The terms ‘Sovereign’ and ‘Sovereignty’ are often mentioned in the context of cloud services and have increasing relevance amid growing global uncertainty. But what is meant by UK data sovereignty, and why does it matter?
UK Data Sovereignty means that data remains entirely within UK jurisdiction (Residency) and is not subject to foreign laws or external government access. Establishing this requires considering the ownership and domicile of the supplier and its directors, and the supply chain used. This distinction is crucial for organisations in Defence, National Security, and Critical Industries that require full legal and operational control over their data.
Many providers claim to offer ‘UK Sovereign Cloud’ services, but their infrastructure, management, or ownership is often tied to foreign entities, so what they actually provide is only data residency.
Is it mandatory for public sector organisations to use UK Data Sovereign providers or is Data Residency safe enough?
NCSC Cloud Security Principle 2.1, Physical location and legal jurisdiction, states that “You should be confident that you know where your data is, and who can access your data.”
You should understand:
- in which countries your data will be stored, processed and managed
- which legal jurisdiction(s) your data will be subject to, and whether this is acceptable to you
- the rights that the service provider will have to access and use your data
- the legal circumstances under which your data could be accessed without your consent, and how this affects your compliance with UK legislation
It will also depend on the classification of the data. HMG operates a Classification Policy to identify and value information according to its sensitivity and to drive the right protections. This comprises three levels:
- OFFICIAL
- SECRET
- TOP SECRET
OFFICIAL & OFFICIAL-SENSITIVE
There can often be a misunderstanding about what the OFFICIAL-SENSITIVE classification means in practice, particularly in relation to data sovereignty and storage location. It’s important to clarify that OFFICIAL-SENSITIVE is not a separate classification, but rather a handling caveat applied to information marked OFFICIAL that warrants additional care due to the potential impact of compromise. This could include interest from threat actors, activists, or the media, where a breach might moderately damage the work or reputation of an organisation.
Crucially, the presence of the SENSITIVE caveat does not automatically require data to be stored within UK borders. However, it does indicate that risk must be carefully considered, particularly regarding where and how this information is stored, processed, and transmitted.
GDS has published guidance on multi-region cloud and software-as-a-service. It clarifies where the public sector can store and process government data at OFFICIAL (including OFFICIAL-SENSITIVE). It states “We recommend that organisations adopt a multi-region approach, in which they make controlled, considered use of regions in a way which is compatible with UK law.”
This approach aims to enhance resilience, capacity, and access to innovation. It acknowledges that non-UK cloud services can offer benefits such as cost-effectiveness, sustainability, and additional features. However, it emphasises that such use should be compatible with UK law and that satisfactory legal, data protection, and security practices must be in place.
Furthermore, the guidance clarifies that:
“Government data at OFFICIAL (including the SENSITIVE marking) can be stored and processed in data centres or Cloud regions overseas when satisfactory legal, data protection and security practices are in place; there is no universal requirement for government data classified as OFFICIAL to be physically located in the UK.”
Therefore, while not mandatory, the recommendation is to consider a multi-region strategy that includes overseas cloud regions, provided that all legal and security requirements are met.
Is the Guidance on UK Sovereignty Clear?
While UK Government guidance provides a framework for handling data classified as OFFICIAL (including OFFICIAL-SENSITIVE), it ultimately places responsibility on the information owner to determine whether data residency or sovereignty is necessary.
This is a central tenet of the Government’s Cloud First and Cloud Native strategies, which promote the use of modern, scalable, cloud-based services – provided that all legal, data protection, and security considerations are addressed.
This nuanced approach allows flexibility, but also introduces ambiguity. The guidance does not prescribe hard boundaries, and interpretation varies between departments and services.
There is now an increasing number of examples where decisions on data location and sovereignty are being made by departments and agencies, reinforcing the need for clarity, consistency, and confidence in those decisions.
For example, in 2023 the UK Home Office signed a 3-year, £500,000 contract with AWS, while its previous AWS cloud contract was reportedly worth around £120 million.
Lord Clement-Jones, the Liberal Democrats’ digital spokesman in the second chamber, who submitted a series of parliamentary questions on the deal, said: “It’s really important that we know the Home Office has got the ability to inspect infrastructure to make sure it is delivering the goods. Do we just rely on the say-so of the supplier?”
“The Home Office has got more sensitive information than any other body, other than the DWP (Department for Work and Pensions).”
In response to Lord Clement-Jones’s parliamentary questions, Home Office minister Lord Sharpe said: “The supplier shall not process or otherwise transfer Home Office data outside of the United Kingdom unless the prior written consent of the Home Office has been obtained.”
In another example, in June 2024, documents showed that Microsoft’s lawyers had admitted to Scottish policing bodies that the company cannot guarantee the sovereignty of sensitive law enforcement data, or that the data will remain in the UK, despite long-standing public claims to the contrary.
Nicky Stewart, a former ICT chief at the UK government’s Cabinet Office, said most people with knowledge of how hyperscale public cloud works have known about these data sovereignty issues for years.
“It’s clearly going to be a concern to any police force that’s using Microsoft, but it’s wider than that,” she said, adding that while Part 3 of the Data Protection Act (DPA) 2018 clearly stipulates that law enforcement data needs to be kept in the UK, other kinds of public sector data must also be kept sovereign under the new G-Cloud 14 framework, which has introduced a UK-only data hosting requirement.
Stewart further added that the freedom of information (FOI) disclosure “creates a real opportunity to solve some of these problems, given how much of the UK’s most sensitive data is now sitting on these hyperscale systems”.
U.S. hyperscale cloud platforms have undoubtedly accelerated digital transformation across the UK public sector, but that speed has come with blind spots, particularly around sovereignty, transparency, and control.
When hyperscalers themselves admit they cannot guarantee that law enforcement or government data remains sovereign, it raises the question: who is really in control of our nation’s sensitive data?
Rethinking sovereignty as a requirement in higher-risk use cases like OFFICIAL-SENSITIVE, isn’t about resisting public cloud innovation – it’s about reclaiming control, strengthening resilience, and building trust in the infrastructure that underpins our UK national security and public services.
In a world of increasing geopolitical and cyber risk, sovereignty shouldn’t be optional – it’s strategic. And it starts with where, how, and by whom our data is held.
SECRET & ABOVE
(Very sensitive information that requires enhanced protective controls, including the use of secure networks on secured dedicated physical infrastructure and appropriately defined and implemented boundary security controls, suitable to defend against highly capable and determined threat actors, whereby a compromise could threaten life (an individual or group), seriously damage the UK’s security and/or international relations, its financial security/stability or impede its ability to investigate serious and organised crime.)
If you are handling data at SECRET or above, the requirement is strictly sovereign. Data must remain in systems and infrastructure that are:
- Physically located in the UK
- Under UK legal jurisdiction
- Operated and maintained by UK personnel vetted to appropriate clearance levels (SC/DV)
The NCSC Cloud Security Guidance supports this by stating that:
“A public cloud service can only protect data according to the OFFICIAL threat model (including data with the SENSITIVE handling caveat). This is because a public cloud service will not design or operate its services, operations, and software engineering processes according to the UK SECRET threat model.
If you are developing a service that handles information classified at SECRET or TOP SECRET, you should seek additional specialist advice about the specific threats you need to consider.
There may also be cases where information is not classified as SECRET (or above), but where you need to protect the information to a similar threat model. This might include extremely sensitive bulk personal data or services with very high integrity requirements.”
According to the Security Policy Framework, SECRET and TOP SECRET information will typically require bespoke, sovereign protection.
If SECRET (and above) data were accessed, intercepted or influenced by a foreign actor it could:
- Undermine national security
- Put lives at risk
- Damage international relations
- Compromise UK Defence and Intelligence capabilities
Nine23: A UK Sovereign, High Assurance MSP
At Nine23, we don’t just talk about UK sovereignty – we deliver it. We are a fully UK-owned and operated company, with all staff, solutions, and infrastructure located within the UK. If you have a requirement for UK Sovereign high assurance managed service, please contact us.
- UK Ownership – No foreign ownership or external influence.
- UK-Based Personnel – All employees, from engineers to security teams, must be in the UK.
- UK-Built & Managed Solutions – Infrastructure, applications, and services should be designed, developed, and maintained within the UK.
- Hosted from within the UK – Physical hosting locations should be under UK legal jurisdiction without reliance on foreign-controlled infrastructure.