Is Your Business Built on Someone Else's Land? The Growing Case for Digital Sovereignty

Only 35% of UK IT leaders have complete knowledge of where their organisation's data is hosted and which legal jurisdiction governs it. That finding, from a 2025 survey of over 1,000 UK technology decision-makers, should give every business owner pause — because the 65% who don't know are carrying a risk they can't quantify.

It's a risk that stopped being theoretical in October 2025, when a single DNS failure at Amazon Web Services' data centre in Virginia triggered the largest cloud outage of the year. Over 17 million disruption reports were logged globally. Banking applications failed. E-commerce platforms went dark. Post Office branches couldn't process packages. Services across more than 60 countries were knocked offline for over 15 hours — all because of one technical fault, in one building, on one continent. For businesses relying on AWS-hosted infrastructure, the estimated cost of downtime runs between $5,000 and $9,000 per minute.

And then there's the political dimension. In May 2025, the chief prosecutor of the International Criminal Court lost access to his Microsoft email account after US sanctions were imposed on ICC staff. Microsoft denied cutting services, but the outcome was the same: an international judicial body couldn't access its own communications. By October, the ICC had abandoned Microsoft entirely, replacing it with openDesk, an open-source platform developed under a German government digital sovereignty initiative. That same year, Chinese universities had their Microsoft 365 subscriptions terminated without warning. A Dutch cloud provider — Solvinity — chosen specifically by the Dutch government and the Municipality of Amsterdam to reduce US dependency, was acquired by American IT giant Kyndryl, placing critical national infrastructure back within reach of US law.

These are not isolated incidents. They are the early signals of a structural shift in how the world thinks about digital infrastructure — and UK businesses that aren't paying attention are leaving themselves exposed.

The infrastructure hiding in plain sight

When digital sovereignty comes up in the press, the conversation tends to focus on enterprise cloud computing and government data centres. But for the majority of UK businesses, the most immediate exposure is far more mundane: their website, their email, their analytics, their customer data.

Consider a typical small to medium-sized business. Its website is hosted on a US-owned platform. Its email runs through Microsoft 365 or Google Workspace. Its customer data flows through American CRM software. Its SEO performance is measured through US-owned analytics tools. Every layer of its digital presence is, in practical terms, subject to the legal jurisdiction of a foreign government.

The mechanism is the US CLOUD Act — the Clarifying Lawful Overseas Use of Data Act, passed in 2018. It allows American authorities to compel US-based technology companies to hand over data, regardless of where in the world that data is physically stored. When the president of Microsoft France was asked by the French Senate whether the company could guarantee that customer data would never be transferred to US authorities under this law, his answer was unequivocal: it could not.

Why this has become urgent

Three developments have pushed digital sovereignty from a niche concern into boardrooms across Europe.

The geopolitical context has changed fundamentally. Gartner — the world's leading technology research firm — has coined a new term for what's happening: "geopatriation," the strategic migration of digital workloads from global public clouds to local or sovereign environments. Gartner has named it a top strategic technology trend for 2026 and predicts that by 2030, more than 75% of European and Middle Eastern enterprises will have moved workloads into sovereignty-focused solutions, up from less than 5% in 2025. A separate Gartner survey found that 61% of Western European CIOs say geopolitical factors will increase their reliance on local cloud providers, while 53% say those same factors will restrict their future use of global providers.

Real-world disruptions have made the risk tangible. Beyond the AWS outage in October, the Iberian power blackout of April 2025 knocked out internet services for 60 million people across Spain and Portugal. Electronic payments stopped working. Transport systems halted. Emergency services were disrupted. It wasn't a cyberattack or a political decision — it was a reminder that physical infrastructure has its own vulnerabilities, and that digital resilience requires more than choosing the right software provider.

Regulation is accelerating. The UK's Data (Use and Access) Act 2025 came into force in June, introducing new rules on international data transfers. The EU's Data Act, enforceable from September 2025, mandates data portability and gives businesses explicit rights to switch between cloud providers. The NIS2 Directive imposes stringent security requirements on any UK business operating within an EU supply chain. For businesses that handle customer data — which is virtually all of them — the compliance landscape is shifting fast.

The response is already underway

This movement is no longer theoretical. Germany's state of Schleswig-Holstein has completed the migration of 40,000 employee email accounts from Microsoft to open-source alternatives, replaced Windows with Linux, and swapped Microsoft Office for LibreOffice. Denmark's Ministry of Digitalization is phasing out Office 365. France, Germany, the Netherlands, and Italy are investing in shared open-source platforms for government communication and document management.

In the private sector, European cloud providers are reporting surges in new customers. SAP has announced €20 billion in sovereign cloud investment. BT has launched a UK sovereign cloud platform. A coalition of 100 businesses wrote to European Commission President Ursula von der Leyen urging investment in a "EuroStack" of sovereign technology. 55% of Western European CIOs say open-source technologies will be an important factor in their future cloud strategies.

The era of defaulting to US platforms without question is drawing to a close.

What this means for your website and digital strategy

For businesses reviewing their digital presence — whether considering a website redesign, evaluating their SEO performance, or assessing their hosting arrangements — digital sovereignty adds a new and increasingly important dimension to what might otherwise seem like routine decisions.

Hosting jurisdiction determines which laws govern your data. A UK business whose website sits on US infrastructure is, in principle, subject to the CLOUD Act. Platform dependency limits your ability to move quickly if circumstances change — the EU Data Act now mandates portability, but mandating it and achieving it in practice are different things. The analytics and SEO tools businesses rely on to measure their online performance are overwhelmingly US-owned, and the data they process flows through US jurisdiction. Even email and communication platforms carry the same exposure, as the ICC discovered.

None of this means businesses should abandon every US-based tool overnight. But it does mean that decisions which were once purely technical — where to host a website, which CMS to build on, which analytics platform to use — now carry strategic, legal, and in some cases political weight.

What this means for your website and digital strategy

For businesses reviewing their digital presence — whether considering a website redesign, evaluating their SEO performance, or assessing their hosting arrangements — digital sovereignty adds a new and increasingly important dimension to what might otherwise seem like routine decisions.

Hosting jurisdiction determines which laws govern your data. A UK business whose website sits on US infrastructure is, in principle, subject to the CLOUD Act. Choosing a UK-based hosting provider that operates its own infrastructure within the United Kingdom ensures that customer data — enquiry forms, booking systems, e-commerce transactions — stays within UK legal jurisdiction. There is no ambiguity about which government can compel access to it, and no risk of a foreign policy decision disrupting service. Providers like Krystal, 20i, and TSOHost operate entirely within the UK; it is worth asking your current host where their data centres actually sit.

Open-source platforms reduce vendor lock-in. A website built on an open-source CMS like WordPress gives the business genuine ownership. The code is open. The data is portable. If circumstances change — a provider is acquired, a service is discontinued, a better option emerges — you can move without restriction. Proprietary platforms, by contrast, create the kind of dependency that the ICC, Chinese universities, and Dutch government bodies discovered the hard way.

Analytics and SEO tools carry the same exposure. The platforms businesses rely on to measure their online performance are overwhelmingly US-owned, and the data they process flows through US jurisdiction. When evaluating these tools, it is worth asking where data is processed and stored, and whether European or UK alternatives exist that meet your needs.

The choice of hosting provider or CMS might seem like a minor detail in the context of a web project. The events of 2025 suggest otherwise.

What not to do

The worst response to this shift is a panicked one.

Don't try to migrate everything at once. IDC analysts have noted that if every European organisation moved to local public cloud providers simultaneously, it would take approximately 20 years to build sufficient data centre capacity to meet current demand. Full independence from US hyperscalers is not realistic in the short or medium term. The pragmatic approach is to identify which data and workloads genuinely require sovereign hosting, and to make those changes deliberately.

Don't underestimate the acquisition risk. The Solvinity case is instructive. Dutch government bodies chose a local cloud provider specifically to reduce US dependency. When American firm Kyndryl announced its acquisition, those organisations found their sovereignty strategy undone by a market transaction they couldn't control. Choosing a European or UK provider isn't a permanent safeguard if that provider can be bought. Ownership structures and funding sources matter.

Don't assume it only applies to large enterprises. 70% of UK and Irish SMEs are concerned about data sovereignty but lack full understanding of the implications. The regulatory environment is evolving quickly. Businesses that assess their digital dependencies now and make informed choices about hosting, platforms, and data flows will be better positioned than those that wait for compliance — or circumstance — to force the decision.

Where to start

The starting point is simply knowing what you have and where it sits. Map the services your business depends on — hosting, email, CRM, analytics, document storage, communication tools — and identify the jurisdiction of each provider. Review your website hosting and understand who ultimately controls the infrastructure. If your site is built on a proprietary platform, ask how easily you could move it. If you work with an SEO agency or manage search performance in-house, find out where your data is processed and stored.

None of this requires a dramatic overhaul. Most of it requires a conversation and an honest audit. The businesses that will navigate this shift most successfully are the ones that start with clear-eyed awareness of their current position — and make deliberate, informed choices from there.

That 65% of UK technology leaders who don't fully know where their data is hosted? The question is whether your business is among them.

If you'd like to discuss your website hosting, digital infrastructure, or online strategy, get in touch.

Sources

• SecurityBrief UK / Civo, "UK IT leaders voice concerns over data sovereignty risks," June 2025 (survey of 1,006 UK IT leaders)
• Gartner, "Survey Reveals Geopolitics Will Drive 61% of CIOs and IT Leaders in Western Europe to Increase Reliance on Local Cloud Providers," November 2025
• Gartner, "Top Strategic Technology Trends for 2026," October 2025
• Downdetector / Communications Daily, "October AWS Outage Was the Largest of the Year," December 2025
• InfoQ, "AWS Disruption Exposes Fragility in Critical Cloud Infrastructure," November 2025
• The Register, "International Criminal Court dumps Microsoft Office," October 2025
• EJIL: Talk!, "Justice Recoded? Why It Matters that the International Criminal Court Embraced Open-Source Software and Ditched Microsoft," November 2025
• Computer Weekly, "Microsoft's ICC email block reignites European data sovereignty concerns," May 2025
• The Register, "Europe gets serious about cutting US digital umbilical cord," December 2025
• EE Times, "Europe is Breaking Up with U.S. Cloud," November 2025
• Computerworld, "Global uncertainty is reshaping cloud strategies in Europe," December 2025
• The Conversation, "Europe wants to end its dangerous reliance on US internet technology," February 2026
• Cloudflare, "How the April 28, 2025, power outage in Portugal and Spain impacted Internet traffic," July 2025
• ICO, "Data (Use and Access) Act 2025," June 2025
• Sherwood News, "European companies are leaving US cloud providers," March 2025
• Tech Monitor, "How much digital sovereignty does the UK have left?" September 2025
• The Register, "UK urged to cut out US Big Tech for sake of digi sovereignty," January 2026
• Capacity, "Outage, outrage and no plan B — AWS failure shows Europe is flying without a safety net," October 2025