The Open Rights Group is warning politicians that the UK is leaning far too heavily on US tech companies to run critical systems, and wants the Cybersecurity and Resilience Bill to force a rethink.

The digital rights outfit says the bill, which is due to receive its second reading in the House of Commons today, represents a rare opportunity to force the government to confront what it sees as a strategic blind spot: the UK's reliance on companies such as Amazon, Google, Microsoft, and data analytics biz Palantir for everything from cloud hosting to sensitive public sector systems.

UK govt office admits ability to negotiate billions in cloud spending curbed by vendor lock-in

READ MORE

"Just as relying on one country for the UK's energy needs would be risky and irresponsible, so is overreliance on US companies to supply the bulk of our digital infrastructure," said James Baker, platform power programme manager at Open Rights Group. He argued that digital infrastructure has become an extension of geopolitical power, and the UK is increasingly vulnerable to decisions taken far beyond Westminster's control.

"Now more than ever, the UK needs to build and protect sovereignty over its digital infrastructure, and not leave itself vulnerable to the policies and actions of foreign powers such as the US and China," Baker added. While the US remains a close ally, he said its growing willingness to use economic and technological leverage to pursue political and military objectives should give UK lawmakers pause.

"The Cybersecurity and Resilience Bill is an opportunity to improve the UK's control over its infrastructure," he added.

ORG points to several recent cases where control over digital infrastructure was used as political leverage. 

One case cited in its briefing involves the International Criminal Court, which reportedly found itself caught up in US sanctions policy. After former US president Donald Trump imposed sanctions on the court over its arrest warrant for Israeli prime minister Benjamin Netanyahu, reports emerged that the email account of chief prosecutor Karim Khan was blocked. Microsoft denied cutting off access, but the ICC later confirmed that in October 2025 it had stopped using Microsoft services altogether, switching instead to openDesk, an open source European platform.

• Europe gets serious about cutting digital umbilical cord with Uncle Sam's big tech
• Canadian data order risks blowing a hole in EU sovereignty
• Microsoft-SAP pact aims to keep Euro cloud running in a crisis
• Brussels eyes AWS, Azure for gatekeeper tag in cloud clampdown

Another episode dates back to 2022, when US agricultural giant John Deere remotely disabled tractors stolen by Russian forces from a Ukrainian dealership. The move was widely celebrated at the time, but it also revealed that the same remote "kill switch" could, under political pressure, be used against customers anywhere in the world.

Closer to home, ORG points to the UK's own experience with Huawei. The Chinese networking giant's kit is being expunged from Brit networks following extensive pressure from the US government. The episode, ORG argues, shows how quickly strategic dependencies can turn into liabilities.

ORG says ministers need to think harder about what happens when things go wrong, such as a major supplier pulling out or foreign laws getting in the way of UK access to data. It argues that those risks should be considered up front when the government signs off on core digital systems.

The group's point is that security tends to look fine until politics gets involved. Systems can be locked down and fully certified, but still come unstuck if they depend on a few foreign vendors, closed platforms that can't be swapped out quickly, or cloud services that ultimately answer to lawmakers in another country.

Airbus to migrate critical apps to a sovereign Euro cloud

READ MORE

Its proposed fix is not flashy. ORG wants the government to lean harder on open source software and interoperable systems, reducing vendor lock-in and making it easier to replace suppliers when relationships sour. The upside, it says, is that more UK firms would finally stand a chance of bidding for public sector work, instead of watching contracts default to the same multinational names, including AWS and Microsoft.

The timing is no accident. Similar arguments are playing out across Europe, where governments are growing twitchy about just how much of their digital plumbing now sits in the hands of US hyperscalers.

Whether the UK treats that as a warning sign or just the price of convenience is now a question MPs will have to answer. ®