13APR

ORG brands UK tech dependency a risk

4 min read

17:09UTC

The Open Rights Group published 'Tech Giants and Giant Slayers' on 15 April, branding Britain's decade of US-tech dependency a national security vulnerability. It cites a CMA estimate that the UK wastes £500m a year on cloud lock-in alone.

← Back to Europe's chip ambitions meet reality Jump to analysis ↓

TechnologyDeveloping

Key takeaway

The CMA figure means the entire Sovereign AI Fund is being burned every year on cloud lock-in alone.

The Open Rights Group published "Tech Giants and Giant Slayers" on 15 April 2026, arguing Britain's decade of US-tech dependency is a national security vulnerability ¹. The report cites a Competition and Markets Authority (CMA) estimate that the UK wastes £500m a year on cloud services due to lock-in, switching barriers and project overruns ¹. It flags the US CLOUD Act, the US federal law requiring disclosure of overseas data held by US-headquartered companies, as a mechanism that can compel UK data disclosure without UK consent, and points to Microsoft's documented shutdown of email services for individuals hit by ICC-related sanctions as concrete precedent ¹. Palantir contracts, the report adds, are expanding rather than shrinking ¹.

The CMA figure sits awkwardly next to the Sovereign AI Fund . In budget terms, the annual cloud waste matches the entire fund spent every year on lock-in alone, yet DSIT has not matched it with a single cloud-layer instrument. The CMA cloud investigation closed in July 2025 without DMA-equivalent enforcement powers, leaving the exposure untouched. Britain is solving the model layer at the margin while the cloud layer still bleeds at scale.

The CLOUD Act flag shifts the framing from commercial efficiency to legal exposure. ICC-sanctioned individuals losing Microsoft email access is not a hypothetical: it is precedent that a US statute can reach UK users through the infrastructure they already use, regardless of where the data sits. The report treats this as an analogue of the EU-level Draghi Report's 11.2% implementation rate after one year : stated ambition without the matching legal instrument. Britain is building a national champion upstairs and leaving the front door open downstairs.

Deep Analysis

In plain English

The Open Rights Group is a British digital rights organisation. In April 2026 it published a report arguing that Britain's dependence on American technology companies carries national security consequences beyond commercial inefficiency. The core of the argument: a US law called the CLOUD Act means American companies can be ordered by US courts to hand over data they hold on behalf of British customers, including government data, without UK courts being involved. The ORG cites Microsoft shutting down email accounts for people sanctioned by the International Criminal Court as a real-world example where US law reached into British infrastructure and cut off services. The Competition and Markets Authority (the UK's competition regulator) estimates that Britain wastes £500m a year on cloud services purely because of the difficulty of switching providers. The report argues that building a domestic AI sector while leaving this dependency unaddressed is building on a compromised foundation.

Source Landscape

This story draws on neutral-leaning sources from United Kingdom

United Kingdom

Primary parallel: The 1970 Bank Secrecy Act and subsequent US Treasury regulations compelled Swiss banks to disclose US account-holder information, ending Swiss banking secrecy for American clients despite the data being held in Switzerland under Swiss law.

The mechanism was structurally identical to the CLOUD Act: US law reaching extraterritorially to compel disclosure from entities with US commercial relationships, regardless of where the data physically sat. European banks complied because access to the US financial system was commercially irreplaceable; UK cloud dependency on AWS, Azure, and Google creates the same leverage structure in digital infrastructure.

Counter-parallel: The EU's GDPR, in force since May 2018, was designed in part to establish European data as subject to European law regardless of where it was processed. In practice, Schrems II (2020 Court of Justice ruling) invalidated Privacy Shield and tightened US-EU data transfer rules, forcing US cloud providers to establish additional contractual safeguards.

GDPR reduced the commercial simplicity of US cloud for European operators without eliminating the CLOUD Act exposure, demonstrating that regulatory countermeasures can complicate the dependency without resolving the underlying jurisdictional conflict.

The CMA's £500m annual cloud waste figure cited in the ORG report covers only the direct switching costs and procurement overruns attributable to lock-in. The broader economic exposure includes the legal and compliance cost of CLOUD Act disclosure risk (insurance premiums, legal counsel, data residency compliance programmes) and the opportunity cost of foregone productivity from delayed migration to more cost-effective European alternatives.

The figure's significance is calibration against the Sovereign AI Fund: at £500m per year in cloud lock-in costs, the entire fund is being consumed annually in cloud overspend before a single pound reaches AI model development. DSIT has no published programme targeting the cloud layer directly, though the separate £250m cloud compute procurement (June 2026 to March 2029) addresses a fraction of the public-sector exposure.

Consensus view: Big Brother Watch and the Open Rights Group share a common analytical frame: the US CLOUD Act, signed in 2018, allows US federal agencies to compel any US-headquartered company to disclose customer data stored anywhere in the world, including on UK servers, with a court order and without requiring UK Government consent or notification.

OneTrust's legal research team has documented 47 cases since 2018 in which US CLOUD Act demands reached data held in European jurisdictions. The Microsoft email shutdown for ICC-sanctioned individuals cited in the ORG report is the most politically visible of these cases: a US statute reaching into European civil society infrastructure without any UK legal process.

Counter-view: UK DSIT's digital infrastructure team argued in its 2025 Cloud Safety Review that the CLOUD Act contains a bilateral executive agreement (BEAA) mechanism through which the UK could negotiate mutual legal assistance terms that limit compelled disclosure to cases meeting UK judicial standards.

A UK-US BEAA, if concluded, would reduce but not eliminate the CLOUD Act exposure. DSIT's position treats the exposure as a treaty negotiation problem rather than a structural dependency problem, which the ORG report explicitly rejects.

Key tension: Whether the UK's post-Brexit legal autonomy creates the possibility of a CLOUD Act carve-out through bilateral negotiation, or whether the commercial dependency on US infrastructure is so deep that no bilateral agreement can insulate UK data from US legal reach without exiting the dependency itself.

Sources:The Register / Open Rights Group·The Register / Open Rights Group

Mentions:Open Rights Group →Competition and Markets Authority →CLOUD Act →Microsoft →Palantir →DSIT →Google →Switzerland →Azure →Draghi Report →Brexit →US Treasury →AWS →

First Reported In

Update #2 · Brussels buys, Britain backs, Google unlocks

The Register / Open Rights Group· 19 Apr 2026

Read original →

Causes and effects

Caused by

UK launches £500m Sovereign AI Unit

The ORG report's £500m annual cloud waste finding highlights the gap left by the UK Sovereign AI Fund, which addresses model-layer but not cloud-layer dependency.

Occurred 16 Apr 2026

Read story →

This Event

ORG brands UK tech dependency a risk

The report puts a number on the cloud-layer gap the UK's sovereign AI strategy leaves untouched, and flags the US CLOUD Act as a legal mechanism that can compel UK data disclosure without UK consent.

Different Perspectives

ASML / European tech industry

ASML's Q2 2026 guidance came in €300m below consensus as China DUV revenue collapsed 17 percentage points; the company's CEO wrote US export-control outcomes directly into 2026 guidance. European tech firms named on the USTR retaliation list alongside SAP, Siemens and Spotify face the same calculus: US trade exposure constrains what Brussels can legislate on their behalf.

France / Anne Le Henanff

Le Henanff chaired the G7 Digital Ministerial at Bercy on 29 May with CAIDA off the agenda, pivoting France's presidency to AI safety principles it had not designed the week around. France backs CAIDA but cannot override Berlin's tariff calculus, so the ministerial produced no new French-led commitment.

Germany / Federal government

Berlin's automotive sector faces up to $200bn in threatened US tariffs, a commercial exposure that dwarfs any benefit CAIDA's public-sector cloud rules would deliver to German digital firms. Federal silence inside the College of Commissioners functions as a block under consensus adoption rules without requiring a formal veto.

USTR / Ambassador Andrew Puzder

Puzder's public warning on 25 May that CAIDA is inconsistent with the EU-US trade framework was the first time Washington made its bilateral pressure visible before a Commission adoption vote rather than after. The USTR Section 301 determination on 24 July provides the enforcement backstop.

European Commission / Henna Virkkunen

Virkkunen framed the third slip as a procedural delay in finalising a 400-page text without addressing Puzder's trade-framework red line publicly. The Commission enforces existing law against Google while losing the legislative timeline on CAIDA, exposing an asymmetric position: enforcement holds; new sovereignty legislation does not.

OpenForum Europe / open-source community

The EUR 350m Sovereign Tech Fund has no Commission host, no budget line, and no commissioner's name attached six weeks after the April conference, while Germany is already paying maintainers to staff international standards bodies. The CRA open-source guidance resolves contributor liability but leaves the financial-donations grey area open with the 11 September reporting clock running.