Europe Is Leaving. The UK Is Sleepwalking. And Nobody in Charge Seems Bothered.
I have been in IT for more than 40 years. Mainframes, minicomputers, client-server, web, cloud, whatever comes next. Across all of that, one pattern repeats itself with depressing reliability: the UK adopts technology faster than it understands the strategic implications, then spends the next decade cleaning up the mess.
We are doing it again.
This week on the blog, we have covered the CLOUD Act, your business's cloud vendor dependency, the practical audit you should be doing, and the Switzerland-UK divergence on Palantir. Today, I want to step back from the specifics and say something that has been building for months.
The UK has no digital sovereignty strategy. None. And the gap between what European governments are doing and what the UK is not doing has become the most dangerous blind spot in British cybersecurity.
What Europe Has Done in the Last 18 Months
Let me lay this out, because the scale of European action is staggering when you list it.
France, January 2026: banned all non-European videoconferencing from government use. Zoom, Teams, Google Meet, all gone. Replaced by a sovereign platform. Target: 250,000 government users by 2027. Estimated savings: €1 million per year per 100,000 users.
France, May 2024: enacted the Loi SREN, making ANSSI SecNumCloud-qualified hosting legally mandatory for sensitive government data. The first EU member state to legislate this.
Germany, Schleswig-Holstein: migrating 30,000 government workstations from Microsoft to LibreOffice. 80% complete. Exchange replaced by Open-Xchange. SharePoint replaced by Nextcloud. Teams decommissioned entirely. Savings: €15 million annually against a one-time €9 million investment.
Denmark, June 2025: Ministry of Digital Affairs migrating from Microsoft 365 to LibreOffice. Minister Caroline Stage Olsen stated they must never make themselves so dependent on so few that they can no longer act freely.
The Netherlands, March 2025: Parliament passed eight motions demanding the government end reliance on US cloud, build a national cloud under "full Dutch management," develop exit strategies, and give European companies preferential treatment in public tenders.
Switzerland, November 2025: Privatim declared US cloud services unsuitable for sensitive government data. Canton of Zurich banned American cloud services outright.
The EDPS, March 2024: found the European Commission itself violated data protection law through Microsoft 365 use. Ordered data flows to non-adequacy countries suspended.
Austria, January 2026: ruled Microsoft illegally tracked students through Microsoft 365 Education. Ordered tracking to cease within four weeks.
Germany, France, Italy, Netherlands, July 2025: established the European Digital Infrastructure Consortium to jointly develop sovereign tools as alternatives to US platforms.
That is not a trend. That is a continent-wide strategic realignment. Governments at every level, from municipal to federal to EU institutional, are reassessing their dependence on US technology platforms and taking concrete, funded, measurable action.
What the UK Has Done
I will keep this section brief, because there is not much to write.
The CMA published its cloud services market investigation in July 2025, finding that competition is "not working well." AWS and Microsoft each hold 30 to 40% of a £10.5 billion market. Fewer than 1% of customers switch. The CMA recommended considering Strategic Market Status investigations. A decision is expected in Q1 2026. That is a competition intervention, not a sovereignty strategy.
The ICO updated its international transfers guidance in January 2026. Good. But it does not mention the CLOUD Act by name, and no enforcement action has tested CLOUD Act exposure for UK organisations.
The NCSC published Cloud Security Principles. Helpful. But Principle 2 merely notes that organisations should understand the legal circumstances of unauthorised data access. It does not address the CLOUD Act specifically.
There is no UK government sovereign cloud programme. No migration pilot. No equivalent of France's SecNumCloud. No NCSC guidance on assessing US jurisdictional risk to commercial data. No publicly stated position on whether UK businesses should be factoring CLOUD Act exposure into their risk assessments.
The UK government, with more than 20,000 orders issued under the bilateral CLOUD Act agreement, is an active user of the mechanism it has done nothing to help UK businesses understand.
Why This Matters for Your Business
Here is the bit that makes me properly cross.
European governments are not doing this because they are paranoid. They are doing it because they ran the numbers, assessed the legal risk, and concluded that deep dependency on US platforms creates a strategic vulnerability.
Those same European governments are your trading partners, your clients' regulators, and increasingly, your customers' customers. When a German manufacturer requires its suppliers to demonstrate GDPR-compliant data handling, and your data sits on a US platform with CLOUD Act exposure you have never assessed, you have a problem. When a French public body requires SecNumCloud-equivalent assurances from its supply chain, and you cannot explain your data sovereignty posture, you lose the contract.
The UK government's silence on this issue does not protect UK businesses. It exposes them. Every European regulator, every European procurement framework, and every European trading partner is raising the bar on data sovereignty. UK businesses that have not assessed their position will find themselves locked out of markets they currently take for granted.
56% of UK small businesses use cloud services. 71% back up via cloud. Microsoft 365 has more than 400 million paid seats globally. The overwhelming majority of UK SMBs have never been told that their choice of email provider carries jurisdictional implications. Their IT providers have never raised it. Their accountants have never asked about it. Their lawyers probably do not understand it.
That is a failure of the entire UK professional infrastructure around small businesses. Not just the government. Not just the ICO. The whole ecosystem that is supposed to help businesses make informed decisions has collectively failed to mention that "which country's courts can compel your cloud provider to hand over your data" is a question that exists.
The Open-Source Elephant in the Room
I want to say something about the European open-source migrations, because they are routinely dismissed by UK IT managers as impractical idealism.
Schleswig-Holstein is not a university experiment. It is a state government with 30,000 workstations, civil servants with the same spreadsheet addictions as everyone else, and real deadlines. They are 80% through their LibreOffice migration. The Exchange-to-Open-Xchange migration has handled 40,000+ mailboxes. They have decommissioned Teams entirely.
Their numbers: €15 million in annual savings against a €9 million one-time investment. Payback in under eight months.
Denmark's Ministry of Digital Affairs is following the same path. The International Criminal Court switched from Microsoft to OpenDesk after US sanctions affected its Microsoft account access. Not a hypothetical. A real operational disruption caused by dependence on a US platform.
Element/Matrix (a UK company, incidentally) is deployed by governments in more than 25 countries. France's Tchap messenger has 360,000 monthly active users across the civil service. The Bundeswehr runs its messaging on Matrix. NATO ACT uses it. The European Commission has an active deployment. Germany's healthcare system is rolling it out for 74 million citizens.
These are not toys. They are production systems handling state-level workloads. The UK's own technology sector is building the sovereign alternatives that European governments are buying, while the UK government remains firmly wedded to US platforms. There is something genuinely absurd about that.
What I Think Should Happen
I am not a policy person. I fix computers and shout at people who do not patch them. But I have been watching this space long enough to know what a gap looks like before it becomes a crisis.
The NCSC should publish explicit guidance on CLOUD Act exposure for UK commercial organisations. Not buried in a cloud security principle. A standalone, plainly written assessment that helps businesses understand the jurisdictional risk of US cloud providers. The French ANSSI does this. The Swiss NCSC equivalent does this. Ours does not.
The ICO should clarify its position on CLOUD Act exposure within Transfer Risk Assessments. The updated January 2026 guidance is a step forward, but the absence of any mention of the CLOUD Act, by far the most significant extraterritorial data access mechanism affecting UK organisations, is a hole you could drive a lorry through.
The UK government should develop a proportionate sovereign cloud strategy. Not a rip-and-replace programme. A framework that identifies which categories of government and public sector data should not sit on platforms subject to foreign legal jurisdiction, with a realistic migration pathway and funded alternatives.
Trade bodies should incorporate data sovereignty into business advice. The FSB, IoD, CBI, and sector-specific bodies should be helping their members understand this risk. Currently, none of them are.
How to Turn This Into a Competitive Advantage
The UK government's inaction creates a first-mover advantage for businesses that act independently.
Position yourself as "sovereignty-ready." When European procurement frameworks tighten (and they will), businesses that have already assessed their data sovereignty posture, documented their CLOUD Act exposure, and implemented proportionate protections will be eligible for contracts that competitors cannot bid for.
Lead your sector's conversation. If you are the first firm in your industry to publish a data sovereignty statement, you define what "responsible" looks like. Everyone else has to follow your standard.
Build relationships with European-headquartered alternatives now. You do not need to migrate today. You need to have evaluated the options, tested one or two, and be ready to move if conditions change. That preparation has near-zero cost and significant strategic value.
How to Sell This to Your Board
The headline: "European governments are actively restricting US cloud services. UK regulation is heading in the same direction but has not arrived yet. We have a window to prepare before it becomes a requirement."
The risk: "If we wait for UK regulation to catch up with European action, we will be reacting under pressure alongside every other UK business. Preparing now costs one afternoon. Reacting later costs significantly more."
The opportunity: "Being demonstrably prepared for data sovereignty requirements positions us ahead of competitors in European procurement, public sector supply chain, and client trust."
What This Means for Your Business
Do not wait for the government to tell you. The ICO has not enforced. The NCSC has not published specific guidance. That does not mean the risk does not exist. It means you are responsible for assessing it yourself.
If you have completed Thursday's audit, you are already ahead. Document your findings. Brief your board. Set a review date. You now have a governance position that 99% of UK businesses do not.
Watch the European regulatory calendar. Denmark, Germany, France, and the Netherlands are all tightening requirements. If you trade with or supply into European markets, those requirements will affect you directly.
Talk to your industry body. Ask them what guidance they provide on data sovereignty and CLOUD Act exposure. If the answer is "none," tell them their members need it. Sometimes the conversations that change industries start with one awkward email.
Read the full series from this week if you have missed any part of it. Tuesday's CLOUD Act analysis, Wednesday's cloud dependency piece, Thursday's audit guide, and Friday's Switzerland case study. Together, they give you everything you need to make an informed decision about your data sovereignty posture.
This week's series has been based on Season 2, Episode 7 of The Small Business Cyber Security Guy podcast. If you have not listened yet, the full discussion covers territory we could not fit into five blog posts.