Evidence Base & Citations
This document provides verified sources, corrected claims, and transparent methodology for all assertions made in the Sovereign Cloud Initiative documentation.
1. Cloud Market Share Data
Original Claim: "82% of non-US government datacenter capacity controlled by US providers"
Correction: This figure was unsubstantiated. Actual global cloud infrastructure market share (Q3 2025):
| Provider | Global Market Share | Ownership | Source |
|---|---|---|---|
| Amazon Web Services (AWS) | 29% | US (Amazon.com Inc.) | Synergy Research Group, Q3 2025 |
| Microsoft Azure | 20% | US (Microsoft Corp.) | |
| Google Cloud Platform | 13% | US (Alphabet Inc.) | |
| Oracle Cloud Infrastructure | ~2% | US (Oracle Corp.) | |
| Alibaba Cloud | ~4% | China | Synergy Research Group |
| Other Providers | ~32% | Various | - |
Corrected Statement: US-headquartered providers (AWS, Azure, GCP, OCI) collectively hold approximately 64-67% of global cloud infrastructure market share. The "Big Three" (AWS, Azure, GCP) alone hold 62-63%.
Synergy Research Group
"Cloud Market Share Trends - Big Three Together Hold 63% while Oracle and the Neoclouds Inch Higher"
November 2025
https://www.srgresearch.com/articles/cloud-market-share-trends
Statista / TechTarget
"The big three grab two-thirds of $107B cloud market in Q3"
Q3 2025
Data Limitation
Global market share figures do not directly indicate government-specific usage. Government cloud adoption rates vary significantly by jurisdiction. Determining actual US provider dependency in UK, EU, Canadian, and Australian government cloud usage requires a formal audit.
2. CLOUD Act Data Requests & Legal Framework
Claim: "US government can compel cloud providers to provide data regardless of where stored"
Verification: The CLOUD Act (2018) does authorise extraterritorial data requests. However, significant legal protections exist.
Actual CLOUD Act Request Statistics
| Provider | Period | Enterprise Requests | Content Disclosed | Key Finding |
|---|---|---|---|---|
| AWS | 2020-2025 | Not disclosed separately | ZERO | "No enterprise/government content data stored outside US disclosed to US government" |
| Microsoft | H2 2024 | 173 total | 26 (US law enforcement) | No Azure commercial/public sector content disclosed |
| Microsoft | H1 2024 | 5,560 (consumer) | 52 warrants for non-US data | 4.94% of requests resulted in content disclosure |
Amazon Web Services
"Clarifying Lawful Overseas Use of Data (CLOUD) Act" - Compliance Statement
June 2025
Microsoft
"Government Requests for Customer Data Report"
2024
Existing Legal Protections
| Protection | Mechanism | Status |
|---|---|---|
| UK-US Data Access Agreement | Bilateral treaty under CLOUD Act executive agreement provisions | In force since October 2022. UK made 20,104 requests in first 2 years. |
| GDPR Article 48 | Blocking statute requiring international agreement for foreign data orders | Active. EDPB: CLOUD Act requests without MLAT "cannot legally" compel EU data disclosure. |
| US-Australia CLOUD Act Agreement | Bilateral executive agreement | Signed 2022 |
| EU-US Negotiations | Proposed executive agreement | Under negotiation (no agreement in force) |
UK Government / US Department of Justice
"Landmark U.S.-UK Data Access Agreement Enters into Force"
October 2022
https://www.justice.gov/opa/pr/landmark-us-uk-data-access-agreement
European Data Protection Board (EDPB)
"Opinion on U.S. CLOUD Act" - Article 48 GDPR Analysis
Important Nuance
The legal framework is complex, not binary. While the CLOUD Act does provide extraterritorial reach, bilateral agreements (UK-US DAA), GDPR Article 48, and provider policies create significant friction. Transparency reports show minimal actual government content disclosure for enterprise customers. However, the legal capability exists even if it is not frequently exercised.
3. Service Termination ("Kill Switch") Scenarios
Claim: "US cloud providers can terminate services to allied governments"
Evidence Status: No documented instance of US cloud providers terminating services to allied government customers. This is a theoretical risk based on legal capability, not demonstrated behaviour.
Related Precedents (Adversary Nations, Not Allies)
| Case | Target | Action | Relevance |
|---|---|---|---|
| Huawei Entity List | Chinese company | May 2019: Added to Entity List. US companies barred from supplying technology without licence. | Demonstrates US willingness to use technology denial. However, Huawei is a Chinese company treated as an adversary, not an ally. |
| ZTE Near-Bankruptcy | Chinese company | 2017-2018: Export denial nearly bankrupted ZTE. Required $1.4B fine and US monitoring. | Shows severity of US technology controls. However, ZTE violated Iran sanctions. |
| Russia Sanctions 2022 | Russian entities | Cloud providers terminated/suspended services to sanctioned Russian entities. | Demonstrates providers will terminate under sanctions. However, Russia was in active conflict with a US ally. |
Congressional Research Service
"U.S. Restrictions on Huawei Technologies: National Security, Foreign Policy, and Economic Interests"
2022
Threat Assessment Methodology
The "kill switch" scenario is based on:
- Legal capability: IEEPA, Executive Orders, and sanctions regimes provide legal authority
- Demonstrated use against adversaries: Huawei, ZTE, Russian entities
- Extrapolation to allies: Theoretical application if diplomatic relationship deteriorated
Probability Assessment: Low under normal diplomatic conditions. Increases with geopolitical instability. No historical precedent against Five Eyes/NATO allies.
Honest Assessment
This is a worst-case scenario, not a demonstrated threat. Documentation should acknowledge:
- No instance of the US terminating cloud services to UK/EU/CA/AU governments
- Strong commercial incentives against such action ($300B+ revenue at stake)
- Legal mechanisms exist but have only been used against adversaries
- The strategic case rests on reducing dependency rather than imminent threat
Strategic Framing: Insurance Model
This initiative is insurance, not a response to an imminent attack.
The probability of service termination to allied governments is low under normal diplomatic conditions. However, the impact of such an event would be catastrophic – affecting healthcare, benefits, taxation, and defence systems simultaneously.
Insurance rationale: One does not purchase fire insurance because a fire is imminent, but because:
- The consequences of an uninsured fire are unacceptable
- Circumstances can change unexpectedly (political instability, trade disputes)
- The existence of insurance reduces certain risks (no leverage for coercion)
Key message: We are not claiming the US will terminate services. We are asserting that democratic nations should not be structurally dependent on any single foreign jurisdiction for critical national infrastructure – regardless of how friendly that jurisdiction currently is.
4. Evidence Standards & Methodology
Claim Classification
| Status | Definition | Treatment |
|---|---|---|
| VERIFIED | Claim supported by primary sources or authoritative data | Cite source, include in main documentation |
| CORRECTED | Original claim was inaccurate; corrected figure provided | Replace original claim, acknowledge correction |
| THEORETICAL | Claim based on extrapolation or scenario analysis | Clearly label as theoretical, provide methodology |
Source Hierarchy
- Primary Sources: Government publications, legislation, official statistics
- Authoritative Industry Data: Synergy Research, Gartner, IDC (for market data)
- Provider Transparency Reports: Microsoft, AWS, Google official disclosures
- Academic/Legal Analysis: Peer-reviewed research, legal commentary
- Informed Estimates: Clearly labelled projections with methodology
Required Intelligence Community Input
This documentation acknowledges that a complete threat assessment requires input from:
- UK: NCSC, GCHQ, JIC (Joint Intelligence Committee)
- EU: ENISA, EU INTCEN, Member State agencies
- Canada: CCCS, CSE
- Australia: ACSC, ASD
Current assessment is preliminary. Formal intelligence community review should be a precondition for programme approval.