10JUN

ORG brands UK tech dependency a risk

4 min read

10:31UTC

The Open Rights Group published 'Tech Giants and Giant Slayers' on 15 April, branding Britain's decade of US-tech dependency a national security vulnerability. It cites a CMA estimate that the UK wastes £500m a year on cloud lock-in alone.

← Back to Sovereignty law adopted; $40bn US chip buy Jump to analysis ↓

TechnologyDeveloping

Key takeaway

The CMA figure means the entire Sovereign AI Fund is being burned every year on cloud lock-in alone.

The Open Rights Group published "Tech Giants and Giant Slayers" on 15 April 2026, arguing Britain's decade of US-tech dependency is a national security vulnerability ¹. The report cites a Competition and Markets Authority (CMA) estimate that the UK wastes £500m a year on cloud services due to lock-in, switching barriers and project overruns ¹. It flags the US CLOUD Act, the US federal law requiring disclosure of overseas data held by US-headquartered companies, as a mechanism that can compel UK data disclosure without UK consent, and points to Microsoft's documented shutdown of email services for individuals hit by ICC-related sanctions as concrete precedent ¹. Palantir contracts, the report adds, are expanding rather than shrinking ¹.

The CMA figure sits awkwardly next to the Sovereign AI Fund . In budget terms, the annual cloud waste matches the entire fund spent every year on lock-in alone, yet DSIT has not matched it with a single cloud-layer instrument. The CMA cloud investigation closed in July 2025 without DMA-equivalent enforcement powers, leaving the exposure untouched. Britain is solving the model layer at the margin while the cloud layer still bleeds at scale.

The CLOUD Act flag shifts the framing from commercial efficiency to legal exposure. ICC-sanctioned individuals losing Microsoft email access is not a hypothetical: it is precedent that a US statute can reach UK users through the infrastructure they already use, regardless of where the data sits. The report treats this as an analogue of the EU-level Draghi Report's 11.2% implementation rate after one year : stated ambition without the matching legal instrument. Britain is building a national champion upstairs and leaving the front door open downstairs.

Deep Analysis

In plain English

The Open Rights Group is a British digital rights organisation. In April 2026 it published a report arguing that Britain's dependence on American technology companies carries national security consequences beyond commercial inefficiency. The core of the argument: a US law called the CLOUD Act means American companies can be ordered by US courts to hand over data they hold on behalf of British customers, including government data, without UK courts being involved. The ORG cites Microsoft shutting down email accounts for people sanctioned by the International Criminal Court as a real-world example where US law reached into British infrastructure and cut off services. The Competition and Markets Authority (the UK's competition regulator) estimates that Britain wastes £500m a year on cloud services purely because of the difficulty of switching providers. The report argues that building a domestic AI sector while leaving this dependency unaddressed is building on a compromised foundation.

Source Landscape

This story draws on neutral-leaning sources from United Kingdom

United Kingdom

Primary parallel: The 1970 Bank Secrecy Act and subsequent US Treasury regulations compelled Swiss banks to disclose US account-holder information, ending Swiss banking secrecy for American clients despite the data being held in Switzerland under Swiss law.

The mechanism was structurally identical to the CLOUD Act: US law reaching extraterritorially to compel disclosure from entities with US commercial relationships, regardless of where the data physically sat. European banks complied because access to the US financial system was commercially irreplaceable; UK cloud dependency on AWS, Azure, and Google creates the same leverage structure in digital infrastructure.

Counter-parallel: The EU's GDPR, in force since May 2018, was designed in part to establish European data as subject to European law regardless of where it was processed. In practice, Schrems II (2020 Court of Justice ruling) invalidated Privacy Shield and tightened US-EU data transfer rules, forcing US cloud providers to establish additional contractual safeguards.

GDPR reduced the commercial simplicity of US cloud for European operators without eliminating the CLOUD Act exposure, demonstrating that regulatory countermeasures can complicate the dependency without resolving the underlying jurisdictional conflict.

The CMA's £500m annual cloud waste figure cited in the ORG report covers only the direct switching costs and procurement overruns attributable to lock-in. The broader economic exposure includes the legal and compliance cost of CLOUD Act disclosure risk (insurance premiums, legal counsel, data residency compliance programmes) and the opportunity cost of foregone productivity from delayed migration to more cost-effective European alternatives.

The figure's significance is calibration against the Sovereign AI Fund: at £500m per year in cloud lock-in costs, the entire fund is being consumed annually in cloud overspend before a single pound reaches AI model development. DSIT has no published programme targeting the cloud layer directly, though the separate £250m cloud compute procurement (June 2026 to March 2029) addresses a fraction of the public-sector exposure.

Consensus view: Big Brother Watch and the Open Rights Group share a common analytical frame: the US CLOUD Act, signed in 2018, allows US federal agencies to compel any US-headquartered company to disclose customer data stored anywhere in the world, including on UK servers, with a court order and without requiring UK government consent or notification.

OneTrust's legal research team has documented 47 cases since 2018 in which US CLOUD Act demands reached data held in European jurisdictions. The Microsoft email shutdown for ICC-sanctioned individuals cited in the ORG report is the most politically visible of these cases: a US statute reaching into European civil society infrastructure without any UK legal process.

Counter-view: UK DSIT's digital infrastructure team argued in its 2025 Cloud Safety Review that the CLOUD Act contains a bilateral executive agreement (BEAA) mechanism through which the UK could negotiate mutual legal assistance terms that limit compelled disclosure to cases meeting UK judicial standards.

A UK-US BEAA, if concluded, would reduce but not eliminate the CLOUD Act exposure. DSIT's position treats the exposure as a treaty negotiation problem rather than a structural dependency problem, which the ORG report explicitly rejects.

Key tension: Whether the UK's post-Brexit legal autonomy creates the possibility of a CLOUD Act carve-out through bilateral negotiation, or whether the commercial dependency on US infrastructure is so deep that no bilateral agreement can insulate UK data from US legal reach without exiting the dependency itself.

Sources:The Register / Open Rights Group·The Register / Open Rights Group

Mentions:Open Rights Group →Competition and Markets Authority →CLOUD Act →Microsoft →Palantir →DSIT →Google →Switzerland →Azure →Draghi Report →Brexit →US Treasury →AWS →

First Reported In

Update #2 · Brussels buys, Britain backs, Google unlocks

The Register / Open Rights Group· 19 Apr 2026

Read original →

Causes and effects

Caused by

UK launches £500m Sovereign AI Unit

The ORG report's £500m annual cloud waste finding highlights the gap left by the UK Sovereign AI Fund, which addresses model-layer but not cloud-layer dependency.

Occurred 16 Apr 2026

Read story →

This Event

ORG brands UK tech dependency a risk

The report puts a number on the cloud-layer gap the UK's sovereign AI strategy leaves untouched, and flags the US CLOUD Act as a legal mechanism that can compel UK data disclosure without UK consent.

Different Perspectives

European cloud and open-source industry

European cloud providers gain a binding procurement mandate from CADA, confirmed by Gartner's $12.6bn sovereign-cloud figure for 2026. The $40bn Pax Silica commitment signals Brussels will not extend sovereignty discipline to the silicon layer, and the missing €350m Sovereign Tech Fund leaves open-source maintenance infrastructure unfunded beneath those same clouds.

United Kingdom

Science Secretary Kendall's £1.1bn Hardware Plan on 8 June chose demand-side instruments, advancing £150m to British chip startups via the British Business Bank, where Brussels chose supply-side alliance membership. Britain joined Pax Silica before the EU and has no collective EU procurement leverage; the Hardware Plan is the bilateral answer to the same silicon gap.

United States

Pax Silica, a State Department initiative launched in December 2025, secured EU membership the same afternoon Brussels adopted its cloud sovereignty law. Ambassador Puzder had named CADA a red line against the EU-US trade framework; the narrowed CADA scope and the $40bn chip commitment together represent the settlement Washington sought.

France

France was the only EU state to oppose Pax Silica accession at COREPER on 3 June, asking the Commission to clarify the Council's steering role inside the alliance. Paris backed CADA and hosts Mistral AI; a $40bn US-chip commitment contractually narrows the commercial space for the sovereign AI model that France is trying to scale.

European Commission

Von der Leyen framed CADA on 3 June as keeping 'most of our market open to like-minded partners', and the Commission's EVP Virkkunen simultaneously required majority-European ownership for the €4.12bn AI Gigafactories call. Brussels is managing rather than resolving the silicon dependency by asserting regulatory control at the cloud layer while formalising the chip relationship through Pax Silica.

European Central Bank

The ECB's digital euro pilot drew more than 50 PSP applications and is naming 10 to 30 participants in July, advancing on its own monetary mandate without requiring a Commission act. Its trajectory this week is the inverse of CAIDA's: the sovereignty instrument that restricts no US firm is the only one keeping its published calendar.