⭐100K+ Monthly Downloads
⭐Top 20 Apple Management
The Small Business Cyber Security Guy
Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my and the team’s thoughts, opinions forged in the heat of battle, and not those of our employers, clients, or any other professional with whom we are associated.
If you’re offended, take it up with us, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast are where we break it all down.
Grab a coffee and pull up a chair, you need to see this!
Your Encryption Isn't Protecting You. Microsoft Just Proved It.
In early 2026, the FBI served Microsoft with a search warrant. Microsoft handed over the BitLocker encryption keys for three laptops. No hack. No breach. No compromised passwords. Just a warrant, and Microsoft's compliance. Here is what nobody in UK small business is talking about: those same default settings that allowed this are almost certainly running on your devices right now.
And the legal mechanism that made it possible, the US CLOUD Act, reaches across the Atlantic directly into your Microsoft 365 tenancy, your Google Workspace, your entire US-hosted cloud stack. This is your five-step audit. No politics. No theory. Just the checks you need to do this week.
Europe Is Leaving. The UK Is Sleepwalking. And Nobody in Charge Seems Bothered.
France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data.
The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations.
Noel Bradford, with 40-odd years of watching the UK IT establishment make the same mistakes on repeat, asks the question nobody in Whitehall wants to answer: when did we decide that digital independence was somebody else's problem?
Switzerland Said No. The UK Said Hold My Beer. The Palantir Case Study Every Business Owner Needs to Read.
Switzerland's military commissioned a 20-page risk assessment of Palantir's software. The findings were blunt: data held by Palantir could be accessed by the American government, leaks could not be technically prevented, and the Army would become dependent on Palantir specialists. The recommendation was unambiguous: consider alternatives. Neutral Switzerland quietly walked away.
The United Kingdom looked at the same company and gave them more than £900 million in contracts across the NHS, Ministry of Defence, policing, nuclear weapons support, and border planning. Same company. Same risks. Opposite conclusions. This is the case study every UK business owner needs to read.
Your CLOUD Act Exposure Audit: The Step-by-Step Guide for UK Small Businesses
Every UK business using Microsoft 365, Google Workspace, or any US cloud service has an unassessed CLOUD Act exposure. This guide gives you a step-by-step process to map it: list your vendors, identify your crown jewels, check who controls the encryption keys, fold the findings into your DPIAs, and build a realistic exit plan.
No consultancy fees, no jargon, no panic. One afternoon with your IT lead and a spreadsheet. By Friday you will know exactly where your business sits and what, if anything, you need to change. This is governance, not a technology project.
Your Cloud Stack Is Not Just Stationery: The Bet Your Business Made Without Realising It
You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ago, and what one awkward question on your next vendor call can change.
The CLOUD Act and Your UK Business: The Unquantified Legal Risk Nobody Is Testing
The US CLOUD Act gives American courts the power to compel any US technology company to hand over your data, regardless of whether it sits in a London data centre or a bunker in Wyoming. UK GDPR Article 48 says foreign court orders do not make that transfer lawful. No UK court has tested this conflict. No ICO enforcement action has targeted it. The NCSC does not mention it by name. Corrine Jefferson, our resident intelligence analyst, dissects the legal contradiction sitting quietly in the middle of your Microsoft 365 tenant, and explains why "it's encrypted" is not the answer you think it is.
Switzerland Rejected Palantir. The UK Gave It the Keys to Everything.
I used to work in US government intelligence. I now live in London. Those two facts make me uniquely uncomfortable about Palantir's expanding presence across the British state. In December 2024, Switzerland's military concluded that data held by Palantir could be accessed by the American government and that leaks "cannot be technically prevented." Their recommendation was unambiguous: find alternatives. The UK's response to the same evidence has been to award Palantir more than £900 million in contracts spanning health records, defence operations, policing, and nuclear weapons systems. The reality is this: those are not compatible positions.
US Cloud Sovereignty Isn't a Trump Problem, It's a Three-Company Problem: Why UK SMBs Need to Understand Infrastructure Dependency
You've seen the memes. Trump is controlling cloud providers like puppets. Trump is literally unplugging Europe from US infrastructure.
They're viral because they touch a nerve about something real: UK businesses run on American infrastructure controlled by American laws. But the political framing misses the actual problem.
This isn't about any particular president or administration. This is about 15 years of infrastructure consolidation, creating structural dependency that predates and will outlast any political cycle.
Let's dissect what those images actually represent, why they're simultaneously right and wrong, and what UK SMBs need to understand about where their data actually lives.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and those of any contributors, and ours alone. They do not reflect or represent the views, beliefs, or policies of:
Our day job employers
Any current or past clients, suppliers, or partners
Any other organisation we are affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where we mention products, services, or companies, that’s based purely on our own experiences and opinions — we are not being paid to promote anything. If that ever changes, we’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.