Campaigners from the Open Rights Group (ORG) have called on UK MPs to use the Cyber Security and Resilience Bill to adopt a formal digital sovereignty strategy that reduces reliance on large US technology companies for the nation’s digital infrastructure.
ORG argues that UK digital systems remain heavily dependent on firms such as Amazon, Google, Microsoft and Palantir, which it says could pose risks akin to over-dependence on foreign energy supplies.
“Just as relying on one country for the UK’s energy needs would be risky and irresponsible, so is overreliance on US companies to supply the bulk of our digital infrastructure,” said James Baker, ORG’s Platform Power programme manager.
The group argues that embedding digital sovereignty into the Bill would mean assessing supplier resilience if foreign firms withdraw services, ensuring data access isn’t subject to foreign law, and prioritising open-source and interoperable systems to boost domestic capacity.
ORG provided examples of how states have used digital infrastructure to wield political and military power. It includes reports that Microsoft blocked the email account of ICC chief prosecutor Karim Khan after the US President Donald Trump imposed sanctions on the ICC for issuing an arrest warrant against Israeli Prime Minister Benjamin Netanyahu. Microsoft denied this but in October 2025, the ICC stopped using Microsoft services and had switched to openDesk, an open source European software platform.
AI strategy criticism adds to tech policy debate
The UK’s Cyber Security and Resilience Bill aims to update and expand the UK’s cyber legal framework, strengthening protections for essential services and digital infrastructure. While the government’s focus remains on enhancing cyber defences, ORG’s intervention underscores growing calls for policy that also tackles strategic dependency on non-UK tech providers.
Director of consultancy Posetiv and Green Ops advocate, Mark Butcher, recently argued that successive Government strategies have funnelled billions of pounds to American hyperscalers through long-term contracts, while offering little direct support to UK technology firms.
Elsewhere, European tech and policy leaders have also raised alarms about dependence on US hyperscaler cloud providers. At November’s Gaia-X Summit, stakeholders stressed that although US cloud firms can serve a large share of European workloads, they are unable to deliver the highest levels of digital sovereignty for sensitive public services and critical infrastructure because of legal constraints like the US Cloud Act.
Under the Cloud Act, American authorities can demand access to data held by companies under American jurisdiction, even if stored outside the US.