Summary
- A cross-party group of MPs wants the government to publish a digital sovereignty strategy within 12 months.
- The amendment would assess risks from foreign-supplied technologies, procurement, supply chains, and critical digital services.
- The debate links cyber resilience, cloud dependency, public procurement, and domestic technology capability.
MPs are pushing for the UK government to publish a digital sovereignty strategy as part of the Cyber Security and Resilience Bill, arguing that dependence on overseas technology suppliers creates national security, economic, and operational risks.
The proposed amendment, tabled by Liberal Democrat MP Victoria Collins and backed by 20 MPs, would require the government to set out within 12 months how it plans to assess and reduce risks from foreign-supplied technologies, procurement processes, supply chains, critical digital services, and managed service providers.
The amendment would cover relevant operators of essential services, digital service providers, managed services, and critical suppliers as defined under the UK’s network and information systems framework. It would also require an assessment of hardware, software, supply-chain, and procurement risks, alongside measures to reduce strategic dependence on foreign-owned providers.
Digital sovereignty is becoming less abstract as public services, critical infrastructure, and regulated sectors depend more heavily on cloud platforms, managed services, AI systems, and outsourced software. The question is not whether the UK should retreat from global technology markets. The sharper issue is whether the state knows where it has become dependent, what happens if access changes, and how quickly it could recover from disruption.
The public sector spends heavily on digital technology and relies on outsourced systems for core services. Those arrangements bring capability and scale, but they can also concentrate operational risk. Departments that cannot switch suppliers, audit control planes, protect sensitive data flows, or maintain services during geopolitical or commercial disruption may find that digital transformation has created new fragility.
Cyber policy has traditionally concentrated on attacks, vulnerabilities, and incident reporting. The sovereignty amendment widens the frame. A system can be secure against many common threats and still be strategically exposed if it depends on a supplier, jurisdiction, platform, or managed service that the UK cannot influence during a crisis.
Similar debates are already taking place across Europe. Governments are re-examining public cloud procurement, open-source alternatives, domestic suppliers, sensitive workloads, and the role of foreign hyperscalers in national infrastructure. AI has sharpened the question because model access, compute infrastructure, data governance, and deployment tooling are increasingly tied to a small group of US-headquartered companies.
Sovereignty policy can go wrong if it slides into crude protectionism. Domestic suppliers still have to meet performance, security, reliability, and value-for-money standards. Public bodies cannot justify weaker systems by appealing to geography alone.
The current position is also weak. Treating supplier concentration as an unavoidable feature of modern IT leaves the state with limited options when contracts, laws, sanctions, platform decisions, or geopolitical conditions change. A credible strategy would classify risk, identify critical dependencies, design exit routes, support domestic capability where it is strategically useful, and require public buyers to consider operational control as part of value for money.
The amendment may not survive the legislative process, but the argument behind it will continue. As AI, cloud, and managed services become the operating layer of public services and critical infrastructure, the UK needs a clearer answer to who can keep the systems running when conditions change.










