The UK government is facing criticism for sending mixed signals about its goal of becoming a technology superpower. On February 5, 2025, the Department for Science, Innovation and Technology (DSIT) released new guidance allowing public sector organizations to use cloud services hosted outside the UK. This is framed as a strategy to enhance resilience, capacity, and access to innovation.
The document underscores a “cloud-first” policy urging organizations to consider the best data storage options, including overseas services that might be cheaper or offer better features. DSIT claims this guidance reinforces existing laws and reflects a trend where some public sector bodies have been using overseas data storage for years, with this practice dating back to 2013.
However, this guidance comes in contrast to the Government Security Classification Policy, which until June 2023 restricted the use of non-UK cloud services. Owen Sayers, a seasoned enterprise architect, points out that the guidance seems to acknowledge the reality that critical data has already been processed on offshore platforms, despite previous warnings against it.
Public sector data on international cloud services surged after major providers like Amazon Web Services (AWS) and Microsoft opened UK data centers in late 2016. The transition away from British providers was significant, as seen in G-Cloud sales data—AWS’s sales went from £2.93m before its UK center to £149m within the next 57 months, totaling over £1.1bn since then. Similarly, Microsoft experienced increased sales after establishing its UK region.
Yet, questions about data sovereignty persist. In summer 2024, Microsoft disclosed it couldn’t guarantee the sovereignty of policing data stored in its public cloud. This raises concerns about how much government data may have already been stored abroad.
Sayers finds the new DSIT guidance noteworthy because it explicitly suggests that public sector organizations should seek out overseas options if they provide better pricing or innovation. He highlights the contradiction between these recommendations and the government’s recent push to establish the UK as a technology leader, particularly in artificial intelligence (AI).
The UK government’s 50-point AI opportunities action plan, introduced in January 2025, promises to build sovereign AI capabilities through significant investments in supercomputing and enhanced datacenter capacity. This raises concerns about how the recent guidance aligns with these ambitious plans.
In what appears to be a contradictory strategy, DSIT’s document states that not all cloud regions are equal, suggesting that public sector organizations shouldn’t restrict their options to the UK. Critics like Mark Boost, CEO of British cloud provider Civo, argue that the guidance undermines the UK economy and tech market by encouraging organizations to seek cheaper solutions abroad.
Boost insists that this move could harm British businesses and drive taxpayer money overseas, undermining investments in the UK’s tech capabilities. He emphasizes the potential dangers of outsourcing sensitive data and points to the availability of robust domestic cloud providers that can meet these needs without compromising security.
DSIT maintains that encouraging the use of overseas data centers will promote competition and improve IT resilience. However, Boost remains skeptical, arguing that processing sensitive data across borders exposes it to foreign legal systems, which is a significant risk for government departments.
Nicky Stewart from the Open Cloud Coalition echoes the sentiment, agreeing on the need to modernize public services but questioning the competitive claims made in the DSIT guidance. She suggests that rather than seeking foreign options, the government should address competition issues identified by the Competition and Markets Authority to bolster the UK cloud market.
When contacted, a DSIT spokesperson reiterated the government’s commitment to fostering a competitive cloud market that supports both domestic and international providers, emphasizing the benefits of using overseas data centers while assuring data security and compliance.