Where your systems actually live

Almost every UK business that runs software runs it on rented ground — and for most of them the landlord is one of three American companies. This article looks at who owns the cloud underneath British IT, what a “UK region” does and does not buy you, and which genuinely UK- and European-controlled alternatives exist. The short version: a data centre in London does not put your data beyond the reach of US law if the company that runs it answers to Washington.

Every other article in this series asks which vendor you should pick. This one starts a level lower, with the ground all the vendors stand on. When a UK firm buys accounting software, a customer-records system or a payroll tool, that software almost always runs on rented infrastructure — someone else’s servers, in someone else’s data centre, reachable over the internet. That layer is “the cloud”, and in the UK it is dominated by three providers: Amazon Web Services (AWS), Microsoft Azure and Google Cloud. We call these the hyperscalers because of the sheer scale of their data-centre estates.

Our own database of UK business software puts a number on the dependency. Across the products we have mapped, roughly 84% host on one of the three US clouds — what we have called the 84% floor. Sovereignty here is not a yes/no switch; it is a dial. The question is not “is my data in Britain?” but “who could be compelled to hand it over, and under whose law?”

A UK region is not the same as a UK provider

All three hyperscalers run data centres in Britain. AWS and Microsoft Azure have London regions; Google Cloud has a London region too (europe-west2, listed on Google’s own locations page, which shows 43 regions worldwide). So a UK customer can, in most cases, choose to keep data physically in Britain. That is real, and it matters for latency and for some data-protection obligations.

But physical location is only one layer of the dial. The harder layer is legal reach — whose courts and intelligence agencies can compel the provider to produce your data, wherever it sits. Two US laws settle this for any US-controlled provider:

• The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), written into US law at 18 U.S.C. § 2713, says a US provider must hand over data in its “possession, custody, or control, regardless of whether [it] is located within or outside of the United States.” In plain terms: a London data centre run by a US company is still reachable by a US warrant.
• Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), at 50 U.S.C. § 1881a, lets US authorities compel an “electronic communication service provider” to assist in collecting foreign-intelligence information on people outside the United States. It was most recently reauthorised in April 2024.

Neither law cares which flag flies over the building. They follow the company’s ownership. So the test we apply throughout this series is ownership, not headquarters address: who ultimately controls the entity, and which government can lean on it.

“Sovereign cloud” — the partial answers

The hyperscalers know this is a problem for European buyers, and each has built an answer.

AWS European Sovereign Cloud is described by Amazon as “a new, independent cloud for Europe” with operations run by European personnel and legal structures intended to keep it at arm’s length from the US parent. It is a serious engineering effort. But the ultimate parent is still Amazon.com, Inc., a US-listed company, so the CLOUD Act question does not vanish — it depends on how watertight the operational and legal separation turns out to be in practice, which is untested.

Microsoft offers two related things. Its EU Data Boundary commits to storing and processing the personal data of EU and EFTA customers within Europe. The catch for British readers is in the name: it is the EU boundary, and the UK left the EU. A UK customer is not inside the EU Data Boundary by default. Microsoft also markets Microsoft Cloud for Sovereignty for governments and regulated bodies, again under Microsoft Corporation’s ultimate control.

These offerings move the dial — they reduce day-to-day exposure and the routine flow of data across the Atlantic. What they cannot do, while the controlling company is American, is remove the CLOUD Act and FISA 702 reach entirely. That is the honest limit of “sovereign cloud” from a US provider.

The genuinely UK- and European-controlled options

There is a real market of providers controlled outside the United States. They are smaller, and none has the feature depth of a hyperscaler, but for many workloads they are credible.

British-controlled. Civo is a London-founded company (founder and chief executive Mark Boost) that markets itself explicitly as sovereign cloud, with a London region. Its commercial chief, Simon Hansford, previously ran UKCloud — which matters, because UKCloud is the cautionary tale here. UKCloud Ltd (originally Skyscape Cloud Services), once the flagship UK-government cloud provider, entered liquidation in 2022 and remains in liquidation under Ernst & Young, per Companies House. The lesson is not that British cloud is doomed but that scale and sustainable economics are hard against the hyperscalers. Several listed and private UK names operate managed and “sovereign” private cloud and colocation — iomart and Redcentric (both AIM-listed in London), Hyve Managed Hosting, Krystal Hosting, Nine23 and 34SP.com (all UK founder-owned). Two cohort names look British but are not, on the ownership test: Node4 is controlled by US private-equity firm Providence Equity Partners, and Pulsant by France-based Antin Infrastructure Partners.

European-controlled. France has the two best-known names: OVHcloud (listed on Euronext Paris) and Scaleway (part of iliad SA). Germany has IONOS (listed in Frankfurt, with a UK region), Hetzner (founder-owned), STACKIT (part of the Schwarz retail group) and the Deutsche Telekom-operated Open Telekom Cloud. These sit under European law, which still has its own access regimes, but not the CLOUD Act. They are the clearest way to move the dial off US legal reach for workloads that do not need a hyperscaler’s catalogue.

At a glance

Provider	Controlled from	UK region?	Legal reach	Notes
Amazon Web Services [1]	USA (listed)	Yes (London)	US: CLOUD Act + FISA 702	The largest UK cloud landlord
AWS European Sovereign Cloud [1]	USA (listed)	No (EU)	US reach persists via parent	“Independent cloud for Europe”; separation untested
Microsoft Azure [2]	USA (listed)	Yes (London)	US: CLOUD Act + FISA 702	EU Data Boundary excludes the UK by default
Microsoft Cloud for Sovereignty [2]	USA (listed)	Optional	US reach persists via parent	Aimed at governments/regulated bodies
Google Cloud [3]	USA (listed)	Yes (London, europe-west2)	US: CLOUD Act + FISA 702	43 regions worldwide
Oracle Cloud (OCI) [4]	USA (listed)	Optional	US: CLOUD Act + FISA 702	UK regions available
IBM Cloud [5]	USA (listed)	Optional	US: CLOUD Act + FISA 702	UK data-centre presence
OVHcloud [6]	France (listed)	Yes	EU/French law; no CLOUD Act	Largest EU-controlled hyperscale alternative
Scaleway [7]	France (iliad SA)	No	EU/French law; no CLOUD Act	Sister to iliad’s telecoms business
IONOS [8]	Germany (listed)	Yes	EU/German law; no CLOUD Act	Frankfurt-listed; UK region
Hetzner [9]	Germany (founder-owned)	No (DE/FI)	EU/German law; no CLOUD Act	Low-cost; servers in Germany and Finland
Open Telekom Cloud [10]	Germany (Deutsche Telekom)	No	EU/German law; no CLOUD Act	Operated by T-Systems
STACKIT [11]	Germany (Schwarz Group)	No	EU/German law; no CLOUD Act	Owned by the retailer behind Lidl/Kaufland
Civo [12]	UK (founder-owned)	Yes (London)	UK law	UK-founded; markets as sovereign cloud
iomart [13]	UK (listed, AIM)	Yes	UK law	Managed and private cloud, colocation
Redcentric [14]	UK (listed, AIM)	Yes	UK law	Managed/sovereign cloud, colocation
Hyve Managed Hosting [15]	UK (founder-owned)	Optional	UK law	Managed public/private cloud
Node4 [16]	USA (Providence Equity)	Yes	US ownership; UK operations	UK brand, US private-equity control
Pulsant [17]	France (Antin Infrastructure)	Yes	EU ownership; UK operations	UK brand, French infrastructure-fund control

The escape routes are real — and they have a cost

The dial gives buyers five honest positions, from least to most sovereign:

1. Hyperscaler, UK region pinned. The default for most UK firms. You get the full catalogue and physical UK residency, and you accept US legal reach. This is a defensible choice if you name it as a choice.

2. Hyperscaler sovereign offering. AWS European Sovereign Cloud or Microsoft Cloud for Sovereignty reduce routine data flow and tighten operational controls, but do not remove the parent-company legal reach.

3. European-controlled provider. OVHcloud, Scaleway, IONOS, Hetzner and others move you off US law onto European law, at the cost of a thinner service catalogue and more integration work.

4. UK-controlled provider. Civo, iomart, Redcentric and the managed-hosting names keep both control and operations under UK law. Smaller catalogues; strongest on the ownership test.

5. Private cloud or colocation. Your own kit, your own (or a UK provider’s) data centre. Maximum control, maximum operational burden.

The cost of moving along the dial is real: re-architecting applications, losing proprietary hyperscaler services, and doing more of the operational work yourself. The cost of not thinking about it is that you may be carrying US legal exposure on data — health, legal, financial, government — where that exposure is the thing you most needed to avoid.

What buyers should take from this

For most UK organisations the realistic outcome is staying on a hyperscaler — so the sovereignty work becomes a set of configuration and contract questions. Is the tenant pinned to a UK region? Do we hold our own encryption keys (the providers call this “bring your own key” or “hold your own key”)? For the genuinely sensitive workloads — anything where a foreign government compelling disclosure would be a serious problem — is there a case for putting that slice on a UK- or European-controlled provider, even if the rest stays on a hyperscaler?

The split rarely has to be all-or-nothing. A common and sensible pattern is hyperscaler for the bulk, with the sensitive core on a sovereign-by-ownership provider. What this category adds to the series is its foundation: every other sovereignty decision a UK business makes sits on top of the cloud underneath it, and for most businesses that cloud is American. Knowing that, and choosing it deliberately rather than by default, is the whole of the exercise.

Sources

All facts are taken from each provider’s own published pages, from US statute as published by the Legal Information Institute (Cornell Law School), and from Companies House, read directly during June 2026. Ownership/control domicile is drawn from Information Matters’ audited vendor database. Legal-reach statements rest on two statutes: the CLOUD Act, 18 U.S.C. § 2713, and FISA Section 702, 50 U.S.C. § 1881a.

• US CLOUD Act — 18 U.S.C. § 2713: https://www.law.cornell.edu/uscode/text/18/2713
• FISA Section 702 — 50 U.S.C. § 1881a: https://www.law.cornell.edu/uscode/text/50/1881a

1. Amazon Web Services / AWS European Sovereign Cloud — AWS digital sovereignty page: https://aws.amazon.com/compliance/europe-digital-sovereignty/ ; parent Amazon.com, Inc. (NASDAQ: AMZN)
2. Microsoft (Azure / Cloud for Sovereignty) — EU Data Boundary: https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn ; parent Microsoft Corporation (NASDAQ: MSFT)
3. Google Cloud — global locations (43 regions, London europe-west2): https://cloud.google.com/about/locations ; parent Alphabet Inc. (Nasdaq)
4. Oracle Cloud Infrastructure — data regions: https://www.oracle.com/cloud/public-cloud-regions/ ; parent Oracle Corporation (NYSE)
5. IBM Cloud — data centres/regions: https://www.ibm.com/cloud/data-centers ; parent International Business Machines Corporation (NYSE)
6. OVHcloud — corporate: https://corporate.ovhcloud.com/en/ ; OVH Groupe SA (Euronext Paris)
7. Scaleway — about: https://www.scaleway.com/en/about-us/ ; part of iliad SA
8. IONOS — group/investor relations: https://www.ionos-group.com/ ; IONOS Group SE (Frankfurt Stock Exchange)
9. Hetzner — company: https://www.hetzner.com/unternehmen/ ; Hetzner Online GmbH (founder-owned)
10. Open Telekom Cloud — operator: https://open-telekom-cloud.com/en ; Deutsche Telekom AG / T-Systems
11. STACKIT — company: https://www.stackit.de/en/ ; Schwarz Group (Schwarz Digits)
12. Civo — about: https://www.civo.com/about ; Civo Limited (UK, founder-owned)
13. iomart — corporate: https://www.iomart.com/ ; iomart Group plc (AIM: IOM)
14. Redcentric — corporate: https://www.redcentricplc.com/ ; Redcentric plc (AIM: RCN)
15. Hyve Managed Hosting — company: https://www.hyve.com/ ; UK founder-owned
16. Node4 — about: https://www.node4.co.uk/ ; controlled by Providence Equity Partners (US)
17. Pulsant — about: https://www.pulsant.com/ ; controlled by Antin Infrastructure Partners S.A. (France)

• UKCloud Ltd (liquidation) — Companies House, company 07619797: https://find-and-update.company-information.service.gov.uk/company/07619797