Why “UK-hosted” cloud doesn’t mean what you think

Cloud computing has become a core function in modern finance, and while many firms depend on it to store their sensitive data, they do not realise what happens to that data once it is uploaded.

A new whitepaper from esynergy, ‘Who really controls your cloud?’, examines what UK technology professionals need to know about sovereignty, control and risk across modern platforms. esynergy claims that most organisations lack a clear view of where their data sits, who controls the systems around it and what legal frameworks apply.

The report argues that data location and operational control are fundamentally separate concerns in modern cloud architecture — and that conflating the two creates significant legal and security blind spots for UK enterprises. In a typical enterprise stack analysed by eSynergy, 20 of 21 platform components were found to have primary sovereignty exposure outside the United Kingdom. The sole exception was data at rest — which the report describes as the least significant element from a control perspective.

Central to the paper’s argument is the role of the control plane. Even where workloads are deployed in UK regions, administrative actions routinely route through infrastructure controlled by vendors headquartered in the United States, placing that data within reach of the CLOUD Act — US legislation that compels disclosure regardless of where data is physically stored. The paper notes that when hyperscaler executives have been questioned in regulatory proceedings, rather than marketing materials, they have acknowledged they cannot guarantee European data remains outside the reach of US authorities.

The whitepaper also takes aim at four common misconceptions it labels as fallacies. The first is the belief that UK-hosted infrastructure confers meaningful jurisdictional control. The second is that European cloud providers offer a viable sovereign alternative — a claim the paper counters by pointing to the trajectory of Gaia-X, the flagship EU sovereign cloud initiative.

The third fallacy is hardware independence, with the report highlighting that TSMC manufactures 90% of the world’s most advanced chips and the US sources 92% of its advanced AI semiconductors from the same supplier. The fourth is the notion that self-hosting resolves the problem — eSynergy argues this shifts only three of 21 components into UK jurisdiction while significantly increasing operational risk and human attack surface.

The whitepaper also explores why sovereignty is not a point-in-time certification but a continuous exposure, reintroduced with every patch, update and scaling event. Finally, esynergy offers the practical questions engineering and risk leaders should be asking.

For more insights, download the free whitepaper here.

Copyright © 2026 FinTech Global
