Skip to content
You can now search across every topic, entity and event.What's new
European Tech Sovereignty
13APR

ORG brands UK tech dependency a risk

4 min read
17:09UTC

The Open Rights Group published 'Tech Giants and Giant Slayers' on 15 April, branding Britain's decade of US-tech dependency a national security vulnerability. It cites a CMA estimate that the UK wastes £500m a year on cloud lock-in alone.

TechnologyDeveloping
Key takeaway

The CMA figure means the entire Sovereign AI Fund is being burned every year on cloud lock-in alone.

The Open Rights Group published "Tech Giants and Giant Slayers" on 15 April 2026, arguing Britain's decade of US-tech dependency is a national security vulnerability 1. The report cites a Competition and Markets Authority (CMA) estimate that the UK wastes £500m a year on cloud services due to lock-in, switching barriers and project overruns 1. It flags the US CLOUD Act, the US federal law requiring disclosure of overseas data held by US-headquartered companies, as a mechanism that can compel UK data disclosure without UK consent, and points to Microsoft's documented shutdown of email services for individuals hit by ICC-related sanctions as concrete precedent 1. Palantir contracts, the report adds, are expanding rather than shrinking 1.

The CMA figure sits awkwardly next to the Sovereign AI Fund . In budget terms, the annual cloud waste matches the entire fund spent every year on lock-in alone, yet DSIT has not matched it with a single cloud-layer instrument. The CMA cloud investigation closed in July 2025 without DMA-equivalent enforcement powers, leaving the exposure untouched. Britain is solving the model layer at the margin while the cloud layer still bleeds at scale.

The CLOUD Act flag shifts the framing from commercial efficiency to legal exposure. ICC-sanctioned individuals losing Microsoft email access is not a hypothetical: it is precedent that a US statute can reach UK users through the infrastructure they already use, regardless of where the data sits. The report treats this as an analogue of the EU-level Draghi Report's 11.2% implementation rate after one year : stated ambition without the matching legal instrument. Britain is building a national champion upstairs and leaving the front door open downstairs.

Deep Analysis

In plain English

The Open Rights Group is a British digital rights organisation. In April 2026 it published a report arguing that Britain's dependence on American technology companies carries national security consequences beyond commercial inefficiency. The core of the argument: a US law called the CLOUD Act means American companies can be ordered by US courts to hand over data they hold on behalf of British customers, including government data, without UK courts being involved. The ORG cites Microsoft shutting down email accounts for people sanctioned by the International Criminal Court as a real-world example where US law reached into British infrastructure and cut off services. The Competition and Markets Authority (the UK's competition regulator) estimates that Britain wastes £500m a year on cloud services purely because of the difficulty of switching providers. The report argues that building a domestic AI sector while leaving this dependency unaddressed is building on a compromised foundation.

First Reported In

Update #2 · Brussels buys, Britain backs, Google unlocks

The Register / Open Rights Group· 19 Apr 2026
Read original
Causes and effects
This Event
ORG brands UK tech dependency a risk
The report puts a number on the cloud-layer gap the UK's sovereign AI strategy leaves untouched, and flags the US CLOUD Act as a legal mechanism that can compel UK data disclosure without UK consent.
Different Perspectives
United States (Google/Alphabet)
United States (Google/Alphabet)
Alphabet lost its final Android appeal on 2 July with no further court to hear it, a result its Computer and Communications Industry Association allies frame as precedent, not deterrence, since the €4.1bn fine changed nothing about Google's Play Store terms across eight years of litigation.
UK Department for Science, Innovation and Technology
UK Department for Science, Innovation and Technology
DSIT opened its £96m second Sovereign AI wave on 3 July, switching from April's equity stakes to fixed-price contracts because Britain has no domestic hyperscaler or Bpifrance-style lender to fund capacity another way. It is betting on buying outcomes it controls alone rather than joining an EU-wide framework.
German federal government
German federal government
Berlin backed both German deliverables this week, Infineon's fab and Aleph Alpha's merger, but is finding one far harder to close than the other. It wants enforceable protective rights inside Cohere's cap table before the merger closes, a legal instrument the Bundeskartellamt has no filing to review yet.
European Commission
European Commission
The Commission banked a clean CJEU win on the eight-year Android case on 2 July, removing Google's last comparator argument before President von der Leyen rules on the far larger DMA self-preferencing fine due 27 July. Brussels treats Infineon's early Dresden delivery as proof the Chips Act mechanism works, at the node Europe already led.
Bruegel (EU industry sceptics)
Bruegel (EU industry sceptics)
Bruegel economist Mario Mariniello argued the EU sovereignty package mimics US and Chinese strategy while EU cloud providers hold roughly 15% of their home market; using nationality as a proxy for security without fixing the underlying capital and energy gaps that drive the dependency creates €86bn of migration cost without the security benefit it is sold as delivering.
France
France
France published a joint sovereignty definition with Germany at VivaTech and mobilised €13bn under Tibi Phase 3, placing SAP's partnership with Mistral as the working proof that a German enterprise-software giant running a French sovereign model inside public administration is what digital sovereignty looks like in practice.