The Open Rights Group's intervention ahead of the Cybersecurity and Resilience Bill's second reading frames a blunt question for Westminster: can the UK afford to let its critical digital infrastructure remain overwhelmingly dependent on US hyperscalers and proprietary vendors, or does that dependence now count as a strategic vulnerability? The charity's briefing argues for a stronger emphasis on digital sovereignty — pushing for open source, interoperability, and procurement rules that reduce vendor lock-in — and it arrives at a moment when high-profile disruptions and geopolitical pressure have exposed the hard limits of outsourcing resilience to a small set of global providers.
The Core Argument: Digital Sovereignty as National Security
Open Rights Group (ORG) has urged MPs to use the Cybersecurity and Resilience Bill (CSRB) as an opportunity to enshrine a UK Digital Sovereignty strategy into law. The group wants the government to assess and mitigate risks created by reliance on foreign-based hardware, software, cloud platforms, and analytics suppliers — naming Amazon, Microsoft, Google and Palantir as examples of vendors whose scale and legal jurisdictions create potential fragilities. ORG's policy paper calls for stronger procurement rules favouring open source and interoperable systems to reduce the cost and difficulty of replacing suppliers if political pressure or legal constraints interrupt service.
This perspective represents a significant shift in how procurement is viewed. Rather than treating IT purchases as purely commercial decisions based on cost and functionality, ORG reframes them as national resilience issues. The argument suggests that short-term price comparators often miss long-term sovereignty and continuity costs that could prove far more expensive when geopolitical tensions escalate.
The Legislative Context: CSRB and Government Priorities
The CSRB, introduced in late 2025, reached its second reading in the House of Commons on 6 January 2026, the stage where Parliament debates the Bill's general principles and can propose fundamental amendments. The government has paired the Bill with a wider Cyber Action Plan and a new Government Cyber Unit backed with roughly £210 million of funding to coordinate resilience across departments, signalling that cybersecurity is currently a high political priority.
According to The Register's reporting, the CSRB represents a critical legislative opportunity to address digital sovereignty concerns. The bill's timing coincides with growing international recognition that digital infrastructure has become geopolitical infrastructure, with nations increasingly viewing control over their digital ecosystems as essential to national security.
Real-World Cases Highlighting the Risks
International Criminal Court: Sanctions and Service Disruption
ORG cites an episode where the International Criminal Court (ICC) found itself entangled in US sanctions policy: after US executive action in 2025 targeted ICC officials, the chief prosecutor, Karim Khan, reportedly lost access to his Microsoft email account and moved to other services — a development widely reported in international media and followed by the ICC taking steps to reduce dependence on US-centric platforms. Multiple outlets documented service interruption claims, the sanctions' legal reach, and the court's contingency moves.
Microsoft has publicly contested some versions of events, creating a factual dispute over exact corporate actions, but the episode illustrates how extraterritorial sanctions can cascade into operational disruption for organisations that rely on third-party cloud services. This is an example where geopolitics, vendor control and operational continuity intersect.
John Deere and Remote Disablement: Convenience Versus Control
The experience of stolen Ukrainian farm machinery in 2022, where equipment fitted with GPS and remote locking was rendered unusable after being looted, demonstrates the dual nature of remote control features. The capability to disable vehicles is a defensive anti-theft tool and a right-to-repair flashpoint, but it also shows how embedded remote control can be used (or repurposed) at a distance, including in wartime or under political pressure. Reporting by major outlets described how dealers used remote immobilisation to stop stolen harvesters being run, underscoring that possession of control channels can be an operational lever.
Huawei Removal: A Dependency Becomes a Liability
The UK's decision to ban Huawei equipment from 5G core elements in 2020 and order its removal by 2027 shows how quickly a supplier relationship can become a strategic liability once national policy shifts. The move — driven by national security assessments and allied pressure — required large and costly rip-and-replace programmes, and has caused real operational headaches and expense for UK telcos. The episode is often invoked by commentators and campaigners as evidence that long-term reliance on foreign vendors carries geopolitical risk.
Why Digital Sovereignty Matters Now More Than Ever
Digital Infrastructure as Geopolitical Infrastructure
Critical IT systems — identity platforms, citizen records, healthcare IT, emergency services communications, defence supply chains — are not merely operational assets. They are vectors of national capability and, in many cases, national security. When those services sit on software and infrastructure controlled by companies that answer to foreign legal regimes, they can be affected by extraterritorial orders, sanctions, commercial pressures, or unilateral policy shifts. ORG's central claim is that digital sovereignty isn't a nostalgia for national tech stacks; it's a strategic hedge against the concentration of risk in a handful of global vendors.
The Economic Impact of Vendor Lock-In
Vendor lock-in happens when bespoke use of provider-specific platform features, poorly defined exit clauses, or one-off customisations make migration costly or impractical. The Cabinet Office's Central Digital and Data Office (CDDO) has warned the government that concentration in a few hyperscalers could reduce its ability to negotiate favourable commercial terms in the future — effectively surrendering leverage to providers that control the platforms departments depend on. Independent industry reporting has highlighted the risk and the practical pain local councils and public bodies face when custom systems leave them tied to suppliers. The consequence is not just higher bills; it is slower policy options and the inability to respond quickly if a vendor becomes a liability.
AI and Data Analytics: New Frontiers of Dependency
As government systems generate larger datasets and as AI models become integral to decision-making, who controls the infrastructure and who can access the raw data becomes a policy decision. The more that core analytics and training happen on foreign-run platforms, the more the UK buys into a model where critical insights and operational control may be out of reach during geopolitical stress. Companies like Palantir, and hyperscalers offering integrated AI stacks, are powerful enablers — but they also centralise capability. ORG argues that procurement policy should factor this concentration into risk assessments.
Evaluating the Practical Challenges
Strengths of the Digital Sovereignty Argument
ORG's approach has several compelling strengths:
- It reframes procurement as a national resilience issue rather than a pure value-for-money exercise
- The call for open source and interoperable systems is practical: open standards reduce integration friction, increase auditability and make supplier substitution easier
- Real precedents (ICC, John Deere, Huawei) demonstrate that legal or political pressure can interrupt services, strengthening policy urgency
Weaknesses and Practical Constraints
However, significant challenges remain:
- Building, operating and maintaining sovereign alternatives is expensive and time-consuming. Hyperscalers have spent a decade and tens of billions building global cloud footprints; replicating even a subset of that capability requires sustained capital and market coordination
- Open source is not a panacea. It reduces lock-in risk, but wide adoption still requires staff with the right skills, long-term maintenance commitments, and clear responsibility for security updates
- There are trade-offs in resilience decisions. Multi-vendor strategies can reduce concentration risk but increase operational complexity
Policy Options and Technical Implications
Procurement and Contractual Reforms
The government can require interoperability and clear exit pathways in public contracts. Contractual enforcement of data-export guarantees, escrow for critical code and configuration, and mandated standards for APIs and data formats will make it easier to migrate workloads if a supplier becomes politically or operationally untenable. These are blunt but effective levers, and they can be targeted to the most sensitive systems first.
Sovereign Cloud Marketplace Approach
Rather than attempting to replicate hyperscale offerings across the board, the state could fund and aggregate sovereign cloud options for genuinely sensitive workloads: defence, certain national infrastructure, and uniquely sensitive datasets. The CDDO has discussed a Public Sector Cloud Marketplace concept to give departments ready-built, well-architected environments while preserving choice and standards. This approach acknowledges that not every workload needs a sovereign home, but some do.
Technical Implementation for IT Teams
For technology professionals, the sovereignty debate has concrete implications:
- Design for portability: Agencies should adopt cloud-agnostic architectures where practicable: containerised workloads, Infrastructure as Code with provider-agnostic tooling, and careful separation of platform-specific managed services behind abstraction layers
- Workload classification: Governments should classify workloads by sensitivity, recoverability, and strategic importance. High-sensitivity workloads should be the priority for sovereign or highly constrained deployment patterns
- Exit planning: Every major contract should have a tested exit plan, including regular, automated export of data in open formats, and rehearsed cold-standby migrations to alternative environments
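An added example, not taken from the ORG briefing or any government tooling: a minimal exit-readiness audit that ties the workload classification and exit planning points together by checking each export's format, freshness and integrity against its sensitivity tier. The tier names, age limits, open-format list and sample manifest are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed policy values (illustrative, not from the briefing).
OPEN_FORMATS = {"csv", "json", "parquet", "sql", "xml"}
MAX_EXPORT_AGE = {"high": timedelta(days=1),
                  "medium": timedelta(days=7),
                  "low": timedelta(days=30)}

def audit_exports(manifest, blobs, now):
    """Return {workload: [problems]} for exports that would block a migration."""
    findings = {}
    for entry in manifest:
        problems = []
        fmt = entry["path"].rsplit(".", 1)[-1].lower()
        if fmt not in OPEN_FORMATS:
            problems.append(f"proprietary format: .{fmt}")
        limit = MAX_EXPORT_AGE.get(entry["sensitivity"])
        if limit is None:
            problems.append("unclassified workload")
        elif now - entry["exported_at"] > limit:
            problems.append("export is stale")
        data = blobs.get(entry["path"])
        if data is None:
            problems.append("export file missing")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append("checksum mismatch")
        if problems:
            findings[entry["workload"]] = problems
    return findings

# Constructed sample data: export contents keyed by path, plus a manifest.
NOW = datetime(2026, 1, 6, tzinfo=timezone.utc)
BLOBS = {"citizen-records.parquet": b"constructed sample A",
         "case-notes.vendordb": b"constructed sample B",
         "press-office.csv": b"constructed sample C"}

def _entry(workload, path, sensitivity, age_days, recorded):
    return {"workload": workload, "path": path, "sensitivity": sensitivity,
            "exported_at": NOW - timedelta(days=age_days),
            "sha256": hashlib.sha256(recorded).hexdigest()}

MANIFEST = [
    _entry("citizen-records", "citizen-records.parquet", "high", 3, BLOBS["citizen-records.parquet"]),
    _entry("case-notes", "case-notes.vendordb", "medium", 1, b"different bytes"),
    _entry("press-office", "press-office.csv", "low", 2, BLOBS["press-office.csv"]),
]

if __name__ == "__main__":
    for workload, problems in audit_exports(MANIFEST, BLOBS, NOW).items():
        print(workload, "->", "; ".join(problems))
```

Run on a schedule, a check like this turns an exit plan from a contract clause into something that fails loudly when an export lapses or drifts into a vendor-specific format.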
Economic Realities and Industrial Policy Considerations
Building a sovereign sector takes time and demand aggregation. Industrial policy can crowd in suppliers: France and Germany have invested in sovereign cloud initiatives, and European initiatives such as Gaia-X and various national cloud providers are attempting to fill the gap. But national players lack hyperscaler scale, and without long-term, multi-year public sector demand it will remain hard for them to reach equivalent capability and price.
Airbus's tender signals how major European corporates may be needed as anchor customers to create viable sovereign offers. The company estimates only an 80/20 chance of finding a European provider able to host its most sensitive workloads today — highlighting that this isn't just a procurement problem; it's a market-capacity problem.
Risks and Caveats in the Sovereignty Approach
Verification Challenges
Some high-profile examples cited by campaigners — such as the precise sequence and responsibility for the ICC email interruption — include conflicting corporate statements and ongoing legal or diplomatic disputes. Microsoft and other vendors have disputed elements of media coverage at times. Where reporting disagrees, policymakers should seek primary evidence and, if necessary, independent audits to establish the facts before presuming vendor malfeasance.
New Points of Failure
Building a UK or European sovereign cloud does not automatically solve resilience problems. If procurement funnels sensitive workloads to a small number of newly national or regional providers, concentration risk transfers rather than disappears. Sovereignty must be implemented alongside competition policy, supply-chain diversification, and transparency to avoid new monocultures.
Skills and Operational Overhead
Open source and sovereign stacks still require expert operators. The public sector will need to invest in skills, modern DevOps practices, and long-term funding commitments to sustain alternative ecosystems — otherwise the state will still be dependent, only now on niche providers whose commercial viability may be fragile.
Concrete Steps Forward
MPs and civil servants can take several immediate actions:
- Require a national Digital Sovereignty risk assessment for any major contract above a defined threshold
- Mandate interoperable APIs and open data export formats in central government contracts
- Pilot a UK Public Sector Sovereign Cloud Marketplace for high-sensitivity workloads
- Establish an Open Source Maintenance Fund to support long-term stewardship of critical public-sector OSS components
- Include legally enforceable exit and continuity playbooks in contracts with annual migration rehearsals
Conclusion: A Balanced Path Forward
The Open Rights Group's intervention is more than an ideological plea for open source; it is a challenge to conventional cost-centric procurement logic that has underpinned a decade of cloud modernisation. The UK's reliance on a small number of large foreign vendors is now a cross-cutting policy issue: legal exposure, geopolitical leverage, competition policy and operational resilience have collapsed into a single problem set that the Cybersecurity and Resilience Bill is uniquely positioned to address.
The right course is not wholesale decoupling from hyperscalers — that would be impractical and costly — but a calibrated set of measures that protect the nation's most sensitive systems, reduce supplier concentration, and make vendor substitution realistic when it is needed. The political test for MPs at the CSRB second reading is straightforward: will the government acknowledge that digital sovereignty is a public good, and act to reduce systemic dependence where it matters most, or will convenience and short-term savings continue to determine the architecture of public services?
The answer will shape not just procurement, but the UK's operational independence in a world where digital control increasingly equals strategic power. As nations worldwide grapple with similar questions about technological sovereignty, the UK's approach through the CSRB could establish important precedents for how democracies balance innovation, security, and strategic autonomy in an increasingly digital world.