A new data dive published by Computer Weekly on 2 June 2026 maps 2,823 distinct infrastructure connections across 19 UK central government departments and 10 local councils, and the picture it produces is uncomfortable. Authored by Antony Adshead, the investigation walks DNS, routing, identity and edge layers to show how much of the British public sector now sits on a small number of foreign owned platforms. The headline figure, that 96.55% of surveyed entities are exposed to the US Cloud Act and FISA Section 702, will not surprise procurement teams, but the granularity of the underlying map should.
Where the connections concentrate
The full count breaks down cleanly along familiar lines. Microsoft Cloud accounts for 466 of the mapped connections, the deepest footprint by some distance because it is wired into DNS, routing and identity for many of the surveyed bodies rather than sitting at a single application layer. Google Cloud holds 264 connections and Amazon Web Services 137. Around that core sits a thinner but still concentrated secondary tier: Cloudflare appears in 14 entities, Akamai and Fastly in 7 each, Apple Enterprise services in 16, Salesforce in 7 and ServiceNow in 5. Email security splits between Mimecast and Proofpoint. Of every vendor named in the secondary tier, only Mimecast is headquartered outside the United States.
The jurisdictional surface
The 96.55% exposure figure is the number that will travel furthest, and it deserves to. Both the Cloud Act and Section 702 of the Foreign Intelligence Surveillance Act reach data held by US headquartered providers regardless of where the bits physically sit, which means UK region selection and data residency promises do not change the legal posture. The Adshead piece, available on Computer Weekly, sets that exposure against the practical reality that the same providers also run identity and resolution, the layers that decide who can log in and where traffic terminates. Compromise or compulsion at those layers does not produce a tidy data extract problem, it produces an availability problem.
Departmental patterns
Concentration is not evenly distributed. The Department for Transport runs an estimated 79% of its digital footprint inside Google Cloud, an unusually monolithic posture for a department of that size. The newer Department for Energy Security and Net Zero, by contrast, has so far avoided the legacy entanglement that older Whitehall estates carry, partly because it inherited fewer running contracts and partly because it has been able to design its early architecture against a more current threat model. The contrast is useful because it shows that hyperscale dependence is path dependent rather than inevitable, and that greenfield departments still have room to choose differently.
Taker rather than maker
Owen Sayers of Secon Solutions, quoted in the data dive, captures the strategic position bluntly: the UK is a 'taker rather than maker' of cloud platforms. The Adshead investigation pins four structural risks to that posture. Single points of failure, because identity and resolution sit on the same handful of providers as the workloads. A visibility gap, because the buyer cannot see far enough into the operator stack to audit configuration drift in real time. Configuration brittleness, because misconfigured tenants in a shared control plane can propagate failure horizontally. And the jurisdictional trap, the legal exposure that no contractual data residency clause currently dissolves. These four risks compound, they do not sit in isolation.
What we are telling operators this quarter
We are using the Computer Weekly map as the prompt for a forced exit modelling exercise with public sector and regulated clients. The exercise is narrow and concrete. Pick one hyperscaler, assume a 90 day compulsory wind down driven by either a sanctions event or a Cloud Act disclosure that breaches a UK statutory duty, and walk the dependency graph until the migration cost, the identity rebuild cost and the DNS cutover cost are all numbered. The output is not a migration plan, it is a price tag attached to inaction. We are also drafting procurement clauses borrowed from the EU sovereign cloud frameworks, specifically the residency, key custody and operator nationality conditions, so that the next refresh cycle has a defensible alternative to the default single vendor renewal. For the identity layer specifically, we are pointing buyers at the emerging BSI guidance on separation of resolution, authentication and workload hosting, because consolidating all three under one provider is the configuration that turns a vendor incident into a national outage.
An inventory, not an argument
The map Adshead has built is not a campaign document, it is an inventory, and inventories are harder to argue with than opinions. 2,823 connections, three providers carrying the bulk of them, one of which sits underneath identity for most of Whitehall, and a legal exposure that touches almost every entity surveyed. None of that changes by the next budget cycle without a deliberate procurement decision, and the longer the map looks the same, the more expensive the eventual unwind becomes. The full data dive is worth reading end to end, ideally with a procurement lead in the room. The uncomfortable read on the numbers is that the surveyed footprint is almost certainly an undercount, because shadow tenants, departmental SaaS sprawl and contractor managed environments rarely surface in a public mapping exercise of this kind. If 2,823 is the floor, the ceiling is meaningfully higher, and the jurisdictional exposure follows the same direction of travel.
The next six months of UK procurement signals
Three signals will tell us whether the map prompts a response or simply gets filed. First, whether the next wave of central government framework refreshes carries an operator nationality clause or a key custody requirement borrowed from European sovereign cloud templates. Second, whether the Department for Energy Security and Net Zero holds its lighter footprint as it scales, or quietly drifts toward the same default that captured its older neighbours. Third, whether any council in the surveyed 10 publishes a forced exit cost estimate of its own, because once one local authority numbers the unwind, the others have a reference point. Until those signals move, the inventory stands and the exposure compounds quietly in the background of every renewal.
