Britain’s Billion-Pound Cloud Gamble: How US Hyperscalers Became a National Vulnerability

UK public bodies spend billions annually on US hyperscalers, with 95% dependency exposing government and industry to outages, geopolitical risks and data access under the CLOUD Act. New reports reveal FTSE firms and IT leaders growing alarmed, yet migration lags. Real reform demands procurement shifts and domestic investment before a major disruption hits.
Britain’s Billion-Pound Cloud Gamble: How US Hyperscalers Became a National Vulnerability
Written by Ava Callegari

Britain runs on American clouds. The numbers paint a stark picture. Nearly every government department funnels money into systems operated by Microsoft, Amazon and Google. The sums add up fast. They reach billions each year. And the exposure grows with them.

Some 95 percent of central and local public-sector bodies spent on hyperscale cloud services in 2023/24. Count the software layered on top and that figure climbs to 99 percent across more than 1,100 organisations. Of the £17.7 billion handed to major tech suppliers, 55 percent — or £9.9 billion — flowed straight to the hyperscalers or their partners. The Ministry of Defence led the pack at £1.09 billion. HM Revenue & Customs followed with £1.01 billion. The Home Office, Department for Work and Pensions and NHS England each committed hundreds of millions more. The Next Web reported these figures.

Three names control the plumbing. Microsoft, Google and Amazon dominate connections mapped across departments and councils. The pattern repeats in the private sector. More than 60 percent of UK companies lean on cloud services for critical functions. Among FTSE 100 firms that share jumps above 80 percent. Eighty percent of cloud-using businesses depend on AWS, Azure or Google Cloud. Half the FTSE 100 ties its fate to UK and Ireland regions alone.

A single 24-hour outage in AWS’s eu-west-1 region in Dublin could trigger £1 billion in revenue losses for UK firms. The same disruption in the US-east-1 zone might cost £650 million. These estimates come from the Cyber Monitoring Centre’s report The Cost of Downtime: UK Exposure to Cloud Infrastructure Failure. They capture only direct hits. Ripple effects through supply chains stay uncounted. The Register covered the analysis in detail.

Last October an AWS outage offered a preview. A flaw in the DNS management system for DynamoDB cascaded across services. Lloyds Banking Group felt the pain. Government systems stumbled too. Many organisations thought they had spread risk with multi-region setups. Yet many critical workloads still trace back to the same vulnerable points. Redundancy failed to deliver when it mattered.

Outages tell only part of the story. Geopolitics adds sharper edges. The US CLOUD Act lets American authorities demand data from US providers regardless of where it sits. British soil offers no shield. Security officials lose sleep over black-box gateways that hide details from in-house teams. Thirty-nine percent of UK firms reported a hyperscaler outage in the past year. Seventy-seven percent of IT leaders voice concern about geopolitical exposure. Those numbers come from Civo’s 2026 research on UK cloud dependency.

That same survey shows priorities shifting. Sixty-one percent of UK IT leaders called data sovereignty a strategic priority in 2025. The figure rose to 73 percent this year. Sixty-one percent point to regulatory and compliance pressures as the main driver. Sixty-six percent say they would consider switching providers. Yet only 15 percent have moved to domestic alternatives. A 51-point gap yawns between intent and action. Just one in four believes their organisation could truly exit a major US provider. Twenty-eight percent now expect to deepen reliance on American hyperscalers, up from 12 percent previously. Ninety percent want the government to back British cloud technology. Civo published the findings.

Critics say successive governments slept on the issue. They embraced a cloud-first policy from 2013 onward. Guidance from the Department for Science, Innovation and Technology even suggested non-UK services could prove more cost-effective. Domestic providers such as UKCloud won contracts with the NHS, Ministry of Defence and local authorities. The firm entered administration in 2022. Post-Brexit talk of Global Britain accelerated deals with US giants. A £400 million Ministry of Defence contract went to Google. A £1.5 billion defence AI partnership landed with Palantir. The pattern repeats.

“Successive UK governments have created huge risks by sleeping on the issue of digital sovereignty while boosting the influence of the biggest US- and China-based tech companies,” Siân Berry, Green Party MP, told Computing. Matt Harris of HPE put it more bluntly. “If we look at say mobile or cloud, where did the UK play? Well, we made a choice to get strategically dependent on some large US companies.” He added that the hyperscalers “are now as powerful as sovereign governments.”

Mark Butcher went further. “We basically wrote a strategy which said we’re going to give all of our money to two big American hyperscalers. Neither of those hyperscalers contribute to UK society. They pay as little tax as possible and they don’t contribute back whatsoever, to any meaningful effect. And we’re now repeating exactly the same exercise with AI adoption.” Nicky Stewart of the Open Cloud Coalition noted simply that “Government is massively locked in.”

The Competition and Markets Authority spent three years studying the market. It concluded that AWS and Microsoft hold significant unilateral market power. High barriers and lock-in make switching rare. The regulator accepted voluntary commitments on egress fees and interoperability. It stopped short of binding rules. A separate probe into Microsoft’s software licensing continues. Vendors insist their dominance stems from genuine advantages in scale, security and cost. Customers keep signing up. The services work. They scale. They integrate. They also bind.

Europe watches with unease. Brussels has pushed a tech sovereignty package that restricts US cloud use for sensitive government data. France and Germany explore stricter measures. The UK response feels softer. Lawmakers hear repeated calls for action. Chi Onwurah, Labour MP, raised US cloud dependency in Parliament alongside cyber security concerns. Ninety percent of IT leaders in the Civo survey want proactive government support for homegrown options. Seventy-two percent believe UK innovation requires domestic infrastructure. Forty-three percent cite high compute costs as the biggest barrier.

Will Mayes, CEO of the Cyber Monitoring Centre, strikes a measured tone. “This concentration creates systemic vulnerabilities that require coordinated action from companies, insurers, regulators, and policymakers to manage effectively. This isn’t about stepping back from the cloud; it’s about recognizing that cloud is now part of our critical infrastructure and designing, governing, and investing accordingly.” His words appear in the downtime report covered by The Register.

Fixes exist on paper. Open standards could loosen lock-in. Government procurement could tilt toward UK-based providers that pay local taxes and employ local staff. Investment in domestic R&D, tax incentives and low-interest loans might nurture alternatives. Contingency plans — portable encrypted data replicas, clear exit processes — could reduce panic during failure. Some organisations already move workloads. One-third of respondents in related surveys report shifting or planning to shift away from US or Chinese clouds. Progress remains slow. Sovereign options often cost 10 to 30 percent more. Technical, contractual and organisational barriers stack high.

The Bank of England once warned that cloud concentration in financial services demanded new rules. That was years ago. Concentration has only grown. Recent cyber breaches at major UK organisations underscore the point. An outage or a sudden policy shift in Washington could turn theoretical risk into immediate crisis. Hyperscalers promise resilience. Their track record includes memorable failures. Customers accept the trade-off for now. Efficiency today. Exposure tomorrow.

Policy makers face a choice. They can continue writing large cheques to foreign providers. Or they can build a credible alternative that keeps critical data and operations under clearer national oversight. The latter demands money, coordination and political will. The former feels easier until the bill arrives. Britain’s cloud habit has hardened into dependency. Breaking it will not happen overnight. Ignoring it carries a price measured in billions — and potentially more.

Subscribe for Updates

CloudSecurityUpdate Newsletter

The CloudSecurityUpdate Email Newsletter is essential for IT, security, and cloud professionals focused on protecting cloud environments. Perfect for leaders managing cloud security in a rapidly evolving landscape.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us