In September 2024, the UK government decided to classify datacentres as critical national infrastructure, aiming to strengthen its digital economy. However, the actual landscape is more complex than it appears at first glance. There’s uncertainty in policy, a heavy reliance on foreign cloud providers, and growing concerns about data sovereignty.
Forrester’s principal analyst, Tracy Woo, highlights the implementation of new sovereignty standards in Europe, like SecNumCloud in France and C5 in Germany, which push for local data handling. Nevertheless, the reality is tough. Major cloud services like Microsoft 365 and Azure openly acknowledge they can’t ensure that UK government data will stay on British soil.
Countries in the EU and Asia-Pacific are shifting towards non-US-based cloud providers to establish sovereign clouds and maintain their data locally. In the UK, recent scrutiny of cloud market practices has revealed vulnerabilities in the nation’s digital independence. The Data Use and Access (DUA) Bill, introduced in October 2024, adopts a more flexible, risk-based approach for international data transfers, but its effectiveness raises questions about the nuances of data protection standards.
As the UK leans on cloud-based tools, worries about compliance with data laws are on the rise. The Competition and Markets Authority (CMA) is now looking into practices that might tie customers to foreign providers, with a preliminary report due in early 2025. This scrutiny could pave the way for reforms to strengthen data sovereignty.
Mark Boost, CEO of UK cloud provider Civo, warns that depending on hyperscalers jeopardizes both technical control and national independence. The CMA’s review could lead to greater transparency and stricter UK data storage requirements from global providers. Boost emphasizes that transparency goes beyond mere location; it involves how datacentres are powered and secured.
The UK datacentre sector shows promise through regional investments, evidenced by a recent £250 million project in Salford. However, these initiatives are still outliers. Luisa Cardani of TechUK stresses the absence of a national policy statement could lead to a fragmented industry, with planning authorities lacking the expertise to streamline approvals.
There’s hope that classifying datacentres as nationally significant infrastructure projects could help. Yet, without a solid national strategy, investment is likely to stagnate. Data sovereignty and security standards are crucial in shaping the datacentre landscape, influenced largely by market dynamics.
Alvin Nguyen of Forrester emphasizes the risks of mixing local and hyperscaler-operated datacentres. Organizations should weigh their unique security requirements against the advantages and disadvantages of different providers. With increasing complexity around data sovereignty, businesses must consider strategic workload management across hybrid environments.
Jon Cosson from JM Finn observes that using a major cloud provider doesn’t automatically equate to security. He insists on knowing where data resides and how it is protected, raising concerns around compliance when data crosses international borders. The US Cloud Act presents additional challenges, potentially allowing US authorities easier access to data stored offshore.
While cloud adoption is unavoidable for some applications, on-premise solutions still hold vital importance for companies dealing with sensitive information. Nutanix provides tools that enable organizations to manage their workloads securely across both cloud and on-premise environments.
Both Boost and Cardani agree that collaboration among government, industry, and local authorities is essential for a resilient datacentre ecosystem. This cooperation must involve shared accountability, clearer policies, and incentives for both foreign and local cloud providers.
As we look ahead, organizations need to navigate the current landscape and meet existing data standards. National policies must support rigorous audits and certifications tailored to local needs. Standards like ISO 27001, GDPR, and PCI DSS set clear expectations but are just part of a larger framework increasingly focused on data sovereignty.
The CMA’s investigation is crucial for clarifying this complicated subject. IT leaders must remember that they cannot offload responsibility for security and compliance. As the UK’s digital infrastructure evolves, the businesses that adapt proactively to regulations and demand transparency will thrive.
At this pivotal moment, the UK datacentre industry stands ready for transformation. With clear policy, local investments, and a commitment to accountability, it could emerge as a global leader in digital infrastructure. Ultimately, trust and fair practices are key, as the true value at stake is the nation’s data. As Cosson aptly puts it, “Data sovereignty is not a buzzword, it’s survival.”