References & Sources
This page documents the evidence base for claims made throughout the Sovereign Cloud Architecture Initiative documentation. All sources are from official government agencies, established research institutions, reputable news organisations, or primary legal texts.
1. US Legal Framework for Data Access
CLOUD Act (Clarifying Lawful Overseas Use of Data Act)
Claim: The CLOUD Act allows US law enforcement to compel US-based technology companies to provide data regardless of where it is physically stored.
Evidence:
- US Department of Justice - CLOUD Act Resources (Primary source - US Government)
- Congressional Research Service - Cross-Border Data Sharing Under the CLOUD Act (Library of Congress)
- Congressional Research Service - Law Enforcement Access to Overseas Data (Library of Congress)
Key quote from DOJ: "The United States enacted the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018 to speed access to electronic information held by U.S.-based global providers."
FISA Section 702
Claim: FISA Section 702 authorises warrantless surveillance of non-US persons located outside the United States.
Evidence:
- Office of the Director of National Intelligence - FISA Section 702 (Primary source - US Government)
- FBI - Foreign Intelligence Surveillance Act and Section 702 (Primary source - US Government)
- Congressional Research Service - FISA Section 702 and the 2024 Reforming Intelligence and Securing America Act (Library of Congress)
Key quote from ODNI: "Section 702 permits only targeting of: (1) non-United States persons, (2) who are reasonably believed to be located outside the United States."
IEEPA (International Emergency Economic Powers Act)
Claim: IEEPA provides the President broad authority to regulate economic transactions and impose sanctions, including technology export controls.
Evidence:
- Congressional Research Service - The International Emergency Economic Powers Act: Origins, Evolution, and Use (Library of Congress)
- 50 U.S. Code Chapter 35 - International Emergency Economic Powers (Primary source - US Code)
- US Department of Justice - Export Control and Sanctions (Primary source - US Government)
Key fact: As of September 2025, Presidents had declared 77 national emergencies invoking IEEPA, 46 of which are ongoing. IEEPA is the foundational authority for much of the US sanctions regime.
2. Cloud Market Share Data
Claim: US cloud providers (AWS, Azure, GCP, Oracle) dominate the global cloud infrastructure market.
Evidence (Q2-Q3 2025):
- Synergy Research Group via Statista - Q2 2025: AWS 30%, Azure 20%, GCP 13%
- TechTarget - Q3 2025: Big Three hold 62% of $107B market
- Canalys - Q2 2025: Global cloud spending $95.3B, Azure 22%
Key statistics (Q3 2025):
| Provider | HQ | Share | CLOUD Act |
|---|---|---|---|
| AWS | USA | 29% | Yes |
| Microsoft Azure | USA | 20% | Yes |
| Google Cloud | USA | 13% | Yes |
| Oracle Cloud | USA | ~3% | Yes |
| IBM Cloud | USA | ~2% | Yes |
| US Total | — | ~67% | Yes |
3. Control Plane Architecture
Claim: AWS global services have control planes concentrated in us-east-1 (Northern Virginia), creating dependencies even for workloads in other regions.
Evidence:
- AWS Whitepaper - Global Services and Fault Isolation Boundaries (Primary source - AWS)
- AWS re:Post - Reducing Control Plane Dependencies in US-EAST-1 (Primary source - AWS)
- The Register - AWS outage exposes Achilles heel: central control plane (Technology news)
Key quote from AWS documentation: "US-EAST-1 (Northern Virginia) hosts the control planes for numerous global AWS services... Route 53 operates its control plane in the us-east-1 Region... In the aws partition, the IAM service's control plane is in the us-east-1 Region."
Impact documented: "Amazon S3 bucket names are globally unique and all calls to the CreateBucket and DeleteBucket APIs depend on us-east-1, in the aws partition."
4. CLOUD Act Data Request Statistics
Claim: CLOUD Act is actively used for data requests, though enterprise/government data disclosure remains limited.
Evidence:
| Provider | Statistic | Period |
|---|---|---|
| Microsoft | 173 enterprise requests globally; 62% rejected/redirected; 38% resulted in disclosure | H2 2024 |
| Microsoft | 5,560 US law enforcement requests; 52 warrants sought content outside US | H1 2024 |
| Microsoft | Only 4.94% of requests resulted in content disclosure | 2024 |
| AWS | ZERO disclosures of enterprise/government content stored outside US | To June 2025 |
Sources:
UK-US CLOUD Act Agreement (Oct 2022 - Oct 2024):
- UK issued 20,142 requests to US providers
- US issued 63 requests to UK providers
- UK enforcement outcomes (H1 2024): 368 arrests, 3.5 tons drugs seized, £5M recovered
Source: Lawfare - First Insights into US-UK CLOUD Act Agreement
5. Sanctions Precedent: Russia Cloud Service Termination
Claim: US cloud providers have demonstrated capability and willingness to terminate services to entire nation-states.
Timeline:
| Date | Action |
|---|---|
| March 4, 2022 | Microsoft suspends all new sales in Russia |
| March 8, 2022 | AWS stops new sign-ups in Russia and Belarus |
| March 2022 | All major US providers (AWS, Azure, GCP, Oracle, IBM) exit Russia |
| August 2023 | Microsoft stops renewing all Russian subscriptions |
| March 20, 2024 | Microsoft and Amazon suspend ALL cloud access. Russian companies lose access to existing data. |
Sources:
6. Technology Denial Precedent: Huawei 5G
Claim: The US uses technology access as geopolitical leverage and pressures allies to adopt its technology policies.
Evidence:
| Country | Action | US Pressure |
|---|---|---|
| United Kingdom | Full Huawei 5G ban (July 2020); removal by 2027 | Threats to reduce intelligence sharing |
| Australia | Banned foreign 5G vendors (2018) | Five Eyes coordination |
| European Union | Considering bloc-wide ban (Nov 2025) | EC recommending "high-risk vendor" phase-out |
Sources:
- NPR - UK bans Huawei from 5G network
- TechCrunch - EU considers Huawei phase-out
- Courthouse News - UK moves closer to US with Huawei ban
7. UK Government IT Programme Benchmarks
Purpose: Cost and timeline estimates are benchmarked against actual UK government IT programmes.
NHS National Programme for IT (NPfIT)
| Metric | Original | Final | Overrun |
|---|---|---|---|
| Budget | £2.3 billion | £12.7 billion | 452% |
| Timeline | 3 years | 10 years (cancelled) | 333% |
| Benefits | Full e-records | £3.7B vs £9.8B cost | 38% of cost |
Sources: NAO Final Review; PAC Report; Case Study
Universal Credit
| Metric | Original | Current | Overrun |
|---|---|---|---|
| Lifetime cost | £2.2 billion | £15.8 billion | 618% |
| Completion | 2017 | 2028+ (projected) | 11+ years late |
| Reschedules | — | 7 major | — |
Sources: NAO Progress Update; NAO 2024 Report; Computer Weekly
8. Gaia-X Status Assessment
Claim: Gaia-X provides lessons for sovereign cloud initiatives but has not achieved its original infrastructure goals.
| Aspect | Status |
|---|---|
| Launch | 2019 (France-Germany initiative) |
| Scope | Framework/standards only, not infrastructure |
| Use cases | 180+ across Europe |
| Catalogue | 500+ compliant services (Nov 2024) |
| Key criticism | "Paper monster" (Nextcloud CEO); US hyperscalers as members; bureaucracy |
Sources:
- EuroStack - Gaia-X: Chronicle of a Failure Foretold
- Cloudflight - Why Gaia-X hasn't been successful
- Bert Hubert - Gaia-X is a distraction
- The Register - Gaia-X future in doubt
9. Country Precedents
Denmark - Microsoft Exit
Claim: Denmark is transitioning away from Microsoft products at both municipal and national government levels.
Evidence:
- Euronews - Two city governments in Denmark are moving away from Microsoft (June 2025)
- The Record (Recorded Future News) - Danish government agency to ditch Microsoft software
- Digital Watch Observatory - Denmark moves to replace Microsoft software
Key facts:
- Copenhagen and Aarhus (Denmark's two largest municipalities) announced plans to abandon Microsoft
- Danish Minister for Digitalisation Caroline Stage Olsen confirmed national government transition to LibreOffice
- Danish expert group report (December 2024) called for "Big Tech alternatives in Europe"
France - SecNumCloud
Claim: France's SecNumCloud certification effectively excludes US cloud providers through sovereignty requirements.
Evidence:
- CNIL (French Data Protection Authority) - Cloud: risks of European certification (Primary source - French Government)
- ITIF - France's Cloud Service Restrictions (Research institution)
- OVHcloud - SecNumCloud Qualification (Certified provider)
Key requirements (SecNumCloud v3.2):
- Non-EU shareholders restricted to below 25% individually, 39% collectively
- No veto rights or majority board control for non-EU entities
- Provider must be immune to extraterritorial laws (e.g., US CLOUD Act)
- Only four companies certified as of 2025 (all French): 3DS Outscale, OVHcloud, Oodrive, Worldline
Germany - Schleswig-Holstein Linux Migration
Claim: The German state of Schleswig-Holstein is migrating 30,000 workstations from Windows to Linux.
Evidence:
- The Register - German state switches to LibreOffice, promises Windows move
- IT Brew - German state is tired of paying for Microsoft licenses, adopts Linux
- Computing UK - German state Schleswig-Holstein ditches Windows for Linux
Key facts:
- 30,000 government computers to migrate to Linux by 2026
- Impact on 60,000 public servants and 30,000 teachers
- Estimated savings: €15 million annually in licence costs
- Nearly 80% of workplaces already migrated to LibreOffice
- Quote from Minister-President's office: "Schleswig-Holstein will be a digital pioneer region and the first state to introduce a digitally sovereign IT workplace"
European Commission - Microsoft 365 GDPR Violation
Claim: The European Data Protection Supervisor found the European Commission's use of Microsoft 365 violated data protection rules.
Evidence:
- European Data Protection Supervisor - Official Press Release (2025) (Primary source - EU)
- TechCrunch - EU's use of Microsoft 365 found to breach data protection rules
Key facts:
- EDPS imposed corrective measures requiring compliance by December 9, 2024
- Following additional measures by Commission and Microsoft, EDPS concluded infringements were remedied (July 2025)
5. Source Selection Methodology
Sources for this documentation have been selected according to the following hierarchy:
- Primary sources: Official government documents, legislation, court filings, regulatory decisions
- Secondary authoritative sources: Congressional Research Service reports, academic institutions, established research bodies (Gartner, IDC)
- Reputable news sources: Established technology and business publications (The Register, TechCrunch, Euronews, Computing UK)
- Vendor documentation: Where claims relate to specific technical capabilities, vendor documentation is cited
Sources explicitly excluded: Social media, user-generated content sites (Reddit, Quora), unverified blogs, opinion pieces without factual basis.
6. Claims Requiring Jurisdiction-Specific Verification
The following claims are stated in the documentation but require jurisdiction-specific verification as exact figures vary by country and data classification:
| Claim | Status | Recommendation |
|---|---|---|
| Government-specific cloud market share by jurisdiction | To verify | Each jurisdiction should audit their own cloud estate |
| Current spend with US providers by jurisdiction | To verify | Request from finance/procurement teams |
| Specific data flows through US infrastructure | To verify | Technical architecture review required |
| Migration cost estimates | Indicative | Detailed assessment needed per jurisdiction |