Your Cloud Stack Is Not Just Stationery: The Bet Your Business Made Without Realising It
I am going to ask you to do something uncomfortable. Not technically complicated. Not expensive. Just uncomfortable.
Open a spreadsheet. List every piece of software your business uses that touches client data, staff data, or anything you would not want on the front page of your local paper. Next to each one, write down who owns the company that makes it. Not who sells it to you. Not who provides your support. Who actually owns it, and where their headquarters sit.
I will wait.
Done? Good. Now count the American flags.
You Did Not Build This on Purpose
This is the bit that catches people off guard. Nobody sat down at a board meeting and said, "Right, let's deliberately route our entire digital life through companies subject to US legal jurisdiction." Nobody ticked a box marked "I accept that a foreign court can, in theory, compel my email provider to hand over everything."
You did what every sensible small business does. You picked the tools that worked, that your staff already knew how to use, that your IT person recommended, and that came up first when you Googled "best CRM for small business."
Microsoft 365 for email and documents. Maybe Google Workspace. A US-based CRM for your client database. Probably a US ticketing system for your help desk. A backup tool that quietly copies everything to a US-owned cloud. Monitoring agents on your servers phoning home to a platform in the States.
The DSIT Cyber Security Breaches Survey 2025 found that 71% of UK businesses now back up data via a cloud service. The FSB reports 56% of small businesses use cloud services, up from 35% five years ago. Microsoft 365 alone has more than 400 million paid seats globally.
You are not unusual. You are the norm. And that is precisely the problem.
The Stationery Analogy Is Dead
I used to hear this from IT managers all the time. "It is just email. It is just document storage. It is basically digital stationery."
That framing made sense in 2015. It does not make sense in 2026.
Your email contains contract negotiations, personnel disputes, client complaints, financial projections, merger discussions, and private messages between directors. Your document store holds board minutes, legal correspondence, HR investigations, and intellectual property. Your CRM holds every relationship your business depends on. Your backup system contains copies of all of it.
This is not stationery. This is the operational core of your business, and it is sitting on infrastructure controlled by companies that answer to a legal system you did not choose and cannot influence.
Corrine explained the CLOUD Act mechanics in yesterday's deep-dive. I am not going to repeat the legal analysis. What I want to do is connect those mechanics to the decisions you make every day without thinking about them.
The Same Bet, Different Scale
On the podcast this week, Noel made a point that stuck with me. If governments are getting nervous about US vendors having leverage over their health systems, their militaries, and their nuclear weapons programmes, why are you treating the same vendors as just office tools?
The NHS Federated Data Platform is a £330 million, seven-year contract with a Palantir-led consortium. The Ministry of Defence signed a direct award enterprise agreement worth approximately £240 million. Palantir sits across health data, defence systems, policing, nuclear weapons support, and border planning.
Switzerland looked at Palantir and walked away. Their military's risk assessment concluded data held by Palantir could be accessed by the American government and that leaks could not be technically prevented. The UK looked at the same company and gave it more.
Your business has made a smaller version of the same decision. You have put your email, documents, calendars, chat, CRM, and help desk onto US platforms. Not because you love America. Because that is where the tools are. Fair enough. But pretending it is neutral plumbing is where you get hurt.
What "Getting Hurt" Actually Looks Like
Let me be concrete, because abstract sovereignty arguments do not pay the bills.
Scenario one: the client question. You are pitching for a contract with an NHS trust, a local authority, or a European company with GDPR obligations. The procurement questionnaire asks: "Describe your data sovereignty posture. Which of your systems are operated by companies subject to non-UK legal jurisdiction? How do you assess and manage this risk?" You have never thought about this. You fumble. You lose the contract.
Scenario two: the journalist. A reporter writes a piece about UK charities handling vulnerable people's data on US platforms. They send you a standard press enquiry: "Can you confirm where your client data is stored and whether it is accessible to foreign government legal process?" You do not have an answer. The headline writes itself.
Scenario three: the ICO letter. No enforcement has happened yet. But the ICO updated its international transfers guidance in January 2026 with a three-step test for restricted transfers. The framework requires organisations to assess government access risks. When the ICO decides to test this area (and the direction of European regulation makes that increasingly likely), the question will be simple: "Show us your Transfer Risk Assessment for your US cloud providers." Do you have one?
Scenario four: the insurance claim. Your cyber insurance policy asks whether you have assessed and documented third-party data processing risks. You ticked yes. But you never assessed the jurisdictional risk of your primary cloud provider being subject to foreign legal process. If a claim arises, that gap in your documentation becomes relevant.
None of these scenarios requires a breach. None requires the NSA to actually care about your data. They require someone to ask the right question at the wrong time.
The Reputation Dimension Nobody Talks About
Imagine the headline: "Local charity cannot explain where vulnerable client data really lives."
Or: "NHS supplier had no idea US law might touch patient-related data they process."
You do not need a data breach for that to look terrible. All it takes is an awkward parliamentary question or a journalist with time on their hands.
This is the reputational dimension that boards consistently underestimate. Data sovereignty is not a technical issue. It is a trust issue. And trust, once questioned publicly, is extraordinarily expensive to rebuild.
The CMA's cloud services market investigation, published in July 2025, found that fewer than 1% of cloud customers switch providers annually. You are locked in. Your competitors are locked in. The first business in your sector to articulate a clear data sovereignty position gets to define what "responsible" looks like. Everyone else has to catch up.
The Psychology of Invisible Risk
I have spent years working with behavioural psychology in cybersecurity, and the CLOUD Act exposure is a textbook case of what psychologists call "normalcy bias." When something has never gone wrong, people assume it cannot go wrong. The absence of an ICO enforcement action becomes evidence of safety rather than evidence of a gap.
This is the same psychology that leads businesses to skip backups until they get ransomwared. The same psychology that treats MFA as optional until a credential stuffing attack empties the bank account. The risk is real, documented, and growing. The fact that it has not bitten you yet is not protection. It is luck.
A Gartner survey of Western European CIOs in November 2025 found 61% intend to shift more workloads to local or regional providers due to geopolitical concerns. 53% plan to restrict use of global hyperscalers. 44% have already started. The awareness is there at CIO level. It has not reached the 30-person firm in Wolverhampton.
That disconnect is your window. Before it closes.
How to Turn This Into a Competitive Advantage
Be the first in your sector to publish a data sovereignty statement. Not a 50-page policy document. A clear, simple statement on your website: "We have assessed where our business data is processed, understand the jurisdictional implications, and have taken specific steps to protect sensitive information." None of your competitors have done this.
Use it in tender responses. When a procurement questionnaire asks about data handling, you can now answer with specifics: "We have conducted a CLOUD Act exposure audit, identified our crown jewel data sets, and implemented proportionate protections including [specific measures]." That answer wins contracts.
Build it into client conversations. If you handle sensitive data for clients, proactively raising your data sovereignty posture signals competence and trustworthiness. "We want you to know we have assessed the jurisdictional risks of our cloud providers and here is what we have done" is a conversation nobody else is having.
How to Sell This to Your Board
The board does not need a seminar on the CLOUD Act. They need three slides.
Slide one: the exposure. "X of our Y core systems are operated by US-headquartered companies subject to the CLOUD Act. This means a US court could, in theory, compel production of data we hold on those platforms, including client data. No UK court has tested whether this conflicts with our UK GDPR obligations."
Slide two: the business risk. "This creates exposure in four areas: client contract compliance, regulatory investigations, insurance claims, and public reputation. The risk is unquantified because no enforcement precedent exists. European governments are actively restricting US cloud services. UK regulation is likely to follow."
Slide three: the ask. "We recommend a half-day CLOUD Act exposure audit (guide published Thursday on the blog), crown jewels identification for our most sensitive data, and a documented position we can reference if asked. Estimated effort: one afternoon with IT. Estimated cost: minimal."
What to Do This Week
Start small. Do the audit. Mark the crown jewels.
Ask one awkward question on your next vendor call: "Who controls the encryption keys for our data, and under what legal circumstances could you be compelled to provide access?"
That is it. Forward motion. Not panic. Not a rip-and-replace project. Just an honest look at the water you are swimming in.
Thursday's post gives you the complete step-by-step guide. No jargon. No consultancy fees. Just a whiteboard, a spreadsheet, and an uncomfortable truth.
Listen to the Full Discussion
This article expands on themes from Season 2, Episode 7 of The Small Business Cyber Security Guy podcast.