Maintaining the true sovereignty of the UK’s CNI data
As our nation’s Critical National Infrastructure (CNI) continues its ongoing digital journey, Operators of Essential Services (OESs), their supply chains, and their technology partners are increasingly forced to reconsider longstanding assumptions that includes preserving the integrity of the sensitive data used to monitor, manage, and maintain their critical operational assets, systems, and process.
With increased use of third-parties, highly interconnected physical and digital systems, and inter- and intra-site flows of real time data essential to for the operation and availability of critical services, it is important that both the attack surface and potential attack vectors are understood, documented, and – wherever possible – secured.
One of the less obvious, but increasingly vital, areas that must be factored into OES’ overall security posture is the question of data sovereignty. While most technology providers will already promise a certain degree of data sovereignty, recent events have shown the question to be much more complex than previously assumed, and so a closer look is needed…
Defining ‘sovereignty’
This is ostensibly simple. In its broadest terms, data sovereignty refers to the specific location where data is assimilated, processed, and hosted, i.e. the data centres in which it is stored. Organisations may require their data to be geolocated in their own country of operation for security or compliance purposes, particularly for organisations who fall under the new CNI umbrella.
Indeed, the UK Government has also codified this requirement, with the Data Protection Act 2018 placing strict restrictions on how and when data may be transferred to overseas locations.
So far, all fairly straightforward…
But, as we have already touched on, physical and digital infrastructure is now interconnected in ways that would previously have been inconceivable, particularly with the now near-ubiquity of Cloud platforms. While a Cloud provider may indeed maintain data centres in their customers’ required locations, what guarantees can they offer that critical data will never leave the stated regions at any point? When we consider that regulations such as the USA’s Cloud Act allow governments to access the data stored in any Cloud platforms incorporated in their countries – an unacceptable scenario when it comes to the data that powers our nation’s critical services.
Retaining control of our critical data… in transit and at rest
In light of these concerns, our definition of data sovereignty must expand to not only encompass where it sits at rest, but any other regions it may pass through when in transit. The need for this shift was highlighted in 2024, when Microsoft were forced to disclose that they were unable to guarantee that the data stored on their Cloud platforms by the Scottish Policing Authority would always remain in the UK. Things get even more blurred if a Cloud provider is part of an umbrella company headquartered in a different country.
Based on conversations I and my colleagues across the Exponential-e Group are currently having with multiple OESs around their security and compliance challenges, I would argue that technology providers must be ready to take the lead here, ensuring this new standard of data sovereignty is inherent in the design of their solution wraps. This should include:
- Ensuring they are fully incorporated in the locations in which their customers operate
- Maintaining full jurisdictional control of all data
- Establishing per-user control over who is able to access critical data, with all appropriate clearances in place
- Extending these principles to their business continuity and disaster recovery processes, with all backups hosted in the customer’s own nation
This conversation is very much ongoing, and new dimensions are sure to reveal themselves in the years ahead, but as this new model of data sovereignty establishes itself, we will have achieved a robust foundation for ensuring the continued performance and availability of critical services across the country.
For more information on these topics, our most recent report – Translating the new regulatory standards into a sustainable cyber strategy – is available for download here.
