For decades, the Defence sector has operated in an environment where security, sovereignty, and assurance are non-negotiable. From typewriters and filing cabinets to today’s digital-first systems, a culture of security awareness has always been embedded in how information is handled.
But the rapid adoption of cloud technologies by the Ministry of Defence (MOD) is forcing a new kind of conversation, one that challenges long-standing assumptions about how sovereignty can be achieved. This isn’t a move made in isolation; it stems directly from the UK Government’s Cloud First Policy, first introduced in 2013 and reaffirmed in later strategies.
MOD in the Cloud: Policy Setting the Tone
The MOD has clearly set a direction of travel: cloud-first, in line with central Government policy. This has brought huge benefits in terms of flexibility, scalability, and innovation. Yet, for organisations within the Defence Industrial Base (DIB), the move has created a new set of sovereignty challenges.
Suppliers are now receiving Statements of Work (SOWs) and Security Aspects Letters that mandate strict requirements. At the same time, those same programmes are embracing cloud services. For many suppliers, this creates confusion:
- “How can we meet these security requirements if we’re also told to use cloud?”
- “How do we reconcile guidance from MOD, DSIT, NCSC, and GCHQ, when it sometimes feels at odds?”
The challenge isn’t the technology itself; it’s understanding which risks can be tolerated and which must be mitigated.
The Guidance Gap
Current government guidance is high quality, but as Dan Hilton noted during TechUK’s Navigating Sovereignty in the Era of Cloud Computing panel, the world has changed faster than the policy.
- DSIT guidance has been consistent: cloud-first, multi-cloud is acceptable.
- NCSC and GCHQ emphasise a principles-based approach: know your risks, assess them, and assure against them.
Because the MOD aligns its stance with these wider government strategies, Defence organisations are left interpreting multiple voices of authority. The result? Hesitation, uncertainty, and in some cases, stalled transformation.
The Outsourcing Dilemma
Another sovereignty issue arises from outsourcing. Many large organisations have embraced global outsourcing models, only to discover they cannot deliver on MOD or Home Office contracts that require UK-based, sovereign service delivery.
This is where Nine23’s approach (for example, our SC-cleared UK help desk, operated entirely from within the UK) has proven essential. Defence customers often come to us for specific sovereign capabilities that can integrate with their wider services, ensuring compliance without disrupting operations.
But as Dan highlighted, “none of these things are islands.” True sovereignty requires visibility across data flows, risks, and dependencies, not just outsourcing one piece of the puzzle.
The SaaS Lock-In Threat
The future poses another sovereignty risk: the shift of critical software from on-premise to cloud-only SaaS models.
We’ve already seen this with Skype for Business moving to Microsoft Teams. For Defence organisations that previously relied on sovereign, on-premise deployments, this trend raises difficult questions:
- What if a line-of-business application is suddenly only available as SaaS from outside the UK?
- How will that impact operational sovereignty and contract compliance?
- What mitigations should be planned now?
Over the next 3–5 years, this SaaS-driven lock-in could fundamentally reshape how Defence organisations manage sovereignty.
Making Assured Decisions
At Nine23, our perspective is clear:
- Not everything has to be sovereign.
- But decisions about sovereignty must be conscious, documented, and risk-informed.
For the Defence sector, that means:
- Mapping your dependencies — from SaaS providers to subsea cables.
- Understanding what sovereignty really means for each service.
- Making assured decisions backed by evidence, not assumptions.
Conclusion
The MOD’s cloud-first approach is an extension of wider UK Government policy, and its adoption is irreversible. It offers real benefits. But for Defence organisations, sovereignty can no longer be reduced to “where the data rests.” It’s about balancing MOD requirements with the realities of modern cloud environments, and ensuring that security is embedded at every stage.
At Nine23, we support Defence and regulated industries in navigating this balance. From sovereign service delivery to risk-led assurance, we help organisations stay compliant, secure, and operationally sovereign.
You can hear more from our CTO, Dan Hilton, on TechUK’s panel discussion, Navigating Sovereignty in the Era of Cloud Computing.