Nowhere are the stakes of digital transformation higher than in the public sector. The decisions made today around data infrastructure and cloud procurement will define how the UK public sector operates for decades to come. But as we embrace digital transformation, we must ask ourselves: who holds the keys to our digital future?
Up until now, convenience has been the main deciding factor in public sector cloud procurement, with a handful of hyperscalers winning the majority of contracts. These platforms offered scale, speed, and attractive upfront credits. But only now are we waking up to the cost of that convenience. Today, around 70% of Europe’s cloud market sits under U.S. jurisdiction, exposing sensitive data to foreign laws such as the CLOUD Act.
This leaves the UK’s public sector with somewhat of a paradox. On one hand, AI sits at the heart of Britain’s plan for economic growth and leadership in digital services. However, if we keep handing over the keys to foreign hyperscale cloud providers, how will the UK’s tech sector ever get a fair chance to compete? What’s more, by placing so much reliance on businesses headquartered outside the UK, we are completely undermining our digital sovereignty and weakening our ability as a nation to shape the future of AI on our own terms.
AI has made the sovereignty conversation impossible to ignore. Modern AI models are only as powerful as the data that feeds them. If that data is stored and processed by foreign companies, questions around ownership, governance, and accountability become unavoidable.
Our own research shows that 68% of UK IT leaders will only use AI services where they have complete certainty over data ownership. Without jurisdictional clarity, trust in AI outcomes, and the ability to comply with regulation, completely breaks down.
In the public sector, this risk is amplified. Trust in government starts with how it protects citizen data. Losing control of that data risks not only compliance breaches but also public confidence. We saw this fall apart when Microsoft admitted that it could not guarantee the sovereignty of Scottish Policing data held on its servers. More recently, in a moment of complete déjà-vu, Microsoft told the French Parliament it cannot guarantee data sovereignty for customers in France, and, by extension, across the European Union, if the Trump administration were to demand access to information stored on its servers.
It is important to clarify that digital sovereignty is not about shutting out international partnerships or innovation. Instead, it is about ensuring that the UK maintains full legal and operational control over critical infrastructure. For the public sector, this translates into three main priorities:
Sovereignty is not only about keeping sensitive data within the right jurisdiction; it’s also about ensuring that governments and public bodies retain the freedom to choose and switch providers. Yet for too long, hidden charges and restrictive contracts have made switching expensive, complex, and sometimes near impossible.
The EU Data Act, taking effect this year, forces cloud providers to make data more portable. It clamps down on inflated egress fees and opens the door to multi-cloud strategies. In turn, we’re starting to see signs of progress. Google has launched its Data Transfer Essentials service, offering free data movement across the EU and UK. Microsoft and AWS have followed with at-cost options. It’s certainly not perfect - barriers still remain, and the biggest providers continue to shape the rules of the game. But regulation is beginning to tip the scales.
The UK is facing the same challenge. Just last month, the UK’s Competition and Markets Authority’s cloud investigation concluded that “competition is not working well.” That verdict goes to the heart of the sovereignty debate. Without genuine competition, the UK cannot claim real control over its digital infrastructure.
And this is where the distinction matters: data residency is not the same as data sovereignty. Storing information on servers physically located in the UK may tick a compliance box, but if those servers are owned and operated by foreign providers, control ultimately lies elsewhere.
The UK has the talent, the infrastructure, and the ambition to build a more sovereign digital future. But to achieve this, our government has to take the first step. Public sector procurement must move beyond short-term cost savings and prioritise long-term resilience and competition. Sovereign-first and open-source approaches, such as those now emerging across Europe, offer credible alternatives.
By leading with sovereignty, the UK public sector has a chance to set an example not just for business, but for citizens. It can demonstrate that digital transformation need not come at the cost of control or trust.