Governments across the continent are increasingly championing the use of local, homegrown providers and tightening the rules on where the data of their citizens can be hosted, as a show of their commitment to data sovereignty.
An oft-cited reason for this is geopolitical concerns, which have become more pressing in the wake of US president Donald Trump starting his second stint in the White House back in January 2025.
As previously documented by Computer Weekly, Trump’s roll-out of tech-adjacent tariffs on global exports has prompted calls for Europe to take steps to enable a “strengthening of the domestic economy” to ensure the president’s actions cause minimal disruption to IT supply chains.
There are also the knotty claims pertaining to Microsoft reportedly cutting email access for the International Criminal Court’s (ICC) chief prosecutor, Karim Khan, in response to a February 2025 US executive order relating to a government investigation into Israeli politicians.
Microsoft president Brad Smith recently pushed back on these allegations, claiming the company did not “stop or suspend” its services to the ICC. Either way, the situation has heightened concerns that Trump’s actions could result in the plug being pulled on US-based cloud services that large swathes of European users depend upon.
These events have also served to highlight the divide between the rest of Europe and the UK’s attitude to cloud-related data sovereignty issues.
With many European companies seemingly pulling back from using overseas clouds, the UK’s reliance on them continues to grow, backed by government guidance – released at the start of 2025 – offering support to public sector organisations that want to host more of their workloads and applications in overseas clouds.
In a nutshell, the guidance permits UK public sector organisations to use cloud services hosted outside the UK for “resilience, capacity and access to innovation reasons”, and further states that “non-UK services can be more cost-effective and sustainable” than homegrown ones.
The source of the guidance – the Department for Science, Innovation and Technology (DSIT) – has faced criticism since it was published in early February 2025, with industry watchers telling Computer Weekly its contents are “discouraging public sector bodies” from buying from British tech businesses, at a time when most of Europe is championing homegrown providers.
A different approach in Europe
By contrast, less than two weeks after the DSIT guidance emerged, the Cloud Infrastructure Services Providers in Europe (CISPE) trade body announced a shake-up of its governance structure, with greater emphasis on championing the interests of the continent’s homegrown cloud services providers.
The organisation announced an update to its articles of association on 13 February 2025 that states only European cloud providers are permitted to hold board positions at CISPE.
The rule change resulted in US cloud giant Amazon Web Services (AWS) stepping down as a board member, meaning it no longer has any sway over the organisation’s governance or direction, because only board members have the right to vote on such matters at CISPE.
Incidentally, fellow public cloud giant Microsoft also joined CISPE earlier this year, as a non-voting member, having previously found itself at odds with the organisation over its strategy of charging enterprises more for running its software in competing cloud environments.
CISPE also introduced a new governance framework, dubbed the Sovereignty and Strategic Autonomy Committee, at the same time as announcing the change to its board structure.
According to CISPE, the committee’s creation is in response to the “increasing demand from European cloud users, government agencies and private sector customers for competitive, homegrown cloud infrastructure and AI solutions”.
Speaking to Computer Weekly, Jake Madders, director at Brighton-based cloud company Hyve Managed Hosting, says the UK government seems intent on pushing people towards using the US-based hyperscalers, which is at complete odds with what other European countries are doing.
“The complete opposite is happening in Europe, where they are prioritising homegrown businesses and local firms, and – from our perspective – it seems crazy that the UK is not looking after its own,” he says.
UK interests lie in overseas clouds
The DSIT guidance comes hot on the heels of nearly a decade of growing public sector adoption of US-based cloud services from AWS and Microsoft, predominantly, since both firms opened their first UK datacentre regions in 2016. Google Cloud, incidentally, opened its first UK datacentre in the summer of 2017.
Shortly after these regions went live, the UK government rolled out a public cloud-championing revision to its 2013 mandate for all central government departments to take a cloud-first approach to new technology purchases.
In the wake of this, the pool of UK-based cloud infrastructure providers that can offer genuine sovereign cloud services has all but dried up, as private and public sector organisations continue to increase their IT spend with US-based cloud firms.
Evidence of this can be seen in figures released in late June 2025 by public sector IT market watcher Tussell in its Tech Titans report.
The document details the UK public sector’s top 150 highest-earning technology suppliers, revealing that around a quarter of these companies are based in the US – although the majority are from the UK. However, the amount of public sector IT spend the UK-based “tech titans” are accruing is on a downward trajectory.
“While homegrown firms make up over half of the tech titans by number, their share of public sector tech revenue is shrinking – down from 45% four years ago to 42% today,” the report states.
And it is, as detailed in the report, a cause for concern. “Amid rising geopolitical tensions and renewed calls to ‘buy British’, the UK’s own tech champions are losing ground. This trend raises critical questions about resilience, domestic capability, and the future shape of public sector supply chains,” it says.
Growing concerns about overseas clouds
Dave Michels, a researcher specialising in cloud computing law at Queen Mary University London (QMUL), shared similar findings during a keynote at Forum Europe’s third annual European Sovereign Cloud Day event in June 2025.
“Within the global cloud infrastructure market, the top three providers – AWS, Microsoft Azure and Google Cloud – together hold some 63% of the market … [and when we] go down the list of the top eight providers, we see that those are all either US or Chinese companies. There is no single European cloud provider in the top eight,” says Michels.
“And that’s largely true of the European cloud markets too, [because] if we look at the top six leaders in the provision of cloud services in Europe, we’ll see the top three spaces are almost always occupied by Amazon [and] Microsoft,” he adds.
The exception to this is the French cloud market, where local, homegrown provider OVHCloud occupies the third-place position.
“If we look at data from the start of 2017 to about mid-2022, we can see that the overall [cloud] market has grown from around €2bn to €10bn, but – at the same time – the European provider’s share of the market has decreased from over 25% to just under 15%,” he continues.
“In other words, what we’re seeing is widespread reliance on foreign and particularly US service providers … and this has led to concerns both on behalf of individual customers and European policymakers.”
Some of these customer concerns include the risk that their chosen US-based cloud provider might hand over their data to the US government without informing them for law enforcement or foreign intelligence-gathering reasons under the terms of the Communications Act and FISA Section 72, respectively, says Michels.
“US protection orders can target data stored in Europe,” he adds. “So merely having data stored at datacentres within Europe does not protect data from US government access if the cloud provider is subject to US jurisdiction,” he warns.
AWS, incidentally, recently published a blog post clarifying its stance on responding to US government demands for access to customer data stored outside its home country, citing an “increase in inquiries” about this issue.
“There have been no data requests to AWS that resulted in disclosure to the US government of enterprise or government content data stored outside the US since we started reporting the statistic in 2020,” the AWS blog reads.
“Additionally, US law itself provides numerous statutory protections that help lower the risk that AWS could be required to disclose enterprise or government content data, and the US Department of Justice (DoJ) has implemented additional operational protections over the past eight years.”
Shutting down access
Another concern cited by customers, continues Michels, is whether the issuing of a US government order could result in them being shut off from using the services of their chosen cloud provider, as allegedly occurred during the aforementioned ICC case.
“With the US, we have a long-standing Nato partnership [and] they are our allies, [so] it’s a very low likelihood that they would cut [the UK] off from the US cloud … [but] what I will say for certain is that it would be very high impact,” he continues.
“It would be extremely disruptive if US cloud service providers stopped serving European customers in the public sector or in the critical infrastructure sectors. That would have a huge impact on European society.”
During a Q&A at the same event, Michels was asked by an audience member what advice he would give to enterprises and IT buyers who are concerned about becoming too reliant on the technologies of overseas cloud providers.
The answer to that, says Michels, depends on the industry the enterprise in question operates in, and the sensitivity of their data, which will dictate the type of IT environment they should be looking to build or adopt.
“If you’re talking about the defence sector or European intelligence agencies, then maybe there is a good argument for keeping a lot of that [data] on-premise … [and] in-house, [and] reducing reliance on external providers,” says Michels.
“You could [in that scenario also] have an air-gapped version of a cloud running locally on your own, on-premise infrastructure.”
For less sensitive data that still needs some additional security wrapped around it, Michels says there are European providers out there that have partnered with the US hyperscalers to provide customers with sovereign cloud options that can “reduce the risk of US government access” to their data.
This is an approach the team at Google Cloud has adopted, having forged partnerships with local cloud providers in Germany, France, Spain, Italy, Belgium and Luxembourg.
Microsoft has also announced strategic partnerships with Capgemini and Orange in France, and SAP and Arvato Systems in Germany, to provide users with access to cloud services that are under the respective control of both countries.
As previously reported by Computer Weekly, Microsoft has also entered into a preferential pricing deal with CISPE that will see it charge the trade body’s members less to host versions of its cloud software on their systems than it does AWS and Google for the same luxury.
“[That’s] appropriate for some use cases and can help drive demand for European services as well,” he says.
For low-risk data, though, users should not discount using a US-based hyperscale cloud, he adds.
“You might be storing non-personal data in the cloud about [the] stock [levels] of consumer goods that you’re selling, or you might be testing a new application with dummy data,” he says.
“The current hyperscale solutions are perfectly fine [for those use cases], and so it’s all about figuring out where on that spectrum you find yourself as a customer and choosing the appropriate solution for you.”
