PARLIAMENTARY SYNTHESIS

AWS and UK Government: Dependency, Disruption and Deferred Accountability

ISAR Global • 24 FEB 2026

Executive Summary

This brief synthesises 41 parliamentary questions and ministerial responses referencing Amazon Web Services (AWS) in UK Parliament, spanning March 2018 to November 2025. The dataset encompasses questions from both Houses directed at multiple departments, including the Cabinet Office, the Department for Science, Innovation and Technology (DSIT), the Home Office, the Department for Business and Trade, the Department of Health and Social Care, the Ministry of Defence, and the Foreign and Commonwealth Office.

The analytical picture that emerges is one of a government that has become deeply structurally reliant on a single dominant cloud provider — Amazon Web Services — without developing commensurate governance capacity, transparency mechanisms, or credible contingency frameworks. The October 2025 outage, which disrupted multiple mission-critical government departments simultaneously, served as an acute stress-test of that dependency. The parliamentary record suggests the government was neither fully prepared for that event nor currently able to account for its full cost.

It should be noted that a small number of questions in the dataset use the abbreviation “AWS” in reference to the Army Welfare Service or Anglian Water Services, rather than Amazon Web Services. These items have been contextualised appropriately and do not materially affect the analytical conclusions of this brief.

Volume and Pattern Analysis

The 41 questions span nearly eight years of parliamentary scrutiny. Interrogation of the dataset reveals several distinct thematic clusters:

Cluster One — Procurement and Contractual Oversight (2018–2021): Early questions, particularly from Dame Chi Onwurah in the Commons and Lord Clement-Jones in the Lords, focused on the terms, security implications, and labour rights dimensions of government contracts with AWS. Responses during this period were characterised by a degree of operational detail — referencing G-Cloud framework agreements, Crown Commercial Service arrangements, and encryption standards — but conspicuously avoided disclosure of contract values in aggregate. When asked directly in November 2020 for the total value and number of government contracts with AWS over the preceding five years, the Cabinet Office declined to provide a figure, directing the questioner to Crown Commercial Service spend data published online.

Cluster Two — Data Security and Sovereignty (2020–2023): A second cluster addressed the security of government data held by AWS, including questions about the implications of the Schrems II ruling, the US Cloud Act, and the potential for foreign government access to Home Office data. Ministerial answers in this cluster were notably reliant on AWS’s own public assurances, reproducing in one instance a statement provided directly by Amazon. The broader question of whether DSIT supervises data stored at UK data centres was answered directly in February 2025: “DSIT does not directly supervise the storage of data in specific UK data centres by specific companies.”

Cluster Three — The October 2025 Outage and Its Aftermath (October–November 2025): The largest and most recent cluster concerns the AWS outage of 20 October 2025 and subsequent parliamentary questions about market concentration and competitive remedies. This cluster is analytically the most significant, given its direct policy salience and the density of ministerial responses it generated.

Ministerial Response Quality

Across the full dataset, ministerial response quality varies considerably by period and subject matter. Several patterns merit specific identification.

Boilerplate proliferation: Multiple distinct parliamentary questions received substantively identical answers. Three questions from Mr Joshua Reynolds and Julia Lopez in November 2025, directed to different departments, received responses containing the same paragraph describing the CMA’s July 2025 Final Report and its key recommendation. Similarly, three questions from Dame Chi Onwurah in March 2022 about Home Office cloud services received word-for-word identical responses. Whilst cross-departmental coordination on sensitive topics is understandable, the use of identical text to answer materially different questions — including a question about market concentration, one about specific service resilience, and one about SME financial impact — suggests that responses were prepared centrally without genuine engagement with the specificity of the question posed.

Absence of quantification: Consistent with ISAR Global’s governance reality framework, ministers repeatedly declined or were unable to provide quantitative information that would permit meaningful scrutiny. The cost of the October 2025 outage was described as “not yet known.” The proportion of government cloud services hosted on AWS, Google, and Microsoft respectively was stated to be unavailable in “more granular” form, though up to 60% of the government estate was confirmed as cloud-hosted. The Government explicitly stated it had “not assessed the impacts of the practices detailed in the CMA’s Cloud Service Market Investigation” on UK small and medium-sized enterprises.

Deferred to CMA independence: On the central question of competitive remedies — specifically whether and when the CMA would designate AWS and Microsoft with Strategic Market Status — ministers consistently and explicitly declined to engage with timelines, citing the CMA’s operational independence. This posture is constitutionally defensible but politically convenient: it allows ministers to acknowledge the problem, endorse the solution, and disclaim any responsibility for its pace or implementation.

Key Commitments and Timelines

The parliamentary record yields the following commitments, such as they are:

DSIT committed to publishing a Government Cyber Action Plan “this Winter” (referenced in October 2025 responses), setting out a clear approach for government and the public sector to manage cyber security and resilience incidents. No specific publication date was given.

The Cyber Security and Resilience Bill was referenced in multiple October 2025 answers as “forthcoming,” with ministers noting it would expand regulatory scope to include managed service providers and critical suppliers such as cloud providers. No commencement date was specified in any response analysed.

The Government Digital Service was confirmed to be developing a “cloud consumption dashboard” to provide greater visibility of cloud usage and costs across the public sector. No delivery date was provided.

The Crown Commercial Service, DSIT, and Cabinet Office confirmed they are “exploring measures” to strengthen value for money and promote supplier diversification in public sector cloud procurement. No timeline, budget, or metric of success was attached to this commitment.

Rhetoric Versus Reality

The gap between governance rhetoric and governance reality in the AWS parliamentary record is substantial and measurable.

The Government has repeatedly asserted, across administrations, a commitment to cloud diversification, supplier competition, and value for money. The State of Digital Government report cited in October 2025 confirms that up to 60% of the government estate is cloud-hosted, “mostly using AWS, Microsoft and Google.” The CMA’s own July 2025 Final Report found that Microsoft and AWS together hold approximately 70% of the UK cloud market. Government procurement practices — including the Crown Commercial Service One Gov Value Agreement and the G-Cloud framework — have demonstrably channelled substantial public sector spend toward these two providers over the period examined.

The Government acknowledged in 2020 that the Home Office was already achieving savings by consolidating its AWS contract, and confirmed by 2022 that the department operated over 250 separate application groupings on AWS and Azure combined. By October 2025, the Home Office, DVLA, DWP, and HMRC all experienced simultaneous service disruption from a single provider failure. DSIT acknowledged it would take “some time to fully understand the scale of the impact.”

This trajectory — from early procurement consolidation, through repeated reassurances about security and data sovereignty, to a major multi-department operational failure — represents a textbook case of governance risk accumulation. At no point in the parliamentary record does any minister acknowledge that the government’s own procurement policies contributed to the concentration risk that the CMA subsequently identified and that the October 2025 outage made visible.

On data oversight, the February 2025 confirmation that DSIT does not directly supervise the storage of data in specific UK data centres by specific companies stands in notable contrast to the assurances provided in earlier responses that government data is secure, encrypted, and protected by contractual obligations. Both may be true simultaneously, but the juxtaposition reveals the limits of a governance model that relies primarily on contractual and technical controls in the absence of active regulatory supervision.

Strategic Intelligence Assessment

The parliamentary record on AWS provides a detailed longitudinal view of a structural governance problem that has been accumulating since at least 2018 and which the events of October 2025 brought into acute public focus.

The core finding is this: the UK Government is a large, concentrated, and poorly measured consumer of AWS cloud services. It does not hold granular data on the split of its cloud spend across providers, has not assessed the economic impact of anti-competitive practices on public sector procurement, and operates no direct regulatory supervision of the storage of its data. When a single provider experienced a significant outage, multiple departments providing essential public services were simultaneously disrupted, and the total cost remains publicly unquantified.

The government’s response framework — the Cyber Security and Resilience Bill, the forthcoming Cyber Action Plan, the cloud consumption dashboard, and the CMA’s potential Strategic Market Status investigation — represents a plausible set of interventions. However, not one of these instruments was operational at the time of the October 2025 outage, none has a firm implementation timeline embedded in ministerial responses, and the most consequential remedy (Strategic Market Status designation) has been explicitly placed outside ministerial control.

For policy audiences, the most significant intelligence signal in this dataset is not the outage itself, but the government’s demonstrable inability, in its immediate parliamentary aftermath, to answer basic questions: what did it cost, which services were affected, and what proportion of critical government infrastructure depends on a single provider? These are questions that a mature digital governance framework should be able to answer within days. The parliamentary record indicates they cannot currently be answered at all.

The trajectory of scrutiny — from Dame Chi Onwurah’s persistent questioning beginning in 2020, through Lord Clement-Jones’s cloud market questions in the Lords, to the concentrated burst of outage-related questions in October and November 2025 — reflects a parliamentary community that has identified this risk well ahead of the executive. The executive’s response, characterised by deference, boilerplate, and the absence of quantified commitment, does not yet match the scale of the dependency it has created.
