UK sovereign cloud push requires hybrid balance

Writing in ITechLaw, Simon Colvin and Justin Chan, technology experts at Pinsent Masons were commenting on the balance between using normal cloud computing and ‘sovereign’ cloud resources, which is entirely operated, located and governed within one country.

Demand for sovereign cloud infrastructure is growing, with the UK rapidly becoming one of the most closely watched jurisdictions shaping how the market evolves. Driven by mounting concerns over data jurisdiction, national security and geopolitical instability, governments and companies are reassessing their reliance on global cloud providers.

Hear Simon Colvin and Hinesh Shah discuss this story on The Pinsent Masons podcast here or wherever you get your podcasts.

Sovereign cloud is a cloud environment entirely operated, located and governed within a country's borders. Governments are expected to be the main buyers of sovereign cloud solutions; followed by regulated industries, such as financial services; and critical infrastructure organisations such as energy, utilities and telecommunications.

But there is no universally accepted definition of what ‘sovereign’ means. Some stakeholders treat sovereignty as a largely technical concept, focused on data residency and operational controls. Others argue it must extend to ownership and corporate governance.

Colvin, who will be presenting on sovereign cloud at the ITechLaw World Technology Law conference in Chicago in May, said: “As concerns grow over geopolitical tensions and treatment of data as a strategic economic asset, data localisation and legal certainty - particularly reduced exposure to mandatory foreign disclosure and data transfer uncertainty - may outweigh the scale and elasticity advantages of global cloud platforms.”

One of the attractions of sovereign cloud is its potential to mitigate exposure to extraterritorial data access laws, such as the US Cloud Act. Sovereign cloud also offers an alternative to reliance on international transfer mechanisms such as the EU-US Data Privacy Framework.

“However, the recent Middle East conflict has shown the risks of ring fencing of data and the localisation agenda. Take for example the impact on data centres affected by the attacks. Any event that can hit an individual country is a risk to sovereign cloud services,” said Chan.

The UK government must balance ambitions for sovereign cloud and pragmatism about the scale and flexibility of the global cloud. In July 2025 it published its UK Compute Roadmap, committing to a “world-class compute ecosystem” and linking compute infrastructure to “sovereign, secure and sustainable capabilities”.

The UK framework stops short of a formal sovereign cloud policy. Existing government cloud guidance explicitly allows public sector data to be stored outside the UK, adopting a risk-based approach that permits global public cloud and multi-region software-as-a-service-models. Some departments, however, have taken their own approach. Last year, the Ministry of Defence agreed a £400 million contract with Google for a UK sovereign cloud environment tailored to defence and national security workloads, with UK-based controls and no reliance on the public internet. Oracle has launched its UK sovereign cloud to service organisations requiring UK data and operational sovereignty, while BT has introduced its Sovereign Platform to meet what it describes as a “growing priority” across public and private sectors.

Colvin said: “As has been the case with the adoption of hybrid public cloud and private models, we anticipate that many UK organisations concerned about the risks will consider the adoption of hybrid global and sovereign models. This is a pragmatic view given the concerns regarding the adoption of sovereign-only models. Such an approach, though, would introduce a range of technical, legal and operational considerations that will need to be carefully assessed."

"This will likely involve the adherence to somewhat competing principles which require a determination of the data and workloads that can safely reside in global cloud regions and those which require UK sovereign environments and how the distinction is managed and, on the other hand, consistent and secure interoperability between global and sovereign cloud environments.”