Sovereign Cloud Initiative

Executive Summary

A multi-national cooperative framework for governmental migration from US-controlled cloud infrastructure to sovereign alternatives.

Classification: OFFICIAL

Audience: Cabinet Ministers, National Security Council, Permanent Secretaries

Action Required: Decision on proceeding with feasibility study and cross-government working group establishment

1. The Existential Threat

US CLOUD CONTROL: CRITICAL NATIONAL SECURITY RISK

Current Dependency

Four American corporations—Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI)—collectively control approximately 67% of global cloud infrastructure market (Q3 2025: AWS 29%, Azure 20%, GCP 13%, OCI 2% per Canalys/Synergy Research). Government cloud workloads in the European Union, United Kingdom, Canada, and Australia rely heavily on these providers, with sector-specific concentration often exceeding 80% for critical services.

Kill-Switch Mechanisms

Each US cloud provider possesses both the technical capability and legal obligation to comply with US government directives that could:

Disable or degrade services to foreign government workloads
Revoke encryption keys rendering data inaccessible
Exfiltrate data to US intelligence agencies
Terminate instances and deny service without notice

Legal Authorities

Authority	Capability
CLOUD Act (2018)	Compels US providers to produce data stored abroad regardless of local law
FISA Section 702	Enables warrantless surveillance of non-US persons using US infrastructure
Executive Orders	President can designate any foreign entity for technology sanctions
National Security Letters	Secret demands for data with gag orders preventing disclosure
IEEPA (1977)	Grants President emergency powers to regulate commerce and freeze foreign assets

Threat Scenarios

Economic Coercion

US threatens cloud service disruption to extract trade concessions, tariff agreements, or policy compliance. "Accept these terms or your benefits system goes offline."

Service Denial

During geopolitical dispute, US disables critical government services: healthcare records, tax systems, benefits administration, emergency services coordination.

Mass Surveillance

US intelligence agencies compel systematic access to government communications, citizen data, policy deliberations, and national security information.

State Ransomware

US holds sovereign data hostage: "Align with our foreign policy position or we encrypt your data and revoke access to your own government systems."

Important context: The legal authorities above are real and documented. However, there is no recorded instance of the US terminating cloud services to Five Eyes or NATO allies. These scenarios are theoretical risks, not demonstrated threats. The strategic case is about reducing structural dependency, not responding to an imminent attack. See the Evidence Base for full citations and claim verification.

2. The Cooperative Solution

Proposed Approach

A multi-national government cooperative coordinating cloud sovereignty migration via a consortium of non-US suppliers delivering:

Sovereign cloud infrastructure: Datacenters physically located within each jurisdiction, owned and operated by non-US entities, subject to local law exclusively
Open-source platforms: Kubernetes, OpenStack, open-source databases—avoiding proprietary US vendor lock-in
Collaborative architecture: Common reference architecture enabling cross-border cooperation while maintaining national sovereignty
Shared investment: Pooled R&D, common security frameworks, collective procurement leverage

Governance Model

Each jurisdiction retains full sovereignty over its infrastructure, data, and decision-making. The cooperative provides coordination, not control.

No central authority or supranational governance
Common architecture framework established collaboratively
Bilateral/multilateral working groups for standards alignment
Threat intelligence sharing and coordinated incident response
Joint procurement leverage without mandated suppliers

Partner Jurisdictions

UK United Kingdom

EU European Union

CA Canada

AU Australia

Sovereign Supplier Ecosystem

Region	Example Providers
European Union	OVHcloud (France), Hetzner (Germany), Scaleway (France), IONOS (Germany)
United Kingdom	Crown Hosting, UK sovereign hyperscale buildout, European providers with UK presence
Canada	Canadian sovereign providers, Crown corporation infrastructure
Australia	Australian-owned datacenter operators, government-backed sovereign cloud

3. The Case for Action

Strategic Benefits

Data Sovereignty: Government data resides only within national borders, subject only to domestic law
Eliminate Kill-Switch Risk: No US entity can disable, access, or deny service to sovereign infrastructure
Democratic Resilience: Protect electoral systems, public services, and civil infrastructure from foreign interference

Economic Growth: Stimulate domestic tech sector, create high-skill jobs, reduce foreign currency outflows
Strategic Autonomy: Signal to adversaries that critical infrastructure cannot be weaponised
Operational Continuity: Ensure citizen services cannot be held hostage to foreign policy disputes

Cost-Benefit Summary

Factor	Assessment
Migration Investment	Significant but amortised over 5-7 year programme
Risk Mitigation Value	Eliminates existential threat to government operations
Economic Multiplier	Domestic investment creates jobs, tax revenue, technical capability
Operating Costs	Comparable to current US cloud spend after initial investment
Strategic Value	Priceless—sovereignty is not a line item

The Cost of Inaction

Every day of continued dependence on US cloud infrastructure:

Deepens technical debt and migration complexity
Increases leverage available to adversarial actors
Signals to the US administration that coercion is cost-free
Risks catastrophic service denial during a crisis when alternative paths are unavailable

4. Recommendations

Immediate Actions Requested

Commission independent review of this proposal by NAO (costs), NCSC (security), and IPA (deliverability) before any commitment. This is a policy proposal requiring independent validation, not a pre-approved business case.
Request NCSC/JIC threat assessment to validate or refute the threat scenarios and probability ratings presented in this document with classified intelligence.
Approve establishment of cross-government working group with mandate to assess current cloud dependency and develop sovereign migration strategy.
Authorise diplomatic engagement with EU, Canada, and Australia counterparts to explore cooperative framework participation. No commitments currently exist.
Allocate planning budget for detailed feasibility study and proof-of-concept pilot programme (subject to independent review findings).

TIMELINE NOTICE: This section shows wartime emergency timelines as the primary figures, with peacetime estimates in brackets. Given current geopolitical conditions, the emergency mobilisation timeline should be treated as the baseline planning assumption.

Programme Timeline Overview

Phase 0: Preparation & Assessment

Week 0-2 (Peacetime: Months 1-6)

Risk assessment, working group establishment, diplomatic engagement, feasibility study

Phase 1: Pilot Migration

Week 2-8 (Peacetime: Months 6-18)

Low-risk workload migration, proof of concept, supplier evaluation, architecture validation

Phase 2: Platform Foundation

Week 8-14 (Peacetime: Months 18-30)

Core platform buildout, security hardening, operational capability establishment

Phase 3-4: Migration Waves

Week 14-24 (Peacetime: Months 30-66)

Systematic migration of government workloads by criticality and complexity

Phase 5-6: Optimisation & Exit

Week 24+ (Peacetime: Months 66-84)

Performance tuning, cost optimisation, complete US cloud decommissioning

WARTIME: 24 WEEKS TO CORE CAPABILITY
(Peacetime: 5-7 Years / 60-84 Months)

This is a matter of national security,
democratic resilience, and sovereign survival.

The window for action is narrowing.
The threat is real, present, and growing.
The solution is achievable through cooperation.

Continue to Threat Assessment

View Technical Framework

Cookies on Sovereign Cloud Architecture