There is a phrase buried in this week's parliamentary debate that should make any senior leader sit up, and it has nothing to do with hacking or hostile states. It is the idea of being "locked in".
MPs are worried that government departments have signed up to technology they cannot easily walk away from, even if they wanted to. Once your email, your data, your day-to-day operations all run through one company's platform, switching becomes so expensive and disruptive that you effectively cannot. You are a customer who has lost the ability to say no.
That is the heart of the amendment to the Cyber Security and Resilience Bill. Backed by twenty MPs and proposed by Liberal Democrat Victoria Collins, it calls on the government to publish a "digital sovereignty strategy" to reduce the UK's dependency on overseas suppliers across critical infrastructure. The headline framing is national security. The more practical worry, the one I think matters most for the rest of us, is concentration. Too much of the public sector now runs on a handful of American firms, and a cross-party committee has warned this leaves the UK "at the mercy" of foreign actors and represents a "clear vulnerability".
I want to be careful here, because "sovereign IT" can tip very quickly into flag-waving and protectionism, and that is not the interesting version of this story. The interesting version is about choice. A system you cannot exit is a system that controls you, not the other way around. That is true whether the supplier is in California, Shenzhen or Slough. The question is not "is this company foreign?" but "if this relationship went wrong tomorrow, could we leave without the wheels coming off?" For a surprising number of organisations, the honest answer is no.
There is a second thread in this week's debate that deserves attention, and it is about secrecy. The MPs point out that the UK keeps its analysis of these "chronic risks", things like over-dependence on a few global tech giants, largely classified. France, Germany, Denmark and the Netherlands are having these debates in the open. France is even moving its senior civil servants onto sovereign open-source tools to reduce the risk of surveillance or sudden loss of service. You cannot have a grown-up national conversation about resilience if the evidence is sealed in a drawer. Transparency is not a nice-to-have here. It is the precondition for anyone outside government being able to plan sensibly.
So what does this mean if you are a chief data officer in financial services, a CIO in an NHS trust, or running IT for a university? Watch whether "sovereign IT" stays a slogan or grows teeth through procurement rules. If it becomes the latter, expect data-residency requirements (where your data is physically stored) and vendor-diversification expectations to tighten, and expect those expectations to flow down to private firms holding government contracts. The supply chain does not stop at the department's front door.
My practical encouragement is to stop treating this as a policy story you will deal with later, and start treating it as a design question you can act on now. Most lock-in is not imposed on us in one dramatic decision. It accumulates, one convenient default at a time, until exit feels unthinkable. The organisations that will cope best are the ones that built optionality in early, before anyone forced them to.
One thing to try this quarter: pick your most business-critical system and run a genuine exit test. Ask, in concrete terms, what it would take to move it to a different provider. How long, how much, who would have to sign off, what would break. You are not necessarily going to move it. You are finding out whether you could. That single exercise tells you more about your real resilience than any compliance checklist, and it shifts the conversation from fear of foreign suppliers to something far more useful: knowing exactly where your freedom to choose has quietly run out.