UK Data Sovereignty Isn't Just an EU Problem

In 2014, I was working for a large I&C gas supplier on the government’s natural gas framework tender. That was the same year the government brought in Cyber Essentials, making it mandatory for certain public contracts from October 2014 under PPN 09/14. At the time, it felt more like a nice-to-have than a must-have. If we’re talking MoSCoW rules, it was a “should” at best. The procurement focus was price, delivery, and whether you could actually supply gas to public buildings. Security and data handling were there on paper but nobody was losing sleep over them.

Twelve years later, the landscape is unrecognisable.

What changed

On 13 July 2026, HM Treasury designated AWS, Google Cloud, Microsoft Azure, and Oracle as “Critical Third Parties” under the Bank of England’s oversight. These four companies now report directly to the PRA and FCA. They must demonstrate they can prevent, respond to, and recover from operational incidents. They must run scenario testing and share results with regulators.

That’s not a nice-to-have. That’s the UK government saying: we accept that our entire financial system depends on a handful of US-owned cloud providers, and we need regulatory teeth to manage that risk.

The same week, Parliament was still investigating Palantir’s £330m NHS Federated Data Platform contract. A US defence and surveillance tech company, founded by a billionaire Trump donor, holding patient data for the entire English NHS. It started with a £1 contract during the pandemic, grew to £60m in uncontested deals, and is now a £330m platform that two-thirds of voters want cancelled according to YouGov polling. The recommendation on the table is to activate the February 2027 break clause and move to either an in-house or UK-owned provider.

This is where we are now. The public cares about where their data lives. Parliament cares. Regulators care. The question is whether the companies building software for these institutions care enough to get their infrastructure right.

The gap between policy and practice

Here’s the strange thing. The government’s own guidance (published February 2025) states: “there is no universal requirement for government data classified as OFFICIAL to be physically located in the UK.” On paper, you can run OFFICIAL data on AWS us-east-1 if your security and legal ducks are in a row.

But paper doesn’t win contracts. Procurement teams read the news. They see Palantir headlines. They see the Critical Third Parties regime. They know their ministers are being asked questions about US tech companies and patient data. So even if the policy says “location doesn’t matter,” the practical reality is that UK data residency is increasingly a factor in scoring.

If you’re a SaaS company bidding on public sector work, or selling into NHS trusts, local authorities, or financial services, the conversation has shifted from “where’s your ISO 27001 cert?” to “where does the data actually live, and who owns the infrastructure it sits on?”

Cyber Essentials then and now

When Cyber Essentials launched in 2014, it covered five technical controls: firewalls, secure configuration, access control, malware protection, and patch management. Basic stuff. It was a floor, not a ceiling, and most of us in the industry treated it that way.

Now? Cyber Essentials Plus (with its independent verification) is a genuine gatekeeper. PPN 09/23 updated the requirements in October 2023 to be more explicit. MOD contracts have required it since January 2016. And it’s increasingly being demanded by private sector supply chains too, particularly banks and insurers.

But Cyber Essentials still doesn’t address data sovereignty. It tells you whether a company has basic security hygiene. It doesn’t tell you whether your data is being processed on infrastructure that a foreign government can legally compel access to. That gap is where the current debate lives.

The CLOUD Act problem (yes, in the UK too)

This isn’t just an EU concern. The US CLOUD Act (2018) allows US law enforcement to compel US-headquartered companies to hand over data stored on their infrastructure, regardless of where that infrastructure physically sits. AWS London, Azure UK South, Google Cloud europe-west2. All UK-located. All US-owned. All within scope.

For most workloads, this is an acceptable risk. The UK and US have a bilateral data access agreement. The likelihood of a US court ordering disclosure of random SaaS customer data is low.

But “low probability” doesn’t satisfy a procurement officer at an NHS trust who just watched their CEO get grilled on Newsnight about Palantir. It doesn’t satisfy the FCA’s new Critical Third Parties framework. And it definitely doesn’t satisfy the growing political mood that says British public services should run on infrastructure that Britain controls.

What this means for UK SaaS companies

If you’re building software that touches public sector, healthcare, or financial services in the UK, here’s where things stand:

Cyber Essentials is table stakes. You need it. Probably Plus. Don’t even turn up without it.

Data residency questions are coming. Not just “is it in the EU?” but “is it in the UK?” and increasingly “who owns the infrastructure?” Even if the formal policy doesn’t mandate UK residency, the scoring is shifting that way.

The Palantir backlash is a signal. The objection isn’t purely technical. It’s political, emotional, and rooted in public trust. Companies that can demonstrate UK-owned, UK-operated infrastructure have a narrative advantage that goes beyond compliance.

The Critical Third Parties regime changes the conversation. If AWS and Azure are now under direct BoE oversight because of systemic risk, that’s an implicit acknowledgement that concentration on US hyperscalers is a problem. Buyers are starting to ask about diversification and exit strategies.

Where does that leave us?

I still build primarily on AWS. For most of my clients, AWS London with proper security controls, encryption, IAM boundaries, and audit trails is the right answer. It’s pragmatic, it’s well-understood, and the regulatory position accepts it for OFFICIAL data.

But I’m watching the direction of travel carefully. The mood in UK public sector is shifting towards infrastructure sovereignty in a way that would have seemed paranoid in 2014 when I was filling in framework tenders and Cyber Essentials was brand new. Now it’s mainstream political debate.

If you’re a UK SaaS company and you can’t clearly articulate where your data lives, who owns the infrastructure, and what jurisdiction it falls under, you’re going to find doors closing. Not because the policy demands it today. Because the people behind those doors are reading the same headlines as everyone else.


Building for UK public sector or regulated industries? Let’s talk about your infrastructure.