Author: Eternity Lab

The UK government’s decision to designate datacentres as critical national infrastructure (CNI) in September 2024 signalled its ambition to build a digital economy that is secure and globally competitive.

But behind the headlines about protecting against cyber crime and IT blackouts lies a more complicated reality – a sector grappling with policy uncertainty, reliance on foreign cloud giants and a data sovereignty agenda that looks increasingly compromised.

In a blog post, Forrester principal analyst Tracy Woo wrote: “New sovereignty requirements such as SecNumCloud, Cloud de Confiance from France, and the Cloud Computing Compliance Controls Catalog (C5) from Germany, along with the push to keep data in-country, have created a broader push for private and sovereign clouds.”

But the promise of “protected infrastructure” rings hollow when hyperscalers openly admit they cannot guarantee that UK government data stored in cloud services such as Microsoft 365 and Azure will remain within national borders.

Woo points out that countries in the European Union (EU) and Asia-Pacific (APAC) have been attempting to more heavily leverage non-US-based cloud providers, create sovereign clouds, or leave workloads on-premise.

In the UK, regulatory scrutiny is exposing the fragile state of the UK’s digital independence. Looking at the UK’s approach to data sovereignty, law firm Kennedys Law describes the Data Use and Access (DUA) Bill, which was published in October 2024, as “a more flexible risk-based approach for international data transfers”.

Kennedys notes that the new test requires that the data protection standards in the destination jurisdiction must not be materially lower than those in the UK. According to Kennedys, this standard is less rigid than the EU’s “essential equivalence” requirement but raises questions about how “materially lower” will be interpreted in practice.

Understandably, with the government’s reliance on cloud-based productivity tools, concerns about compliance with UK data protection laws have intensified.

The Competition and Markets Authority (CMA) is now investigating cloud market practices that could lock customers into foreign providers. A provisional report is expected in early 2025, setting the stage for potential regulatory reforms aimed at boosting data sovereignty and curbing monopolistic practices.

Reshaping data sovereignty

This is not before time for Mark Boost, CEO of Civo, a UK-based cloud hosting specialist. “The inability to ensure data remains within UK borders underscores the risks of depending on hyperscalers,” warns Boost. “If we keep outsourcing critical data infrastructure, we risk losing more than just technical control, we lose national independence.”

The CMA’s review could reshape the country’s digital future, potentially mandating greater transparency and requiring UK data storage guarantees from global cloud providers. This is something Boost has been talking about for some time.

“Transparency isn’t just about where data is stored, it’s about how datacentres are powered, maintained and secured,” he says. His argument highlights the essential connection between data sovereignty and operational clarity, urging providers to adopt clearer accountability measures.

The inability to ensure data remains within UK borders underscores the risks of depending on hyperscalers. If we keep outsourcing critical data infrastructure, we risk losing more than just technical control, we lose national independence Mark Boost, Civo

Despite these challenges around transparency, the UK datacentre industry has seen promising signs, particularly in regional investment. The government’s recent announcement of a £250m datacentre project in Salford showcases how local government cooperation and targeted investment can drive growth. But such projects remain exceptions rather than the rule.

Luisa Cardani, head of datacentres at TechUK and author of the report Foundations for the future: How datacentres can supercharge UK economic growth, warns that without a national policy statement (NPS), the datacentre sector risks becoming fragmented. Local planning authorities lack the expertise and resources to approve projects efficiently, creating bottlenecks that could delay critical infrastructure developments for years.

“The industry wants to work with local people and authorities, but clear national planning guidance is missing,” says Cardani. “Without a coherent strategy, we’re stuck in a cycle of fragmented decisions and regulatory inertia.”

The proposed inclusion of datacentres under the nationally significant infrastructure projects (NSIP) regime could streamline the approval process, ensuring faster decision-making. However, this remains, for the moment at least, more of an aspiration. In reality, investment will remain stalled until the UK develops a coherent, national approach that balances public and private interests while streamlining the project approval process.

Data sovereignty and security requirements are fundamental to this, and to a large extent it will be market forces that determine the shape and size of the UK’s datacentre industry. On this front, Alvin Nguyen, senior analyst at Forrester, says businesses must recognise the different risk profiles posed by local and hyperscaler-operated datacentres.

“It should be expected that hyperscalers will have more bandwidth, more scalability and more redundancy than their more localised counterparts, but having datacentres classified as critical to the UK’s infrastructure may help with mitigating some, but not all, security risks,” he says.

Complexity of keeping data within national borders

Nguyen also questions whether data sovereignty debates might be over-simplified in some cases.

“With data security, it comes down to what the organisation’s requirements are to determine whether or not to go to a hyperscaler or a local datacentre,” he says. “With sovereignty, that is a bit different. If there are components to the sovereignty laws to restrict access or use of data outside of the local datacentres, hyperscalers will need to ensure that guardrails are in place.”

Nguyen’s comments underscore the complexity of managing sensitive data across hybrid environments. Rather than focusing solely on whether to choose a local or global provider, businesses should consider managing workloads across hybrid cloud environments more strategically.

“Many organisations will find a mix of cloud and datacentres makes the most sense … the risk profile of each is different and that blend of risk when combining cloud and datacentres can be made to be optimised for them,” he says.

The security risks associated with data sovereignty are multifaceted, extending far beyond simple data storage concerns. For businesses in regulated sectors, particularly financial services, the stakes are immense.

When on-premise is the only option

Jon Cosson, head of IT and chief information security officer at wealth management firm JM Finn, underscores the potential dangers when businesses assume that using a large cloud provider automatically guarantees security.

“It’s absolutely imperative you know where your data is and how to secure it,” he warns. “You would not believe how many businesses still just rely on somebody else.”

The issue is compounded by the jurisdictional complexity of global cloud services. When sensitive data crosses borders, it may fall under multiple regulatory regimes, raising questions about legal access and government overreach. This concern has been amplified by legislation such as the US Cloud Act.

In 2019, the then home secretary, Priti Patel, signed a US Cloud Act Agreement covering the UK and Northern Ireland, in which the US and UK governments agreed to provide timely access to electronic data for authorised law enforcement purposes. The Cloud Act could compel US-based hyperscalers to provide foreign-stored data to US authorities, bypassing local laws.

“I want to know exactly where my data goes, how it’s encrypted and how quickly I can get out if needed,” says Cosson, reflecting a broader industry concern that opaque data paths and limited contractual assurances can expose businesses to significant compliance risks.

“We use the cloud when we have to, but still run key systems on-premise for control,” adds Cosson. This approach is typical of companies handling sensitive financial data. There is a lack of trust with organisations not prepared to take promises of “secure cloud storage” at face value.

While Cosson acknowledges that cloud adoption is inevitable for some services, such as Microsoft 365, he underscores the enduring role of on-premise infrastructure for businesses that require absolute control over sensitive data. This, of course, raises an additional problem of how to manage hybrid data environments securely and efficiently.

According to Cosson, companies like Nutanix play a critical role here, enabling organisations to manage workloads across cloud and on-premise environments while maintaining data control. Nutanix’s infrastructure services are designed to address sovereignty concerns, he says, by ensuring businesses have clear data management policies and remain compliant with local regulations.

We need coordinated efforts between government, industry and local authorities to build a resilient datacentre ecosystem. This means shared responsibility, clearer policy frameworks, and incentives for both hyperscalers and UK-based providers Luisa Cardani, TechUK

“The next five years will be decisive,” says Civo’s Boost. “If transparency becomes a legal requirement, we’ll see businesses demanding more from providers, not just about where data resides, but also how infrastructure is managed and powered.”

TechUK’s Cardani believes public-private partnerships will play a crucial role here. “We need coordinated efforts between government, industry and local authorities to build a resilient datacentre ecosystem,” she says. “This means shared responsibility, clearer policy frameworks, and incentives for both hyperscalers and UK-based providers.”

Boost and Cardani each agree that the balance of power between hyperscalers and local operators may shift, particularly if future policies mandate data localisation or prohibit cross-border data transfers without explicit guarantees. Sovereignty-by-design, where infrastructure is built to meet local compliance from the start, could become the new standard.

Adhering to current standards

Until that point, organisations need to work out how they can meet existing standards. Cardani argues that adherence to standards must be supported by national policies that enable transparent reporting and clear accountability structures.

In practice, this means enforcing mandatory audits, data residency certifications and security benchmarks tailored to UK-specific legal frameworks. Without these measures, businesses risk falling into compliance gaps that could expose them to data breaches, fines and legal disputes.

Frameworks such as ISO 27001 for information security management, General Data Protection Regulation (GDPR) for data privacy and Payment Card Industry Data Security Standard (PCI DSS) for payment security set clear operational expectations. Yet these standards are only part of the equation, as evolving regulations increasingly emphasise data sovereignty and security-by-design.

Ensuring that datacentres comply with such frameworks while offering sovereignty guarantees has become a pressing challenge. Hyperscalers operating across multiple jurisdictions complicate audits and compliance checks due to varying legal obligations and data transfer rules.

The introduction of the CMA’s investigation is urgently needed, if only to provide some clarity around what, for most buyers, has become a confusing subject.

For IT leaders, the critical takeaway is that responsibility cannot be outsourced. Security, compliance and sovereignty must be actively managed through risk assessments, compliance audits and multi-supplier strategies.

And as the UK’s digital infrastructure evolves, only businesses that stay ahead of regulation and demand transparency from their providers will be able to navigate the uncertainties.

On that score, the UK’s datacentre industry stands at a crossroads – but with policy clarity, local investment and industry transparency, it has the potential to become a global digital leader in this space.

It’s about trust and everyone playing by the same, fair rules, but from a UK perspective it is also about protecting that most valuable national asset – data.

At JM Finn’s Cosson puts it: “Data sovereignty is not a buzzword, it’s survival.”

Source