Who controls the technology behind a UK manufacturer?
How much this sector depends on technology suppliers it cannot fully control — and where that matters most.
The big picture
For a typical UK mid-size manufacturer, seven of the eight technology building blocks come out as high exposure. The defining risk is distinctive to this sector: the software that runs the live production line, and the firm’s crown-jewel product designs, both sit with foreign-controlled suppliers and under foreign legal reach. Only the firm’s banking is genuinely UK-controlled.
We looked at eight everyday layers of technology a UK manufacturer relies on, from the cloud it runs on to the software that runs the production line. A supplier owned in the United States can be required to hand over data under the US CLOUD Act even when that data is stored in Britain[1]; a British supplier answers only to UK law. We scored each building block on four things — how few the suppliers are, whose laws they answer to, how hard they are to switch, and how essential they are.
Where the exposure sits
Who controls each layer
The building blocks this sector relies on, coloured by who ultimately controls each one:US-controlledUK-controlled
Only one of the eight layers – business banking – is genuinely UK-controlled; all seven technology layers are foreign-controlled (six US-dominated, with European options available as mitigations rather than incumbents).
What this means, in plain terms
If a supplier pulled the plug, how fast would it hurt?
| Speed of impact | Layer | What happens |
|---|---|---|
| Immediate | Identity & access (Microsoft Entra) | Staff log-in fails within hours – an instant lockout of every cloud system at once. |
| Immediate | MES / shop-floor | The production line stops within hours to days; re-equipping it with a different control system could take well over a year. |
| Fast | Manufacturing ERP | Orders, planning and dispatch halt within days; replacing an ERP is a 6-18-month re-implementation compressed into a crisis. |
| Fast | Cloud | Account suspension propagates quickly to everything hosted on it. |
| Medium | PLM / CAD | Engineering can limp on local copies for a short while, but migrating the full design vault is very slow. |
| Slow | Payments & banking | Low exposure – not a crisis layer for a manufacturer. |
What organisations can do about this
| Building block | Practical steps |
|---|---|
| Design IP (PLM/CAD) – protect the crown jewels first | Always keep an exportable copy of the design vault in neutral open formats (STEP, JT) so you are never trapped. Where re-platforming is realistic, the main non-US options are European – Siemens (Germany) and Dassault (France). No UK-controlled suite exists at this scale, so this is about choosing the less-exposed foreign option. |
| Shop floor (MES) – reduce the black box | Prefer a European-controlled system, or one built by a UK system integrator on UK infrastructure, and insist on the right to inspect and pause it. Genuinely UK-controlled options in our database: Cimlogic and FourJaw Manufacturing Analytics. |
| ERP – choose carefully at renewal | ERP contracts last years, so renewal is the decision point. UK-controlled packages in our database: Exel Computer Systems (EFACS) and WinMan. Credible European options: IFS (Sweden), Forterro (Switzerland), Columbus Global (Denmark), Katana and MRPeasy (Estonia). The widely-used names – Infor, Epicor, SYSPRO, Plex – are all American. |
| Cloud and log-in – reduce the Microsoft concentration | Moving the cloud and/or staff log-in off Microsoft stops one problem taking down email, reporting, log-in and computers together. UK and European cloud options: OVHcloud and Scaleway (France), IONOS (Germany), Civo (UK). |
| Payments and banking – accept and monitor | Already low-risk; business banking runs over UK rails under UK law. |
Sources
- US CLOUD Act 2018 (18 U.S.C. 2713) – compels US-incorporated providers to produce data in their custody wherever in the world it is stored. https://www.govinfo.gov/content/pkg/USCODE-2018-title18/html/USCODE-2018-title18-partI-chap121-sec2713.htm
- US Foreign Intelligence Surveillance Act, Section 702 (50 U.S.C. 1881a) – a US directed-surveillance authority. https://www.govinfo.gov/app/details/USCODE-2021-title50/USCODE-2021-title50-chap36-subchapVI-sec1881a
- Vendor ownership and hosting – taken from company filings, public registries (including UK Companies House) and suppliers’ own documentation, compiled in the Information Matters UK vendor sovereignty database.
How we did this. We scored each technology layer on four things — supplier concentration, whose laws they answer to, how hard they are to switch, and how essential they are — using the IM Sovereignty Framework and our UK vendor database. Control and hosting facts come from primary sources; the harder-to-quantify judgments are our reasoned view of a typical organisation. Scores are bands, not exact measurements. Full evidence record available on request.
This research consists of the opinions of the Information Matters team — human and AI — and should not be considered statements of fact.
Information Matters · informationmatters.net
If you have any questions or comments about this article please email info@informationmatters.net

