Subsidiary jurisdiction

FY 2023/24 · United Kingdom

UK public sector hyperscaler lock-in

Risk visible at: L0

Mitigated at: L3

— What happened
A National Audit Office review found UK government departments structurally dependent on AWS, Microsoft, and Google — with switching costs so high that competition had become impossible. Microsoft admitted it could not guarantee data sovereignty for law enforcement data in Microsoft 365. Lock-in had been designed in over 15 years of unconstrained procurement.
— Root cause
No procurement guardrails limiting single-vendor concentration. No interoperability requirements mandating open data formats. No switching cost model. No market competition test. Each individual contract was commercially rational; the aggregate created a structural monopoly the government could not exit.
— How our model mitigates this
Prevention (our model)
At Level 1, no new workload may be placed on a vendor already holding more than 30% of critical infrastructure without a sovereignty impact assessment. At Level 2, all contracts require data exportability in open formats. At Level 3, at least one validated sovereign alternative exists for every critical dependency.
Detection (our observability)
An annual market competition test assesses whether two or more sovereign vendors could replace each critical provider within 12 months. If not, the dependency is classified as CRITICAL structural lock-in. The sovereignty gap score, reported annually to leadership, makes lock-in a governance finding.
— Our specific action
The UK’s lock-in was built over 15 years of individually rational procurement decisions. Our Level 0 assessment reveals the aggregate instantly — a single vendor appearing across infrastructure, identity, productivity, AI, and ERP simultaneously is scored CRITICAL concentration. We then architect the diversification pathway before lock-in becomes structural.

— Source & reference

Published source: Digital transformation in government: addressing the barriers to efficiency (UK National Audit Office)

Commission an assessment
Could this happen to you?
Our Level 0 assessment maps every exposure of this type across your digital estate — in 4 weeks, at a price a director can approve. The findings answer this question precisely.

Citadel Sovereign Advisory

Your hardware, your software, your sovereignty?