Bradford datacentre with heat reuse gains planning consent

Copyright TechTarget - All rights reserved ComputerWeekly’s best articles of the day https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Fri, 15 May 2026 03:54:00 GMT https://www.computerweekly.com editor@computerweekly.com <p>Bradford is to be the site of one of the UK’s first projects to reuse waste heat from a <a href="https://www.computerweekly.com/resources/Data-Centre">datacentre</a>, after operator <a href="https://www.computerweekly.com/news/366566397/Octopus-Energy-invests-200m-in-datacentre-heat-reuse-startup-Deep-Green">Deep Green</a> this week gained planning consent for a 5.6MW facility. The datacentre will be built next to and integrate with heat generation at the under-construction Bradford Energy Centre.</p> <p>The site – near the junction of Listerhills Road and Thornton Road – aims to provide <a href="https://www.computerweekly.com/news/366639995/Enormous-AI-growth-zone-datacentre-gets-planning-approval">artificial intelligence (AI)-capable datacentre resources</a>, which are estimated to come on stream around the end of 2028, after a 24-month construction period.</p> <p>Instead of venting heat drawn away from computer equipment into the atmosphere, the Deep Green datacentre will transfer excess heat into the Bradford Energy Network and make it available to buildings in the area. </p> <p>The datacentre will use a closed-loop cooling system, which practically eliminates water wastage, and will enable the transfer of heat for further use. </p> <p>Deep Green hopes the Bradford site will provide high-density colocation capacity for universities, public sector bodies and businesses that want to run AI inference and data-intensive workloads.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The UK needs more datacentres. But it does not need more waste. Our model is simple – use the electrons twice. First to power AI and high-performance computing. Then to heat homes and buildings </figure> <figcaption> <strong>Mark Lee, Deep Green</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Reuse of heat from datacentres has made little progress in the UK. Elsewhere, Deep Green has a datacentre project in Greater Manchester that will provide heat for a nearby swimming pool. Meanwhile, in London, Vantage Data Centres has a project underway where datacentre heat could be used to warm up to 25,000 homes.</p> <p>Mark Lee, chief executive of Deep Green, said: “The UK needs more datacentres. But it does not need more waste. Our model is simple – use the electrons twice. First to power AI and high-performance computing. Then to heat homes and buildings.”</p> <p>Datacentres produce heat to practically the same level as they consume electricity for compute. So, for every megawatt expended on compute, that amount of heat is produced. In the not-too-distant future, <a href="https://www.computerweekly.com/news/366639658/Huge-grid-and-heat-challenges-ahead-as-Nvidia-set-for-1MW-rack">AI racks of 1MW each</a> – achievable by 2028, according to Nvidia’s roadmap – will produce the equivalent heat of 200 electric ovens. </p> <p>But there are challenges to using that heat. A major one is that the temperature of cooling water coming out of datacentre racks is not very hot in the power generation scheme of things. For that reason, it is not possible to generate electricity from it, so it can only really be used for a local heating scheme.</p> <p>There are almost none of these in the UK, so there is nothing for a datacentre that wants to reuse heat to link up to. </p> <p>The Bradford Energy Scheme is an exception. It is a large-scale heat pump with underground pipes that transport heat across the city, which were laid ahead of the recent pedestrianisation of Bradford city centre. They link to university and college buildings and Bradford City Hall, with the option for others in the city centre to connect in the coming years. </p> <p>Tracy Brabin, mayor of West Yorkshire, said: “Deep Green’s pioneering approach will power our businesses, heat our communities, support the creation of good jobs and help us meet our net-zero ambitions. As the UK’s youngest city and its leading producer of applied AI postgraduates, Bradford is perfectly placed to harness this opportunity and help us innovate to build a stronger, better off West Yorkshire.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about datacentres</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640447/Hit-the-north-UK-datacentre-focus-shifts-to-M62-and-points-north">UK datacentre focus shifts to M62 and points north</a>: Barbour ABI data shows 8GW of total datacentre pipeline with most big projects in the north and Scotland, while London and the M4 corridor are about 25% of projected capacity.</li> <li><a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">Data dive – UK government’s 2030 datacentre capacity targets look shaky</a>. We look at UK datacentre capacity – current and projected – and find DSIT’s 2030 target for 6GW of AI-capable capacity is currently out of reach, unless operators get a move on.</li> </ul> </div> </div> Deep Green’s 5.6MW AI datacentre will take 24 months to build and will link up to an energy centre to heat buildings across Bradford city centre via pre-laid pipes https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Bradford-Energy-Centre-CREDIT-LDRS-Norr-hero.jpg https://www.computerweekly.com/news/366643098/Bradford-datacentre-with-heat-reuse-gains-planning-consent Thu, 14 May 2026 09:31:00 GMT Bradford datacentre with heat reuse gains planning consent <p>Electricity grid “land grabs” to ensure capacity ahead of graphics processing unit (GPU) shipments. Additions to capacity as ever-larger <a href="https://www.computerweekly.com/resources/Data-centre-capacity-planning">datacentres switch on</a>. And the arrival, deployment and “burning in” of Hopper and Blackwell GPUs. </p> <p>These are some of the things we can see in <a href="https://ukpowernetworks.opendatasoft.com/explore/assets/ukpn-data-centre-demand-profiles/">data from electricity grid provider UK Power Networks (UKPN)</a>, which provides electricity utilisation rates taken half hourly for 96 datacentre sites within its region. This stretches from the datacentre hotspots of west London and Docklands, south-eastwards to Kent, Surrey and Sussex, and includes all of Essex and East Anglia. </p> <p>Computer Weekly research conducted in March 2026 analysed Electricity Performance Certificate data to <a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">identify datacentre locations and capacities</a>, finding 80 datacentres in the UKPN region with a combined capacity of 798MW.</p> <p>The UKPN dataset starts at the beginning of 2023 and runs to April 2026. Altogether, it comprises almost 5.4 million rows and covers datacentres categorised by the voltage they import from the grid: extra-high voltage (12 sites), high voltage (60), and low voltage (24).</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f.jpg"> <img data-src="https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f_mobile.jpg" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f_mobile.jpg 960w,https://www.computerweekly.com/rms/computerweekly/UKPN-DC-demand-2023-2026-Adshead-1200px-f.jpg 1280w" alt="Chart shows datacentre power demand data from UK Power Networks" height="411" width="560"> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Utilisation ratios are calculated by comparing actual electricity import – measured half-hourly by smart meter – against the maximum capacity booked by the customer. </p> <p>Site voltage corresponds to the likely size of the datacentre. Low-voltage (LV) sites are typically 400V connections for smaller enterprises, edge datacentres and server rooms. High voltage (HV) in the UKPN data likely refers to 11kV or 33kV connections to colocation hubs and mid-range datacentres. Extra-high-voltage (EHV) connections are 33kV, 66kV, or 132kV, and cover hyperscale campuses and emerging artificial intelligence (AI) factories.</p> <p>The average utilisation rate for all UKPN data is just over 20% of booked capacity. Extra-high-voltage sites use the least of their allotted supply (12%), while low-voltage sites use more (18%).</p> <p>We have taken the data points and split them by voltage levels that correspond to datacentre size. These are then shown in a chart where dips, plateaus, spikes, and so on are visible. These correspond to real-world events that include activation of new datacentre capacity, increases in booked capacity in advance of AI GPU deployments, the heatwave of July and August 2025, actual deployment and “burning in” of AI datacentre infrastructure, and a rush to beat Ofgem’s “use it or lose it” directive in early 2026.</p> <p>Bear in mind that the chart shows utilisation rate, so while in some cases the cause of a spike might be obvious – such as increased power draw for cooling during a heatwave – other changes might not be so obvious, such as an increase in booked capacity that changes the ratio.  </p> <p>Now let’s look at some of the key events that show up in the data. </p> <section class="section main-article-chapter" data-menu-title="Small sites can’t deal with the heatwave: July and August 2025"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Small sites can’t deal with the heatwave: July and August 2025</h2> <p>One of the most pronounced spikes in the green (low-voltage site) data occurred in July and August 2025, when meteorological data shows the UK faced four distinct heatwaves between June and August. Temperatures reached 35.8°C in Kent on 1 July, while August saw sustained high night-time temperatures. </p> <p>The spikes in the chart show the electrical signature of smaller air-cooled datacentres and server rooms desperately trying to keep temperatures down. Unlike large hyperscale sites that use liquid cooling, smaller sites are the most vulnerable to climate stress.</p> <p>They typically rely on legacy direct expansion air-conditioning. When ambient temperatures exceed 30°C, these units draw two or three times their normal power just to maintain the status quo. Electricity utilisation ratio spikes here because total facility power skyrockets while IT load remains static, resulting in a temporary collapse of <a href="https://www.techtarget.com/searchdatacenter/definition/power-usage-effectiveness-PUE">power usage effectiveness (PUE)</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="Capacity increases: Ratios decline – late 2023 into 2024"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Capacity increases: Ratios decline – late 2023 into 2024</h2> <p>Much of the story revealed by the data is that of large-scale sites adding capacity, and booking more electricity supply in anticipation of deliveries and deployment of GPUs. This started to happen in late 2023 and into 2024. </p> <p>The sudden drop-off in September and October 2023 for the largest datacentres – the red line – is likely the result of capacity coming online. </p> <p>So, when a hyperscale site activates a new phase, its import capacity – the total power booked from the grid (the denominator) – jumps instantly. But because the IT load (the numerator) only populates as servers are physically racked and “burned in” over subsequent months, the utilisation percentage appears to crash.</p> <p>At the same time, we see gradual (blue line) and more pronounced (green line) declines in late 2023 and into 2024. That’s a likely indication that larger, newer, more efficient facilities are pulling general-purpose workloads away from the older small and mid-range facilities.</p> <p>CBRE’s forecast for large-scale colocation take-up in London in 2024 was forecast to hit 130MW, and as this new, efficient capacity came online, it “emptied” the less efficient sites.</p> <p>The fact that the smallest datacentres (likely enterprise-owned or older retail colocation sites) took until May 2024 to settle from utilisation ratios of 0.2 to 0.15 indicates a longer migration period. Unlike the hyperscalers, which move workloads in massive, software-defined blocks, smaller organisations are more likely to be bound by physical hardware lifecycles. </p> <p>Sites that activated capacity in late 2023 included:</p> <ul class="default-list"> <li>Iron Mountain’s LON-2, with the first phase of its eventual 27MW of capacity in Slough, was confirmed as operational at the end of 2023. Its grid capacity was likely booked into the UKPN system in September 2023 as part of its pre-commissioning phase.</li> <li>Equinix’s LD11x/LD13 expansions, meanwhile, were specifically designed to lure the big three hyperscalers, and moved from construction to “available capacity” in late 2023.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="GPU supply constraint and the ‘West London land grab’"> <h2 class="section-title"><i class="icon" data-icon="1"></i>GPU supply constraint and the ‘West London land grab’</h2> <p>From late 2023, the lead times on Nvidia GPU clusters became very lengthy, with Omdia reporting 36 to 52 weeks for H100-based servers. At the same time, datacentre operators scrambled for grid supply, often booking way beyond what they would immediately use so they could be ready to deploy Hopper GPUs when they finally arrived in mid- to late-2024. That’s another reason grid utilisation appears to plummet in late 2023 in the chart. </p> <p>In July 2022, the Greater London Authority (GLA) sent a warning to developers, stating that major new planning applications in Hillingdon, Ealing and Hounslow would face delays of up to a decade, with some connection dates pushed back as far as 2035 or 2037.</p> <p>That breaking point was triggered by the extreme concentration of datacentres along the M4 corridor. By mid-2023, datacentres accounted for 18% of total demand in West London. Transmission-level capacity and local distribution reached full capacity because developers had legally “reserved” future power capacity and left zero headroom for new housing or industrial projects.</p> <p>Financial reports from datacentre Real Estate Investment Trusts (REITs) like Equinix and Digital Realty back this up. In their 2023 annual reports, these firms noted record “backlog” levels, where capacity was signed and committed but not yet billing.</p> <p>In the data, a high backlog means the distribution network operator (UKPN) has allocated the power, but the servers aren’t spinning, and this matches the 2023-2024 trough where utilisation ratios settled at a lower baseline compared with the pre-AI land grab.</p> <p>The reason the ratio didn’t bounce back immediately is that AI density is more efficient than legacy density. A rack of H100s might draw 40kW, but it replaces dozens of legacy racks drawing 5kW each. As hopper GPUs finally arrived in mid- to late-2024, they filled that phantom capacity, but because grid capacity had been aggressively over-booked in 2023, utilisation ratios remained low. The industry effectively built a buffer that it is still filling today.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about datacentres</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">Data dive – UK government’s 2030 datacentre capacity targets look shaky</a>: We look at UK datacentre capacity – current and projected – and find DSIT’s 2030 target for 6GW of AI-capable capacity is currently out of reach, unless operators get a move on.</li> <li><a href="https://www.computerweekly.com/feature/Data-dive-A-new-American-Century-in-the-datacentre-pipeline">Data dive – a new American Century in the datacentre pipeline?</a> Looking at datacentre development internationally, we see how the UK faces apparent relative decline, how countries are responding to the AI age, and what MW vs GDP can tell us.</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="GPU deployment, AI datacentre burn-in: 2024 and 2025"> <h2 class="section-title"><i class="icon" data-icon="1"></i>GPU deployment, AI datacentre burn-in: 2024 and 2025</h2> <p>The peaks of mid-2024 fit with the likely deployment of Nvidia Hopper (H100/H200) GPUs. The Hopper generation was the first GPU to hit a 700W Thermal Design Power (TDP) – ie, the wattage for which its cooling had to be designed. An HGX H100 node of eight GPUs draws roughly 10.2kW. The spikes in the data from late-2024 likely represent the initiation of large-scale training runs where thousands of these units synchronise their power draw.</p> <p>These represented a shift in datacentre power dynamics, from the steady-state draws of the previous Ampere (A100) generation to highly volatile, high-density profiles.</p> <p>Late 2025 marked a pivot from Hopper to Blackwell’s high-density liquid-cooled requirements. This transition is reflected in the UKPN telemetry as a distinct shift from steady-state power draw to the volatile, “peaky” plateaus of large-scale Blackwell training epochs. </p> <p>The “mountain range” in the chart beginning in November 2025 marks the power-on month for the UK’s first Nvidia Blackwell (B200) clusters. This is the signature of initial model training, which is an extremely intensive, non-stop process.</p> <p>Each B200 GPU has a base 1,000W TDP, configurable up to 1,200W. The GB200 Grace-Blackwell Superchip, meanwhile – which shipped from late 2024 – mandated direct-to-chip liquid cooling to manage its extreme density. </p> <p>The smoking gun here is the launch of the Nebius AI Cloud cluster at Ark Data Centres’ Longcross Park in Surrey. This went live in November 2025 with several thousand Nvidia Blackwell GPUs and a 16MW signature. </p> <p>The EHV line remains elevated and jagged through March 2026, reflecting the high, sustained draw of “epochs” and “checkpoints” during frontier model pre-training.</p> </section> <section class="section main-article-chapter" data-menu-title="One final spike: Use it so they don’t lose it?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>One final spike: Use it so they don’t lose it?</h2> <p>The giant spike in late March 2026 coincides with the Ofgem Demand Connections Reform deadline of 13 March 2026. </p> <p>In the face of massive increases in electricity demand, not least by datacentre operators – and with the demand queue soaring to 125GW by June 2025 – Ofgem had proposed tougher financial tests and <a href="https://data.parliament.uk/DepositedPapers/Files/DEP2023-0906/connections.pdf">“use it or lose it”</a> rules to clear the queue. Large-scale operators with parked capacity were incentivised to show power draw to prove their projects were “viable” and “strategically important” before the new rules could claw back their unutilised megawatts.</p> </section> Electricity supply utilisation ratios show datacentre developer ‘land grab’, capacity switch-ons, the coming of Hopper and Blackwell GPUs, and usage ramping during training runs https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Fotolia_108959769_datacenter_cooling.jpg https://www.computerweekly.com/news/366642960/Data-dive-Power-grid-data-shows-birth-of-AI-in-UK-datacentres Wed, 13 May 2026 07:55:00 GMT Data dive: Power grid data shows birth of AI in UK datacentres <p>Artificial intelligence (AI) – and in particular agentic AI – can bring considerable increases in productivity to any organisation that uses it, with potential gains of £10 for every £1 spent. But achieving those rewards will require great effort to ensure AI becomes part of organisational culture.</p> <p>That’s the view shared by executives at a Node4 user day event in Nottingham this week, where the mid-market enterprise application, <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">software-as-a-service (SaaS) provider</a> and Microsoft partner showcased a range of AI-based solutions.</p> <p>According to Derby-based <a href="https://node4.co.uk/">Node4</a>, we are set to move past the era of “clunky” AI experiments and into a period where the technology is being industrialised at a rate that outpaces most corporate governance structures. Also showcased was agentic AI, but here, Node4 thinks it will be a year or so before customers trust it.</p> <p>Meanwhile, <a href="https://www.computerweekly.com/news/366642487/Cloud-and-data-sovereignty-caught-in-a-paradox">data sovereignty</a> is an everyday conversation for the company (<a href="#Sovereignty"><em>see box</em></a>).</p> <section class="section main-article-chapter" data-menu-title="The three rings of AI: From assistance to orchestration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The three rings of AI: From assistance to orchestration</h2> <p>Core to the thinking on AI are three stages of AI adoption: First, simple assistance, where users ask questions of a large language model (LLM) where once they would have used a web search tool. Second is co-work, where <a href="https://www.computerweekly.com/news/366639977/Microsoft-Cowork-One-data-store-for-all-your-M365-assets">co-pilot-type tools</a> in an environment help more directly, such as Claude Code. And third, there is orchestration via agentic AI, where agents that are built to carry out specific tasks can be invoked in a variety of settings, often autonomously by preset triggers.</p> <p>But while such capabilities already exist in almost all enterprise application environments, including, for example, in the Microsoft Dynamics 365 Business Central for which Node4 is a specialist, most customers have yet to make use of them. </p> <p>Mark Skelton, chief technology officer (CTO) at Node4 (<em>pictured, above</em>), said: “It’s something we’re struggling with. The challenge with AI at the moment is the consumerisation effect.</p> <p>“We did two roundtables last night, and we had probably 30 customers in those sessions. We asked them, where are you on your AI journey? Almost everyone in the room said, ‘Well, we’re nowhere’.</p> <p>“But when we asked the question, ‘Are you using OpenAI or ChatGPT or cloud?’ Most hands went up. So, what’s happening is business users are using this stuff on their personal accounts.”</p> <p>The concern here, said Skelton, is that if personal accounts are being used, business data is at risk of leaking out.</p> <p>Skelton said the Node4 solution is to help train customers and to showcase what’s possible with simple AI assistance, co-work and agentic AI by means of free-of-charge consulting sessions, “innovation factories” and showing customers how AI can help with real-world workloads.</p> <p>“One thing we do is automate board reports, for example,” said Skelton. “We have to do it every month. And there’s no reason why AI can’t do it. Every organisation will have to do a similar process.</p> <p>“You start with something like that. The customer goes, ‘OK, right, you’re solving a big problem. That’s a bunch of work and five days’ worth of someone’s time that I can now automate and free up their time’.”</p> </section> <section class="section main-article-chapter" data-menu-title="Agentic the future, but trust will take time"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Agentic the future, but trust will take time</h2> <p>Despite recognising the challenges of how to get there, Node4 executives envisage a future of agentic AI. At the event, it showcased pre-built agents and custom agent-building capabilities in Business Central, as well as a set of agents it develops, named “enhanced”, that tackle functions not covered by Microsoft.</p> <p>Currently, Node4 is keen to emphasise that there will be a human-in-the-loop for some time and that AI agents will not be off the leash and able to change or move corporate data.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> We’re probably [six months to a year] away from having [AI agents] committing stuff without human checking. I think that’s sensible because we are still in a phase where this stuff can hallucinate </figure> <figcaption> <strong>Mark Skelton, Node4</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>So, when will Node4 customers be able to trust an AI agent to make changes in a finance ledger or an enterprise resource planning database?</p> <p>“The technology is definitely capable,” said Skelton. “But I think we’re probably in a six-month-to-year window away from actually having these things committing stuff without human checking. I think that’s sensible because we are still in a phase where this stuff can hallucinate.</p> <p>“If it’s not designed right, it can be dangerous. So, I reckon about a year away, but whenever a CTO predicts these days, you can probably halve it because of the rate of innovation.</p> <p>“The human and the guardrails are still very important at this stage,” added Skelton. “Once you’ve built your model and built all the intelligence into the agent, it’s repeatable, and that’s where you get your value. But that starting point – understanding the process you’re trying to automate and execute – is critical, because if you get the input wrong, the output could be catastrophic.”</p> <p>Node4 has around 1,800 customers, of which 800 are users of the Microsoft Dynamics platform. Of those, 63% are on the fully SaaS Business Central, with the remainder on various legacy iterations of Navision.</p> <p>The company also runs its own cloud and datacentres, which can be used for sovereign capability should a customer require it.</p> </section> <section class="section main-article-chapter" data-menu-title="Customer base: Different sectors, different speeds"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Customer base: Different sectors, different speeds</h2> <p>About 1,200 customers are private sector, and 600 public sector. Node4 made north of £33m from the UK public sector for 2024-2025, according to Tussell figures, with its biggest UK government customer being the Department for the Environment, Food and Rural Affairs (£23m).</p> <p>Node4 customers that are not yet SaaS users comprise a fair chunk of the customer base. According to Skelton, it’s not that they don’t want to move. Many simply lack the time and resources to do so.</p> <p>He said: “Traditionally, it’s been very costly to move because the move from Navision to Business Central is not like a Windows upgrade where you click a button and it does it for you.</p> <p>“There are complexities around code conversion and workflow. These are traditionally big projects. They could be 200-day, 300-day projects – so very costly for businesses to do. Where you see this long Navision tail, it tends to be in the smaller organisations that don’t have the big IT departments.</p> <p>“Now, we’re using AI to automate a lot of this process. We’re using AI to do all the code conversion, the workflow remappings, all that kind of stuff. And then we’re going to look at future pipelines about how we automate all the testing.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading"><a id="Sovereignty"></a>Data sovereignty ‘an everyday conversation’</h3> <p><a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">Data sovereignty is a hot topic</a> in the current <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">geopolitical environment</a>. Meanwhile, Microsoft has said more than once that it can’t guarantee that customer data won’t be moved offshore. And in any case, if a US company were subject to a US court order, it would be compelled to provide access to data that stateside law enforcement asked for.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The art to [data sovereignty is] working out what is mission-critical data that [customers] really need sovereignty around versus non-critical </figure> <figcaption> <strong>Mark Skelton, Node4</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>So, how does Node4 navigate that conversation? </p> <p>“What’s going on in the world is having a major impact on how customers are thinking and where their data sits. Of course, with Microsoft, we have to be very careful. So, we design models that sit behind all these data platforms to understand where the data can actually go and put some restrictions and controls around it.”</p> <p>Skelton also pointed to the fact that Node4 also has its own datacentres in the UK.</p> <p>“Customers are now going, ‘I don’t feel comfortable with this data sitting in Microsoft or anywhere else. Can it be in a UK-centric datacentre owned by a UK company?’ We’re seeing a bit of an uptick in demand for our datacentre capability for that reason.”</p> <p>Skelton said Node4 can still work with the Microsoft ecosystem, with data or even AI models residing in its datacentres.</p> <p>That’s partly because customers aren’t usually worried about all their data from a sovereignty perspective.</p> <p>“It may be partial sets of data that are critical,” he said. “That’s the art to this; working out what is mission-critical data that they really need sovereignty around versus non-critical. The non-critical would sit in the Microsoft cloud system. The critical stuff sits in ours, and we create the plumbing and the controls between that to make sure all the data is controlled. But it’s a daily conversation.”</p> </div> </div> <p></p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Microsoft and AI</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366639308/Microsoft-CEO-opens-up-London-AI-tour-with-Copilot-push">Microsoft CEO opens London AI Tour with Copilot push</a>: Microsoft CEO Satya Nadella used his event keynote to showcase how the artificial intelligence in M365 is a foundation for agentic AI in the enterprise.</li> <li><a href="https://www.computerweekly.com/news/366639977/Microsoft-Cowork-One-data-store-for-all-your-M365-assets">Microsoft Cowork – one data store for all your M365 assets</a>: Microsoft has revealed the next stage of its plans to place its software at the heart of enterprise data, which is now powered by agentic AI.</li> </ul> </div> </div> </section> UK mid-market supplier showcases the three stages of AI – assistance, co-work and orchestration – but faces a reality in which most users have yet to arrive at first base https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Node4-user-day-Nottingham-hero.jpg https://www.computerweekly.com/news/366642876/Node4-AI-and-agentic-the-future-but-culture-the-key-to-unlock-it Fri, 08 May 2026 04:55:00 GMT Node4: AI and agentic the future, but culture the key to unlock it <p>Hyperscaler cloud is incompatible with <a href="https://www.techtarget.com/whatis/definition/data-sovereignty">data sovereignty</a>. That’s because, as US companies, the hyperscalers are potentially subject to US court orders that can compel them to exfiltrate overseas citizen data.</p> <p>The paradoxical situation for <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">hyperscaler clouds</a> is that they are inherently global and connected because that’s how they gain their economies of scale. </p> <p>Those conclusions result from a <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">Computer Weekly investigation into data sovereignty</a> that asked the hyperscalers a set of questions aimed at discovering their ability – in technical terms – to withstand US court orders that compel eavesdropping on foreign citizens.</p> <p>We asked Amazon Web Services (AWS), Google Cloud, Microsoft, IBM and Oracle the following:</p> <ul class="default-list"> <li>How they would technically prevent a US court order that compelled them to access customer data.</li> <li>How they perform data-in-use functions on in-the-clear data if they say they don’t possess the keys to do so.</li> <li>Whether US-authored updates that contain US court-ordered “technical assistance” updates could bypass data controls and air gaps.</li> <li>Whether they could demonstrate they have a distinct UK region capable of operating all core services in total isolation from global infrastructure.</li> <li>Whether standard terms of service allow them to move customer data and metadata to other geographies.</li> </ul> <p>The context of the investigation is the heightened sense of risk in terms of <a href="https://www.computerweekly.com/feature/Go-big-or-go-home-Should-UK-IT-buyers-favour-US-clouds-or-homegrown-providers">data sovereignty in the current geopolitical situation</a>. In particular, it is focused on the powers of US courts to order US-headquartered companies to provide data held on their systems, wherever those systems are.</p> <p>Instruments for achieving this include the <a href="https://www.techtarget.com/searchsecurity/news/252437526/CLOUD-Act-stirs-tension-between-privacy-advocates-and-big-tech">US Cloud Act</a>, which compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if that data is held overseas. US courts can also enact non-disclosure orders that prohibit a company from telling the data subject that their information has been requested or handed over.</p> <p>In addition, the <a href="https://www.computerweekly.com/news/252433611/New-controversies-upset-plans-for-US-Foreign-Intelligence-Surveillance-Act">Foreign Intelligence Surveillance Act (FISA)</a> Section 702 – due for renewal soon – can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for foreign citizens targeted therewith.</p> <p>Hyperscaler responses to our questions seemed largely to avoid core issues. When we asked about cloud services in general, they responded as though we’d asked about air-gapped and on-premise offers. When we asked about the potential use of backdoor access via updates ordered by US courts, they talked about the use of local staff (or air-gapping again). And when we asked about the possibility of harvesting data, they pointed to encryption and customer-held keys, but did not address that, for the most part, data is processed unencrypted. </p> <p>There are several difficulties with these responses, which you can <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">read for yourself here</a>.</p> <p>One of these difficulties is that, ultimately, a US court can compel “technical assistance” to gain foreign citizen data held in its systems, and that can occur via a compiled software update that would be unreadable by humans and would not contain obvious clues about its function.</p> <p>Another is that even in the rare cases where expensive and resource-intensive data-in-use encryption is used, it is still possible to scrape data from memory.</p> <p>A further difficulty is that in standard terms of service, hyperscalers routinely transit data to other geographies as part of <a href="https://www.computerweekly.com/news/366589152/Microsoft-admits-no-guarantee-of-sovereignty-for-UK-policing-data">follow-the-sun support</a>.</p> <p>The reality is that to achieve anything approaching data sovereignty, customers must opt out of standard cloud terms of service, or use air-gapped services, though none of these is technically 100% proofed against intrusion. </p> <p>All this is a key issue for the UK, given that in the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending. </p> <p>In the 2023-2024 financial year, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, according to <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">data from analyst firm Tussell</a>.</p> <p>Notable examples include <a href="https://www.computerweekly.com/news/366630792/Ministry-of-Defence-signs-400m-sovereign-cloud-deal-with-Google">Google’s £400m contract signed last year to supply the Ministry of Defence with “sovereign cloud” capability</a> based on its Google Distributed Cloud air-gapped offer. But that’s just one example. </p> <p>The UK public sector is densely connected to US hyperscaler infrastructure, and the UK’s Department for Science, Innovation and Technology (DSIT) <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">lacks a definition of data sovereignty</a>.  </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold – responses to data sovereignty risk</a>: We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>: We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector. </li> </ul> </div> </div> We asked the hyperscalers how they would respond to US court-ordered eavesdropping on foreign citizen data – and got responses that highlight a paradoxical situation https://cdn.ttgtmedia.com/visuals/searchITChannel/systems_channel/itchannel_article_020.jpg https://www.computerweekly.com/news/366642487/Cloud-and-data-sovereignty-caught-in-a-paradox Wed, 06 May 2026 06:19:00 GMT Cloud and data sovereignty caught in a paradox <p>In the UK, giant cloud providers – Amazon Web Services (AWS), Google Cloud and Microsoft – run the systems we depend on for vital functionality in the public and private sectors. </p> <p>In the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending. </p> <p>In the financial year 2023/2024, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, including government departments, councils, police forces and NHS organisations, <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">according to data that comes from analyst Tussell</a>.</p> <p>This begs the question, if the UK’s key national infrastructure is run by foreign-owned companies, is the data of UK citizens secure should a court in the US compel a hyperscaler to provide it? Here lies <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">the nub of data sovereignty</a>. </p> <p>In this article, we provide a definition of data sovereignty, the ways it may be undermined from overseas – particularly by the US Cloud Act and FISA Section 702 – drill down into the detail of differing states of encryption and what they mean for security and sovereignty, and look at the inherently cross-border nature of cloud services and its impact on data sovereignty. </p> <p>Core to the article are questions we asked the hyperscalers that aimed to get at exactly how their services could be described as providing data sovereignty. </p> <p>These included how they could technically prevent US court-compelled snooping, the protection afforded by encryption, especially during processing, and how <a href="https://www.computerweekly.com/news/366632561/Court-dismisses-Apples-appeal-against-Home-Office-backdoor">court-compelled backdoors</a> might be injected into infrastructure updates. We also asked to what extent it is possible to offer a sovereign UK cloud region and whether standard cloud terms conflict with <a href="https://www.computerweekly.com/opinion/Data-is-a-sovereignty-issue-And-broader-than-just-the-hyperscalers">data sovereignty</a>.</p> <p>The results illustrate the paradox that lies at the heart of cloud services and data sovereignty.</p> <section class="section main-article-chapter" data-menu-title="Defining data sovereignty"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Defining data sovereignty</h2> <p>We live in a land where the government can’t define data sovereignty. <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">We asked</a> the UK Department for Science, Innovation and Technology (DSIT) in February about its progress towards a <a href="https://www.techtarget.com/whatis/definition/data-sovereignty">definition of data sovereignty</a>, but it couldn’t give one or say when it would have one. </p> <p>But we can work out a definition.</p> <p>The idea of sovereignty as applied to states means the solely held power to govern or control a country.</p> <p>For example, if country A invades country B and establishes control over a swathe of land, where country B’s armed forces, police, and so on, no longer have any authority, then it can be said that country B no longer has sovereignty in the portion of its territory so affected. </p> <p>We can form a definition of data sovereignty based on the same principle. </p> <p>So, if a company headquartered in country A provides technology services in country B, and can effect access to data of citizens of that country, then country B cannot say the data of its citizens is sovereign.</p> <p>Country B may have laws that protect the data of its citizens. But if the country in which the tech company is headquartered has the ability to compel it to provide data held in its systems in another country, then those two sets of laws conflict. Or more to the point, the laws of country B are undermined, and are not sovereign. </p> <p>It’s a parallel to where a country has laws that govern its citizens, but the presence of foreign armed forces and the rules they impose nullify its writ. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold – responses to data sovereignty risk</a>: We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>: We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector. </li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="The Cloud Act and FISA Section 702"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The Cloud Act and FISA Section 702</h2> <p>A good example of a law that compels companies headquartered within its jurisdiction to hand over data they possess is the <a href="https://www.techtarget.com/searchsecurity/news/252437526/CLOUD-Act-stirs-tension-between-privacy-advocates-and-big-tech">US Cloud Act</a>, passed into law during US President Donald Trump’s first term.</p> <p>Cloud here stands for Clarifying Lawful Overseas Use of Data. It was enacted in 2018 after Microsoft refused to hand over customer data held in a datacentre in Ireland, and it was determined that the US Department of Justice could not use domestic warrants to seize data held overseas. </p> <p>The Cloud Act compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if overseas. </p> <p>At the same time, a US court can issue a non-disclosure order alongside any order under the Cloud Act. That’s basically a gag order that prohibits a company from telling the data subject that their information has been requested or handed over.</p> <p>There are ways a company subject to a Cloud Act order can challenge the court. These include a challenge on grounds of “comity”, in which the user in question is not a US person and that disclosure would violate the laws of a “qualifying foreign country”, namely one that has a bilateral agreement with the US, like the UK or Australia.</p> <p>Also, the Cloud Act is considered to be “encryption neutral”, so companies can be compelled to hand over what they have, but it does not compel them to break their own encryption if they do not already have the keys.</p> <p>Having said all that, US government agencies have other laws in their toolbox. </p> <p>Namely, the <a href="https://www.computerweekly.com/news/252433611/New-controversies-upset-plans-for-US-Foreign-Intelligence-Surveillance-Act">Foreign Intelligence Surveillance Act (FISA)</a> Section 702, which is up for an imminent vote to re-authorise it. Using this, the US government can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for foreign citizens who are targeted by provisions under the act.</p> <p>The European Court of Justice (ECJ) has twice struck down data-sharing agreements between the US and EU (<a href="https://www.computerweekly.com/feature/Max-Schrems-The-man-who-broke-Safe-Harbour">Schrems I</a> and <a href="https://www.computerweekly.com/opinion/How-Schrems-II-will-impact-data-sharing-between-the-UK-and-the-US">Schrems II</a>) because FISA Section 702 does not provide equivalent protection to EU citizens.</p> <p>Such “technical assistance” could take the form of compiled code in a software update that enabled the exfiltration of data. </p> </section> <section class="section main-article-chapter" data-menu-title="Does encryption protect citizen data?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Does encryption protect citizen data?</h2> <p>When we get to the responses of the hyperscalers to questions about data sovereignty, we will see an appeal to the fact that data in their systems is encrypted and that only customers hold the keys.</p> <p>We have also seen that the US Cloud Act does not compel a court-ordered company to hand over encryption keys, although FISA 702 can compel “technical assistance” to gain access to data.</p> <p>Here, it is important to drill down into encryption. </p> <p>Firstly, to say that for most data for most of the time, encryption is as good a protection as you can get. Current encryption standards dictate algorithms that are practically impenetrable.</p> <p>So, if you apply, for example, <a href="https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard">AES-256</a> to data-at-rest or data-in-transit, it cannot be read.</p> <p>The fly in the ointment comes when data is being processed. It’s also a problem for companies that argue that the data they hold is secure because it is encrypted.</p> <p>The problem is that – generally speaking – data-in-use must be unencrypted to be processed. And so, in theory, a foreign law enforcement agency that wanted to access data in a cloud system overseas could order data to be collected during processing.</p> <p>Memory scraping, in which malware scans active memory to steal unencrypted data, is possible, for example.</p> <p>It’s true that most data-in-use is unencrypted, although cloud providers do offer so-called confidential computing of some sort.</p> <p>For example, a <a href="https://www.techtarget.com/searchitoperations/definition/trusted-execution-environment-TEE">trusted execution environment (TEE)</a> in so-called confidential computing creates a hardware-encrypted “black box” inside the central processing unit (CPU), which means an unauthorised intruder cannot see inside it while data is being processed.</p> <p>TEEs are breakable, however. It is possible to “listen” to the CPU and measure power consumption or tiny timing fluctuations to guess the data being processed.</p> <p><a href="https://www.techtarget.com/searchsecurity/definition/homomorphic-encryption">Fully homomorphic encryption (FHE)</a> is the Holy Grail, however, because it allows for computation without decrypting data. But that also means it is computationally expensive and isn’t commonplace.</p> </section> <section class="section main-article-chapter" data-menu-title="Air gaps, updates and follow-the-sun"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Air gaps, updates and follow-the-sun</h2> <p>Hyperscaler clouds are an international web of regions and availability zones. They comprise a global operating system, almost entirely managed by artificial intelligence (AI) and orchestrated automation.</p> <p>Cloud networks are made up of regions and availability zones (AZs). Regions are geographically separate – and thus upon them rests the claim of sovereignty by the cloud providers – while AZs are datacentres within a region. AZs within a region are connected by high-bandwidth connections, whereas regions are all interconnected but not by the same low-latency connections.</p> <p>Clouds run on software-defined everything, with every component represented as code, where faults can be monitored and workloads shifted to a different location should issues be detected, and with rolling updates on a non-disruptive zone-by-zone basis.</p> <p>Follow-the-sun in support terms is when support teams hand off responsibility to teams elsewhere in the world to benefit from more convenient (ie, less costly) working hours than the region in question. </p> <p>Follow-the-sun in workload terms means the movement of workloads across the globe to take advantage of lower energy costs or cooler ambient temperatures.</p> <p>In both cases, there is potentially a risk to sovereignty, by dint of where data resides at any given time and the jurisdiction under which support staff may operate, although customers can specify that data permanently resides in a given region. </p> <p>If you sign a standard business or enterprise support contract with a hyperscaler, you are opting in to follow-the-sun by default. A standard agreement usually means you agree to terms that allow the provider to support your account from any global location to meet 24/7 uptime guarantees. </p> <p>It also allows them to route technical metadata (logs, access records, telemetry) to global hubs to maintain the cloud and to allow global administrators access for emergency maintenance, regardless of where those administrators are.</p> <p>The fact that it is metadata that moves potentially allows a provider to say, “We don’t move your data”, but the metadata may be enough for a FISA Section 702 investigation, for example. </p> <p>You can’t just uncheck a box in the settings to opt out of follow-the-sun. Instead, you have to move to a <a href="https://www.computerweekly.com/feature/Sovereign-cloud-and-AI-services-tipped-for-take-off-in-2026">sovereign cloud</a> or regulated industry contract – the AWS European Sovereign Cloud or Microsoft Sovereign Cloud, for example. These guarantee that support and operations are handled only in a specific region.</p> <p>There are also “sovereign cloud” solutions, in which the “cloud” is disconnected from the wide area network (WAN).</p> <p>Obviously, if a customer is on a standard contract, support has full oversight of maintenance and updates, and quite likely from anywhere in the world. You’d think that a local sovereign cloud would remove that scenario, but the cloud provider’s infrastructure must still be maintained, and it is via patching that that occurs. Here is where unwanted snooping could be introduced. </p> <p>Even if the UK staff are the only ones physically in the datacentre, the private keys used to sign “official” software updates likely reside in a hardware security module (HSM) in the US or its facility elsewhere.</p> <p>So, if a US court compels the company to sign an update that contains legally sanctioned spyware, UK “sovereign” staff have no technical way to verify that the code doesn’t contain a backdoor. </p> </section> <section class="section main-article-chapter" data-menu-title="Questions to the hyperscalers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Questions to the hyperscalers</h2> <p>We asked <a href="#AWS">AWS</a>, <a href="#Google">Google Cloud</a> and <a href="#Microsoft">Microsoft</a> five questions around data sovereignty. We also asked <a href="#IBM">IBM</a> and Oracle, because they are both fair-sized US-based suppliers to the UK public sector. </p> <p>The intention was to gauge the levels of exposure their customers could face with regard to data sovereignty.</p> <p>All responded except Oracle, whose PR representatives failed to reply to three emails. </p> <p>The questions were preceded by a preamble that drew attention to the US Cloud Act, non-disclosure orders and FISA Section 702, and the powers therein to compel a provider to grant access, forbid notifications to customers of a court order, compel “technical assistance”, and the possibility of updates authored in the US as a means to effect access to customer data. </p> <p>The questions asked about:</p> <ul class="default-list"> <li>The technical barriers, if any, in the provider’s cloud services that prevent a court order from forcing the use of encryption keys to decrypt customer data.</li> <li>The technical means by which data-in-use functions are carried out without cloud provider access to encryption keys.</li> <li>Whether the cloud provider can guarantee a US-authored software update that contains “technical assistance” aimed at gaining access to data cannot bypass air-gapped systems.</li> <li>Whether the cloud provider has a wholly distinct UK region with exclusively UK-resident support and engineering, including third-party contractors. </li> <li>Whether standard terms of cloud service allow for customer data to be moved offshore, or whether a customer can have 100% UK data residency without a bespoke contract.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Hyperscalers dodge the questions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Hyperscalers dodge the questions</h2> <p>Here we summarise their responses. Full responses are available to view in the <a href="#QandAs">box at the end of this article</a>.</p> <p>Hyperscaler responses to our questions fall under the following categories.</p> <p><strong>“Don’t look there! Look at the air gap!”</strong> The subject of the questions was cloud services in general, but responses often shifted attention to specifically air-gapped offerings.</p> <p><a href="#Google">Google</a> opted to talk about its niche, air-gapped Google Distributed Cloud in response to nearly every question. Perhaps a tacit admission that standard cloud terms of service come nowhere near providing data sovereignty. </p> <p>Google wasn’t alone here, though; just the most dependent on the tactic. AWS also pointed to its AWS Dedicated Local Zones and Outposts managed on-premise offers when asked about cloud services.  </p> <p><strong>“Look! Local people!” </strong>A number of responses tried to distract from the inherent technical vulnerabilities that come with the global, linked nature of hyperscaler cloud. They instead drew attention to the residency or nationality of human operators rather than the reality that automated, US-signed code updates can bypass human gatekeepers entirely.</p> <p>It is virtually impossible for a locally resident operator to scan a multi-gigabyte compiled binary for a state-level backdoor. A backdoor in a modern cloud stack wouldn’t be a line of code that said, “<em>if (user == 'FBI') return data</em>”. It would be a subtle mathematical weakness in an encryption library or a port knocking sequence hidden in a network driver. </p> <p>Local operators can, at best, scan for known viruses, not state-level “technical assistance”.</p> <p><strong>Encryption? Of course. For data-in-use? Errr. </strong>All hyperscalers highlighted the use of encryption in customer data and customer key retention to imply total security. </p> <p>That works for “at-rest” and “in-transit” scenarios. But it glosses over data-in-use scenarios where data must, in most cases, be decrypted in memory. </p> <p>If a US-compelled “technical assistance” order under FISA Section 702 forces a US company to push a firmware update to its own HSMs or Nitro controllers, that update is signed by the US parent. Hardware isolation is only as sovereign as the person who holds the cryptographic signing key for the firmware.</p> <p>Also, in a software-as-a-service (SaaS) environment like M365, Microsoft provides the application and is the administrator. Here, customer-managed keys often break “search” and “discovery” features in SaaS. So, if a customer wants to search their emails in M365, the data must be decrypted by Microsoft’s service. </p> <p><strong>Is it sovereign? Of course; it’s in the EU. </strong>In some cases, hyperscalers responded by pointing to European sovereign solutions. <a href="#AWS">AWS</a>, for example, points to its <a href="https://www.computerweekly.com/news/366557158/AWS-to-open-European-sovereign-cloud-region">European Sovereign Cloud service</a>, which doesn’t locate data in the UK and is not technically sovereign anyway, given the EU is not a sovereign state. </p> <p>Meanwhile, if AWS Seattle has “control” over the AWS Germany subsidiary, which it does, financially and technically, a US court doesn’t care about the EU’s “Sovereign Cloud” label.</p> <p><strong>“Trust Me, Bro,” as a legal pledge.</strong> <a href="#Microsoft">Microsoft</a> majored on this one in its responses. It switches out technical proof of impossibility for corporate pledges to “challenge every government request” in court. This asks the customer to trust a legal process rather than a technical lock. </p> <p>Spoiler alert: There are zero known instances where a hyperscaler has successfully and permanently defied a final, non-appealable US court order to protect a non-US citizen’s data stored abroad.</p> <p>To sum all this up, the hyperscalers are essentially saying that standard cloud is not sovereign. To achieve a level of protection that would allow them to answer these questions with any level of integrity, a customer must move to isolated, air-gapped, or hardware-encrypted tiers that are significantly more expensive, regionally limited and functionally constrained. And would that be cloud?</p> </section> <section class="section main-article-chapter" data-menu-title="The paradox of data sovereignty in the cloud"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The paradox of data sovereignty in the cloud</h2> <p>At the end of the day, hyperscaler cloud is caught in a paradox when it comes to data sovereignty. If a cloud were truly sovereign – disconnected, local-only, human-managed – it would lose the cloud economics that make it attractive due to its global scale, automation and the accompanying economies. And so, “sovereign cloud” is really often a marketing term that means standard cloud with extra paperwork.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading"><a id="QandAs"></a>The questions we asked and hyperscaler responses</h3> <p>We wanted to get to the bottom of just how sovereign hyperscaler cloud services are. The main article discusses the key issues and summarises the responses of hyperscalers to the questions put to them by Computer Weekly.</p> <p>Here we reproduce the questions in full, along with hyperscaler responses.</p> <p>We asked for “specific, technical” answers to questions, and hyperscalers were told general marketing statements or high-level policy positions would not be printed (though that’s what some responses amount to and are printed here).</p> <p>The goal of the questions was stated as: “To provide readers with a clear view of which sovereignty claims are backed by verifiable technical mechanisms and which remain matters of corporate policy.”</p> <p>The following context was also given, namely that under 18 USC 2705(b), federal courts can issue non-disclosure orders alongside US Cloud Act data warrants that legally forbid providers from notifying customers of a breach. </p> <p>Also, that when combined with the “technical assistance” provisions of FISA Section 702, the US government can compel a provider to facilitate access to data. </p> <p>Finally, a key assumption stated in the preamble to questions was that because cloud stacks rely on a global supply chain where code is authored and signed at a US headquarters, the “update” is a potential invisible vector for state-level intervention that is difficult to obstruct.</p> <h2>What we asked the hyperscalers</h2> <p><strong>Question 1:</strong> If your cloud services require access to data “in the clear” to perform processing tasks (such as indexing, AI inferencing, or analytics), how do you technically prevent a US-compelled warrant from forcing you to use the required cryptographic keys to decrypt and surreptitiously provide that data to law enforcement?</p> <p><strong>Question 2:</strong> If you claim to never have access to encrypted customer data, how do you technically perform “data-in-use” functions without possessing the keys to decrypt that data within your processing environment?</p> <p><strong>Question 3:</strong> If your sovereign cloud relies on a software supply chain authored and signed by a US-headquartered parent company, how can you technically guarantee that a US-compelled “technical assistance” update – issued under a mandatory gag order – could not silently bypass local air gaps and data controls?</p> <p><strong>Question 4:</strong> Can you provide evidence of a wholly distinct UK region capable of operating all core services in total isolation from your global infrastructure, managed exclusively by a 100% UK-resident support and engineering framework – including all third-party subcontractors?</p> <p><strong>Question 5:</strong> Do your standard terms of service grant you the discretion to move or “offshore” customer data and metadata for residency, resiliency, or global support purposes, and if so, how can a UK customer maintain 100% residency without a bespoke contract that breaks your global automation model?</p> <h2><a id="AWS"></a>The responses: AWS</h2> <p><strong>Computer Weekly commentary</strong></p> <p>Where the questions ask for “specific, technical” responses, AWS answers vaguely, such as when it refers to “a range of technical measures and operational controls” in questions 1 and 2. </p> <p>Also, when what has been asked is specifically technical, what appears as a sleight of hand is to refer to operator and staff access to data. In the context of a massive, automated technical environment, whether an individual has access to masses of compiled code in updates is irrelevant. </p> <p>We see that type of response in questions 1, 2 and 3. The effect here is to draw attention away from a potential scenario in which a US court forced AWS to provide “technical assistance” in an update script that would easily cross borders and bypass human gatekeeping. The idea that some update code is written in European countries is another irrelevance thrown in. </p> <p>When asked in question 4 about a discrete UK region isolated from the rest of AWS’s global infrastructure, the response refers to AWS-managed on-premise infrastructure. Such an offer might provide in-country capacity – although we don’t know whether updates come from elsewhere – but it isn’t really the cloud. </p> <p>When asked whether “standard Terms of Service grant you the discretion to move or ‘offshore’ customer data and metadata”, AWS points to its European Sovereign Cloud service, which doesn’t apply to the UK and is arguably not sovereign, given the EU is not a sovereign state.</p> <p><strong>AWS response to question 1: </strong></p> <p><em>AWS customers have a range of technical measures and operational controls to prevent access to data, and AWS has designed products and services that make sure that no one – not even AWS operators – has any technical means to access customer content.</em></p> <p><em>The Cloud Act does not create any new authority for law enforcement to compel service providers to decrypt communications.</em></p> <p><strong>AWS response to question 2: </strong></p> <p><em>AWS customers have a range of technical measures and operational controls to prevent access to data, and AWS has designed products and services that make sure that no one – not even AWS operators – has any technical means to access customer content.</em></p> <p><strong>AWS response to question 3: </strong></p> <p><em>Only AWS European Sovereign Cloud employees located in the EU and subject to EU law have deployment authority over software updates. Authorised EU-resident employees of the AWS European Sovereign Cloud also have independent access to a replica of the source code needed to maintain the AWS European Sovereign Cloud services.</em></p> <p><em>“The premise of this question is also misleading. Amazon is a global company that operates worldwide supply chains reliant on suppliers and teams from every part of the world. Some of our largest AWS development teams are located in Europe – with key centers in Dublin, Dresden, and Berlin – contributing to core AWS solutions including the AWS Nitro System that powers all modern EC2 instances, Amazon Linux, and Amazon CloudWatch.</em></p> <p><strong>AWS response to question 4:</strong></p> <p><em>AWS offers several products that help customers address UK-specific sovereignty requirements. AWS Dedicated Local Zones can be deployed in a chosen UK location with local AWS employee operations and security features for data isolation and compliance. AWS Outposts deploy in customer UK facilities with hardware-enforced isolation ensuring no AWS operator access to customer data. </em></p> <p><strong>AWS response to question</strong> <strong>5:</strong></p> <p><em>With AWS, customers own their data, control where it’s stored, and decide who can access it. AWS is transparent about how services process customer data, and customers can use tools like AWS Control Tower for management. The AWS European Sovereign Cloud allows customers to keep all metadata they create entirely in the EU, including sovereign Identity and Access Management (IAM), billing, and usage metering systems. </em></p> <h2><a id="Google"></a>The responses: Google Cloud</h2> <p><strong>Computer Weekly commentary</strong></p> <p>The questions were about hyperscaler cloud services. Google provided more information than the other providers, but responded to nearly all the questions as if it had been asked about one very specific and not particularly common offering, namely Google Distributed Cloud (GDC) air-gapped. </p> <p>GDC air-gapped is an on-premise solution, where – Google claims – any updates must be physically transported across the air gap and can be scanned by a trusted operator. Likewise, it says it literally could not comply with a US court order to spy on a customer or hand over data because it has no reach into their systems. That’s likely true for GDC air-gapped, but it’s not what it was asked about.</p> <p>But, Google – rather helpfully – provides information about its mainstream cloud offer that allows us to get a good idea about standard cloud services terms and conditions that the other hyperscalers don’t elaborate upon.</p> <p>For example, it says: “In a standard cloud, Google pushes updated code silently, and often multiple times in a day.” </p> <p>Similarly, it says: “Standard Terms of Service (ToS) that govern the public cloud . . . often include clauses for global load balancing, ‘follow-the-sun’ support, and data movement for resiliency.”</p> <p>And: “The standard ‘global support’ model relies on an engineer in any region being able to ‘see’ your project to troubleshoot.”</p> <p><strong>Google response to question 1:</strong></p> <p><em>In the context of Google Distributed Cloud (GDC) air-gapped, the solution to the compelled disclosure dilemma isn't just a policy promise – it is a fundamental architectural constraint. Because the air-gapped version of GDC is physically and logically isolated from the public internet and Google’s corporate network, the technical barriers to a US-compelled warrant are built into the "sovereignty by design" model.</em></p> <p><em>1. Physical and Network Isolation</em></p> <p><em>No Remote Access: GDC air-gapped does not have a backhaul connection to Google’s global infrastructure. There is no persistent management plane or "phone home" feature that Google can toggle to extract data.</em></p> <p><em>Hardware Ownership: The hardware resides in the customer's chosen location (or a partner's sovereign data center). Google employees generally do not have unescorted physical access to the site.</em></p> <p><em>2. Customer-Managed Encryption Keys (CMEK)</em></p> <p><em>While processing data “in the clear” requires keys, the ownership of those keys is the technical pivot point:</em></p> <p><em>Hardware Security Modules (HSM): In a GDC air-gapped environment, the keys are stored in local HSMs physically located within the air-gapped boundary.</em></p> <p><em>Root of Trust: The customer (or a designated sovereign partner) holds the root of trust. Google does not possess a master key or a remote mechanism to bypass the local HSM to decrypt data for indexing or AI tasks.</em></p> <p><em>3. Tactical Operational Sovereignty</em></p> <p><em>To prevent surreptitious access, GDC air-gapped utilizes a Sovereign Operations model:</em></p> <p><em>No Google Personnel Required: The day-to-day operations, including patching and AI model deployment, can be handled by the customer or a local, cleared third party.</em></p> <p><em>Auditability: Every action taken within the environment is logged locally. Since Google cannot access these logs remotely, they cannot hide a data extraction process from the customer’s own security operations center (SOC).</em></p> <p><em>From a legal standpoint, if Google is served a warrant for data residing in a GDC air-gapped instance, the technical response is “Inability to Comply.” Because Google does not have the network path to reach the data, the physical access to the servers, or the cryptographic keys to decrypt the disks, they cannot “surreptitiously” provide the data. Any attempt to gain that data would require a physical raid on the customer’s own facility – which falls under the customer's local laws and security protocols, not Google’s.</em></p> <p><strong>Google response to question 2:</strong></p> <p><em>In the context of Google Distributed Cloud (GDC) air-gapped, the claim of no access isn’t saying the data is never decrypted; it is saying that Google (the entity/personnel) never has access to the keys or the environment where decryption occurs. The distinction lies in the transition from Data-at-Rest to Data-in-Use within a boundary that Google cannot enter. Here is how that is technically achieved:</em></p> <p><em>1. Sovereign Boundary Logic</em></p> <p><em>In a standard public cloud, the provider manages the hypervisor and the orchestration layer. In GDC air-gapped, the entire stack, from the silicon to the AI workbench, is moved inside the customer’s perimeter.</em></p> <p><em>Local Decryption: When an AI model needs to “see” data in the clear to perform inferencing, the decryption happens on-premises using keys pulled from a local HSM </em></p> <p><em>Isolation of the Execution Environment: The decryption occurs within the customer’s air-gapped hardware. Because there is no network path back to Google, the “clear text” data exists only in the local RAM of the air-gapped servers.</em></p> <p><em>2. Customer-Controlled Key Access</em></p> <p><em>The software performing the processing must request the key from the local Key Management Service (KMS).</em></p> <p><em>Access Control Policies: The customer defines the Identity and Access Management (IAM) roles.</em></p> <p><em>Technically Barred: Google does not have an identity in the customer’s local air-gapped IAM system. Therefore, the processing environment can’t “ask” for a key on Google’s behalf, and Google cannot “push” a command to release a key to an unauthorized third party as these are Customer managed encryption keys (CMEK).</em></p> <p><strong>Google response to question 3:</strong></p> <p><em>In Google Distributed Cloud (GDC) air-gapped, this risk is mitigated through a combination of Customer-Led Updates, Binary Authorization, Third-Party Operations.</em></p> <p><em>1. No “Automatic” Updates</em></p> <p><em>In a standard cloud, Google pushes updated code silently, and often multiple times in a day. In GDC air-gapped, there is no physical connection to Google.</em></p> <p><em>The Manual Bridge: Updates are provided as signed container images and binaries. The customer (or their trusted sovereign partner) must download these to a separate secure workstation, scan them, and then physically move them across the “air-gap” via encrypted media.</em></p> <p><em>Technical Sovereignty: This creates a human-in-the-loop bottleneck. A US-compelled “silent” update is impossible because Google cannot “push” anything. The customer chooses when and if to ingest the update.</em></p> <p><em>2. The “Sovereign Operator” Audit</em></p> <p><em>A critical technical defense is who applies the update.</em></p> <p><em>Third-Party Managed: GDC can be operated entirely by a local, cleared partner (eg, STE in Singapore, Proximus in Belgium). These operators act as a “sovereign shield.”</em></p> <p><em>Inspection: Before the update is applied to the live environment, these operators can deploy it in an isolated “staging” air-gap. They monitor for “phone home” behavior (which would fail anyway due to the air-gap) or unauthorized data export attempts at the virtual network layer.</em></p> <p><em>3. Technical Assistance vs. Technical Impossibility</em></p> <p><em>A company can be compelled to provide “technical assistance,” but they cannot be forced to perform the “technically impossible.”</em></p> <p><em>Hardware Root of Trust: Because the keys are in your HSM, Google cannot remotely sign a command to “export” data.</em></p> <p><em>The Gag Order Paradox: Even if Google were under a gag order, they cannot physically enter your data center to plug in a USB drive. If the only way to execute the warrant is to walk a physical drive into a sovereign facility, the legal burden shifts to the local government and the physical security team at the door.</em></p> <p><strong>Google response to question 4:</strong></p> <p><em>Yes - this could be built for customers using Google Distributed Cloud Air Gapped, like the landmark deal we have announced for the MOD. In 2025, Google Cloud and the UK Ministry of Defence (MoD) formalized a landmark agreement for a sovereign, air-gapped cloud. [Link to press release]. </em></p> <p><em>Pasting the helpful info here: </em></p> <p><em>Google Distributed Cloud Air Gapped: The sovereign cloud environment will be built upon Google Distributed Cloud (GDC) air-gapped, a platform designed for workloads that require strict data residency and security controls. GDC provides a hardened, air-gapped environment, ensuring that the MOD’s critical data remains within UK sovereign territory and under their direct control. This platform will also enable the responsible integration of Google's advanced AI and machine learning tools, empowering the MOD with enhanced analytical capabilities to provide operational efficiencies.</em></p> <p><strong>Google response to question 5:</strong></p> <p><em>The short answer is no. In the context of Google Distributed Cloud (GDC) air-gapped, the standard Terms of Service (ToS) that govern the public cloud which often include clauses for global load balancing, “follow-the-sun” support, and data movement for resiliency do not apply. GDC air-gapped is governed by a separate, specific legal and technical framework designed to ensure that the global automation model is physically unable to move our customers’ data or metadata.</em></p> <p><em>1. Service-Specific Terms</em></p> <p><em>Instead of the standard online ToS, air-gapped customers use GDC Air-Gapped Service Specific Terms. These terms explicitly recognize the disconnected nature of the environment:</em></p> <p><em>Removal of “Offshoring” Discretion: Because the system is air-gapped, Google legally and technically removes its own ability to move data. The terms define the "Sovereign Boundary," stating that data and metadata (logs, telemetry, and configuration) must remain within the customer-controlled or partner-operated facility.</em></p> <p><em>2. Breaking Global Automation</em></p> <p><em>You do not need a “bespoke contract” to prevent data movement because the automation model itself is local.</em></p> <p><em>Local Management Plane: In the public cloud, the control plane lives in a global mesh. In GDC air-gapped, the control plane is physically located inside the rack in your UK data center.</em></p> <p><em>Hardware-Locked Metadata: Metadata like IP addresses, VM names, and audit logs are stored on local disks within the air-gapped environment. There is no automated routine that can “call” this metadata back to a global database because there is no network route to the outside world.</em></p> <p><em>3. Sovereign Operations vs. Global Support</em></p> <p><em>The standard “global support” model relies on an engineer in any region being able to “see” your project to troubleshoot. GDC air-gapped replaces this with Resident Support.</em></p> <p><em>100% Residency of Support: Support is provided by a UK-resident, cleared team. If they need to look at a log, they do it within the UK boundary.</em></p> <p><em>No Remote Access: Even if a US engineer wanted to help, they have no technical way to log into the system. The "automation" for support is localized to a secure UK-based operations center.</em></p> <p><em>4. How to Maintain 100% Residency Without “Breaking” the Cloud</em></p> <p><em>The innovation of GDC air-gapped is that it provides a cloud-native experience that is functionally identical to the public cloud but architecturally siloed.</em></p> <p><em>Local Resiliency: Instead of relying on a US region for backup, you achieve resiliency by deploying multiple GDC racks across different UK-only zones</em></p> <p><em>The Secure Supply Chain: Google provides the code (the binaries), but you provide the home. Once that code is installed, it operates as a “black box” that answers only to your local UK administrators.</em></p> <h2><a id="Microsoft"></a>The responses: Microsoft</h2> <p><strong>Computer Weekly commentary</strong></p> <p>Microsoft chose not to respond to the questions inline, so it’s not as easy to see what its answers respond to.</p> <p>Again, we see reference to “workloads in air-gapped or disconnected environments”, when that was not the subject of the questions. </p> <p>Where questions asked for “specific, technical” responses, we get bland answers. There’s also a long paragraph about encryption keys that appears to be about data-at-rest or in-transit, which we didn’t ask about.</p> <p>There is also reference to “UK customers . . . ability to store and process their data within UK datacenters . . . [That] includes compliance with local regulations and provides geo-redundant protection for business continuity”. </p> <p>Microsoft Azure does have a data-in-use encryption offer in Azure Confidential Computing, although it doesn’t mention it by name.</p> <p>In its final paragraph, Microsoft talks of its commitment to and “strong record” in challenging court orders. But really, it amounts to “Trust me, bro.”</p> <p><strong>Microsoft responses</strong></p> <p><em>Microsoft customers can deploy workloads in air-gapped or disconnected environments using Azure Local and Microsoft 365 Local, with full control over update management, monitoring, and lifecycle operations via a local control plane.</em></p> <p><em>External Key Management allows customers to use their own on-premises or third-party Hardware Security Modules (HSMs) for encryption, ensuring Microsoft does not have access to customer keys. Microsoft’s custom HSM is deployed globally. In addition, Azure Confidential Compute, Azure Key Vault, and Double Key Encryption, are designed, deployed, and operated such that Microsoft is incapable of accessing, using, or extracting data stored in the service, including cryptographic keys.</em></p> <p><em>Microsoft performs "Data-in-Use" functions without possessing customer encryption keys by leveraging a layered encryption model and customer-managed keys.</em></p> <p><em>Microsoft offers UK customers the ability to store and process their data within UK datacenters. This includes compliance with local regulations and provides geo-redundant protection for business continuity.</em></p> <p><em>Microsoft does not provide any government with direct, unfettered access to customer data. Any data access request is subject to rigorous review, according to a strict process, by internal and external legal teams to ensure it is legally valid and compulsory, compliant with all applicable law, and strictly limited to specific account identifiers.  Further, as part of our Defending Your Data initiative we’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so. We have a strong record of doing just that, including through litigation where necessary.</em></p> <h2><a id="IBM"></a>The responses: IBM</h2> <p><strong>Computer Weekly commentary</strong></p> <p>IBM considered that question 1 merged disparate issues, so it didn’t answer it.</p> <p>Like others, it answered questions as if it had been asked about air-gapped environments, when it wasn’t. </p> <p>When asked about data-in-use encryption, it refers to its new IBM Sovereign Core, which appears to be a product aimed at holding encryption keys in-country but doesn’t specifically mention in-memory encryption. It references the same product when asked about “a wholly distinct UK region”.</p> <p>IBM Sovereign Core is currently in tech preview and published materials are a little light on detail. We’d want to know more about in-use encryption and connections to IBM’s global network, updates, and so on.</p> <p><strong>IBM response to question 1:  </strong></p> <p><em>This question merges several distinct concepts that are technically separate. In modern software applications data‑in‑use processing, encryption key management and lawful access requests, are all designed and governed by different architectural and operational controls. Please refer to questions 2 and 3 for relevant information. </em></p> <p><strong>IBM response to question</strong> <strong>2:</strong></p> <p><em>IBM Sovereign Core processes data‑in‑use within the customer application’s trusted execution environment, where purpose‑bound application code determines when and how data is processed; decryption, where required, is transient, in‑memory, and under the application’s control with customer visibility. Capabilities like Keep Your Own Key encryption ensure keys are held and managed exclusively by the customer and are not accessible to IBM.</em></p> <p><strong>IBM response to question 3:</strong></p> <p><em>Software supply‑chain, execution in air‑gapped environments, and legal access frameworks are all independent by design, governed by separate technical and operational controls: our clients hold full technical authority in air gapped environments, and IBM technology places transparency and control in the hands of our clients, consistent with our publicly available data access principles and law‑enforcement transparency reports. </em></p> <p><strong>IBM response to question</strong> <strong>4: </strong></p> <p><em>IBM Sovereign Core enables UK enterprises to run and govern AI workloads within the UK jurisdictional boundaries, without relying on a global provider control plane, and with the flexibility to choose UK‑based operating partners. </em></p> <p><strong>IBM response to question</strong> <strong>5:</strong></p> <p><em>For more than a century, IBM has earned the trust of our clients by responsibly managing their most valuable data. IBM is transparent about how it handles client data and does so in accordance with all applicable laws.</em></p> </div> </div> </section> Hyperscaler cloud is inherently global. Does that make data sovereignty unattainable – especially given the powers US courts hold? We grilled the hyperscalers in an attempt to find out https://cdn.ttgtmedia.com/visuals/German/article/cloud-access-and-identity-2-adobe.jpg https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro Wed, 06 May 2026 06:18:00 GMT Is cloud data sovereignty all just a case of ‘Trust me, bro’? <p>Every organisation today is measured by two things: “exit velocity” and its “ability to pivot”.</p> <p>Exit velocity is how quickly you can move away from a technology, platform or contract the moment it stops serving you. Ability to pivot is how easily you can shift direction, technologically or operationally, without destabilising the business.</p> <p>Together, they define a company’s real digital resilience. And right now, most organisations don’t have either.</p> <p>This is the backdrop to new research findings:<a href="https://www.suse.com/navigating-digital-resilience-2026/"> 98% of IT</a> leaders now <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">prioritise digital sovereignty</a>, yet half still lack a formal strategy. Meanwhile,<a href="https://www.suse.com/navigating-digital-resilience-2026/"> 94% say open source</a> is very or extremely important to resilience. The intent is there but the ability to act is lagging. The gap between aspiration and execution reveals a deeper truth: knowing where your data sits is not the same as being in control of it.</p> <p>If you look at recent headlines and analysis on digital sovereignty, the discussion is mostly framed in terms of risk and the need for nation-states to exert greater control over their data and digital infrastructure. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>. We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector.</li> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold: Responses to data sovereignty risk</a>. We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> </ul> </div> </div> <p>Commentators are heavily focused on the downsides of continued over-reliance on big tech, with the tone skewed towards "threats", "battlegrounds", "traps" and other significant concerns. Crucially, though, much of this commentary conflates two distinct dimensions of the problem and that conflation is itself a risk, because it allows jurisdictional measures to stand in for genuine technical independence.</p> <p><strong>Lack of control</strong></p> <p>So, what’s the problem? In a nutshell, organisations everywhere have built much of their critical infrastructure on platforms they don’t control. This is hardly surprising. The <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">outsourced as-a-service model</a> has delivered enormous performance and financial benefits everywhere it is available. </p> <p>The numbers don’t lie. The global cloud computing market was valued at over<a href="https://www.fortunebusinessinsights.com/cloud-computing-market-102697"> $780 billion</a> last year, with the sector continuing to trend upwards. And as we know, US-owned providers occupy a dominant position. </p> <p>And it’s precisely the issue of control, or the lack of it, which has given rise to the digital sovereignty movement. </p> <p>In Europe, <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">the regulatory wheels have been in motion</a> for some time. NIS2, DORA, and in the UK the Cyber Security and Resilience Bill, have tightened expectations around resilience and supply chain accountability in critical sectors. </p> <p>On an organisational level, many businesses believe they are addressing the underlying issues by moving to a national or regionally hosted cloud environment. The focus here is on ensuring data is stored under the governance of localised, relevant rules. After all, sovereignty is primarily about where data is stored, right?</p> <p>Well, not necessarily. The issue is that data location does not equate to control. In reality, even when the infrastructure is in the appropriate geographic location, the systems, software and underlying platforms often remain owned and governed by external providers.</p> <p>In these circumstances, legal jurisdiction and access rights can still sit outside the organisation, particularly as digital systems become more deeply embedded across operations and supply chains. The result is a growing mismatch between perceived sovereignty and actual control.</p> <p><strong>The hidden risks of outsourcing</strong></p> <p>These issues are nuanced. Organisations no longer simply store data in these environments. They run core operational systems on them. </p> <p>The risk here is one of usage vs control, where heavy reliance on third-party platforms is accompanied by limited visibility into how the underlying infrastructure and software actually operate. </p> <p>A good example is system updates and configurations, which typically sit with the provider, with customers dependent on decisions made outside their own governance structures. This introduces a dynamic in which critical systems are effectively governed externally, with vendor roadmaps or policy decisions having a direct, sometimes immediate, impact on operations. </p> <p>The issue is not just dependency <em>per se</em>, but concentrated dependency, with a small number of providers as stakeholders in a significant share of digital infrastructure across multiple sectors.</p> <p>The problems often only become apparent when a particular organisation needs to respond to new risks or when a change in regulation can’t be fully addressed because it lacks the required level of control. The point is that what appears to be a technology decision (ie, which cloud provider to use) actually adds to operational and regulatory risk.</p> <p><strong>Structural vulnerability</strong></p> <p>Is this anything more than a theoretical problem? The short answer is yes, because the implications of this model reach well beyond IT environments to mission-critical real-world systems in daily use.</p> <p>Take sectors such as energy, manufacturing, logistics and aviation, for example, where digital platforms support practically every key process. When control over these platforms is limited, the risk is not just technical but also extends to potential disruptions to services and outputs.</p> <p>In these and many other environments, concentrated reliance on a small number of non-domestic providers introduces a structural vulnerability, where issues that affect a single platform can have wide-reaching consequences across multiple organisations and sectors.</p> <p>This is particularly relevant in the context of unexpected or sudden shifts in policy or international relations that could affect access or service continuity. In these circumstances, organisations may find themselves exposed to risks beyond their direct control, despite meeting baseline compliance requirements. As we have all seen, government policies and ways of doing business can change rapidly and with little to no advance warning. Limiting exposure to such situations is important, including via tech infrastructure.</p> <p>The underlying risk, therefore, is a form of hidden fragility, where systems appear resilient on paper but are constrained in practice by external dependencies to the extent that digital sovereignty becomes an illusion. </p> <p>Sovereignty needs to be reframed so organisations can have complete confidence in how their outsourced systems and services are governed and changed. </p> <p>In practical terms, this means having sufficient visibility into services and dependencies to understand how they function and where risks sit. A key requirement is flexibility, particularly the ability to move workloads and data without being constrained by proprietary formats or tightly coupled architectures. </p> <p>Open standards, open source and containerisation are central to this approach because they decouple workloads from the underlying infrastructure, making it possible to move between providers or environments without being locked into a single vendor's ecosystem. This is common knowledge among IT teams, and now boardrooms and government offices are starting to realise. Without this kind of portability built in from the start, the freedom to act remains theoretical.</p> <p>Without this clarity and freedom of action, organisations remain dependent on external roadmaps and decisions that may not serve their own priorities. Sovereignty, ultimately, is not a legal status, it is a practical capability, measured by exit velocity and ability to pivot.</p> <p></p> Digital sovereignty is hugely important to IT leaders but in most cases systems have been built on foundations they don’t control. Open standards are key to organisational agility https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/surveillance-camera-security-spy-AlexeyAchepovsky-adobe.jpg https://www.computerweekly.com/opinion/The-illusion-of-digital-sovereignty-and-the-reality-of-control Wed, 06 May 2026 04:47:00 GMT The illusion of digital sovereignty and the reality of control <p>IT contractors are being forced to work through <a href="#Umbrellas">umbrella companies</a>. Often, they can’t determine whether those companies are tax compliant, and therefore frequently suffer from unknown deductions, late payments, and inaccurate and opaque payslip information.</p> <p>Those are among the findings of a survey by contracting authority ContractorCalculator ahead of a government consultation set to close on 1 May. </p> <p>The consultation – <a href="https://www.gov.uk/government/consultations/make-work-pay-modernising-the-agency-work-regulatory-framework">Make Work Pay: Modernising the Agency Work Regulatory Framework</a> – aims to modernise the Conduct Regulations that govern agency treatment of employees and <a href="https://www.computerweekly.com/news/366620175/IR35-Government-outlines-two-pronged-approach-to-umbrella-company-regulation">bring umbrella companies into clearer regulatory scope</a>, improve worker security and pay transparency.</p> <p>The <a href="https://www.contractorcalculator.co.uk/">Contractor Calculator</a> survey asked 730 contractors and freelancers about the impact of IR35 reforms, the role of umbrella companies, and ongoing transparency issues across the UK’s flexible workforce sector.</p> <p>The vast bulk of respondents indicated that the use of an umbrella company is effectively compulsory in most cases. Some 88% said being paid via an umbrella company was the only option in their most recent engagement, while 85% had been told they must use an umbrella company for certain roles.</p> <p>At the same time, contractors are deeply unhappy about being <a href="https://www.computerweekly.com/news/366553224/IT-contractors-forced-against-their-will-to-work-for-umbrella-companies-survey-finds">forced into this position</a>. Of those questioned, only 5% said they were happy to use an umbrella company, while 25% said they would never use one and 39% would only use one if forced to.</p> <p>The effect, said the survey commentary, is that a lack of choice is impacting the market, with contractors declining roles or leaving altogether, and so reducing access to talent for hiring firms.</p> <p>The survey also highlighted increased exposure faced by <a href="https://www.computerweekly.com/news/366614704/Autumn-Budget-Employment-agencies-to-take-on-PAYE-processing-from-umbrella-firms-from-April-2026">agencies and end clients</a> under Joint and Several Liability (JSL) rules that came into effect on 6 April 2026.</p> <p>Under these rules, organisations can be held responsible for unpaid tax where <a href="https://www.computerweekly.com/news/366610276/HMRC-could-lose-millions-in-unpaid-tax-as-non-compliant-umbrella-enters-pre-pack-administration">non-compliant umbrella companies</a> are used. But, according to the survey, JSL has not really reduced risk and is difficult to manage. </p> <p>The survey found 69% of contractors cannot determine whether an umbrella company is tax compliant, and in any case, 34% choose umbrellas based on the highest take-home pay rather than compliance. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading"><a id="Umbrellas"></a>What are umbrella companies?</h3> <p>Umbrella companies are often used by recruitment agencies and end clients to run payroll procedures for contractors and freelance workers.</p> <p>The <a href="https://www.computerweekly.com/news/366621018/IR35-Research-highlights-rise-in-outside-IR35-engagements-among-contractors">number of contractors who provide services via umbrella companies is thought to have soared</a> in recent years, following changes to <a href="https://www.computerweekly.com/news/366632435/IR35-Conservative-Party-pledge-to-reform-off-payroll-rules-gets-lacklustre-response">IR35 tax avoidance rules</a> in the public and private sector.</p> <p>Under the reworked rules, end clients must determine how freelance workers they engage should be taxed, where previously this was the responsibility of the contractors themselves.</p> </div> </div> <p>Additionally, payslip complexity and unclear deductions remain widespread, with gaps that can leave contractors vulnerable to errors and potential exploitation.</p> <p>Half of those surveyed (50%) have discovered unexpected deductions, while 39% report being paid late. Meanwhile, only 30% can confirm payslip accuracy, and just 35% can calculate gross pay from an assignment rate. Assignment rates are the total amount an agency pays an umbrella company for a contractor’s services. </p> <p>Dave Chaplin, CEO of ContractorCalculator, said: “Our survey results strongly reinforce the direction of travel set out in the government’s Make Work Pay consultation. They highlight, in real terms, the lack of choice, transparency and understanding that contractors are currently facing across the agency and umbrella landscape.</p> <p>“Crucially, our survey shows just how widespread the issue of restricted choice has become, with many contractors being offered roles conditional on using a specific umbrella company. The proposal to remove this practice is essential. Giving contractors genuine freedom to choose how they work will help prevent the kind of market distortions that have previously led to workers being channelled into high-risk or non-compliant arrangements.” </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about IR35</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366620175/IR35-Government-outlines-two-pronged-approach-to-umbrella-company-regulation">IR35: Government outlines two-pronged approach to umbrella company regulation</a>. The government looks set to deliver on its long-promised vow to roll out regulation for umbrella companies. </li> <li><a href="https://www.computerweekly.com/news/366610695/HMRCs-list-of-known-tax-avoidance-schemes-and-non-compliant-umbrellas-nears-100-names">HMRC’s list of known tax avoidance schemes and non-compliant umbrellas nears 100 names</a>. The number of non-compliant umbrella companies and tax avoidance schemes on HMRC’s name and shame list has doubled in the past 12 months. </li> </ul> </div> </div> IT skills market impacted as contractors forced to use umbrellas or opt out altogether, while tax compliance remains deeply uncertain, with late payments and payslip inaccuracy rife https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/weather-rain-umbrella-climate-RomoloTavani-adobe.jpg https://www.computerweekly.com/news/366642498/Umbrella-companies-not-working-for-IT-contractors-survey-finds Thu, 30 Apr 2026 04:00:00 GMT Umbrella companies not working for IT contractors, survey finds <p>For decades, engineering teams treated code like a vintage Ferrari – expensive to build, painstakingly maintained and too precious to ever throw away. Every line represented a significant investment of human capital and time, and has led to a culture where code was cherished and its longevity was a marker of success.</p> <p>But at the AWS Summit in London this week, Ryan Cormack, principal engineer at online used car marketplace Motorway, consigned that philosophy to the scrapyard. In the age of <a href="https://www.computerweekly.com/resources/Software-development-tools">agentic artificial intelligence (AI-)driven software development</a>, he says, engineering teams can become more productive and are able to build, revise and maintain code at speeds previously unthinkable.</p> <p>In this article, we look at Motorway’s radical shift from manual coding to an AI-first development pipeline powered by AWS Kiro. Cormack talks about how the company achieved a 4x increase in engineering output, <a href="https://www.computerweekly.com/news/366640859/Advancing-to-the-next-frontier-of-AI">the challenges that come</a> with the ability to produce more code, why the future of software development lies in treating code as disposable, and the core benefits of codifying organisational culture into AI steering files.</p> <section class="section main-article-chapter" data-menu-title="The mindset shift: Disposability vs polish"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The mindset shift: Disposability vs polish</h2> <p>The most profound change at Motorway is speed of delivery but also a psychological break from the past. Historically, writing code was a “time-expensive process”, Cormack says, adding: “We wanted to have code that was so good that we could cherish it for years to come, because we had invested so much time into making it.”</p> <p>But since starting to use Kiro – <a href="https://www.computerweekly.com/blog/CW-Developer-Network/AWS-launches-Kiro-IDE-for-real-agentic-development-at-scale">AWS’s agentic AI-capable IDE</a> – that mindset became a bottleneck. “We shifted away from, ‘We need the most well-polished code for every line we write, all the time’, because we can rewrite it again tomorrow at a speed that’s never been possible before,” says Cormack.</p> <p>This has led to a strategy of “evaluation over production”. Motorway now generates vast amounts of code – a million lines a month – much of which may never reach a customer, says Cormack. Instead, it is used to test and evaluate multiple different ways to solve a problem before committing to it. </p> <p>The lesson for other organisations is clear. Don’t aim for a perfect first pass. Use AI to cycle through iterations, then use human expertise to refine exactly what you want from the options the AI helps provide.</p> </section> <section class="section main-article-chapter" data-menu-title="Managing the ‘volume crisis’: Rigour over speed"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Managing the ‘volume crisis’: Rigour over speed</h2> <p>While <a href="https://www.computerweekly.com/blog/CW-Developer-Network/When-AI-workflows-generate-vulnerabilities-too-fast-for-developers">a 4x increase in output</a> sounds like an engineering dream, it creates a real “review bottleneck”. If you write 400% more code but maintain 100% manual review processes, the system collapses. To combat this, Motorway hollowed out the “manual middle” of the development process and moved human energy to the ends of the process – namely, the spec and the review.</p> <p>“We find ourselves spending more time planning code and the whole process up front, and a little bit more time reviewing what comes out,” Cormack says. “But we lose all this time in the middle where we previously had to manually write all the code.”</p> <p>To ensure AI doesn’t just produce any code but “Motorway code”, the team utilises “steering files”. These files augment the AI’s system prompts with the company’s specific DNA. They are specific to Kiro and are markdown documents that contain instructions, standards and preferences to guide the AI behaviour and coding style. </p> <p>They include, for example, naming conventions that standardise how application programming interfaces (APIs) are labelled across Motorway’s 7,500-dealer network, and design patterns that enforce specific software architectures.</p> <p>By injecting these rules via the AI, generated code looks and feels like it was written by a veteran Motorway engineer. </p> <p>And AI isn’t just used for the build; it’s used for the full lifecycle. “We need to use AI to help us debug, analyse, understand, and evaluate systems as they run,” Cormack adds, noting that agents now monitor logs and metrics to help humans manage a massive fleet of services.</p> </section> <section class="section main-article-chapter" data-menu-title="The ‘Kiro’ engine and model agnosticism"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The ‘Kiro’ engine and model agnosticism</h2> <p>A critical component of Motorway’s success is that Kiro acts as an agentic loop rather than just a simple “autocomplete” tool. </p> <p>“Kiro knows how our CI pipelines work,” says Cormack. “It knows how our infrastructure is code-driven and it knows how our internal applications work together. It’s able to help guide us every step of the way.</p> <p>“We’re using Kiro across our full software development lifecycle. Our product and UX teams can ship real prototypes into our customers’ hands quicker than we’ve ever been able to before. What would take weeks now takes hours.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Motorway’s top tips for AI integration</h3> <ul class="default-list"> <li>Don’t automate in isolation: If your code volume increases 4x, your testing and monitoring must scale at the same rate, or you are simply building a larger pile of bugs.</li> <li>Codify your culture: Use steering files to ensure AI follows your specific organisational standards.</li> <li>Align the roadmap: AI speed means UX and product teams must be in lock-step. “What would take weeks now takes hours,” Cormack says, citing how UX teams now ship car-profiling prototypes directly into customers’ hands almost instantly.</li> </ul> </div> </div> <p>His team can leverage its model agnosticism too. Cormack explained they aren’t locked into a single LLM: “We use Kiro with Claude’s latest Opus 4.7 model, we use it with some of the open weight models, things like Meta’s Llama models ... we’re able to selectively pick the LLM that we know is going to be able to best perform the specific task.”</p> <p>This flexibility helps to mitigate the risk of hallucinations. Motorway relies on a spec-driven approach where the AI must think through the problem and generate a technical design before writing a single line.</p> <p>“It will help us write automated tests that are able to prove that each of these points has been accurately done,” Cormack says. This means the AI provides its own proof of work before a human ever touches it.</p> </section> <section class="section main-article-chapter" data-menu-title="Legacy transition from Heroku to AWS"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Legacy transition from Heroku to AWS</h2> <p>Motorway wasn’t always this agile. The company was “born in the cloud”, on Heroku, which Cormack acknowledges was “great for scaling and getting going”. But as the company grew, it hit friction points.</p> <p>The transition to AWS was driven by a need for “flexibility, adaptability, and scalability”, says Cormack, who views their Kiro-enabled AI-first pipeline as the ultimate tool for such transitions. </p> <p>If he were to do things all over again, Cormack says he would “adopt this model of thinking much earlier on”. The ability to use AI to map migration logic and service dependencies would have saved months of manual effort during the move off their legacy platform, he believes.</p> </section> <section class="section main-article-chapter" data-menu-title="Lessons for the boardroom"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Lessons for the boardroom</h2> <p>For organisations that want to replicate Motorway’s 250% increase in deployment frequency, Cormack warns against automating the grind of coding without also automating the rigour of testing.</p> <p>“If you try to build just by writing code faster, it doesn’t solve the problems,” he says. “I don’t think our customers necessarily want code; they want features and functionality.”</p> <p>The winners of the AI era won’t be the ones who write the most code, but the ones who build the most rigorous frameworks to manage its disposability. </p> <p>As Cormack says: “Kiro’s now writing over a million lines of code for us every single month. So, before we start any new piece of work, our engineering team chooses Kiro to help understand exactly what it is that we want to build.</p> <p>“The rigour at the start of this process helps enable the precision we want in our engineering at the end. So, every piece of work that we do starts with a spec, understanding the intent of what it is that we’re building and why.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about AI and software development</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366638839/Half-of-Googles-software-development-now-AI-generated">Half of Google’s software development now AI-generated</a>: In a bid to free up budget to spend on artificial intelligence infrastructure, Google parent Alphabet is using AI to improve operational efficiency.</li> <li><a href="https://www.computerweekly.com/news/366639364/How-AI-code-generation-is-pushing-DevSecOps-to-machine-speed">How AI code generation is pushing DevSecOps to machine speed</a>: Organisations should adopt shared platforms and automated governance to keep pace with the growing use of generative AI tools that are helping developers produce code at unprecedented volumes.</li> </ul> </div> </div> </section> We talk to Ryan Cormack of used car marketplace Motorway about how AI-driven development increases the speed and productivity of engineering and the challenges it brings https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Fotolia-cars.jpg https://www.computerweekly.com/feature/AI-drives-software-productivity-and-challenges-for-Motorway Thu, 23 Apr 2026 11:56:00 GMT AI drives software productivity – and challenges – for Motorway <p>The UK economy can unlock a £35bn productivity windfall, but only if businesses can bridge a widening “readiness gap” between basic and <a href="https://www.computerweekly.com/resources/Artificial-intelligence-automation-and-robotics">advanced artificial intelligence (AI) use</a>. That’s the core message of Amazon Web Services’s <em>Unlocking the UK’s AI potential</em> report, unveiled this week at its AWS Summit event in London.</p> <p>The research shows that while 64% of UK organisations have now adopted AI, the majority of users remain stalled at a rudimentary level. According to the report, a transition from basic tasks, such as document summarisation, to integration within core business processes could unlock £35bn in economic growth by 2030, a figure it said is roughly equivalent to the economy of Manchester.</p> <p>That was the essence of views put across by Alison Kay, vice-president and managing director of AWS UK & Ireland, who addressed an audience of more than 20,000 in London on Wednesday. Kay said that while AI adoption is growing at a rate of one new UK business every 40 seconds, the depth of adoption often stalls at a basic level, with only 21% of organisations saying they feel prepared for advanced AI.</p> <p>“AI is at a pivotal moment in the UK,” Kay said. “Organisations across the country are seeing tangible results from AI, from productivity gains to faster innovation. While this progress is encouraging to see, there’s still so much more to unlock, especially as we move from basic to advanced AI adoption.”</p> <p>According to Kay, the AWS research shows that advanced AI users report efficiency gains of 68%, compared to just 40% among basic users: “Most organisations are still in the early stages of adoption, employing productivity, basic automation and experimentation. Our research shows that the UK could unlock £35bn of productivity gains by 2030 if basic adopters moved to advanced AI.”</p> <p>However, this momentum is threatened by a critical <a href="https://www.computerweekly.com/news/366637838/UK-government-signs-more-partners-to-boost-AI-skills-across-the-country">shortage of skills</a>. Nearly half (49%) of UK organisations cited a lack of digital skills as a primary barrier to AI transformation, an increase from 46% last year. The “skills gap” has become so acute that businesses are now reporting an average eight-month wait to fill digital roles, with many prepared to pay a 41% salary premium for AI-literate talent.</p> <p>Kay pointed to AWS’s commitment to the Skills to Job Tech Alliance, which aims to train 100,000 UK learners by 2030. She said the company has already helped 60,000 students and contributed to a government-backed goal of equipping 10 million workers with AI skills over the next four years.</p> <p>The summit keynote also featured a technical deep-dive from Francesca Vasquez, AWS vice-president of professional services and agentic AI, who argued that the industry is moving from simple “inline completion” to autonomous “agentic AI”.</p> <p>Vasquez showcased <a href="https://www.computerweekly.com/blog/CW-Developer-Network/AWS-launches-Kiro-IDE-for-real-agentic-development-at-scale">Kiro, a Claude-powered AI agent-capable IDE</a> designed to automate software engineering. Vasquez said AWS recently rebuilt the inference engine for its Bedrock AI platform using six engineers and AI agents in 76 days, a task it estimated would have required 40 engineers for a full year without agentic assistance.</p> <p>Vasquez said: “Kiro gives developers structure and complete transparency. When you ask Kiro to build something, it thinks through the problem first. It gives you full user stories with acceptance criteria, technical design documents with architecture diagrams, sequence flows, discrete implementation tests, everything that you would normally spend hours documenting.”</p> <p>The report also noted that 78% of businesses said they would be more likely to adopt AI if they saw the government lead by example. The report pointed to <a href="https://www.gov.uk/government/publications/state-of-digital-government-review/state-of-digital-government-review">government research</a> showing full digitisation of public services could realise more than £45bn per year in savings.</p> <p>The report concludes that while the UK has the ingredients for leadership – including world-class research and a vibrant startup ecosystem – the transition to an AI-first economy requires a move away from “playing it safe”.</p> <p>This means, it said, closing the digital skills gap by investing in training, public-private partnerships and AI literacy; helping organisations move from adoption to transformation; and scaling AI across public services so government leads by example. </p> <p>AWS confirmed it is proceeding with an £8bn investment in UK datacentre infrastructure through 2028. This expansion is estimated to support 14,000 jobs annually and contribute £14bn to the UK’s GDP.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about AI</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Getting-started-with-agentic-AI">Getting started with agentic AI</a>. We find out how organisations can take automation to the next level using agentic artificial intelligence. </li> <li><a href="https://www.computerweekly.com/podcast/AI-skills-for-IT-pros-A-Computer-Weekly-Downtime-Upload-podcast">AI skills for IT pros: A Computer Weekly Downtime Upload podcast</a>. Matt Stava, CEO and chairman of Spinnaker Support urges IT professionals to ‘retool’ their skillset.</li> </ul> </div> </div> The UK could unlock £35bn of productivity – equivalent to the economy of Manchester – if organisations can move from basic use of AI to productive, often agentic, modes of working https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/using-AI-agent-chatbot-Looker-Studio-adobe.jpg https://www.computerweekly.com/news/366641901/AI-adoption-is-rapid-but-many-stuck-at-basic-levels-says-AWS Thu, 23 Apr 2026 05:30:00 GMT AI adoption is rapid but many stuck at basic levels, says AWS <p>Consumers are being urged to replace passwords with passkeys as a simpler, more secure method of accessing online services.</p> <p>The National Cyber Security Centre (NCSC), part of the signals intelligence agency GCHQ, said today that it would no longer recommend that individuals use passwords for logging on where passkeys are available as an alternative.</p> <p><a href="https://www.techtarget.com/whatis/feature/Passkey-vs-password-What-is-the-difference">Passkeys</a>, which are securely stored on people’s phones, computers, or in third-party credential managers, are quicker and easier to use than passwords and offer stronger security.</p> <p>The NCSC’s recommendation follows a technical study that shows passkeys are at least as secure – and generally more secure – than a password combined with two-factor authentication, such as an authorisation code sent by SMS.</p> <section class="section main-article-chapter" data-menu-title="Resilience against phishing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Resilience against phishing</h2> <p>The agency claims that a move to passkeys would boost the UK’s resilience to phishing attacks and other hacking attempts, the majority of which rely on criminals stealing or compromising login details.</p> <p>The UK government <a href="https://www.computerweekly.com/news/366623776/UK-government-websites-to-replace-passwords-with-secure-passkeys">announced last year</a> that it would roll out passkey technology for digital services as an alternative to current SMS-based verification systems, which incur additional costs for sending SMS messages.</p> <p>The NHS became one of the first government organisations in the world to use passkeys to give patients secure access to hospital and pharmacy websites.</p> <p>Online service providers, including Google, eBay and PayPal, also support passkeys. According to Google, over 50% of active Google users in the UK have a registered passkey – the highest uptake. Microsoft is also introducing passkeys for Hotmail.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more from CyberUK 2026</h3> <ul type="square" class="default-list"> <li><a href="https://www.computerweekly.com/news/366641875/CYBERUK-26-UK-lagging-on-legal-protections-for-cyber-pros">CyberUK ’26: UK lagging on legal protections for cyber pros</a>: Ahead of next week's CyberUK conference, the CyberUp Campaign for reform of the UK's hacking laws proposes a four-pillar framework that would protect cyber professionals from prosecution</li> <li><a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief">Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief</a>: The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, will warn at the CyberUK conference.</li> <li><a href="https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats">UK to build ‘national cyber shield’ to protect against AI cyber threats</a>: Security minister Dan Jarvis calls for artificial intelligence companies to work with government to develop AI-driven cyber defences</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="Better security than 2FA"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Better security than 2FA</h2> <p>Passkeys offer a greater level of security than passwords and SMS two-factor authentication (2FA), both of which can be compromised by hackers.</p> <p>They allow people to log into websites securely, using their own mobile phones, tablets or laptops to verify their identity by entering a PIN or using facial recognition.</p> <p>The use of passwords with two-factor authentication for SMS can be vulnerable to “SIM swapping” attacks, where criminals allocate a victim’s phone number to a phone SIM card to intercept authentication keys.</p> <p>The NCSC said that it stopped short of endorsing passkeys last year because there were still key implementation challenges.</p> <p>However, it said that progress with the technology over the past year, including the ability to move passkeys between Android and Apple phones, has now made the technology viable.</p> </section> <section class="section main-article-chapter" data-menu-title="Passkeys not yet recommended for business"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Passkeys not yet recommended for business</h2> <p>The centre said it can now recommend passkey technology to the public as a more secure and user-friendly login method, and to businesses as the default authentication option for consumers.</p> <p>The NCSC is not yet recommending <a href="https://www.techtarget.com/searchsecurity/tip/How-to-roll-out-an-enterprise-passkey-deployment">passkeys for business applications</a>, which will take longer to phase in. Many organisations rely on old IT systems that do not support passkeys or two-factor authentication.</p> <p>The NCSC said that where services do not support passkeys, it advises consumers to create strong passwords and use two-factor authentication.</p> <p>Jonathon Ellison, director for national resilience at the NCSC, said moving to passkeys would accelerate the UK’s resilience against cyber attacks.</p> <p>“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in, where users migrate to passkeys – they are a user-friendly alternative, which provides stronger overall resilience,” he said.</p> <p>Phasing out passwords will be gradual, with the first step being for people to become comfortable with using passkeys. Big banks are expected to phase in the technology over the next three to five years.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">How passkeys work</h3> <p>When people sign up for accounts using passkeys, their device creates a private key, which remains on the device, and a public key, which is stored by the service they wish to access.</p> <p>The device will prove to the website that it has the correct private key when the owner signs into a service, without disclosing the private key to the service provider.</p> <p>Passkeys are designed to synchronise across different devices, so a passkey stored on an iPhone would be automatically shared with the owner’s iPad.</p> <p>If a person loses a device and does not have a copy of the passkey on a second device, they will be able to recover it by going through an account recovery process.</p> <p>Unlike passwords, passkeys are cryptographically generated and do not need to be changed regularly to remain secure.</p> <p>They are stored in a “secure enclave” on phones and computers, which means they cannot be accessed if the device is compromised or lost.</p> </div> </div> </section> UK National Cyber Security Centre is urging consumers to replace passwords and two-factor authentication with passkeys, following a technical study that shows they are more secure and easier to use https://cdn.ttgtmedia.com/visuals/German/article/easy-password-adobe.jpg https://www.computerweekly.com/news/366642156/NCSC-heralds-end-of-passwords-for-consumers-and-pushes-secure-passkeys Wed, 22 Apr 2026 19:01:00 GMT NCSC heralds end of passwords for consumers and pushes secure passkeys <p>The UK aims to build “national scale” cyber defence capabilities to respond to growing threats from hostile states and artificial intelligence (AI)-powered attacks.</p> <p>Security minister Dan Jarvis said today that defending against “<a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide">frontier AI</a>” will require a national effort from government and businesses.</p> <p>He said the government was “laying the groundwork” for a national capability, which has been dubbed the “national cyber shield”, to protect the UK against cyber threats, and called for AI companies to work directly with the government to develop AI to defend against automated cyber attacks.</p> <p>The government’s vision is to develop defensive AI technology that has the capability to identify and repair security vulnerabilities in software at machine speed. “Make no mistake, this is a generational endeavour, and it will test the absolute limits of our engineering and innovation,” Jarvis said in a speech in Glasgow.</p> <p>He was speaking following Anthropic’s decision to delay its Claude Mythos AI model from public release <a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide">after the technology uncovered thousands of previously known security vulnerabilities</a> across commonly used software applications.</p> <p>Mythos had uncovered “critical flaws that had gone unnoticed by human experts and automatic tools for over two decades”, said Jarvis.</p> <p>He said that protecting Critical National Infrastructure will require a “fundamentally different approach” in the age of AI. “We will not secure the central pillars of the UK state simply by purchasing off-the-shelf vendor solutions,” said Jarvis.</p> <section class="section main-article-chapter" data-menu-title="Cyber attacks more sophisticated"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cyber attacks more sophisticated</h2> <p>Jarvis said the nature of warfare had changed, and that attacks on British systems were increasing in “volume, sophistication and in ambition”.</p> <p>Hostile states have “worked out that the most effective way is not to confront us directly, but to quietly hollow us out”, he said.</p> <p>The National Cyber Security Centre (NCSC), part of GCHQ, handled over 200 nationally significant incidents last year, double that of the year before. <a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief">The majority are attacks from hostile nation states</a>, including Russia, Iran and China.</p> <p>“That number tells me the frontline isn’t coming – it’s here,” said Jarvis. “The cyber security of British business is a matter of national security.”</p> <p>Hostile states were attacking logistics systems used to move goods, and were compromising high street business – a reference to the <a href="https://www.computerweekly.com/feature/One-year-on-from-the-MS-cyber-attack-What-did-we-learn">debilitating cyber attacks against Marks & Spencer and Co-op</a>.</p> <p>The <a href="https://www.computerweekly.com/news/366634441/Jaguar-Land-Rover-cyber-attack-costs-firm-485m-in-its-quarter">cyber attack against Jaguar Land Rover</a>, had it been caused by an old-school physical attack, “would have been the equivalent of hundreds of masked criminals turning up to dealerships across the country breaking glass, smashing up computers and driving cars right off the forecourt”.</p> </section> <section class="section main-article-chapter" data-menu-title="Business needs to step up"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Business needs to step up</h2> <p>Companies are most at risk from cyber attacks, not because attackers exploit vulnerabilities, but because companies have failed to keep their systems up to date, or to deploy base-line security measures such as multi-factor authentication.</p> <p>Jarvis said that while government can set standards, share intelligence and provide guidance, it was no substitute for businesses ensuring basic cyber security hygiene.</p> <p>“Basic cyber hygiene is no longer optional, but the baseline – the absolute minimum we should expect of any serious organisation operating in the modern economy,” he said.</p> </section> <section class="section main-article-chapter" data-menu-title="Cyber Resilience Pledge"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cyber Resilience Pledge</h2> <p>Jarvis said the government would be inviting organisations to sign a Cyber Resilience Pledge.</p> <p>Businesses will be invited to make a “public commitment” to investors, their customers and supply chains to make cyber security a board-level responsibility.</p> <p>They will also be urged to commit to meeting basic security standards through the NCSC’s Cyber Essentials programme.</p> <p>The pledge will accompany the government’s National Cyber Action Plan – a national strategy for cyber security – to be published in the summer.</p> <p>“The plan will demonstrate how we will tackle the growing threat, how we will strengthen our collective resilience, and how we will harness the opportunity for our world-leading cyber sector to secure the UK’s economic growth for years to come,” said Jarvis.</p> </section> <section class="section main-article-chapter" data-menu-title="More funding for small business"> <h2 class="section-title"><i class="icon" data-icon="1"></i>More funding for small business</h2> <p>The security minister said the government was making £90m of investment to strengthen cyber resilience, to provide “practical targeted support” to small and medium-sized businesses.</p> <p>It will be distributed over the next three years through existing schemes run by the Department for Science, Innovation and Technology and the National Cyber Security Centre.</p> <p>Cyber security minister Baroness Lloyd said the government had written to the CEOs and chairs of over 180 of the UK’s leading businesses to encourage as many as possible to sign up to the pledge ahead of a formal launch later this year.</p> <p>“The cyber threat facing UK businesses is serious, growing and evolving fast,” she said. “AI is giving attackers capabilities that would have seemed extraordinary just a year ago, and no organisation can afford to be complacent.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more from CyberUK 2026</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366641875/CYBERUK-26-UK-lagging-on-legal-protections-for-cyber-pros">CyberUK ’26: UK lagging on legal protections for cyber pros</a>: Ahead of next week's CyberUK conference, the CyberUp Campaign for reform of the UK's hacking laws proposes a four-pillar framework that would protect cyber professionals from prosecution</li> <li><a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief">Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief</a>: The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, will warn at the CyberUK conference.</li> </ul> </div> </div> </section> Security minister Dan Jarvis calls for artificial intelligence companies to work with government to develop AI-driven cyber defences https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/IT-security-cyber-defence-fotolia.jpg https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats Wed, 22 Apr 2026 10:45:00 GMT UK to build ‘national cyber shield’ to protect against AI cyber threats <p>Service provider Blackbox Hosting has consolidated storage from two full racks down to just 8U of rack space following migration to Everpure FlashArray hardware. The move has allowed the provider to deliver <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">“sovereign” cloud services</a> with a 10:1 data reduction ratio and an 85% reduction in power utilisation.</p> <p>Blackbox Hosting evolved over 14 years from a single rack to supporting more than 1,500 virtual machines (VMs), and has datacentre capacity at Canary Wharf with a secondary site in Slough.</p> <p>The company operates a fully managed, sovereign (see box) model for major software suppliers including Iris Software Group, which supports payroll and financial management for approximately 60% of UK academies.</p> <p>Blackbox previously relied on HPE 3PAR 8400 <a href="https://www.computerweekly.com/resources/Flash-storage-and-solid-state-drives-SSDs">all-flash arrays</a>. However, as the hardware approached end-of-life, the company faced mounting challenges. </p> <p>“Support renewal costs were significant, and we had issues with HPE support,” said Matthew Burden, CEO at Blackbox Hosting. “We had a power supply failure in a <a href="https://www.computerweekly.com/feature/Disaster-recovery-As-a-service-vs-on-premise">DR site</a>, and despite a four-hour SLA [service-level agreement], it took nearly two weeks to replace. They also began charging for firmware updates that were previously included.”</p> <p>The 3PAR environment was cumbersome, said Burden, and required two full racks of hardware to manage the company’s near-petabyte scale.</p> <p>When it looked for a more performant and dense alternative, Blackbox turned to Pure Storage, which recently rebranded as Everpure.</p> <section class="section main-article-chapter" data-menu-title="High density; ‘one-second’ RPO"> <h2 class="section-title"><i class="icon" data-icon="1"></i>High density; ‘one-second’ RPO</h2> <p>Blackbox has deployed a range of Pure Storage FlashArray models across its two datacentres to support its active-passive high-availability design.</p> <p>The deployment includes two FlashArray//X50 R3s, two X50 R4s, and two FlashArray//C20 units for file clusters.</p> <p>The hardware supports predominantly Hyper-V and VMware VMs, running 90% Windows-based workloads, primarily SQL Server, plus Linux servers.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data storage</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Storage-explained-Consumption-models-of-storage-procurement">Storage explained: Consumption models of storage procurement</a>. We look at consumption models of storage purchasing and how cloud operating models have made them mainstream and supplanted the traditional three-year lift-and-shift datacentre refresh.</li> <li><a href="https://www.computerweekly.com/feature/Auditing-classifying-and-building-a-data-sovereignty-strategy">Auditing, classifying and building a data sovereignty strategy</a>. We look at data sovereignty – what it is and how to build a data sovereignty strategy around data auditing.</li> </ul> </div> </div> <p>The transition from 3PAR to Pure has seen a dramatic consolidation of physical space. “We went from two entire racks filled with disks to two 4U boxes,” said Burden. “Our total provisioned storage is 998TB and we get a total reduction of 10:1. 3PAR had deduplication, but not compression on SSDs.”</p> <p>Beyond space savings, the disaster recovery (DR) capabilities have seen a massive upgrade. Previously, the company’s <a href="https://www.computerweekly.com/feature/Define-RPO-and-RTO-tiers-for-storage-and-data-protection-strategy">recovery point objective</a> (RPO) was limited to 15 minutes. “With Pure Storage, it is one second,” said Durden. “We replicate all 1,500 VMs to our backup datacentre. For a customer with 1,000 VMs, we can spin those up for quarterly testing and they are only one second out from live data.”</p> </section> <section class="section main-article-chapter" data-menu-title="Performance and sustainability"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Performance and sustainability</h2> <p>The shift to non-volatile memory express-based flash has also provided a significant boost to the provider’s green credentials. Sustainability reports generated via Pure’s Evergreen dashboard show an 85% saving in power utilisation compared with the legacy HPE environment.</p> <p>For the end users – which include major corporate energy, finance and transport organisations – the benefit is felt in application speed. “We’ve had clients with huge databases that were always slow with previous providers,” said Justin Field, commercial director at Blackbox. “They can pull data significantly faster now, which is a big play for us when competing against hyperscalers.”</p> <p>Burden also highlighted the “zero-touch” operational simplicity of the new arrays. “The older arrays were very cumbersome; you had to know exactly what you were doing,” he said. “The Pure web interface is very simple, which makes the operational side much easier. Plus, with Evergreen, we don’t have to pull arrays out for upgrades. We can just put in new controllers as scale increases.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Sovereign cloud: A selling point</h3> <p>While hyperscalers like Amazon Web Services and Azure dominate the global market, Blackbox Hosting is attempting to carve out a niche as a UK-based sovereign cloud provider. For Blackbox, data sovereignty is defined by 100% UK ownership, UK-based staff, and physical data residency within UK borders (Telehouse South and Virtus Slough).</p> <p>“People are scratching their heads over the US Cloud Act and how it affects them and their customers,” said commercial director Justin Field. “It’s leading to a lot more kind of engagement with people that probably always just opted for that public cloud.</p> <p>“We’re not a worldwide provider, but we offer sovereignty to businesses within the UK,” he added.</p> <p>But in theory, if any data in transit is handled by any of the US companies, then it’s not sovereign. Does this affect Blackbox? For example, where Everpure has access to storage performance data via its Evergreen-as-a-service dashboard or its Pure1 telemetry? </p> <p>“Our storage and all of our hardware is 100% owned,” said Field. “All of our infrastructure is owned and managed by us. We don’t rely on outside support for our services. It’s all 100% UK staff. Everpure doesn’t process any data.”</p> <p>This “sovereign” status is increasingly seen as vital for Blackbox’s clients in the UK legal, financial and educational sectors.</p> </div> </div> </section> UK-based IaaS ‘sovereign’ provider, with multiple public sector-facing clients, replaced end-of-life 3PAR arrays with FlashArray storage that saw it reduce power consumption by 85% https://cdn.ttgtmedia.com/visuals/German/article/light-bulb-energy-powercut-idea-adobe.jpg https://www.computerweekly.com/news/366641940/Blackbox-replaces-two-racks-of-HPE-storage-with-8U-of-Everpure Wed, 22 Apr 2026 04:00:00 GMT Blackbox replaces two racks of HPE storage with 8U of Everpure <p>The UK is facing a “perfect storm” in cyber security as attacks driven by hostile states, combined with advances in artificial intelligence (AI), create new risks to UK infrastructure, the head of the UK’s National Cyber Security Centre (NCSC) will warn on Tuesday.</p> <p>Hostile nation states are now directly or indirectly responsible for the majority of <a href="https://www.computerweekly.com/news/366632664/NCSC-calls-for-action-after-rise-in-nationally-significant-cyber-incidents">“nationally significant” cyber security attacks</a> against the UK which run at an average of four per week, <a href="https://www.computerweekly.com/news/366616635/NCSC-boss-calls-for-sustained-vigilance-in-an-aggressive-world">Richard Horne, CEO of the NCSC</a>, is expected to say.</p> <p>A combination of technological change and rising geopolitical tension is creating “tumultuous uncertainty”, as well as opportunities in cyber security, he is expected to say at the <a href="https://www.cyberuk.uk/">NCSC’s CyberUK conference in Glasgow</a>.</p> <section class="section main-article-chapter" data-menu-title="Lessons from the battlefield"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Lessons from the battlefield</h2> <p>Russia is taking cyber lessons learned during the war in Ukraine and is deploying “tactics and techniques honed in conflict” against western states, including the UK, Horne will tell conference attendees.</p> <p>That has led to sustained “hybrid” attacks, which incorporate physical and cyber disruption, targeting the UK and Europe.</p> <p>China’s intelligence and military agencies are capable of an “eye-watering level of sophistication” in offensive cyber operations.</p> <p>The Chinese hacking group Volt Typhoon has targeted multiple operators of critical national infrastructure (CNI) in Asia and across the US, as it pre-positions for future attacks, which <a href="https://www.computerweekly.com/news/366640484/UK-Cyber-Monitoring-Centre-plans-expansion-in-US-amid-risk-of-Category-5-attack">could rank among the most severe</a> experienced to date, Computer Weekly has previously reported.</p> <p>And Iran is “almost certainly” using cyber activity to support the repression of people in Britain who are seen as threats to the Iranian regime.</p> <p>Iranian state-linked hackers were also identified as being <a href="https://www.computerweekly.com/news/366640448/Cisa-tells-US-organisations-to-harden-endpoint-management-after-Stryker-attack">behind the cyber attack on the US medical technology firm, Stryker</a>, in March.</p> </section> <section class="section main-article-chapter" data-menu-title="Cyber is an integral part of conflict"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cyber is an integral part of conflict</h2> <p>Horne is expected to warn that cyber attacks are now an integral part of conflict, and as much a part of modern warfare as drones and missiles.</p> <p>Groups linked to Russian military and intelligence services were behind a series of <a href="https://www.computerweekly.com/news/366638859/Russias-cyber-attacks-on-Polish-utilities-draws-NCSC-alert">cyber attacks on Poland’s energy infrastructure</a> in December 2025, for example.</p> <p>They targeted two combined heat and <a href="https://www.gov.pl/web/primeminister/poland-stops-cyberattacks-on-energy-infrastructure">power plants and an energy management system</a> for renewable energy.</p> <p>“Russia is taking the cyber lessons it has learnt in a theatre of war and is moving them beyond the battlefield,” he will say.</p> <p>Cyber security has become “integral to conflict” and will become a new “home front."</p> </section> <section class="section main-article-chapter" data-menu-title="Ransomware without the ransom"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Ransomware without the ransom</h2> <p>In the event of conflict, or near conflict, the UK would likely face cyber attacks “at scale” that would cause similar disruption to ransomware attacks, but without the possibility of recovering data by paying a ransom.</p> <p><a href="https://www.computerweekly.com/news/366634441/Jaguar-Land-Rover-cyber-attack-costs-firm-485m-in-its-quarter">Ransomware attacks on Jaguar Land Rover</a> cost the UK an estimated £1.9bn, while <a href="https://www.computerweekly.com/news/366626336/MS-Co-op-attacks-a-Category-2-cyber-hurricane-say-UK-experts">attacks on Marks & Spencer and the Co-op</a> had estimated costs of between £270m and £440m, according to the <a href="https://www.computerweekly.com/news/366640484/UK-Cyber-Monitoring-Centre-plans-expansion-in-US-amid-risk-of-Category-5-attack">UK Cyber Monitoring Centre</a>.</p> <p>Horne will say that defending against such attacks will require every organisation to make cyber security part of their corporate mission and to “build defence in-depth” so that they can remain operational following a successful attack.</p> </section> <section class="section main-article-chapter" data-menu-title="Risks from Mythos and frontier AI"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Risks from Mythos and frontier AI</h2> <p>Anthropic’s AI model, <a href="https://www.computerweekly.com/news/366641763/Bank-cyber-teams-on-red-alert-as-Anthropic-promises-them-Mythos-next-week">Mythos</a>, has exposed widespread security vulnerabilities in legacy software that could be exploited by malicious attackers if they became known.</p> <p>Horne will warn that such “frontier AI” will quickly show where the fundamentals of cyber security need to be addressed.</p> <p>It will expose poor quality code shipped by software suppliers with significant vulnerabilities, organisations that are not patching their IT systems quickly or widely enough, and those that <a href="https://www.computerweekly.com/news/366638959/CIOs-discuss-friction-between-legacy-IT-and-innovation">fail to replace outdated legacy computer systems</a>.</p> <p>But Horne is expected to argue that there is an opportunity for AI to be a net positive for cyber defence.</p> </section> <section class="section main-article-chapter" data-menu-title="Cyber security in space"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cyber security in space</h2> <p>In the near future, organisations will need to expand cyber security to protect energy systems, production lines, robotics, space-based communications and autonomous AI agents.</p> <p>Technology that is physically integrated into the human body, including medical devices, will also need to be protected.</p> <p>Defending against cyber attacks requires a “cultural shift”, and for cyber security and resilience to be seen as a strategic investment, rather than a cost.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about nation-state attacks</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366639713/NCSC-No-increase-in-cyber-threat-from-Iran-but-be-prepared">NCSC: No increase in cyber threat from Iran, but be prepared</a>.</li> <li><a href="https://www.computerweekly.com/news/366641058/NCSC-warns-high-risk-individuals-of-Signal-and-WhatsApp-social-engineering-attacks">NCSC warns high-risk individuals of Signal and WhatsApp social engineering attacks</a>.</li> <li><a href="https://www.computerweekly.com/news/366632664/NCSC-calls-for-action-after-rise-in-nationally-significant-cyber-incidents">NCSC calls for action after rise in ‘nationally significant’ cyber incidents</a>.</li> <li><a href="https://www.computerweekly.com/news/366632649/China-responsible-for-rising-cyber-attacks-says-NCSC">NCSC: China responsible for rising cyber attacks</a>.</li> </ul> </div> </div> </section> The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, will warn at the CyberUK conference https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/War-Missiles-Weapons-adobe.jpg https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief Tue, 21 Apr 2026 17:30:00 GMT Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief <p>Amid the artificial intelligence (AI) frenzy of investment and hype of across Big Tech these past two years there has been one overarching yet unanswered question on the lips of most AI industry executives:<a href="https://www.computerweekly.com/resources/Software-licensing"> “<em>How do we monetise this?</em>”</a></p> <p>That’s because the reality of the AI roll-out is that the “innovate and they will come” model that worked so well to drive cloud adoption hasn’t worked in quite the same way for AI. Not least because the market has multiple competing options that make enough headline news to make customers aware of their ability to choose.</p> <p>Ultimately, we will probably see consolidation and simplification of the market, but right now public awareness of AI is high, customer choice is wide, and the ability to convert tokens in the datacentre to cash in the bank isn’t playing out quite as investors may have hoped.</p> <p>There are some serious players in the market, including the big three hyperscalers, with all offering GPU-as-a-service type consumption models. Beyond that their services and approaches are quite differentiated.</p> <p><a href="https://www.computerweekly.com/news/366635460/AWS-CEO-Garmin-pitches-billions-of-agents-as-enterprise-AI-future">AWS principally offers</a> AI enablement: AI tooling for developers that fits their largely IaaS/PaaS model. This is powered by generally available LLMs and its own model – Nova – built on the voice-activated Alexa services most of us already have in our homes.</p> <p><a href="https://www.computerweekly.com/news/366624068/Google-I-O-LLM-capabilities-power-agentic-AI-search">Google has a broader range</a> of directly-embedded web services with integration to their search engine and workspace services. They also have three distinct variants of in-house models:  Gemini, Vertex and Gemini Enterprise.</p> <section class="section main-article-chapter" data-menu-title="Microsoft goes all in"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Microsoft goes all in</h2> <p>As usual, however, it is Microsoft that has gone all-in. They have AI everywhere; not just in their cloud services but also desktop operating systems and productivity software. </p> <p>Copilot is on every Windows PC in the world, every office suite, all M365 cloud services and is peppered through the Azure landscape. </p> <p>It is rapidly becoming pervasive. You literally cannot escape it, and even when not actively using Copilot you may be relying on its outputs in ways you hadn’t realised, as the <a href="https://www.theguardian.com/uk-news/2026/jan/14/west-midlands-police-chief-apologises-ai-error-maccabi-tel-aviv-ban">former chief constable of West Midlands Police recently found out to his cost</a>.</p> <p>Copilot may be software designed for entertainment purposes and not to be relied upon, as<a href="https://techcrunch.com/2026/04/05/copilot-is-for-entertainment-purposes-only-according-to-microsofts-terms-of-service/"> some reports of Microsoft caveats suggest</a>, but it’s also a multibillion-dollar revenue stream for Microsoft – or at least that appears to be the plan.</p> </section> <section class="section main-article-chapter" data-menu-title="Per-agent licensing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Per-agent licensing</h2> <p>The recent suggestion by Microsoft vice-president for Copilot and M365, Rajesh Jha, might prove to be the most lucrative change to licensing practices since vendors adopted subscription-based models. Namely, to <a href="https://www.computerweekly.com/news/366630464/Court-to-decide-whether-it-is-lawful-for-enterprises-to-sell-unwanted-software-licenses">force users to buy licences</a> for software sub-routines running inside the software they’ve already paid for.<br><br>Announcing plans to require user-type licences for AI agents to offset potential losses of revenue from staff downscaling due to AI, Jha has gifted Microsoft an idea to exploit the untapped licence value of AI. It’s one that should ring alarm bells for every enterprise locked into their product ecosystem.</p> <p>This is not just software licensing based on compute or storage resources – which already leads to unexpected bill inflation for many customers – but charging Microsoft customers by the sub-routine they run inside the software.</p> <p>As a company grows into AI and develops new streamlined ways of working, Microsoft’s revenues will actually increase. Every developer-created agent, every user AI request, will be captured, tracked and billed – not just on a consumption model, but also on a repeatable annual licence subscription, billed <em>per agent</em>.</p> </section> <section class="section main-article-chapter" data-menu-title="Genius move?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Genius move?</h2> <p>For Microsoft it’s potentially a genius move. And the new Microsoft Agent 365, and Microsoft 365 E7: The Frontier Suite products – which go live on 1 May – are the means for them to do this. </p> <p>This shouldn’t surprise us. The only thing secondary to Microsoft’s ability to create new products is their drive to gain revenue from them, which of course for a commercial entity like Microsoft is entirely to be expected. </p> <p>What won’t be expected by their customers is the likely impact on their purse. The very organisations rushing to adopt agentic AI in Microsoft Cloud and M365 are the same ones who will find their bills rising rapidly. </p> <p>I’ve no doubt the new Frontier Suite products bring amazingly detailed insights into how your organisation uses AI, and controls over its use. The security and management reporting value of that capability is self-evident. </p> <p>It’s also going to be a hugely necessary insight into how to manage your bills, and that’s required because Microsoft are changing the billing rules. They’ve found a way to tax innovation at source, and every single user of their AI services is going to pay for it, and will do so in ways we hadn’t even realised were possible.<br><br>Most of Microsoft’s users might still be waiting to enter the AI age, but software licensing is waiting for them to arrive.</p> </section> Microsoft seems to have a new wheeze: Charging per-agent. Having made Copilot pervasive in the Microsoft stack, it looks like customers may face per-agent billing https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/licences-paperwork-data-adobe.jpeg https://www.computerweekly.com/opinion/Welcome-to-agentic-AI-Welcome-to-per-agent-licensing Fri, 17 Apr 2026 04:56:00 GMT Welcome to agentic AI. Welcome to per-agent licensing <p>On 27 April, the government backed security certification scheme, <a href="https://www.ncsc.gov.uk/cyberessentials/overview">Cyber Essentials</a> v3.3, takes effect and <a href="https://www.techtarget.com/searchsecurity/tip/Multifactor-authentication-Examples-and-strategic-use-cases">multi-factor authentication</a> (MFA) becomes a pass-or-fail requirement for the first time.</p> <p>If a cloud service your organisation uses offers MFA and you have not enabled it, you fail. No discretion, no partial credit, no route to remediate inside the assessment cycle.</p> <p>This is the right call. I want to say that clearly, because what follows is a problem with the implementation, not the policy. MFA is the single most effective control against credential-based attacks, and the scheme has needed to stop tolerating its absence for a long time. The National Cyber Security Centre (NCSC), part of GCHQ, which developed <a href="https://www.computerweekly.com/news/366626069/Cyber-Essentials-certifications-rising-slowly-but-steadily">Cyber Essentials</a> and certification company, <a href="https://iasme.co.uk/">IASME</a> have got this decision right.</p> <p>But in the assessments we have conducted this year, I have seen two organisations that will hit a wall on 27 April, and I do not think they are unusual.</p> <section class="section main-article-chapter" data-menu-title="Train company could not deploy MFA"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Train company could not deploy MFA</h2> <p>The first is a train operating company in the South East. Station operations rooms run on shared terminals where staff rotate through shifts in time-critical conditions. A transport union raised formal concerns that MFA would introduce delays at the keyboard that could affect train operations and, in their view, the safety of train movements.</p> <p>The company listened and chose not to enable MFA in those environments. Under v3.2 they passed, with the relevant questions marked as non-compliant but not fatal. Under <a href="https://iasme.co.uk/articles/upcoming-changes-to-the-cyber-essentials-scheme-april-2026-update/">Cyber Essentials v3.3</a> they will fail.</p> </section> <section class="section main-article-chapter" data-menu-title="Charity run by volunteers faces MFA hurdle"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Charity run by volunteers faces MFA hurdle</h2> <p>The second is a nationally known charity with hundreds of high street shops. The shops are staffed largely by volunteers many of whom work a few hours a week, and staff turnover is high.</p> <p>The cost and management overhead of enrolling every volunteer onto MFA, using personal phones they may not have and authenticator apps they would not keep, was considered prohibitive. So MFA was never switched on. Same story: they passed under v3.2. Under v3.3 they fail.</p> <p>Neither of these organisations is ignoring security. Both made considered decisions based on how their people actually work. The problem is not that they do not want to comply. It is that the standard toolkit of MFA methods, including SMS codes, authenticator apps on personal phones, and push notifications, does not fit a six-person shared terminal that has to be available in seconds, or a volunteer workforce that changes every week.</p> </section> <section class="section main-article-chapter" data-menu-title="FIDO2 could offer solutions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>FIDO2 could offer solutions</h2> <p>The frustrating part is that there is a solution, and it is already proven in healthcare, manufacturing and retail. <a href="https://www.techtarget.com/searchsecurity/feature/Apple-Microsoft-Google-expand-FIDO2-passwordless-support?">FIDO2 authentication</a> delivered through NFC badge-taps lets a staff member authenticate in under two seconds: tap a badge, enter a short PIN, session opens.</p> <p>It satisfies the MFA requirement by combining possession of the badge with knowledge of the PIN. It is faster than typing a password. Crucially, it is compliant, because each badge is enrolled as that individual's unique FIDO2 credential, so the Cyber Essentials requirement for unique user accounts is met. Shared keys or shared PINs would not work. Individual badges do.</p> </section> <section class="section main-article-chapter" data-menu-title="Need for better guidance"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Need for better guidance</h2> <p>v3.3 explicitly recognises FIDO2 authenticators and passkeys as valid MFA methods. The compliance path is clear. What is missing is anyone telling the organisations most affected that this path exists.</p> <p>That is the gap that must close. The NCSC and IASME have made the right policy decision; the scheme would be weaker without it.</p> <p> But implementation guidance for shared-terminal, shift-based and high-turnover environments is thin, and these organisations are running out of time to find their way through it. Many of them hold Cyber Essentials because it is required for government contracts or in their supply chains; losing certification has a direct commercial cost.</p> <p>The answer is not to soften the requirement. The answer is to make sure no one fails for lack of information about how to meet it.</p> <p><i><a href="https://www.linkedin.com/in/jonathankrause/">Jonathan Krause</a> is Founder and Managing Director of Forensic Control</i></p> </section> Some organisations risk losing their Cyber Essentials certifications because of difficulties implementing multi-factor authentication, but there is a solution. https://cdn.ttgtmedia.com/visuals/German/Hero-Authentifizierung-By-Have-a-nice-day-Adobe-02.jpg https://www.computerweekly.com/news/366641782/Cyber-Essentials-closes-the-MFA-loophole-but-leaves-some-organisations-adrift Thu, 16 Apr 2026 09:03:00 GMT Cyber Essentials closes the MFA loophole but leaves some organisations adrift <p>Space services company SES has proclaimed a milestone in capability of its multi-orbit antenna for installation for <a href="https://www.boeing.com/">Boeing</a> aircraft, and inked a multi-orbit in-flight connectivity (IFC) deal with Japan Airlines (JAL) for its Airbus and Boeing long-haul fleet.</p> <p>Designed to operate across both <a href="https://www.computerweekly.com/news/366640878/Delta-in-flight-connectivity-takes-off-with-Amazon-Leo">low-Earth orbit</a> (LEO) and geostationary (GEO) satellite constellations, <a href="https://www.ses.com/">SES’s satellites</a> are designed to global coverage, redundancy and low-latency performance. Its multi-orbit electronically steered array (ESA) system already has 500 installations complete and 1,000 commitments in the pipeline. ESAs are low-profile and support multi-orbit operations, using both geostationary coverage and LEO partner constellations to deliver broad coverage and low latency.</p> <p>The deal with Boeing is intended to allow airlines to receive new aircraft with the onboard network in place and connectivity service available immediately after delivery through a modification provided by the leading aircraft manufacturer.</p> <p>Through this collaboration, Boeing will install the SES in-cabin hardware network on production aircraft during factory production, what is said to be the first key milestone towards offering its multi-orbit system as a fully line-fit connectivity offering across all Boeing commercial programmes.</p> <p>As part of this service, Boeing will install the complete in-cabin network and manage coordination of the external equipment installation. The offer will initially be introduced on Boeing 737 aircraft, followed by the 787 Dreamliner.</p> <p>“Our collaboration with SES reflects Boeing’s commitment to delivering advanced, reliable connectivity to our airline customers,” said Boeing director of airplane connectivity Destry Lucas. “We are making strong progress bringing multi-orbit connectivity into the production environment, enabling a more streamlined installation approach and supporting scalable, line-fit capable solutions.”</p> <p>Mike DeMarco, president of mobility at SES, added: “We are proud of our partnership with Boeing and this outstanding progress. We are on track for full line-fit offerability, giving airlines a seamless path to select and install the multi-orbit ESA antenna solution during aircraft factory production.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about inflight communications</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640878/Delta-in-flight-connectivity-takes-off-with-Amazon-Leo">Delta in-flight connectivity takes off with Amazon Leo</a>: Global airline looks to satellite provider to introduce connectivity on hundreds of aircraft, starting with an initial installation on 500 aircraft in 2028, working to expand its Wi‑Fi and seatback experiences.</li> <li><a href="https://www.computerweekly.com/news/366636351/Abra-launches-in-flight-connectivity-through-SES-multi-orbit-craft">Abra launches in-flight connectivity through SES multi-orbit craft</a>: Latin American airline strikes deal to be leading provider of satellite-powered broadband inflight service in region.</li> <li><a href="https://www.computerweekly.com/news/366634184/IAG-aircraft-to-take-off-with-Wi-Fi-Starlink-connectivity">IAG aircraft to take off with Wi-Fi Starlink connectivity</a>: Leading airline group announces strategic investment in satellite-based Wi-Fi connectivity for its aircraft starting from early 2026, with speeds claimed to enable fast downloads, smooth streaming and cloud-base activity.</li> <li><a href="https://www.computerweekly.com/news/366637031/Eutelsat-extends-Airbus-contract-for-further-low-Earth-orbit-OneWeb-satellites">Eutelsat extends Airbus contract for further low Earth orbit OneWeb satellites</a>: Satcoms constellation provider orders further 340 craft from space technology manufacturer to offer global connectivity services from LEO locations.</li> </ul> </div> </div> <p>Meanwhile, Japan Airlines has selected SES to deliver IFC for <a href="https://www.jal.com/en/corporate/air/aircraft.html">its Airbus and Boeing long-haul fleet</a>, supporting the airline’s stated commitment to an onboard experience that enables passengers to stay connected with fast, dependable internet access.</p> <p>Japan Airlines is a long-time SES customer, and believes the deal will enhance the customer experience on its international long-haul fleet, building on its prior order of SES’s multi-orbit ESA system for its Boeing 737-8 aircraft for which deliveries are expected to begin in 2027.</p> <p>Under the agreement, Japan Airlines will install SES’s multi-orbit ESA system on 20 Airbus A350-900 aircraft (linefit), 10 Boeing 787-9 aircraft (linefit) and 11 Boeing 787-9 aircraft (retrofit). Linefit deliveries are expected to begin in 2028.</p> <p>The airlines believes that its inflight connectivity evolution builds on more than a decade of continuous investment in onboard digital services. “SES has been a trusted partner of JAL since 2013,” said Junko Sakihara, deputy senior vice-president of customer experience at Japan Airlines.</p> <p>“We are proud to have been among the first airlines in the world to offer free service for all passengers flying on our domestic routes starting in 2017. Our decision to provide the SES in-flight connectivity to our long-haul passengers is due to the multi-orbit redundancy, reliability and continuous innovation.”</p> Satellite operator claims milestone towards line-fit offer for multi-orbit connectivity, with streamlined factory installation on Boeing craft and deal with Japanese carrier https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/aircraft-landing-plane-travel-adobe.jpeg https://www.computerweekly.com/news/366641666/SES-gains-altitude-for-in-flight-connectivity-with-Boeing-Japan-Airlines Tue, 14 Apr 2026 09:45:00 GMT SES gains altitude for in-flight connectivity with Boeing, Japan Airlines <p>Microsoft Azure is refusing capacity to <a href="https://www.computerweekly.com/resources/Cloud-computing-services">cloud customers</a> in the company’s UK South (UKS) region, with issues around the availability of Azure virtual machines (VMs) – especially in AMD-based compute, those aimed at HPC workloads and graphics processing unit (GPU)-equipped services.</p> <p>That’s according to comments made to Computer Weekly and in message board threads on Reddit, where many blame Microsoft’s drive to roll out datacentre resource-hungry <a href="https://www.computerweekly.com/news/366639308/Microsoft-CEO-opens-up-London-AI-tour-with-Copilot-push">Copilot AI</a> to the detriment of existing customer requirements.</p> <p><a href="https://www.reddit.com/r/AZURE/comments/1seqid8/uk_south_capacity_issues/">One commenter said</a>: “It’s well known to be terrible and apparently is waiting for more capacity to come online at the end of the year.”</p> <p>Another said: “Terrible capacity issues in UKS. It seems to be impacting one availability zone more than others, and AMD CPUs [central processing units] are far more scarce. We’ve been executing a migration and have faced a number of hurdles securing quota and capacity. I’m told Microsoft are in the process of moving their own internal services <a href="https://www.computerweekly.com/news/366639977/Microsoft-Cowork-One-data-store-for-all-your-M365-assets">such as M365</a> out of those datacentres to free up capacity for customers.”</p> <p>Azure’s UK South region has had capacity issues for some time. Earlier this year, <a href="https://www.reddit.com/r/AZURE/comments/1p3bo9y/uk_south_running_out_of_capacity/">one customer reported</a> being stuck part-way through an Azure Virtual Desktop migration due to not being able to secure capacity.</p> <p>“With 75% of our staff moved, and around 40 vCPU used, we are being denied all additional capacity requests, even after raising tickets and escalating,” they said. “Because of the nature of the apps that we use, low latency is vital (really, it prefers local LAN). We are also required by many of our clients to host data in the UK only due to the nature of what we do.</p> <p>“We’d successfully migrated around 75% of the company, and then when trying to increase quota to finish the job, found that we were denied capacity for everything we tried, v5 and v6 [Azure VMs], AMD, Intel. We escalated several tickets, and were told that our request would be backlogged and denied by the region owner due to capacity.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Microsoft Azure</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366633643/Microsoft-CEO-speaks-of-global-cloud-factory-as-Azure-stalls">Microsoft CEO speaks of global cloud factory as Azure stalls</a>: Alongside Microsoft’s posted cloud revenue of $49bn was a configuration error that caused a global outage affecting many customers. </li> <li><a href="https://www.computerweekly.com/news/366639143/Google-Cloud-supplants-Azure-as-Unilever-cloud-of-choice">Google Cloud supplants Azure as Unilever cloud of choice</a>: Microsoft Azure provided ‘the bulk’ of provision when Unilever went all-in on cloud in 2023, but now Google will be the ‘destination’ for the multinational’s cloud and data platform. </li> </ul> </div> </div> <p>Another commenter said they could get capacity for the platform as a service offering they work on, but could not be sure about future requests: “The service I work on has capacity in UK South – but what happens if we have to scale out further to make room for more resources?”</p> <p>UK South is one of two Azure regions in the UK. The other is UK West, based in south Wales.</p> <p>UK South can offer Availability Zones, which means operations are spread across three datacentres to offer resilience. Many UK South customers run primary operations there and use UK West – which is a single datacentre – as a disaster recovery failover location. </p> <p>Some disgruntled customers believe Microsoft has prioritised the roll-out of datacentre capacity for Copilot AI to the detriment of existing services. In other words, that roll-out of GPU-equipped servers – which are massively resource-hungry – have put a squeeze on datacentre capacity.</p> <p>“Reading between the lines, the rush to AI has f****d Microsoft’s bread and butter services,” said one commenter. “So, they’ve effectively shot themselves in their foot pushing out a product no one wants, to the detriment of one people do.</p> <p>“All resources are thrown into the AI abyss. It’s also created hardware shortages that don’t seem to have an end.</p> <section class="section main-article-chapter" data-menu-title="AI sales focus"> <h2 class="section-title"><i class="icon" data-icon="1"></i>AI sales focus</h2> <p><a href="https://www.computerweekly.com/opinion/Azure-Local-Disconnected-looks-the-part-for-sovereignty-It-isnt">Owen Sayers</a>, an independent consultant with decades of experience in delivering public sector IT, said: “In UK South, Microsoft offers 10 different types of GPU. In UK West, they have just two, and the A100 there is no spring chicken. Microsoft are focusing heavily on sales of AI, and if customers in the UK are buying GPU, it’s pretty much always going to be in UK South as their anchor tenancy.</p> <p>“That will increase heat, power and load,” he added. “Nothing restricts datacentre capacity more than a few hundred power-draining GPUs. Also, Microsoft wants to sell GPUs with everything, so perhaps their focus has drifted from traditional cloud towards AI and they aren’t managing capacity well as a result.”</p> <p>According to <a href="https://www.computerweekly.com/news/366640935/Data-dive-Government-2030-datacentre-capacity-targets-look-shaky">data from Barbour ABI and ComputerWeekly</a>, around 121MW of datacentre capacity is due to complete in 2026, in areas that come within Azure’s UK South and West regions. The bulk of that will be at a Virtus development in High Wycombe in Bucks, a Kao development at Harlow in Essex, and for Vantage Data Centres in Newport, South Wales, which would be within UK West and could allow capacity to be reallocated.</p> <p>Microsoft responded to a summary of complaints with the following: “Azure is delivered through a global network of around 80 regions worldwide, giving customers flexibility in how they deploy and scale workloads. As customer demand for Azure services in the UK remains strong, we continuously monitor and adjust how resources are allocated to ensure reliable support for existing customer workloads and maintain service availability and performance.”</p> </section> Microsoft customers report being refused capacity, migration projects stuck halfway, and accusations that AI is being prioritised over ‘bread and butter’ offerings https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/cloud-in-blue-sky-fotolia2.jpg https://www.computerweekly.com/news/366641533/Azure-customers-up-in-arms-over-full-UK-South-region Wed, 08 Apr 2026 10:30:00 GMT Azure customers up in arms over ‘full’ UK South region <p>Nearly one in eight young people in the UK aged 16 to 24, almost one million individuals, are not in education, employment, or training (Neet). For many, ambition alone isn’t enough. Opportunities often depend on who you know, not what you can do. This gap isn’t just a social challenge; it is a missed economic opportunity, especially for the UK’s growing digital economy.</p> <section class="section main-article-chapter" data-menu-title="From Croydon to coding: Angel’s journey"> <h2 class="section-title"><i class="icon" data-icon="1"></i>From Croydon to coding: Angel’s journey</h2> <p>Angel, from Croydon, knows this reality all too well. Growing up in a single-parent household and balancing school with caring responsibilities, she wasn’t sure a career in technology was possible. “I didn’t even know people like me could work in <a href="https://www.techtarget.com/whatis/definition/software-engineering">software engineering</a>,” she recalls. “I thought jobs like that were only for people with connections or the right background. I wasn’t sure I would ever fit in.”</p> <p>That changed when Angel joined a mentorship and work experience program designed to support young people facing social mobility barriers. Through structured workshops, insight days at major firms like <a href="https://www.computerweekly.com/news/366628267/Interview-Kirsty-Roth-chief-operations-and-technology-officer-Thomson-Reuters">Thomson Reuters</a>, and a paid <a href="https://www.computerweekly.com/news/366639497/Atos-IT-services-staff-of-the-future-begin-apprenticeships">apprenticeship</a>, she gained hands-on experience and built professional networks. “Meeting mentors who believed in me and showing me what was possible completely changed my outlook,” she says. “I went from thinking I had no options to seeing a whole world of opportunities I didn’t know existed.”</p> <p>Today, Angel is pursuing a full-time Software Engineering Apprenticeship, earning while she learns, and building a future she once thought was out of reach. “I still remember my first day in the office,” she says. “I felt nervous, but also excited. For the first time, I felt like I belonged in a professional space, like I could really do this.”</p> <p>Angel’s story illustrates a larger trend. Mentorship and early industry exposure can be a game-changer. <a href="https://www.ons.gov.uk/.../may2025">Data from a 2025 alumni survey by Urban Synergy,</a> a youth empowerment and social mobility charity, shows that young people who participate in structured mentoring and work experience are twice as likely to reach full-time employment. Even more striking, just 5 percent are NEET, less than half the national average.</p> </section> <section class="section main-article-chapter" data-menu-title="Why tech needs social mobility"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why tech needs social mobility</h2> <p>For the UK technology sector, which faces chronic <a href="https://www.computerweekly.com/feature/Looming-retirements-and-the-skills-shortage">skills shortages</a> in AI, software engineering, and cybersecurity, these figures are more than social statistics. They highlight a vast, untapped talent pipeline. Traditional recruitment often favours candidates with existing professional networks, leaving high-potential individuals from disadvantaged backgrounds overlooked. Programs like these break that pattern and create a more resilient, committed workforce.</p> <p>The impact goes beyond employment. Among alumni, 36 percent come from families where neither parent attended university, over a third were eligible for free school meals, and a quarter grew up in single-parent households. Many reported increased confidence, new skills, and broader professional networks. Crucially, those who received long-term <a href="https://www.techtarget.com/searchhrsoftware/feature/How-to-start-an-inclusive-mentoring-program">mentoring</a> were significantly more likely to maintain stable employment and financial independence, helping lift families and strengthen communities.</p> </section> <section class="section main-article-chapter" data-menu-title="Hands-on stem experiences open doors"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Hands-on stem experiences open doors</h2> <p>Industry-led initiatives also help demystify technical careers. Programs like Copilot AI workshops at the London Stock Exchange Group give young people hands-on experience with emerging technologies, showing that roles in science technology engineering and mathematics (Stem) are accessible and achievable. By moving beyond classroom learning to real-world exposure, these programs help spark interest in tech careers before talent is lost to disengagement.</p> <p>Perhaps the most telling sign of long-term impact is the culture of giving back. Eighty-nine percent of alumni want to return as mentors, creating a self-sustaining ecosystem that strengthens both the workforce and society. Angel plans to be part of that. “I want to show other young people like me that it is possible,” she says. “If I can do it, anyone can. I want to give back because someone believed in me first.”</p> </section> <section class="section main-article-chapter" data-menu-title="Building a future-ready workforce at scale"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Building a future-ready workforce at scale</h2> <p>Scaling these models is now crucial. <a href="https://urbansynergy.com/">Urban Synergy</a> aims to support 50,000 young people by 2027, but wider integration between the third sector and corporate IT departments is essential to maximize impact. If the UK is to maintain its position as a global tech leader, it must look beyond traditional talent pools. Investing in mentorship and removing invisible barriers to entry is no longer optional; it is a strategic necessity.</p> <p>Angel’s journey from uncertainty to opportunity is a blueprint for what is possible when guidance, exposure, and belief meet ambition. “I never thought I’d be here,” she says. “Now I’m not just building a career; I’m building confidence, independence, and hope for the future.” By unlocking the potential of NEET youth, the UK can create a more diverse, skilled, and future-ready workforce, proving that social mobility isn’t just a moral imperative; it is an economic one.</p> </section> One in eight people in the UK are not in education, employment or training (Neet). For the UK technology sector, facing skill shortages in AI, software engineering, and cybersecurity, they are a vital untapped pool of talent. https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/HR-recruitment-leadership-staff-workforce-fizkes-adobe-1.jpg https://www.computerweekly.com/news/366641132/How-the-UKs-Neet-youth-can-power-the-digital-economy Wed, 01 Apr 2026 07:04:00 GMT How the UK’s ‘Neet’ youth can power the digital economy <p>The Competition and Markets Authority (CMA) has announced it will launch a strategic market status (SMS) investigation into Microsoft’s business software ecosystem in May 2026 to address concerns about the company’s licensing putting restrictions on <a href="https://www.computerweekly.com/resources/Cloud-computing-services">competition in the cloud</a>.</p> <p>At the same time, the CMA announced that following engagement with Amazon Web Services (AWS) and Microsoft, the two companies have agreed to make changes to <a href="https://www.computerweekly.com/feature/Cloud-egress-costs-What-they-are-and-how-to-dodge-them">cloud egress fees</a> and product interoperability. </p> <p>Microsoft and AWS had been the subject of the CMA’s “cloud services market investigation”, which concluded last July and could have seen <a href="https://www.computerweekly.com/feature/The-CMA-anti-trust-investigation-into-AWS-and-Microsoft-explained-Everything-you-need-to-know">both companies designated with SMS</a>.</p> <p>The SMS designation investigation will last nine months. It will target concerns that Microsoft uses its dominant position in software (like Windows Server and SQL Server) to limit competition in the cloud market by making it more expensive or difficult to host these products on rival platforms such as AWS or Google Cloud.</p> <p>Meanwhile, AWS and Microsoft have agreed to take steps to remove or reduce egress fees –  the cost of moving data out of a cloud provider – and improve multi-cloud interoperability, with changes implemented through contract updates. The CMA board will review progress on these “in six months”. </p> <p>Microsoft and AWS have about 40% of <a href="https://www.computerweekly.com/news/366628071/Microsoft-reports-massive-cloud-uptick-as-CMA-questions-licensing">the UK cloud market</a> each, while Google Cloud comes some way behind with 10%.</p> <p>The CMA stated that while they are keeping all players under review, the specific issues regarding software licensing leverage were unique to Microsoft’s position, and that was why it was the only one subject to potential SMS designation.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the cloud services market</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/The-CMA-anti-trust-investigation-into-AWS-and-Microsoft-explained-Everything-you-need-to-know">The CMA anti-trust investigation into AWS and Microsoft explained: Everything you need to know</a>: After regulator Ofcom raised red flags about the anti-competitive behaviour of Amazon Web Services and Microsoft, the UK cloud market was referred to the Competition and Markets Authority – here’s why</li> <li><a href="https://www.computerweekly.com/news/366637816/UK-competition-regulator-looks-into-Googles-AI-search">UK competition regulator looks into Google’s AI search</a>: The CMA has proposed a number of steps to ensure publishers are treated fairly by search engine giant Google in regards to its AI Overview function. </li> </ul> </div> </div> <p>The CMA believes a major driver to act now is the rapid emergence of generative artificial intelligence (GenAI) and agentic AI tools. It says the market is currently open, but risks becoming closed if Microsoft’s ecosystem doesn’t allow for seamless interoperability with third-party AI innovators.</p> <p>Almost simultaneously with the CMA publicising its decision, <a href="https://www.aboutamazon.co.uk/news/aws/delivering-good-outcomes-for-uk-customers">AWS announced</a> “a new UK addendum” that aims to formalise a commitment to customer choice around multi-cloud adoption, data portability and switching processes.</p> <p>Not long after that, Microsoft <a href="https://blogs.microsoft.com/on-the-issues/2026/03/31/working-constructively-with-the-uk-cma-to-support-customer-choice-and-cloud-competition/">published a blog post</a> in which it set out its commitments to implementing changes set out by the CMA, and detailed measures taken in the areas of multi-cloud interoperability and data egress fees.</p> <p>The CMA decision was broadly welcomed, but with reservations over just how much “bite” the measures would have, and concerns that outcomes would be rigorously monitored.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">What they said</h3> <p><strong>Nicky Stewart, senior adviser to the Open Cloud Coalition:</strong></p> <p>“We welcome this further recognition from the CMA that unfair software licensing practices have broken the cloud market. The SMS investigation into Microsoft’s business software ecosystem must proceed without delay. We also urge the CMA to take swift action should Microsoft and AWS fail to meet their commitments on egress fees and interoperability, and to ensure those commitments are meaningful. Slow progress on these issues continues to hamper growth, innovation and resilience in the UK cloud marketplace.”</p> <p><strong>Bill McCluggage, director of IT strategy and policy in the Cabinet Office and deputy government CIO from 2009 to 2012:</strong></p> <p>“The CMA’s latest announcement signals intent, but not urgency. While an SMS investigation into Microsoft’s ecosystem and cloud licensing is welcome in principle, it risks becoming another procedural delay rather than decisive intervention. In the meantime, the dominance of Microsoft and AWS continues to solidify, with limited evidence that pricing or meaningful customer choice will improve.</p> <p>“Commitments on interoperability and egress are encouraging but lack transparency and immediacy. Without faster, firmer action, the outcome may simply reinforce the current duopoly, leaving UK businesses and the public sector exposed to long-term lock-in rather than genuine competition.”</p> <p><strong>Owen Sayers, an independent consultant with decades of experience in delivering public sector IT:</strong></p> <p>“The detailed undertakings from [AWS and Microsoft] suggest they’re taking this opportunity seriously, but a side by side comparison suggests that AWS are doing so more quickly than Microsoft. This may reflect the different technology landscape, where AWS are more likely able to meet the CMA required actions, such as opening up interconnectivity to GCP.</p> <p>“The biggest takeaway from this on the first reading is the SMS investigation into Microsoft’s Business Software ecosystem. This suggests that the SMS will extend beyond just their cloud practices to their whole stack, which of course it should.</p> <p>“Microsoft makes no clear distinction between cloud and desktop or on-premises services, and for many years have used – and some would say abused – their near-total monopoly of desktop, personal computer and enterprise products to build their cloud adoption pathway. Any CMA SMS investigation worthy of the name needs to look at the entirety of their delivery landscape, which the term ‘ecosystem’ suggests might now be what they will undertake.”</p> <p><strong>Statement from Cloud Infrastructure Service Providers in Europe (Cispe):</strong></p> <p>“It is good to finally see the CMA’s report, although as they admit, the market has moved on since the investigation was opened five years ago. Cispe’s complaint, negotiation and ultimate agreement with Microsoft delivered far more concrete solutions for European Cloud Infrastructure Service Providers, far faster. As an example, just last week, we achieved parity in ESU [Extended Security Updates] pricing between Microsoft software running on Azure and on other clouds.”</p> <p><strong>Kevin Dunn, vice-president and general manager for EMEA at cloud provider Wasabi Technologies:</strong></p> <p>“The CMA’s decision is a decisive step toward tackling long-standing barriers like complex and unpredictable pricing, high fees and contractual lock-in that limit customer choice. Cost predictability is fundamental to cloud economics, yet our data shows 46% of UK businesses have overspent their cloud budgets in the last year.</p> <p>“We look forward to understanding how the CMA will deliver the targeted remedies that improve transparency, and create a more competitive, customer-first cloud market.”</p> <p><strong>Mark Boost, CEO at UK sovereign cloud provider Civo:</strong></p> <p>“The decision made by CMA to investigate Microsoft is encouraging, but the decision to exclude AWS raises practical concerns with both providers being structured in the same way from a structural lock-in perspective, which could create a regulatory imbalance between the two parties that would keep one side unchallenged.</p> <p>“The actions proposed in Point 33 [detailed requirement regarding egress fees, multi-cloud, etc.] provide evidence of the desire to address such market imbalances. However, it is important ambition is met by additional, enforceable measures being implemented. Voluntary arrangements made with parties outside of the SMS framework will not provide real impact, and by delaying its final decision regarding Microsoft and excluding AWS altogether, there is a risk for CMA to unnecessarily prolong uncertainty and miss an opportunity to future-proof the UK’s digital infrastructure.”</p> </div> </div> CMA to investigate whether Microsoft should be given strategic market status. Amazon escaped, but both companies will need to make changes to egress fees and interoperability https://cdn.ttgtmedia.com/visuals/German/article/acquisition-monopoly-adobe.jpg https://www.computerweekly.com/news/366640828/CMA-to-launch-strategic-market-status-investigation-into-Microsoft-Amazon-Web-Services-off-the-hook Tue, 31 Mar 2026 11:30:00 GMT CMA to launch strategic market status investigation into Microsoft; Amazon Web Services off the hook <p>HSS ProService’s emergence as a fully digitised business has been underpinned by <a href="https://www.computerweekly.com/resources/Cloud-applications">a marketplace system</a> built on functional programming in Scala and Cats, plus agentic artificial intelligence (AI), to handle a complex hire-tracking environment.</p> <p>Last October, HSS Hire Group – which was established in 1947 – sold its physical rental operations, including 130 depots, to a private equity firm and became a pure-play digital conduit between <a href="https://www.computerweekly.com/feature/From-chaos-to-clarity-How-AI-is-redefining-construction-at-scale">construction customers</a> and suppliers.</p> <p>The newly branded HSS ProService became the digital hub of a newly “Uber-ified” business. It no longer maintains warehouses full of kit but is now a digital marketplace that pairs construction managers with a network of suppliers to provide tools, equipment, fuel, training and building materials.</p> <p>Underpinning its shift to becoming a zero-asset tech business is a custom-built, functional programming architecture <a href="https://www.computerweekly.com/feature/Skills-required-for-data-engineering-success">built with Scala and Cats</a> and designed to solve the kind of complex financial and operational chaos found in the construction industry.</p> <section class="section main-article-chapter" data-menu-title="No ‘checkout’ endpoint in hiring"> <h2 class="section-title"><i class="icon" data-icon="1"></i>No ‘checkout’ endpoint in hiring</h2> <p>Building services has long been a “notepad-and-paper” industry. For HSS to move away from this required more than just a website refresh. </p> <p>The move to a digital-only model was only possible by solving the industry’s most difficult problem. Namely, the non-linear nature of construction hire. Unlike standard e-commerce, where a transaction ends at the checkout, a hire journey is dynamic.</p> <p>“You don’t sell one item at one point in time,” said Daniele Turi, CTO of HSS ProService. “You take something on site, you deliver it, then after a few days or weeks or years, you go pick it up.</p> <p>“You might have issues along the way. You might also have issues with the various suppliers. You need also to have all the compliance associated with these items that you are delivering. So, it’s a much more difficult product life cycle than in a standard e-commerce setting.”</p> <p>Construction plans change constantly. A digger hired for three days might be needed for two weeks, triggering different rate structures. To handle this without manual reconciliation or “surprise invoices”, Turi’s team developed what they describe as a “self-healing” finance system.</p> <p>Built as part of a system – internally known as “Brenda” – the architecture tracks “daily revenue actuals”. Every day, the system looks at the full lifecycle of every contract. If a hire duration is extended, the system automatically recalculates the financial position for the entire duration of the contract in real time.</p> <p>“We have this self-healing finance system that tells us every day precisely what the customer will pay us and what we need to pay our suppliers,” Turi added.</p> </section> <section class="section main-article-chapter" data-menu-title="Underpinned by functional programming"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Underpinned by functional programming</h2> <p>To achieve this level of reliability in a “messy” real-world environment, Turi chose to use the Scala programming language, supported by the Cats library for functional programming in the back end. </p> <p>Turi opted for functional programming, which is often the choice in high-concurrency fintech environments, based on the need for “local reasoning” to provide the ability to test and change specific elements of code without causing a ripple effect across the entire distributed system.</p> <p>“The power of pure functional, particularly in this very messy setting, is that you can reason very locally about your elements of code,” said Turi. “Scala itself was built as a scalable language for big systems. With these extra layers, in Cats, you have pure functional, which makes it even simpler to reason about things, which makes it easier to maintain.”</p> <p>The stack is built on standard Postgres databases but relies heavily on Kafka for event streaming and OpenSearch for discovery. The entire infrastructure is headless and API-first, allowing HSS to integrate with suppliers who may still be using old-fashioned legacy systems.</p> </section> <section class="section main-article-chapter" data-menu-title="From trucks to AI agents"> <h2 class="section-title"><i class="icon" data-icon="1"></i>From trucks to AI agents</h2> <p>The shift to a tech-first model has also paved the way for AI integration. Because much of the construction industry remains digitally immature, HSS uses AI to bridge the gap between unstructured communication and its structured API-based core.</p> <p>The company is currently developing an agentic AI architecture that can ingest emails from suppliers – such as proof of delivery or collection – and automatically turn them into API calls.</p> <p>“Instead of asking any technical effort from not very tech-savvy businesses, we are shifting our model,” said Turi. “That unstructured data today, it’s now possible to turn it into nice, structured data that we push into our system via APIs. Nothing changes at the core.”</p> </section> <section class="section main-article-chapter" data-menu-title="A new blueprint for the sector"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A new blueprint for the sector</h2> <p>The transformation of HSS represents a total pivot in corporate identity. </p> <p>By offloading its physical kit, HSS has repositioned itself as a data-driven broker. The platform now feeds demand data back to small suppliers, allowing them to buy and maintain relevant equipment based on real-time search trends from customers that range from enterprise to consumer scale.</p> <p>The HSS story serves as a case study in using cloud-native, functional architecture to bypass legacy technical debt. By treating the “hardest layer” – the financial exceptions and real-world logistics – as the starting point, the company has built a platform it hopes will help it expand into new verticals such as waste, fuel and cleaning.</p> <p>Turi said: “It was a long journey because, as usual, things are much more difficult from a human process perspective. It wasn’t the lack of the technology. It’s simply that you need to take people on the journey.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about digital transformation</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Culture-eats-technology-in-digital-transformation">Culture eats technology in digital transformation</a>. Digital transformation without culture change is an empty phrase, but get the balance right and you can reap rewards.</li> <li><a href="https://www.computerweekly.com/opinion/Balancing-act-Managing-business-needs-alongside-digital-transformation-and-innovation">Balancing act: Managing business needs alongside digital transformation and innovation</a>. How can IT leaders deliver on the challenging balancing act between innovation, cost control, and managing corporate expectations? </li> </ul> </div> </div> </section> HSS’s pivot from 130-depot hire business to a digital-only marketplace to handle messy transactions and old-school processes in the construction sector https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Vodafone-CityFibre-hero.jpg https://www.computerweekly.com/news/366640327/HSS-ProService-Uber-ifies-with-functional-programming-and-agentic-AI Thu, 19 Mar 2026 11:08:00 GMT HSS ProService ‘Uber-ifies’ with functional programming and agentic AI ComputerWeekly.com 60 editor@computerweekly.com