UK Cloud Dependency: Parliamentary Questions Expose Governance Gap
Executive Summary
This brief analyses 37 parliamentary written questions and ministerial responses relating to “digital service providers,” drawn from Hansard records spanning July 2015 to January 2026. The corpus is dominated by a coherent cluster of questions — concentrated in the period from September 2024 to January 2026 — pressing the government on cloud market concentration, competition enforcement, procurement reform, and cyber resilience following a series of high-profile outages. A secondary cluster addresses Digital Services Tax policy, whilst a small number of older items concern cybersecurity standards and, in one outlying case, music video classification.
The central finding of this analysis is one of institutional displacement: ministers acknowledge a structural problem — overwhelming dependency on two US-headquartered hyperscale cloud providers — but consistently deflect questions about remedy to the Competition and Markets Authority, whose independence from government direction is cited as both a constitutional virtue and a practical constraint. The result is a governance posture that is rhetorically engaged but operationally passive.
Volume and Pattern Analysis
Of the 37 questions analysed, approximately 22 are substantively concerned with cloud market concentration, provider resilience, procurement diversification, or competition enforcement in digital markets. Seven questions address Digital Services Tax and the taxation of digital economy actors. The remainder address cybersecurity standards, NHS digital compliance, SME procurement access, and one tangential item on music video classification.
The cloud concentration cluster intensifies markedly around two trigger events: the autumn 2025 outages attributed to Amazon Web Services and Microsoft Azure, and the Competition and Markets Authority’s publication of its final cloud services market investigation report in July 2025. Lord Clement-Jones (Liberal Democrats, Lords) is the most persistent individual questioner, having tabled questions on this theme in September 2024, February 2025, June 2025, and November 2025. Julia Lopez and Samantha Niblett (Commons) filed coordinated batches of questions in November 2025. Victoria Collins filed a significant question in January 2026 that elicited the most candid admission of data gaps in the entire corpus.
The breadth of departments drawn into answering — DSIT, Cabinet Office, Department for Business and Trade, HM Treasury, and historically DCMS and DHSC — illustrates how cloud dependency cuts across the machinery of government, yet no single department holds a consolidated view of national exposure.
Ministerial Response Quality
Ministerial responses are, on the whole, professionally constructed but substantively thin. Three rhetorical patterns recur with sufficient frequency to constitute a template:
The Independence Shield. When pressed on competition enforcement timelines or action against restrictive licensing practices, ministers invoke CMA independence in near-identical terms across multiple responses and multiple departments. The formulation “the CMA is independent of Government and any decisions on which markets it investigates is for their Board” appears, with minor variation, in at least eight separate answers. Whilst constitutionally accurate, the repetition functions less as an explanation than as a deflection device.
The Forthcoming Instrument. Ministers repeatedly reference legislation or guidance that is either in development or recently introduced. The Cyber Security and Resilience Bill is cited in at least three separate responses from October and November 2025. The Government Cyber Action Plan is promised “this Winter” in two separate answers from November 2025 (UINs 92927 and HL11169). The Blueprint for Modern Digital Government, published January 2025, is cited as the basis for procurement reform commitments. The cumulative effect is of a policy shelf that is perpetually being stocked but from which items are rarely retrieved for inspection.
The Data Absence Admission. Several responses concede, with apparent equanimity, that the government does not hold the data one might expect. The January 2026 response to UIN 109363 confirms that “there is no centralised record of the proportion of such services that use US-owned cloud infrastructure” across critical public services. The same answer notes that government “does not generally comment on national security or commercial matters related to CNI.” The November 2025 response to UIN HL12401 states flatly that “the Government has not carried out an assessment of the risks of over-reliance on dominant cloud service providers in the market.” These are not incidental admissions; they are central to evaluating the credibility of the government’s resilience posture.
Key Commitments and Timelines
Extracting firm commitments from the parliamentary record yields a modest list. The Digital Commercial Centre of Excellence is to be established, as referenced in the response to HL12402 (November 2025), with a mandate to strengthen digital procurement capability and improve supplier management. The National Digital Exchange, described as intended to make it easier for public sector organisations to access services from new cloud providers including SMEs, is referenced in the same answer without a delivery date. The forthcoming iteration of G-Cloud will introduce a streamlined “Open Framework” under the Procurement Act, as stated in the response to HL5084 (February 2025), though no timeline is given. Multi-region cloud adoption guidance was published by DSIT in February 2025. The Cyber Security and Resilience Bill was introduced on 12 November 2025. The Government Cyber Action Plan was promised for “this Winter” in November 2025 responses.
On competition enforcement, the government has committed to nothing beyond noting that the CMA completed three Strategic Market Status investigations in the course of 2025 and that the CMA anticipates considering further investigations in early 2026. Whether cloud services will be among them is, formally, not the government’s decision to make.
On the Digital Services Tax, the Treasury position is consistent across five questions spanning October 2024 to April 2025: the DST remains in force as an interim measure at 2%, and will be repealed when Pillar 1 of the OECD Inclusive Framework is implemented. No timeline is given for that international settlement.
Rhetoric Versus Reality
The governance rhetoric evident in this corpus is one of confident engagement: data centres and cloud infrastructure were designated Critical National Infrastructure in 2024; the Blueprint for Modern Digital Government was published in January 2025; the Procurement Act 2023 is in force; new digital markets powers have been given to the CMA; the Cyber Security and Resilience Bill has been introduced. Ministers project an image of systematic, layered action.
The governance reality, as revealed by the same parliamentary record, is considerably more qualified. Central government has no consolidated picture of how dependent critical public services or critical national infrastructure are on US-owned cloud providers. The government has not itself assessed the risks of over-reliance on dominant cloud providers — it defers to a CMA investigation whose remedial recommendations it cannot compel. Survey data cited in the January 2026 response (UIN 109363) reveals that all central government survey participants reported using one of two leading cloud providers, both US-based, and that around 55% of central government organisations reported over 60% of their estate is now on the cloud. These figures sit in uncomfortable tension with assurances of diversification and resilience.
The response to autumn 2025 outages — confirmed as affecting AWS and Microsoft Azure — consists largely of retrospective impact assessment, cross-referral to previous answers, and citation of forthcoming instruments. There is no evidence in the parliamentary record of proactive contingency plans having been activated, of switching costs having been assessed, or of binding contractual or procurement mechanisms having been deployed to reduce dependency prior to the outages occurring.
The repeated invocation of CMA independence, whilst legitimate, also reveals a structural gap: the government has given the regulator new powers but has no mechanism — and apparently no appetite — to accelerate their deployment in response to politically salient market failures. The gap between the urgency implied by questions about cloud outages affecting essential national services and the measured pace of regulatory process is the central tension this parliamentary record does not resolve.
Strategic Intelligence Assessment
For organisations monitoring UK digital governance, four intelligence conclusions emerge from this analysis.
First, data sovereignty risk is unquantified at the national level. The government’s own admissions confirm it cannot state with precision the degree of dependency of critical public services or critical national infrastructure on US-owned cloud infrastructure. This is a material gap in national risk management, independent of any assessment of geopolitical conditions.
Second, competition enforcement is the chosen instrument, but the timeline is indeterminate. The CMA’s cloud services market investigation recommended its Board prioritise Strategic Market Status investigations into AWS and Microsoft. The CMA anticipated doing so in early 2026. Whether this translates into binding conduct requirements in any operationally relevant timeframe is unknown, and the government has no formal lever to accelerate the process.
Third, procurement reform commitments are real but nascent. The National Digital Exchange, the Digital Commercial Centre of Excellence, and the G-Cloud Open Framework represent substantive institutional development. None is yet operational in a form that has demonstrably shifted market share away from the two dominant providers. The gap between announced intent and measurable procurement diversification remains wide.
Fourth, the Digital Services Tax is unlikely to be a permanent feature of the fiscal landscape. Treasury responses across five questions are unequivocal: DST repeal is contingent on Pillar 1 OECD implementation, not on any domestic policy choice. Given the stalled state of international negotiations, the tax persists by default rather than by design.
The broader pattern this corpus reveals is of a government that has correctly identified the structural risks of cloud market concentration and has assembled a credible array of policy instruments in response — but has not yet generated the institutional momentum or data infrastructure required to demonstrate that those instruments are producing material change. Parliamentary scrutiny, to its credit, is pressing precisely on this gap. Whether executive action will close it remains, on the evidence available at the date of this analysis, an open question.