Executive Summary
A review of 25 written parliamentary questions retrieved from the UK Parliament record, spanning February 2018 to November 2025, reveals a persistent and largely unresolved tension at the heart of British digital governance: the government’s simultaneous dependence upon hyperscale cloud providers and its rhetorical commitment to competitive, SME-inclusive procurement. The parliamentary record exposes a pattern in which ministers across successive administrations have been unable — or unwilling — to provide consistent, granular data on the extent of hyperscale dependency across Whitehall, even when directly and repeatedly asked to do so.
The dataset divides broadly into two distinct phases of parliamentary scrutiny. The first, concentrated in early 2018, was driven almost entirely by a single Conservative backbencher, James Gray (North Wiltshire), who submitted a systematic cross-departmental inquiry into cloud-hosting contract allocation. The responses he received were strikingly inconsistent: some departments disclosed specific contract values and provider names, others pleaded an inability to collect the data centrally, and at least one ministry deferred its answer indefinitely. The second phase, comprising two questions tabled in November 2025 by Samantha Niblett (South Derbyshire, Labour), shifted the frame from procurement transparency to systemic risk, asking whether government had assessed the economic and security consequences of concentration among dominant hyperscale providers. The responses to these more recent questions were notably more guarded, offering process reassurance rather than substantive analysis.
Taken together, the parliamentary record suggests that while the language of risk management and resilience has become more sophisticated over seven years, the underlying governance reality has changed little: central visibility over hyperscale dependency remains fragmented, no department has committed to a binding diversification target, and the question of what the United Kingdom would do in the event of a sustained outage by a dominant provider remains, on the parliamentary record at least, unanswered.
Volume and Pattern Analysis
Temporal Distribution and Authorship
Of the 25 questions analysed, 22 were tabled between February and March 2018, representing a concentrated and evidently coordinated campaign of parliamentary scrutiny. A further question was tabled in April 2019, and the remaining two in November 2025. This distribution is analytically significant: it demonstrates that sustained parliamentary interest in hyperscale cloud governance has been episodic rather than continuous, driven by individual members rather than by select committee programmes or opposition front-bench strategy.
James Gray (Conservative, North Wiltshire) is responsible for 20 of the 25 questions in this dataset, making him by a considerable margin the most active parliamentary interrogator of government cloud policy during the period under review. His 2018 campaign was methodical and cross-departmental, targeting the Cabinet Office, the Home Office, the Treasury, the Foreign and Commonwealth Office, the Ministry of Justice, the Department for Transport, the Department for Education, the Department for Environment Food and Rural Affairs, the Department of Health and Social Care, the Department for Work and Pensions, the Ministry of Defence, the Scotland Office, the Northern Ireland Office, the Department for Business Energy and Industrial Strategy, the Department for International Trade, the Department for Digital Culture Media and Sport, and the Department for Exiting the European Union — seventeen departments in total. This breadth of inquiry is unusual and suggests a deliberate effort to map the full extent of government exposure to hyperscale providers at a moment when the passage of the US CLOUD Act had made data sovereignty a live political concern.
Rachel Hopkins (Labour, Luton South and South Bedfordshire) contributed two questions in December 2022 concerning Ministry of Defence digital transformation contracts, though these touched on hyperscale procurement only obliquely. Samantha Niblett’s two questions in November 2025 represent the most recent and arguably most consequential contribution to the record, reframing the debate from procurement statistics to systemic economic and security risk. The fact that these questions were directed simultaneously to both the Department for Science Innovation and Technology and the Treasury signals a recognition that hyperscale dependency is no longer merely a procurement matter but a macroeconomic and national security concern.
Departmental Coverage
The 2018 questions generated responses from an unusually wide range of departments, providing what amounts to a cross-sectional snapshot of Whitehall’s cloud procurement posture at a single point in time. The variation in response quality across departments is itself analytically revealing, and is addressed in detail in the section on ministerial response quality below.
Ministerial Response Quality
The 2018 Cross-Departmental Survey: Inconsistency as a Finding
The most striking feature of the 2018 responses is not any individual answer but the collective picture they present: a government that had no common framework for recording, categorising, or reporting its own cloud-hosting expenditure. When James Gray asked each department the same question — how many contracts had been awarded to hyperscale providers, how many to UK SMEs, and what were the values — the responses ranged from detailed disclosure to outright admission of ignorance.
The Department for Transport provided specific figures, disclosing that seven contracts had been awarded to hyperscale providers, comprising 50 per cent of all cloud contracts, with a total value of £13,770,480. The Ministry of Housing Communities and Local Government confirmed that both of its cloud-hosting contracts were with hyperscale providers, representing 100 per cent of its cloud spend, and provided annual expenditure figures. The Department for Environment Food and Rural Affairs named its providers directly — Amazon Web Services from January 2017 and Microsoft Azure from July 2017 — and disclosed specific expenditure. These responses, while not uniformly complete, at least engaged with the substance of the question.
By contrast, the Department for Business Energy and Industrial Strategy stated that the information was “not held in a format” that would allow a response. The Department for Work and Pensions similarly declared that it did not centrally collect the data requested, directing the questioner to the public Contracts Finder database. The Scotland Office and the Northern Ireland Office both pleaded an absence of central data collection. The Cabinet Office — the department nominally responsible for cross-government digital policy — acknowledged that it did not hold the requested information on hyperscale contracts, while providing SME figures. The Ministry of Defence deferred its answer entirely, with the minister writing that it would “take some time to gather the information required” and promising to write separately — a commitment whose fulfilment is not evidenced in this dataset.
The Department for Education’s response merits particular scrutiny. It stated that its cloud-hosting contracts had been awarded to UK SMEs and that it had not awarded any contracts to hyperscale providers, yet simultaneously disclosed that one of its contracts was with CDW Ltd acting as a reseller on behalf of Microsoft — a hyperscale provider by any conventional definition. This illustrates a broader definitional problem: the government had no agreed definition of “hyperscale,” and the Ministry of Justice was sufficiently uncertain that it felt obliged to state in its response that it had “interpreted the definition of Hyperscale Cloud providers to mean larger suppliers of Cloud Hosting.” Where departments could define the term as they chose, the resulting data was not comparable across government.
The 2019 and 2025 Responses: Reassurance Without Substance
Oliver Dowden’s April 2019 response to David Davis’s question about the US CLOUD Act was more substantive in tone but ultimately deflective in content. Rather than addressing the specific risk of US government access to British citizens’ data held by American hyperscale providers, the response contextualised the issue within broader international norms of extraterritorial jurisdiction and noted that the UK asserted similar powers. No specific protective measures were identified, and no commitment to review or mitigate the risk was offered.
The November 2025 responses to Samantha Niblett’s questions on systemic risk represent the most recent ministerial position on record. Both the Department for Science Innovation and Technology (answered by Kanishka Narayan) and the Treasury (answered by James Murray) offered responses that were substantively identical in structure: an acknowledgement that the government monitors systemic risks to critical national infrastructure, a reference to resilience measures and contingency planning, and an implicit suggestion that existing frameworks were adequate. Neither response disclosed what specific assessment had been made, what the findings were, whether any economic cost estimate existed, or what the contingency plans contained. The answers were, in the analytical vocabulary of parliamentary scrutiny, non-answers dressed in the language of competence.
Boilerplate and Formulaic Responses
A notable feature of the 2018 procurement questions is the recurrence of near-identical formulaic language across multiple departments on the question of procurement policy. The Home Office, HM Treasury, and the Cabinet Office all deployed variants of the same formulation:
“It is our policy to award contracts on the basis of value for money, whilst doing everything we can to encourage UK suppliers, and UK SME’s in particular, to win business.”
This language, appearing verbatim or near-verbatim across at least three separate departmental responses, suggests either a centrally coordinated briefing line or a standard Cabinet Office template. Its effect is to substitute a statement of general procurement principle for the specific data requested, and to imply that the absence of hyperscale concentration is a natural consequence of value-for-money discipline — a proposition that the more candid departmental responses (Transport, MHCLG, Defra) directly contradict.
Key Commitments and Timelines
The parliamentary record under review is notably sparse in terms of specific, verifiable commitments. The 2018 responses contain no ministerial pledges to review hyperscale dependency, introduce diversification targets, or establish cross-government data collection on cloud expenditure. The closest the record comes to a policy commitment is the Cabinet Office’s implicit endorsement of the Government’s SME procurement targets, but these are framed as aspirations rather than binding obligations, and no timeline is attached.
Oliver Dowden’s 2025 response to the original 2019 question on the CLOUD Act noted that the UK and US were engaged in negotiations on a bilateral agreement under the Act, which would provide a legal framework for cross-border data access requests. This was a genuine policy commitment with a defined mechanism, though the timeline for conclusion was not specified and the question of whether such an agreement would adequately protect British citizens’ data from unilateral US government access was not addressed.
The Ministry of Defence’s 2018 deferral — the promise to write to James Gray with the requested information — represents a commitment of sorts, but one that is unverifiable from the parliamentary record alone. The absence of a published follow-up answer in this dataset means it cannot be confirmed whether the commitment was honoured.
The 2025 responses from DSIT and the Treasury contain no specific commitments whatsoever. The language of monitoring, resilience, and contingency planning is deployed without any accompanying statement of what monitoring has found, what resilience measures exist, or what contingency plans provide for. These responses are, in terms of parliamentary accountability, commitments to process rather than commitments to outcome.
Rhetoric Versus Reality
The Procurement Diversity Illusion
The most significant gap between rhetoric and reality in this dataset concerns the government’s stated commitment to SME-inclusive cloud procurement. The formulaic language deployed by multiple departments — that contracts are awarded on value for money while doing “everything we can” to encourage UK SMEs — sits in direct tension with the empirical data disclosed by those departments willing to provide it. The Ministry of Housing Communities and Local Government reported that 100 per cent of its cloud-hosting contracts were with hyperscale providers. The Department for Transport reported that hyperscale providers held 50 per cent of its cloud contracts by number but a disproportionately large share by value. The Department for Environment Food and Rural Affairs had moved directly to AWS and Azure for its public cloud infrastructure. The rhetoric of SME encouragement was, in practice, a statement of aspiration that the procurement record did not support.
The Data Governance Paradox
There is a profound irony in the fact that a government deploying cloud infrastructure to manage citizens’ data was itself unable to centrally collect data about its own cloud contracts. Multiple departments — BEIS, DWP, the Scotland Office, the Northern Ireland Office, the Cabinet Office itself — acknowledged that they did not hold the requested information in a form that would permit a response. This is not merely an administrative inconvenience: it means that at the time of the 2018 survey, no single part of government had a complete picture of the UK’s public sector exposure to hyperscale providers. The Cabinet Office, as the department responsible for cross-government digital policy, was in the position of being unable to answer a question about its own department’s hyperscale contracts while simultaneously being responsible for the policy framework governing all other departments’ procurement decisions.
The Definitional Vacuum
The Ministry of Justice’s candid admission that it had been obliged to interpret the definition of “hyperscale” for itself reveals a governance vacuum that has material consequences. Without an agreed government-wide definition, departments could — and evidently did — classify their cloud arrangements differently. The Department for Education’s treatment of a Microsoft reseller contract as an SME contract rather than a hyperscale contract is the clearest example, but the problem is likely systemic. Any policy designed to manage or limit hyperscale dependency requires a shared understanding of what hyperscale means; the parliamentary record provides no evidence that such a shared understanding existed in 2018, and no evidence that it has been formally established since.
Systemic Risk: Acknowledged but Unquantified
The 2025 responses represent the most recent iteration of a pattern that has persisted throughout this dataset: the government acknowledges that systemic risks from hyperscale dependency exist, but declines to quantify them, disclose its assessments, or commit to specific mitigation measures. Samantha Niblett’s question to the Treasury asked directly whether the economic cost of hyperscale outages had been estimated and whether such risks were factored into national digital resilience planning. James Murray’s response confirmed that the government “monitors systemic risks” and “recognises the importance of robust protections” — but did not answer either specific question. The gap between the sophistication of the question and the generality of the answer is itself a finding of analytical significance.
Strategic Intelligence Conclusions
1. The UK government’s cross-departmental exposure to hyperscale cloud providers was, as of 2018, both more extensive and less centrally understood than official procurement rhetoric suggested, with multiple departments unable to provide basic data on their own cloud contract portfolios.
2. The absence of a government-wide agreed definition of “hyperscale” in 2018 — and the absence of any parliamentary evidence that such a definition has since been formally adopted — represents a structural governance gap that undermines any policy designed to manage or limit concentration risk.
3. The formulaic value-for-money and SME-encouragement language deployed across multiple departmental responses in 2018 functioned as a rhetorical shield against disclosure rather than a substantive account of procurement practice, and should be treated with scepticism in any future ministerial response using similar formulations.
4. The November 2025 responses from DSIT and the Treasury confirm that the government’s public position on hyperscale systemic risk remains one of process reassurance — monitoring, resilience, contingency planning — without any disclosed quantitative assessment of economic exposure or specific mitigation commitments.
5. The shift in parliamentary questioning between 2018 and 2025, from procurement transparency to systemic economic and security risk, reflects a maturing understanding among parliamentarians of the strategic stakes involved in hyperscale dependency, but has not yet produced a correspondingly more substantive ministerial response.
6. Senior decision-makers in government, industry, and civil society should treat the parliamentary record on hyperscale governance as evidence of a persistent accountability deficit: the questions being asked are increasingly sophisticated, the answers being given are not, and the gap between the two is itself a material risk indicator for UK digital resilience policy.
Dataset Note
This analysis is based on 25 written parliamentary questions retrieved from the UK Parliament record and submitted in full for analysis, with a retrieval date of 1 April 2026 and no date filter applied to the underlying search. The questions span a period from 19 February 2018 to 19 November 2025, with a pronounced concentration of 22 questions in the February–March 2018 period and only three questions from the remainder of the period. This temporal skew is a limitation of the dataset: it means the analysis is substantially weighted towards a single cross-departmental procurement survey conducted by one backbench MP, and the intervening seven years — during which cloud dependency has deepened considerably and the AI infrastructure debate has intensified — are represented by only three questions. Analysts and decision-makers should treat the 2018 findings as a baseline snapshot rather than a continuous record, and should note that the absence of questions in the intervening period reflects the limits of this particular dataset rather than an absence of parliamentary activity on related subjects more broadly.