Starting Point Assessment
Where each jurisdiction stands today: current dependencies, existing capabilities, and the baseline from which migration begins.
1. Current State Summary
Dependency Matrix by Jurisdiction
| Dependency Area | UK | EU | Canada | Australia |
|---|---|---|---|---|
| Desktop OS | 95%+ Windows | 90%+ Windows | 95%+ Windows | 95%+ Windows |
| Office Suite | 95%+ M365 | 80%+ M365/Google | 90%+ M365 | 90%+ M365 |
| Cloud IaaS | 85%+ US | 80%+ US | 90%+ US | 85%+ US |
| Email/Collaboration | M365 dominant | Mixed | M365 dominant | M365 dominant |
| Identity (Directory) | Azure AD/Entra | Mixed | Azure AD | Azure AD |
| Sovereign Alternatives | Limited | Available | Limited | Emerging |
2. What We Already Have
Despite deep US dependency, each jurisdiction has existing capabilities and initiatives that provide a foundation for sovereign migration:
United Kingdom
| Capability | Description |
|---|---|
| Crown Hosting | Government datacenter partnership with Ark Data Centres; physical sovereign capability exists |
| G-Cloud Framework | Procurement framework includes EU providers (OVHcloud, IONOS); mechanism exists |
| NCSC Guidance | Cloud Security Principles provide security framework |
| GOV.UK Platform | GDS shared services (Notify, Pay) could be migrated as unit |
| Open Source Experience | GDS has significant open source expertise; GOV.UK runs on open platforms |
European Union
| Capability | Description |
|---|---|
| European Providers | OVHcloud, Hetzner, Scaleway, IONOS, T-Systems—mature hyperscale alternatives available |
| SecNumCloud (FR) | French certification framework already excludes US providers |
| BSI C5 (DE) | German cloud security certification available for mutual recognition |
| Gaia-X | European federated data infrastructure initiative provides standards framework |
| Member State Initiatives | Italy PSN, Germany Bundescloud, France Cloud de Confiance—active programmes |
| Schrems II Legal Basis | ECJ ruling provides legal foundation for US cloud restrictions |
Canada
| Capability | Description |
|---|---|
| SSC Infrastructure | Shared Services Canada operates government datacenters; expansion possible |
| Canadian Telecoms | Bell, Telus, Rogers have datacenter operations; potential sovereign partners |
| OVHcloud Canada | European provider with Canadian presence; available now |
| CSE/CCCS Expertise | Canadian cyber security expertise for security framework |
| Open Source Culture | Government of Canada has open source policy; foundation for tooling adoption |
Australia
| Capability | Description |
|---|---|
| Australian Providers | AUCloud, Vault Cloud, Sliced Tech—PROTECTED certified sovereign options exist |
| Australian Datacenters | NEXTDC, Macquarie—Australian-owned datacenter operators |
| Hosting Certification | DTA Hosting Certification Framework provides security baseline |
| ASD/ACSC | Essential Eight and ISM provide security framework |
| cloud.gov.au | DTA platform-as-a-service; could be migrated to sovereign infrastructure |
3. What We Need to Build
Gaps that must be filled to enable sovereign migration:
| Gap | Current State | Required State | Approach |
|---|---|---|---|
| Governance | No international coordination mechanism | Functioning SCAB and TSC | Establish through diplomatic channels |
| Common Standards | Each jurisdiction has own standards | Interoperable standards with mutual recognition | Working groups to harmonise |
| Supplier Capacity | Limited outside EU | Sufficient capacity in all jurisdictions | EU provider expansion + local development |
| Migration Tooling | Ad-hoc, vendor-specific | Common open-source toolkit | Joint development via WG-Migration |
| Skills | Concentrated in US tech | Distributed across sovereign stack | Training programmes, secondments |
| Political Mandate | Limited awareness at senior levels | Cabinet/ministerial commitment | Briefings, this documentation |
4. Entry Points: Where to Start
Based on current state assessment, recommended entry points for each jurisdiction:
Immediate Actions (All Jurisdictions)
- Data Backup Initiative: Copy all critical data to sovereign storage. Does not require migration, just backup. Can begin this week.
- Encryption Key Export: Copy customer-managed keys to sovereign vault (OpenBao on EU infrastructure). Ensures data remains accessible if US access is revoked.
- Dependency Inventory: Complete audit of US cloud accounts, services, and spend. Foundation for all planning.
- European Provider Evaluation: Trial accounts with OVHcloud, Hetzner, Scaleway. Hands-on experience informs planning.
First Migration Candidates (By Jurisdiction)
| Jurisdiction | Recommended First Migration | Rationale |
|---|---|---|
| UK | GDS shared services (Notify, Pay) to Crown Hosting + European IaaS | High visibility, GDS has open source skills, manageable scope |
| EU | European Commission internal collaboration tools | Demonstrates EU eating own cooking, SecNumCloud providers ready |
| Canada | StatsCan data platforms to SSC + OVHcloud Canada | High sensitivity data, clear sovereignty case, manageable scale |
| Australia | DTA internal tools to AUCloud | DTA should lead by example, Australian provider ready |
Quick Win: Email & Collaboration
Across all jurisdictions, email and collaboration tools represent the fastest path to demonstrable progress. Alternatives (Nextcloud, Open-Xchange, Collabora) are mature. Denmark has proven this works. Migration can begin immediately with pilot departments.
5. Readiness Assessment Framework
Each jurisdiction should assess readiness across these dimensions:
| Dimension | Questions | Evidence Required |
|---|---|---|
| Political | Is there ministerial/Cabinet awareness? Is sovereignty on the agenda? | Briefing uptake, policy statements |
| Legal | Is there legal basis for sovereign cloud requirements? Procurement flexibility? | Legal opinions, procurement rules review |
| Technical | Do we have skills for sovereign stack? Pilot capability? | Skills audit, pilot project readiness |
| Supplier | Are sovereign providers available? On frameworks? | Framework listings, capability assessments |
| Financial | Is funding available? Business case accepted? | Budget allocation, Treasury approval |
| Organisational | Is there programme team? Governance structure? | Team establishment, governance charter |
6. Starting Point Checklist
Day 1 Readiness Checklist
Before formal programme launch, confirm:
7. Next Steps from Starting Point
Week 1-2: Foundation
- Complete dependency inventory
- Begin critical data backup
- Set up sovereign collaboration tools for programme team
- Brief senior sponsor
Week 3-4: Evaluation
- European provider hands-on evaluation
- First migration candidate deep-dive
- Skills gap assessment
- Cross-jurisdiction contact
Month 2: Planning
- Draft pilot migration plan
- Initial budget estimate
- Governance structure proposal
- Procurement pathway identified
Month 3: Approval
- Seek pilot approval
- Establish programme team
- Engage with international partners
- Begin pilot execution
The Starting Point is Now
The first step is the hardest—but the path is clear.