ system crash problems</a>.</li> </ul> </div> </div> A former subpostmaster repeatedly asked the Post Office for help when unexplained shortfalls occurred in her branch while using ECCO+ software, with evidence of her requests still in the organisation’s possession https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/software-code-error-Bigc-Studio-adobe.jpg https://www.computerweekly.com/news/366642657/Post-Office-acknowledges-ECCO-users-calls-for-help-three-decades-ago Tue, 05 May 2026 12:00:00 GMT <p>Incomplete guidance and data quality challenges are making it difficult for financial services firms to meet the rules of the EU’s Anti-Money Laundering (AML) Package regulations, according to PwC research.</p> <p>A survey carried out by PwC Luxembourg found that only a third of the 500 firms questioned across 40 EMEA countries will be ready for the July 2027 <a href="https://www.techtarget.com/searchenterpriseai/feature/Using-AI-in-AML-fights-fraud-while-protecting-privacy?_gl=1*sggnmj*_ga*MTEwNzM2MTI5My4xNzQyODE4ODQ3*_ga_TQKE4GS5P9*czE3Nzc5NzQzNTIkbzQyOSRnMSR0MTc3Nzk3NTMyNSRqNjAkbDAkaDA.">AML</a> regulation deadline.</p> <p>PwC found that companies are struggling because full guidelines on the regulations, known as regulatory technical standards (RTS), are not yet available and, from a technological point of view, they are finding it difficult to provide the data demanded by regulators.</p> <p>“The regulation has a very aggressive timeline and there is a lot of work in progress on the specific details while the [compliance] deadline is not moving,” said <a href="https://www.linkedin.com/in/weismichael/">Michael Weis, anti-financial crime leader at PwC Luxembourg</a>.</p> <p>But, while incomplete guidance from regulators is cited as a reason for firms falling short of compliance, Weis urged them to do what they can now.</p> <p>“When part of the regulation or part of the details are not known yet, it’s not a good reaction to say, ‘Let’s wait and see, let’s wait until we know everything before we start analysing’,” Weis told Computer Weekly.&nbsp;</p> <p>“Don’t lose time,” he warned.</p> <p>The EU AML Package was adopted in 2024 in an attempt to harmonise anti-money laundering rules across Europe. It established a new central authority –AMLA, based in Frankfurt</p> <p>“Our findings show many institutions are still in the early stages of preparing for the EU AML Package, with readiness varying widely across sectors and jurisdictions,” said Weis. “As implementation advances, the key test will be whether firms can translate the new rulebook and related RTS documents into scalable operating models supported by strong data and technology foundations.”</p> <section class="section main-article-chapter" data-menu-title="Data quality challenge"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Data quality challenge</h2> <p>Data quality continues to be the most important barrier to advanced technology and artificial intelligence (AI) adoption, according to 89% of electronic and virtual payments firms, 64% of banks and insurance companies, and 52% of asset and wealth management (AWM) companies in the EMEA region.</p> <p>The PwC figures revealed that 30% of banks believe they will need a significant change in their overall data structure to meet regulations, with 46% of AWM firms facing the same challenges, along with 39% of insurers and 43% of e-payment service providers.</p> <p>Weis said there is a “spectrum of information” being demanded by regulators as part of the EU AML Package. This includes transaction volumes, data on alerts that are generated for suspicious activity, and the breakdown of risk profiles – high-, medium- and low-risk customers, and the type of customers.</p> <p>Weis said part of the challenge for big banks is the existence of <a href="https://www.computerweekly.com/news/366541565/Banks-still-investing-heavily-in-legacy-payments-systems">“massive legacy systems”</a>, with the data sitting across different systems. “You first need to develop the extraction and the reporting,” he added.</p> <p>Other survey findings revealed that over half of financial institutions across the EMEA region anticipate “significant operational disruption” due to sustained compliance pressure. About a third expect costs to rise by 10% to 30% in the coming years.</p> <p>The survey also revealed that 61% of banks and 57% of AWM firms in the EMEA region plan to introduce <a href="https://www.computerweekly.com/news/366565061/Fighting-money-laundering-with-AI">new technologies in transaction monitoring</a> to support their compliance with the regulations.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about anti-money laundering technology</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/365530101/Estonian-anti-money-laundering-platform-used-to-fight-APP-fraud">A real-time data-sharing platform originally built to identify money laundering is also being applied to the fight against authorised push payment fraud</a>.</li> <li><a href="https://www.computerweekly.com/news/252513230/UK-second-in-money-laundering-hall-of-shame">Banks need to step up their anti-money laundering processes if billions of pounds’ worth of criminal activity is to be prevented</a>.</li> <li><a href="https://www.computerweekly.com/news/252507903/NatWest-admits-to-weaknesses-in-anti-money-laundering-systems">Bank pleads guilty to failures concerning the laundering of hundreds of millions of pounds, but says it has since improved its anti-money laundering systems</a>.</li> </ul> </div> </div> </section> Two-thirds of finance firms in the European Union are at risk of missing next year’s deadline to comply with anti-money laundering regulations https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/money-finance-cash-euros-notes-andreyphoto63-adobe.jpg https://www.computerweekly.com/news/366642629/EU-finance-firms-urged-to-get-on-with-anti-money-laundering-compliance Tue, 05 May 2026 10:21:00 GMT <p>Microsoft is the latest tech provider to prioritise tech investment over people. Its so-called workforce optimisation plan is focused on building high-performing teams and investing in artificial intelligence (AI) and cloud infrastructure. According to Bloomberg, this will mean a 7% reduction in the Microsoft workforce.</p> <p>During <a href="https://www.computerweekly.com/news/366642583/Microsoft-explains-value-of-E7-usage-based-pricing">Microsoft’s latest earnings call</a>, chief financial officer Amy Hood said: “We continue to evolve how we operate to increase our pace and agility, and therefore, we expect headcount will decrease year-over-year. Operating expense growth will be in the mid to high single digits, reflecting ongoing investments in R&amp;D, inclusive of AI investment in compute, data and talent, to accelerate product innovation.”</p> <p>Meanwhile, Reuters has reported that Meta is expected to cut 10% of its workforce later this month. Like Microsoft, Meta said the job cuts are part of its strategy to improve operational efficiency and offset substantial investments in infrastructure and AI.</p> <p>During Meta’s <a href="https://www.computerweekly.com/news/366642489/Meta-ramps-up-AI-spend-as-it-pushes-advanced-models">latest quarterly earnings call</a>, chief financial officer Susan Li said: “We remain committed to operating efficiently, and we recently shared internally that we plan to reduce the size of our employee base in May. We believe a leaner operating model will allow us to move more quickly while also helping to offset the substantial investments we’re making.”</p> <p>It has also been reported that an estimated 30,000 employees are losing their jobs at Oracle. This comes at a time when the company claims to have $533bn in orders to fulfil.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> We continue to evolve how we operate to increase our pace and agility, and therefore, we expect headcount will decrease year-over-year </figure> <figcaption> <strong>Amy Hood, Microsoft</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>In <a href="https://www.computerweekly.com/news/366641177/Whats-driving-Oracles-latest-job-cuts">March, Oracle co-CEO Mike Sicilia</a> spoke about AI helping the company to deliver software more quickly. “The use of AI coding tools inside Oracle is enabling smaller engineering teams to deliver more complete solutions to our customers more quickly,” he said during the company’s third quarter 2026 earnings call.</p> <p>In January, <a href="https://www.aboutamazon.com/news/company-news/amazon-layoffs-corporate-jan-2026">Beth Galetti</a>, senior vice-president of people experience and technology at Amazon, said the company would be reducing headcount by 16,000 – a decision, she said, that would strengthen the organisation by reducing layers, increasing ownership and removing bureaucracy.</p> <p>Amazon’s latest quarterly earnings call shows that the company will continue to invest heavily in AI, which it sees as a major business opportunity.</p> <section class="section main-article-chapter" data-menu-title="AI investment over people investment"> <h2 class="section-title"><i class="icon" data-icon="1"></i>AI investment over people investment</h2> <p>It is not just the tech giants that are trying to use AI and automation to drive up efficiency and reduce headcount. Research from analyst Gartner, based on a survey of 350 executives, found that CEOs are under pressure to show returns on AI investments (ROI). The analyst firm found that layoffs dominate early thinking. The poll found that over a third (39%) of CEOs view AI agents as employees.</p> <p>Among organisations piloting or deploying autonomous business capabilities, Gartner’s survey found that roughly 80% report workforce reductions. For most, those reductions fall in the 1% to 15% range. The Gartner survey also found that all autonomous business practices lead to reported workforce reductions. Augmented management and autonomous operations resulted in an average workforce reduction of 14%, according to Gartner.</p> <p>Despite business leaders’ appetite to reduce their workforce as AI takes on roles traditionally done by people, Gartner warned that organisations risk overinvesting in autonomy as a labour replacement and underinvesting in the people needed to make autonomous business a success.</p> <p>In its <em>AI layoffs aren’t paying off; People amplification is</em> report, Gartner noted a scalability problem that occurs because AI can scale fast, but organisations are unable to keep pace. “Without the skills, the roles and the governance that allow autonomy to take hold, even advanced AI plateaus quickly, creating a widening gap between technical capability and real business impact,” the report authors warned.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Many CEOs turn to layoffs to demonstrate quick AI returns; however, this disposition is misplaced. Workforce reductions may create budget room, but they do not create return </figure> <figcaption> <strong>Helen Poitevin, Gartner</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>“Many CEOs turn to layoffs to demonstrate quick AI returns; however, this disposition is misplaced,” said Helen Poitevin, distinguished vice-president analyst at Gartner. “Workforce reductions may create budget room, but they do not create return.”</p> <p>Organisations that improve ROI are not those that eliminate the need for people, but those that amplify them by aggressively investing more in skills, roles and operating models that allow humans to guide and scale autonomous systems.”</p> <p>While the survey data shows that there are indeed job losses arising from greater use of AI and automation, Gartner believes that autonomous business will be a net-positive job creator by 2028 to 2029, driven by new forms of work that AI cannot absorb.</p> <p>“Long term, autonomous business will create more work for humans, not less. Lasting structural factors such as demographic decline and high-stakes, trust-dependent consumer moments will ensure human talent remains central to running, governing and scaling autonomous business,” said Poitevin.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about AI in the workplace</h3> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchhrsoftware/news/366620894/AI-in-the-workplace-Businesses-brace-for-new-rules">AI in the workplace</a> – businesses brace for new rules: States are tightening rules on AI in the workplace, while the federal government pushes for deregulation, setting up a battle over hiring and bias laws.</li> <li>How organisations should handle <a href="https://www.techtarget.com/searchenterpriseai/tip/How-organizations-should-handle-AI-in-the-workplace">AI in the workplace</a>: When implementing AI in the workplace, organisations must build a comprehensive strategy aligned with business values. Failing to do so could lead to the emergence of shadow AI.</li> </ul> </div> </div> </section> Tech leaders are making big changes to their labour force as artificial intelligence advances. Business leaders are following this trend. But are their businesses ready? https://cdn.ttgtmedia.com/visuals/German/article/HR-employer-job-adobe.jpg https://www.computerweekly.com/news/366642756/Tech-sector-job-losses-show-AI-replacement-in-action Tue, 05 May 2026 08:45:00 GMT <p><a href="https://www.computerweekly.com/news/366619039/Google-drops-pledge-not-to-develop-AI-weapons">Google AI workers</a> in the UK have launched a pioneering unionisation bid to end use of their technology by Israel and the US military.</p> <p>The British-based Google DeepMind employees – who aim to become the <a href="https://www.computerweekly.com/resources/Artificial-intelligence-automation-and-robotics">first frontier artificial intelligence (AI) lab</a> worldwide to unionise – sent a letter to management this week to request recognition of the Communication Workers Union (CWU) and Unite the Union as their official representatives. In a vote of CWU members at DeepMind, 98% backed the move.</p> <p>John Chadfield, CWU national officer for tech workers, said: “This is a really important moment where tech workers at Google’s frontier AI lab are connecting with some of the most oppressed people in communities around the world in meaningful ways, based on foundational values of solidarity and trade unionism.</p> <p>“By exercising their rights to collectivise they are in a strong position to demand their employer stop circling the ethical drain of military-industrial contracts, echoing the sentiment of many working people in the UK and elsewhere.”</p> <p>The workers are part of a wider campaign, with <a href="https://www.computerweekly.com/news/366636163/Google-DeepMind-partners-with-UK-government-to-deliver-AI">DeepMind</a> staff globally considering in-person protests and “research strikes” – where they abstain from work expected to significantly improve core products such as the Gemini AI assistant.</p> <p>Google employees have previously protested the ethics of contracts such as Project Nimbus, a joint programme with Amazon to make cloud computing and <a href="https://www.computerweekly.com/news/366626968/Tech-firms-complicit-in-economy-of-genocide-says-UN-rapporteur">AI tools available to Israel</a> during its campaign in Gaza, which saw upwards of 70,000 dead. Meanwhile, Maven, a US government project from which Google withdrew in 2019 after staff protests, has reportedly been used in targeting in the Iran war.</p> <p>The unionising DeepMind workers are seeking an end to use of Google AI by Israel and the US military. Their demands also include restoring a scrapped commitment not to make AI weapons or surveillance tools, the creation of an independent ethics oversight body, and the individual right to refuse to contribute to projects on moral grounds.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about worker and community protests</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/252524426/Google-workers-oppose-cloud-contract-with-Israeli-government">Google workers oppose cloud contract with Israeli government</a>: Google workers and Palestinian rights activists call on company to divest from involvement in cloud and artificial intelligence contract with Israeli government and military, following allegations the tech giant has retaliated against an employee for being publicly critical of the deal.</li> <li><a href="https://www.computerweekly.com/news/366639449/UK-to-see-weekend-protests-against-dirty-datacentres">UK to see weekend protests against ‘dirty datacentres’</a>: Environmental charity Global Action Plan UK is coordinating a campaign effort to bring attention to wider concerns about datacentre electricity demand, water use and environmental impacts.</li> </ul> </div> </div> <p>A DeepMind employee said: “We don’t want our AI models complicit in violations of international law, but they already are aiding Israel’s genocide of Palestinians. Even if our work is only used for administrative purposes, as leadership has repeatedly told us, it is still helping make genocide cheaper, faster and more efficient. That must end immediately, as must harm to Iranians and human lives anywhere.”</p> <p>Google recently agreed to let the US Department of Defense use its AI models for classified work, a move opposed by over 600 employees. Google staff worry how the technology will be used given the deal could reportedly open the door to autonomous weapons and mass surveillance of US citizens, red-line issues that previously saw the Pentagon impose restrictions on competitor Anthropic.</p> <p>The unionisation bid aims to gain representation for at least 1,000 staff tied to Google DeepMind’s London office. The employees’ letter gave management 10 working days to voluntarily recognise the CWU and Unite, or take other steps such as agreeing to mediated negotiations, before a formal legal process is launched to force recognition. Google DeepMind is headquartered in London, but has about a dozen offices across North America and Europe.</p> <p>“I hope that recourse to the statutory procedure will not prove necessary,” CWU official Chadfield wrote in the letter. “We look forward to working with you in a spirit of co-operation on behalf of the workforce.”</p> <p>The CWU branch for DeepMind staff is United Tech and Allied Workers.</p> Unions send letter to management requesting recognition for Google DeepMind employees, in particular over the company’s involvement in hi-tech systems used in Gaza and Iran wars https://cdn.ttgtmedia.com/visuals/German/article/revolution-protest-adobe.jpg https://www.computerweekly.com/news/366642677/Google-AI-workers-vote-to-unionise-over-IDF-and-US-military-tech Tue, 05 May 2026 06:30:00 GMT <p>We are set to see artificial intelligence (AI) shift from experimental and piecemeal use cases to <a href="https://www.computerweekly.com/resources/Artificial-intelligence-automation-and-robotics">factory automation levels of productivity</a>. That’s equivalent to the 19th century transition when electricity became available to factories – first it lit them and made working hours longer and safer, then it powered assembly lines and machinery to bring a step change in production.</p> <p>That’s the view of IBM CEO <a href="https://newsroom.ibm.com/Arvind-Krishna">Arvind Krishna</a>, who spoke to the press from this week’s <a href="https://www.ibm.com/events/think">IBM Think</a> event in Boston, where he predicted a 40% increase in enterprise productivity by 2030, using AI.</p> <p>At the event, IBM majored on announcements around an <a href="https://www.computerweekly.com/feature/Getting-started-with-agentic-AI">agent-based operating environment</a> that it said would enable organisations to develop and run swarms of autonomous agents, but bounded by policy-driven guardrails.</p> <p>It also made announcements around <a href="https://www.computerweekly.com/news/366640318/Funding-and-procurement-to-target-UK-quantum-innovation">quantum computing</a> and the general availability of its <a href="https://www.techtarget.com/searchitoperations/news/366637343/IBM-prepares-hybrid-cloud-twist-for-sovereign-AI">Sovereign Core</a> offering.</p> <p>Core to the product offer around agentic AI from IBM are:</p> <ul class="default-list"> <li> <p>Watsonx Orchestrate: A centralised control plane to deploy and govern thousands of AI agents that focuses on auditability and policy enforcement across multi-supplier agent environments.</p> </li> <li> <p>IBM Bob: A specialised agentic development environment with built-in security and cost guardrails, that includes a “Premium Package for Z” to bring agentic AI to mainframe IBM Z environments.</p> </li> <li> <p>IBM Concert: An AI-powered operations platform that provides a single pane of glass for infrastructure, network and security, without requiring rip-and-replace of legacy tools.</p> </li> <li> <p>Concert Secure Coder: An autonomous security agent that identifies vulnerabilities, executes remediation code, verifies the fix, and manages the pull request process.</p> </li> </ul> <p>IBM’s chief commercial officer, <a href="https://newsroom.ibm.com/Rob-Thomas">Rob Thomas</a>, said Orchestrate is already in use by a number of customers. “We’ve had companies like ServiceNow, Salesforce, Adobe, just to name a few, who have taken their agents, enabled those onto Watson X Orchestrate. Lockheed Martin is federating 80 different data sources using Orchestrate and then building custom agents on top.”</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> AI in enterprises is [like] a light bulb ... it’s useful, but it’s not really redefining how the company runs. The AI operating model is about moving beyond light bulbs to things that are more fundamental to how a company operates </figure> <figcaption> <strong>Arvind Krishna, IBM</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Krishna likened the current phase of AI to previous generations of computing, where debate and competition move from core technologies to how they are orchestrated.</p> <p>“Take the example of the PC era,” he said. “It began with a debate on the microprocessor. A dozen companies competed, and then one architecture – in that case, x86 – won out. It then very quickly moves to the operating system on top. We can put the foundation models and the models in that category, and you can see right now the amount of money that’s going into the infrastructure layer. The real value in every one of these comes with the applications and the deployment into enterprises and consumer.”&nbsp;</p> <p>Krishna added: “Think of the difference between the light bulb, which is useful, and the assembly line, which actually changed manufacturing productivity and growth in the world forever.</p> <p>“AI in enterprises is more of a light bulb. It’s email summaries. It’s document creation. It’s meeting preparation. It’s useful, but it’s not really redefining how the company runs. When we talk about the AI operating model, this is about moving beyond light bulbs to things that are more fundamental to how a company operates, and you can see it in the data.”</p> <p>According to the IBM CEO, AI will bring productivity gains of up to “40, 50, 60, 70%” and will allow businesses to “take those savings and put them back into R&amp;D and into sales that allow us to drive more revenue”.</p> <p>The executives also announced the general availability of IBM Sovereign Core, which allows for an on-premise air-gapped IBM environment, but is also deliverable with Dell hardware and graphics processing units (GPUs).</p> <section class="section main-article-chapter" data-menu-title="Quantum computing ‘just around the corner’"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Quantum computing ‘just around the corner’</h2> <p>Krishna also declared <a href="https://www.computerweekly.com/news/366634198/Government-showcases-UK-quantum-computing-pledge">quantum computing</a> to be “literally just around the corner” and talked about the Cleveland Clinic, which, he said, can now model a 12,000-atom protein. “That tells you that quantum is no longer a science lab experiment. People are doing real use cases of significant scale,” he said.</p> <p>“We think the time period is 2028 or 2029, and the reason is quite simple. Right now, these machines have got hundreds of qubits [the fundamental unit of information in quantum computing] and can do thousands of gate operations or compute steps before they begin to get decoherent and fall into a noise,” said Krishna.</p> <p>“We think those thousands will be in the tens of millions in three years. The moment it is that much – ie three orders of magnitude more compute – we believe [it will] allow people to tackle a lot more real-life problems.”&nbsp;</p> <p>He added that IBM offers a fleet of quantum computers that clients can access from the cloud and a free level where people can get up to 10 minutes a month.&nbsp;</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about enterprise AI</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640193/Why-real-time-data-is-key-for-enterprise-AI">Why real-time data is key for enterprise AI</a>: Moving AI from experiment to production requires high-quality, real-time data streaming. Australia tech leaders from Confluent, Bendigo Bank, Telstra, and Coles share how they are turning systems of record into systems of action.</li> <li><a href="https://www.computerweekly.com/feature/Moving-agentic-AI-from-innovation-theatre-to-enterprise-production">Moving agentic AI from innovation theatre to enterprise production</a>: As enterprises move from prompting chatbots to orchestrating AI agents, IT leaders must rethink governance, data architecture and cost management to avoid chaotic deployments and runaway cloud bills.&nbsp;</li> </ul> </div> </div> </section> Enterprises are set to make productivity gains as business shifts from point use cases for artificial intelligence to orchestrated, policy-driven deployment of agentic AI, says IBM CEO https://cdn.ttgtmedia.com/visuals/searchEnterpriseAI/ai-tech/searchEnterpriseAI_007.jpg https://www.computerweekly.com/news/366642706/IBM-Enterprise-AI-to-shift-from-light-bulb-to-electric-motor-era Tue, 05 May 2026 05:50:00 GMT In this week’s Computer Weekly, we look at how digital twins of the human body are helping athletes prepare for the London Marathon. We find out how AI is set to deliver new driving experiences in the latest cars. And we speak to a 146-year-old bank about taking an entrepreneurial approach to tackling legacy IT. Read the issue now. https://www.computerweekly.com/ezine/Computer-Weekly/Mastering-a-marathon-with-the-future-of-healthtech Tue, 05 May 2026 04:00:00 GMT <p>Whether or not Anthropic’s Claude Mythos frontier AI model is going to be a game changer for <a href="https://www.techtarget.com/searchenterpriseai/news/366642478/Claude-Mythos-Preview-and-the-new-rules-of-cybersecurity" target="_blank" rel="noopener">software vulnerability discovery</a> – or whether it is a load of hot air – remains to be seen, but the broader subject is of gathering concern to the UK’s National Cyber Security Centre (NCSC), which has warned that a tsunami of costly and time-consuming technical issues is bearing down on all organisations.</p> <p><a href="https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave" target="_blank" rel="noopener">Writing on the NCSC’s website</a>, the agency’s chief technology officer Ollie Whitehouse said the industry has prioritised short-term gains over building resilient products and services, and that with the advent of AI-driven vulnerability discovery, their chickens are about to come home to roost.</p> <p>“Artificial intelligence, when used by sufficiently skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem,” wrote Whitehouse.</p> <p>“As a result, the NCSC expect[s] there will be a ‘forced correction’ to address this technical debt across all types of software, including open source, commercial, proprietary and software as a service.</p> <p>“This is why we are encouraging all organisations to prepare now for when a ‘patch wave’ arrives; a rush of software updates that will need to be applied across the technology stack to address the disclosure of new vulnerabilities.”</p> <p>Considering how chief information security officers (CISOs), security leaders and teams should respond to this sea-change, the NCSC has publicised guidance centred on three core pillars.</p> <section class="section main-article-chapter" data-menu-title="Prioritise external surfaces"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Prioritise external surfaces</h2> <p>The first of these pillars is the prioritisation of external attack surfaces. Security teams should work to identify any attack surfaces that are exposed to the public internet as soon as possible. Teams should start with technology on the perimeter of the network and then work their way inwards, via cloud instances, to on-premise environments.</p> <p>When vulnerabilities come to light, in instances where updates cannot be applied across the entire environment, security teams should prioritise external attack surfaces, and hey should lead with critical security systems where capacity extends beyond external surfaces.</p> <p>However, it is important to remember that patching by itself will not always be enough. There may – indeed, there very probably is – still technical debt in end-of-life or legacy systems that can’t be patched. If these cannot be brought back within support, they need to be replaced.</p> </section> <section class="section main-article-chapter" data-menu-title="Prepare to patch faster and more regularly"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Prepare to patch faster and more regularly&nbsp;</h2> <p>The second pillar concerns patch management. Here, organisations should plan to deploy vital software updates quicker, more often and at scale, including within their supply chains. The NCSC said it is expecting an influx of updates to address flaws at varying levels of severity – many of them are likely to be critical.</p> <p>The agency recommends organisations priorities activating supplier-provided automatic, secure hot-patching features that don’t involve service disruption – this will have the pleasant side-effect of reducing the security team’s workload.</p> <p>But if automated patching is not available, security leaders will need to plan to ensure processes and risk appetites support frequent, scaled updates, accounting for the inevitable trade-offs around disruption. Risk-based approaches, such as the <a target="_blank" href="https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc" rel="noopener">Stakeholder Specific Vulnerability Categorisation (SSVC) system</a>&nbsp;can be used to prioritise installing the updates.</p> <p>Of course, this assumes that critical flaws aren’t under active exploitation – those that do present as zero-days, especially those affecting external-facing systems, will need to have their update schedules brought forward.</p> </section> <section class="section main-article-chapter" data-menu-title="Prioritise the basics"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Prioritise the basics</h2> <p>The third and final pillar is to look beyond simply updating vulnerable software. Patching alone won’t address the systemic cyber security problems faced by the overwhelming majority of organisations.</p> <p>The NCSC renewed its appeal to technology firms to ensure systemic technical debt is minimised through memory safety and containment technologies where appropriate.</p> <p>At end-user organisations, CISOs should keep focus on the fundamentals of cyber security to improve their overall resilience and reduce the impact of breaches through whatever means they originate – whether that be through a vulnerable product or something else. Such an approach should include seeking <a href="https://www.ncsc.gov.uk/cyberessentials/overview" target="_blank" rel="noopener">Cyber Essentials</a> certification, or running the <a href="https://www.ncsc.gov.uk/collection/cyber-assessment-framework" target="_blank" rel="noopener">Cyber Assessment Framework</a>&nbsp;for essential services operators.</p> <p>“[The] NCSC advise[s] all organisations, irrespective of size, to plan and prepare for the vulnerability patch wave. A good place to start is by reading the NCSC’s updated&nbsp;<a href="https://www.ncsc.gov.uk/collection/vulnerability-management" target="_blank" rel="noopener">Vulnerability Management guidance</a>,” said Whitehouse.</p> <p>“For larger organisations, we also recommend working to&nbsp;<a href="https://www.ncsc.gov.uk/collection/assess-supply-chain-cyber-security" target="_blank" rel="noopener">gain assurance from your supply chains</a>&nbsp;both commercial and open source, so that they are prepared to navigate any required response.”</p> <p>Lionel Litty, CISO at <a href="https://www.menlosecurity.com/" target="_blank" rel="noopener">Menlo Security</a>, said: “This is a timely update from the NCSC. It makes two important points: the external attack surface needs to be prioritised and we need to go beyond software updates and look at containment technologies to reduce the impact of breaches.</p> <p>“For the majority of users, the web browser is where most of the external attack surface exists. To make this more concrete: just last week, Mozilla announced that it fixed 271 vulnerabilities in the Firefox browser. These vulnerabilities were found using Claude Mythos, Anthropic’s latest AI model. This is up from 22 vulnerabilities found by the previous iteration of Claude.</p> <p>“This highlights the need not only to ensure that your organisation can rapidly and comprehensively deploy browser updates, but also to fundamentally reduce the risk,” said Litty. “Technology such as remote browser isolation can move the attack surface off the user's endpoint, minimising the damage if a user is exposed before their browser is patched.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Anthropic's Claude Mythos model</h3> <ul class="default-list"> <li>During the annual CETaS showcase in London, experts discussed the potential cyber risk of tools <a href="https://www.computerweekly.com/news/366642508/Cyber-experts-take-an-optimistic-view-of-AI-powered-hacking" target="_blank" rel="noopener">such as Claude Mythos</a>.</li> <li>Technology secretary Liz Kendall urges Britain’s business community to sit up and pay attention to emerging AI threats, following the debut of <a href="https://www.computerweekly.com/news/366641649/UK-businesses-must-face-up-to-AI-threat-says-government" target="_blank" rel="noopener">Anthropic’s new frontier model, Mythos</a>.</li> <li>Letting probabilistic AI models autonomously operate inside production networks creates real safety and auditability issues, and that core security validation still needs deterministic guardrails. <a href="https://www.computerweekly.com/opinion/Anthropics-Mythos-raises-the-stakes-for-security-validation" target="_blank" rel="noopener">And Anthropic just raised the stakes</a>.</li> </ul> </div> </div> </section> Vulnerability discovery and mitigation continues to exercise the top minds at Britain’s NCSC as cyber experts continue to debate the impact of frontier AI models such as Mythos https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/software-code-developer-adobe.jpeg https://www.computerweekly.com/news/366642625/UKs-NCSC-warns-of-wave-of-patches Mon, 04 May 2026 12:09:00 GMT <p>Cloud-native, or containerised, applications are now mainstream. As many as 82% of enterprises now have Kubernetes in production, according to the <a href="https://www.computerweekly.com/blog/Open-Source-Insider/CNCF-Kubernetes-now-de-facto-operating-system-for-AI">Cloud Native Computing Forum (CNCF)</a>. That is up from 66% in 2023. And a full 98% of organisations have at least some cloud-native applications, the industry body says.</p> <p>But moving applications to cloud-native environments does not just mean creating new code. It also means adapting infrastructure. Compute, networking and data storage all need to work with container environments. By no means can all systems do this out of the box, especially when it comes to on-premise hardware.</p> <p>At the same time, enterprise IT architects need to consider the requirements of legacy applications and virtual machines (VMs) that are not being updated.&nbsp; And enterprises will want to make the most efficient use of their storage hardware, regardless of their application environments.</p> <p>Moving to containers means adapting a technology that was <a href="https://www.computerweekly.com/news/366633394/Container-storage-Five-key-things-you-need-to-know">not designed for persistent storage</a>&nbsp;to handle business-critical data.&nbsp;</p> <section class="section main-article-chapter" data-menu-title="Stateless states"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Stateless states</h2> <p>Containerised applications started out as stateless, or ephemeral. The designers never intended containers to hold persistent data. They expected that microservices or containerised applications would use no non-volatile storage and discard the contents of memory, and even their settings, once they had completed their tasks.&nbsp;</p> <p>Instead, containerised applications rely on an external data store, usually a database or cache.&nbsp;</p> <p>There are advantages to this approach. These include simpler deployment, easier scaling, fault tolerance and recovery, and application portability. But most business applications, if not the majority, need persistent data.&nbsp;</p> <p>“Most business applications require storage. In reality, unless you’re converting Fahrenheit to Celsius and back, you’re storing something somewhere,” says Dan Ciruli, vice-president and general manager for cloud native at Nutanix.&nbsp;</p> <p>And the need to work with persistent data is all the more important, as enterprises look to containers as an alternative to conventional virtual machines.</p> <p>But this means rethinking the way applications work. And it requires IT architects to update their storage systems to support modernised, cloud-native applications. This can be directly, where array manufacturers support containers, or through a control plane such as Nutanix or Everpure’s Portworx.</p> <p>Almost inevitably, changes are being driven by AI, as enterprises look to support its data-heavy workloads in modern, cloud-native environments. But there are other drivers, too, including a trend to move virtualised applications to containers and the need for cost controls.</p> <p>“Kubernetes might be over a decade old, but it’s continuing to evolve as AI transforms the way we handle data. Already, Kubernetes has moved beyond the days when it was built only for ephemeral, stateless applications,” says Michael Cade, global field chief technology officer at Veeam Software.</p> <p>“Today, stateful applications such as databases, machine learning pipelines and streaming systems are now being treated as first-class citizens [in containerised environments] and have been given the specialised tools they need to thrive.”&nbsp;</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about persistent storage</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Container-storage-in-the-AI-age-Block-vs-object-and-CSI-vs-container-native">Container storage in the AI age</a> – block vs object and CSI vs container-native: Key choices when it comes to providing storage for containerised applications and whether to choose block, file or object storage.</li> <li>Storage implications of a <a href="https://www.computerweekly.com/feature/Storage-implications-of-a-modern-IT-architecture">modern IT architecture</a>: One of the challenges when migrating older applications to a cloud-native, modern IT architecture is how to provide persistent storage.</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="Storage connections"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Storage connections</h2> <p>Connecting storage to Kubernetes, though, relies on support from both application developers and hardware suppliers.&nbsp;</p> <p>The main way to connect storage to container environments is through the <a href="https://www.techtarget.com/searchitoperations/tip/Manage-application-storage-with-Kubernetes-and-CSI-drivers">container storage interface (CSI)</a>. CSI needs to be supported directly by the storage provider, be that the hardware manufacturer, a cloud service, or a software-defined storage (SDS) supplier.&nbsp;</p> <p>As the CNCF’s Kubernetes page notes: “CSI was developed as a standard for exposing arbitrary block and file storage systems to containerised workloads on container orchestration systems like Kubernetes.” CSI allows third-party storage providers to write, and deploy, plug-ins for storage without changing the core Kubernetes code.&nbsp;</p> <p>SDS technologies, for their part, also use CSI drivers, but run on commodity hardware rather than dedicated storage arrays, as well as hyper-converged infrastructure. It also includes open source options, such as OpenEBS, Longhorn and Ceph.&nbsp;</p> <p>“Every environment needs a storage back end, with a CSI driver that connects it to Kubernetes. It’s up to the storage provider to provide the CSI driver,” says Nigel Poulton, an author and independent expert in Kubernetes and containers.&nbsp;</p> <p>“Most CSI drivers create at least one StorageClass that maps to a tier of storage and its capabilities. For example, a CSI driver might create a StorageClass called ‘fast-replicated’ that maps to high-speed flash storage automatically replication to a remote location. Any application using this class automatically gets that tier and set of capabilities,” he adds.&nbsp;</p> <p>This level of abstraction is highly useful for application developers, as they no longer have to worry about the physical capabilities of the storage system. That is handled by the CSI drivers.&nbsp;</p> <p>“The CSI drivers enable us to give access to storage from the containerised application, but [for firms to] still administer the storage the way they do the storage that’s running under their VMs,” says Nutanix’s Ciruli. “And that’s a big advantage.” He also sees customers installing Kubernetes on bare metal clusters.&nbsp;</p> <p>This also maintains separation between the Kubernetes workloads and the underlying storage hardware. On paper at least, enterprises can move their containerised applications to a different platform or supplier, or new storage hardware, without rewriting code and with minimal disruption.&nbsp;</p> <p>In practice, large-scale moves of Kubernetes applications between platforms are still relatively rare. Enterprises tend to develop applications to run on <a href="https://www.computerweekly.com/news/366627572/AWS-bolsters-security-tools-to-help-customers-manage-AI-risks">Amazon Web Services (AWS)</a>, Google Cloud Platform (GCP), Microsoft Azure, or <a href="https://www.computerweekly.com/news/366637421/Sovereign-and-edge-AI-drive-return-to-on-premise-Kubernetes">local hardware</a>, depending on their business requirements. &nbsp;</p> <p>Application portability, supported by CSI, is a useful insurance, even if there are enough differences between platforms to suggest caution.</p> <p>“We really don’t need to become an expert in how EBS [Elastic Block Store] works versus Azure disk, or local SSD [solid-state drives] and how that works,” says Greg Muscarella, general manager for Portworx at Everpure. “If you have to manage those things, it becomes somewhat complex. Companies tend to focus on a single cloud environment.”</p> <p>Few organisations, he suggests, have code where they could “push a button and move it to a different cloud”, not least because of differences between storage architectures from both hardware suppliers and cloud providers. However, enterprises are moving more applications to <a href="https://www.techtarget.com/searchcloudcomputing/opinion/Decipher-the-true-meaning-of-cloud-native">cloud-native environments</a>. And this increasingly includes databases and applications that previously ran in conventional virtual machines.</p> </section> <section class="section main-article-chapter" data-menu-title="New platforms"> <h2 class="section-title"><i class="icon" data-icon="1"></i>New platforms&nbsp;</h2> <p>One of the most significant trends in application modernisation is to move both virtual machines and database-driven applications to containers. Cost, avoiding supplier lock-in and the need to consolidate on fewer platforms are all drivers.&nbsp;</p> <p>“The line between ‘containerised’ and ‘virtualised’ is blurring,” suggests Veeam’s Cade. “For a long time, containers and VMs were seen as two separate siloes. But as stateful applications have developed, and since VMs are essentially a typical stateful workload, we’re seeing a significant rise in businesses running them directly within Kubernetes using platforms such as Red Hat OpenShift Virtualization.”&nbsp;</p> <p>Poulton agrees. He sees more organisations moving virtualised workloads to containers, via tools such as KubeVirt. But, although organisations are porting over virtualised applications, and databases, IT architects need to be sure that all the application’s requirements are met by the storage layer.&nbsp;</p> <p>“Databases have much more demanding requirements, including ordered startup, replication, automated failover and backup,” he cautions. “The two biggest changes are ensuring a CSI driver exists for the storage system and potentially deploying an operator.”&nbsp;</p> <p>A Kubernetes operator provides details about a database’s specific requirements, and sometimes storage, too. Operator support is essential to allow databases to deliver enterprise workloads over Kubernetes. Again, the operator supports the modern application goal of separating the code from the storage array or cloud storage service.&nbsp;</p> <p>Percona, for example, provides operators for MySQL, PostgreSQL and MongoDB, as well as Everest. “The operators are basically the game changers,” says Kate Obiidykhata, the company’s general manager for cloud native.&nbsp;“They encode the human DBA knowledge into the software, and you have all those most important resilience components, backup, failover, replication and upgrades automated.”</p> <p>Operators, she adds, help enterprises to adopt hybrid architectures or multicloud strategies, allowing data portability without the need to rewrite applications. But workloads that operate on VMs will not automatically run on containers, she says. Firms will need to plan, and test, their deployments with care.&nbsp;</p> <p>“There are specific playbooks that you should apply and methodologies that are obviously different from the classic database setup on VMs,” says Obiidykhata. “But it’s all doable, and many companies are now running those databases on Kubernetes. They just have a different playbook to mitigate those issues.”</p> <p>Firms also need to factor in how they run their ported applications in production. Development, understandably, attracts much of the attention. But how systems run from “day two” onwards is critical. This includes storage provisioning and tiering, as well as backup, recovery and security.</p> <p>The CSI drivers take care of much of the hard work, but enterprises are likely to look to invest in new hardware, or even storage from suppliers focused on cloud-native environments, to ease the migration to containers.</p> <p>“This is usually by deploying new storage architectures, either via new storage products from existing vendors, but increasingly by engaging with new vendors,” says Poulton. Enterprises, he adds, might still be running older hardware systems, but they are unlikely to use them for Kubernetes.&nbsp;</p> </section> A detailed understanding of how containerised applications work with data storage is needed to migrate enterprise IT to a cloud-native architecture https://cdn.ttgtmedia.com/visuals/German/article/container-illustration-adobe.jpg https://www.computerweekly.com/feature/How-a-cloud-native-architecture-handles-persistent-storage Mon, 04 May 2026 04:00:00 GMT <p>As countless case studies published on Computer Weekly have shown through the years, every minute and every penny that a Formula 1 team is spending on <a href="https://www.computerweekly.com/feature/How-Oracle-Red-Bull-Racing-is-driving-Formula-1-into-the-future-with-cloud-AI-and-data" target="_blank" rel="noopener">research, development and testing</a> is precious and only grudgingly wasted.</p> <p>In a cost-capped sport that is as much an engineering competition as it is one of driver skill, victory – whether in the drivers’ or constructors’ championships – often comes down to the finest of margins.</p> <p>This season, the world of F1 is also dealing with a once-in-a-decade overhaul of the sporting regulations that have essentially forced a ground-up redesign of its cars. For some, like <a href="https://www.computerweekly.com/news/366635192/Mercedes-AMG-Petronas-F1-revs-up-testing-with-augmented-reality" target="_blank" rel="noopener">Mercedes-AMG Petronas</a>, this has paid off big time. But for <a href="https://www.redbullracing.com/int-en" target="_blank" rel="noopener">Oracle Red Bull Racing</a>, the past few weeks have been rough ones.</p> <p>The team’s drivers, former world champ Max Verstappen and his new partner Isack Hadjar, may not have much to show for it as they head to Miami for the fourth round of the season, but at HQ in Milton Keynes, its engineers are working flat out and morale is good.</p> <p>When it comes to testing parts and components in its wind tunnel, a recent engagement with identity and access management specialist 1Password is paying dividends, with the team’s technicians now able to work much more efficiently.</p> <p>In a world like cyber security, success can be hard to quantify. Sometimes it can even be dangerous to say too much, lest you speak candidly and give a watching threat actor something to go on. But in this instance, Oracle Red Bull Racing can definitively state that after adopting <a href="https://1password.com/" target="_blank" rel="noopener">1Password</a>, it has slashed its wind tunnel recovery time from an hour to two minutes – that’s a cut of 97% &nbsp;– during the test and development process.</p> <p>But why is that the statistic we’re running with? And how does identity and access management (IAM) technology apply to wind tunnels? It seems an unlikely link on the surface, but Matt Cadieux, team CIO, explains why it matters.</p> <p>“The guys who are developing and improving the tunnel and its software push boundaries. The models are bigger, the complexity is bigger, and sometimes when you’re running that load for the first time, the infrastructure is not capable enough,” says Cadieux. “Probably once a every few months we have an outage, and it’s largely due to pushing boundaries with our tools and methods.”</p> <section class="section main-article-chapter" data-menu-title="A challenging customer"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A challenging customer</h2> <p>Ian Brunton heads up software development at Oracle Red Bull Racing’s Aerodynamics team. He takes up the story.</p> <p>“The people I work with are essentially responsible for writing the software used across the teams of engineers that design the car. We plug into commercial <a href="https://www.techtarget.com/searcherp/podcast/Cloud-CAD-software-helps-usher-in-digital-manufacturing-era" target="_blank" rel="noopener">CAD</a> [Computer Aided Design] packages and tie them up to the <a href="https://www.sciencedirect.com/topics/materials-science/computational-fluid-dynamics" target="_blank" rel="noopener">CFD</a> [Computational Fluid Dynamics] estate so that we can iterate quickly in those early stages,” he says.</p> <p>“We also support the wind tunnel … We’re currently building a new wind tunnel here which is a significantly challenging project, but I think will pay a dividend in helping us build, ultimately, the fastest car on the planet.”</p> <p>Brunton describes his team as challenging customers when it comes to IT. He sets high standards and expectations, and by his own admission is harsh in their application. “We’re aiming to provide high uptime,” he says, “and the last thing we need is any system, regardless of what it is, not operating as it is expected to.”</p> <p>The need for uptime becomes even more important because the wind tunnel environment is a highly regulated one in terms of the number of hours the team is allowed to do testing, as well as the number of experiments that it can run.</p> <p>“We basically have an eight-week period in which we have to audit what we’ve done in that period, and we have a budget to use in that period,” says Brunton. “To some extent, the pressure is on – it’s almost worse in the wind tunnel than it is at the track … Generally, at the track, you have components that are well manufactured, you know they’re going to fit together and you have a limited number of options in which to configure and build the car.</p> <p>“But when you’re at the tunnel, it’s effectively an experiment in what we think is going to add performance. There might be parts that maybe don’t completely fit; engineers are discovering, as they’re going, how to design that part.</p> <p>“[With] the pressure that those guys are under to build the car in that timeframe, they can’t afford any downtime – [we don’t want to waste] time, or waste runs in terms of that experiment. Losing that budget is criminal in the sense that it has a direct impact on the performance of the car on the track.”</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> It’s about trying to optimise the amount of time that the people working at the tunnel can focus on just working at the tunnel </figure> <figcaption> <strong>Ian Brunton Oracle Red Bull Racing</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>From Brunton’s perspective, a failure in an inherently complex system – with close to 20 services running across multiple clusters using multiple <a href="https://kafka.apache.org/intro/" target="_blank" rel="noopener">Kafka topics</a> and different databases, that has caused the tunnel to shut down before completion, wasting time and slows development – is a big problem.</p> <p>“If something happens and the system needs to be reset, it relies on someone at the tunnel realising there’s a problem and getting on the phone to someone like me – and that can be in the middle of the night because the tunnel runs 24 hours a day – I’ve got to take the call, get onto my machine, figure out the problem and start bringing that system back online,” says Brunton.</p> <p>In essence, what 1Password enables him to do is to automate returning the systems to a known steady state, so that someone who is technical in terms of car design and engineering but may not know what Kubernetes is or what a SQL database does can effectively hit a big red button and get things moving again.</p> <p>With 1Password, service restoration is fully automated with <a href="https://www.techtarget.com/searchitoperations/definition/Ansible" target="_blank" rel="noopener">Ansible</a> and RunDeck, and a complete redeploy can be triggered in around two minutes with the playbook authenticating via a dedicated, rotatable token to retrieve the secrets it needs at runtime.</p> <p>“It’s about trying to optimise the amount of time that the people working at the tunnel can focus on just working at the tunnel,” says Brunton.</p> </section> <section class="section main-article-chapter" data-menu-title="ID control plane"> <h2 class="section-title"><i class="icon" data-icon="1"></i>ID control plane</h2> <p>But the engagement doesn’t begin and end with wind tunnel uptime; the efficiencies go much deeper.</p> <p>In moving its secrets into 1Password, Oracle Red Bull Racing has created a single, trusted control plane for credentials spanning <a href="https://www.techtarget.com/searchitoperations/tip/Strategies-for-Kubernetes-multi-cluster-management" target="_blank" rel="noopener">Kubernetes clusters</a>, environments, namespaces, factory, wind tunnel and simulation workloads.</p> <p>Developers now access shared vaults with clear ownership and repeatable patterns to make sure that they can retain predictable access during redeployments or workflow changes, while human and automation access are segregated into dedicated vaults with limited user access for critical Kubernetes workloads – this includes Aero clusters and Kubernetes deployments.</p> <p>The team is now using 1Password’s Kubernetes Operator, authenticated via 1Password Connect Server, to pull values from 1Password items and create Kubernetes secrets for workloads. If items change, the operator can update the secret and trigger a roll-out to allow workloads to pick up the new values.</p> <p>In Brunton’s Aerodynamics unit alone, for example, five vaults hold almost 100 entries for cluster credentials, SQL passwords, client secrets, access tokens and Windows Virtual Machine (VM) logins. Meanwhile, his colleagues in Vehicle Performance and Powertrains maintain more than 150 entries. Now that new deployments default to 1Password, the two teams can reduce the time they spend coordinating access, limit potentially dangerous ad hoc sharing, and understand what credentials are current when developers are in the process of modifying (or restoring) workloads.</p> <p>For simulation workflows, Oracle Red Bull Racing is using the 1Password command line interface (CLI) to retrieve SQL connection strings and <a href="https://www.techtarget.com/searchwindowsserver/tip/Test-conditional-access-with-Microsoft-Entra-ID-What-If-tool" target="_blank" rel="noopener">Microsoft Entra ID</a> credentials to access their needed services. Now that these secrets are centralised, they can replace plaintext credentials with secret references from a shared and governed source instead of having to embed secrets in code or configuration files – another risk.</p> <p>Since their applications now rely on secret references, this means users can safely change out their credentials and support both safer automation and earlier application programming interface (API) adoption. The results are improved fidelity and capability much earlier in the simulation process, when changes are much easier to manage – and more affordable – than doing it outside of simulation.</p> </section> <section class="section main-article-chapter" data-menu-title="Going trackside"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Going trackside</h2> <p>“We’re always trying to raise the bar with our cyber posture and credential management,” says Cadieux. “Everyone here is part of a team and tries to do the right thing – and if you tap someone on the shoulder, it usually corrects the behaviour quite quickly – so having early visibility and being able to nip problems in the bud with a simple tap is helpful.”</p> <p>Having standardised secrets and access across engineering, Oracle Red Bull Racing is now looking to take 1Password trackside. On a given race weekend, it runs multiple advanced Monte Carlo (<a href="https://en.wikipedia.org/wiki/Monte_Carlo_method">the mathematical model</a>, not the Grand Prix) simulations to evaluate different scenarios and support on-the-fly strategy decisions.</p> <p>It is now exploring the application of these same patterns to its Oracle Cloud Infrastructure (OCI)-based trackside systems – including credential and certificate management – through which it can achieve consistent automation at race-day pressure.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about technology in F1</h3> <ul class="default-list"> <li>Vistance Networks-owned communications technology provider becomes official networking partner of the TGR Haas F1 Team, delivering purpose‑driven, AI‑enhanced connectivity <a href="https://www.computerweekly.com/news/366637618/Ruckus-gears-up-for-networking-partnership-with-TGR-Haas-F1-Team" target="_blank" rel="noopener">across team headquarters, trackside operations and hospitality</a>.</li> <li>Mercedes-AMG Petronas switches from paper guides to incorporate AR designs into its workflow and see quickly how parts form car assemblies resulting in gains in team’s operations that add up to <a href="https://www.computerweekly.com/news/366635192/Mercedes-AMG-Petronas-F1-revs-up-testing-with-augmented-reality" target="_blank" rel="noopener">improved performance on the racetrack</a>.</li> <li>Learn how the technical teams behind Formula One are using Salesforce’s tools to enhance fan activation and engagement at 24 races across the world, and how they are bringing AI into play <a href="https://www.computerweekly.com/news/366616475/F1-heightens-fan-experiences-with-the-power-of-Salesforce" target="_blank" rel="noopener">with Agentforce capabilities</a>.</li> </ul> </div> </div> </section> Oracle Red Bull Racing massively improved the efficiency of its aerodynamics testing procedures after implementing new identity technology from 1Password. Learn more about this unlikely link https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Oracle-Red-Bull-Racing-car-hero.jpg https://www.computerweekly.com/news/366642593/IAM-tools-help-Oracle-Red-Bull-Racing-keep-pace-with-strict-F1-regs Fri, 01 May 2026 11:54:00 GMT 60 editor@computerweekly.com