In February 2026 DSIT admitted it has no settled sovereignty definition. NHS trusts are signing cloud contracts without key-control mapping. MOD has spent £400M on a Google Distributed Cloud deal whose data-flow geometry few inside the building have read. The decisions being made in 2026 will hold for a decade. This is the layer under everything else.
Sovereign compute is the question of who can read your data when, where the keys to the encryption sit, which jurisdiction's law touches the operator, and which compute environment is allowed to process what. It is more than data residency. Residency is a postal address. Sovereignty is a power relation.
For most of the last decade, UK public sector procurement has treated sovereignty as a checkbox. Was the data centre in the UK? Were the encryption keys customer-managed? Was the operator UK-domiciled? The boxes get ticked. The contract gets signed. The data flows.
The signing has accelerated. The thinking has not kept pace.
In February 2026 DSIT officials gave evidence to a Parliamentary committee on the UK's sovereign AI ambitions. Asked for the settled definition of sovereignty the government was operating under, they admitted there was none. The work was, in their phrase, "still in progress".
This is not a technical detail. It is the foundational claim under every NHS cloud contract, every MOD AI procurement, every local-authority data-sharing agreement signed between January 2024 and now. If the government does not have a settled sovereignty definition, then every public-body buyer has been making sovereignty decisions on their own reading of an unsettled concept. Some of those readings have been careful. Many have not. The data layer of the country is being shaped by ad hoc decisions in the absence of a national framework.
The MOD has spent £400M on a Google Distributed Cloud deal for defence workloads. It has spent further on Palantir's Foundry data platform. The technical merits of each are not the question. The question is the geometry of who can read what when, and the contractual mechanisms that constrain that geometry.
The sovereignty test (the RiDraw public tool) asks three questions of any sovereign-compute claim.
One. Where do the encryption keys sit, and who has the legal right to ask for them? If the operator is subject to extraterritorial legal process from a third country, customer-managed keys are a partial defence. A determined legal request can compel disclosure of the operational context that would let an attacker break the encryption envelope.
Two. Where does the compute environment sit, and what governs the operator's staff? An operator with UK data centres but a foreign staffing posture still hands the keys to a foreign workforce. Vetting, security clearance, employment law are the substantive controls.
Three. What is the failover geometry? An AI workload that runs in a sovereign environment but fails over to a non-sovereign one under load is sovereign only in steady state. The contract needs to specify the failover, not just the steady state.
The MOD Google Distributed Cloud deal scores well on question one and adequately on question two, depending on which version of the operator's staffing posture you read. The failover geometry is opaque to public reporting. The Palantir Foundry deployment carries its own version of the same triangle, with a different answer on question one.
Neither is a sovereignty failure. Neither is a sovereignty success either. They are decisions made in the absence of a national framework.
The NHS is the larger and quieter site of the same decisions. Every NHS trust is signing cloud contracts. Every ICB has data-sharing agreements with cloud-hosted analytics providers. The Foundation Trust digital strategy on most boards in 2025 to 2026 takes a major hyperscaler as a baseline.
The sovereignty discussion in NHS contracts is mostly about UK data residency. The keys, the staffing, the failover are rarely in the procurement document. The data goes where the data has always gone. The strategic question of what happens if the geopolitical posture changes in 2027 or 2028 is not on the boardroom agenda.
This matters for NNHIP specifically. The 10-Year Plan ask for outcome commissioning at neighbourhood scale (Library position No. 2) implies a patient-data layer of unprecedented density. PROMs at neighbourhood scale, captured on Apple HealthKit and Android Health Connect, are one of the few ways to build that layer without expanding the existing cloud-hosted footprint. Sovereignty by absence (no PII leaves the device) is the design choice that closes the sovereignty question at source.
The decisions being made now will hold for a decade. Cloud contracts run five to seven years. The replacement cycle for major NHS digital platforms is comparable. The infrastructure that sits underneath the 2032 trajectory commitments is being procured now and will not be re-procured before the trajectory horizon.
If the framework lands in 2026 or 2027, contracts can be re-shaped against it. If it lands after 2028, the public-body buyers will already be locked into the geometry they chose without it.
One. A national sovereignty framework, even an unfinished one. Settled enough to be cited in procurement. Tested against the MOD-Palantir-Google triangle and any equivalent NHS contract. Updated as understanding deepens. The framework does not have to be perfect. It has to exist.
Two. A sovereignty-by-absence track for neighbourhood-health data. Where PROM capture can sit on device (Apple HealthKit, Android Health Connect), it should. Where aggregation is needed, it should run on local hardware under direct NHS control. This is achievable now. It does not need a national framework to start.
Three. Editorial Validators or the equivalent for compute sovereignty claims. The buyer-side cannot do the work alone. There needs to be a credible signal-trust layer that reviews specific contracts against specific claims. The sovereignty test (CC BY 4.0, published by RiDraw) is one starting point. There are others. A national review function would be more powerful.
If you sit at NHS England in the data and digital function, the ask is to put the sovereignty question on the agenda for every new procurement. Not as a checkbox. As a sustained engineering review, with the failover geometry and the staffing posture documented before the contract signs.
If you sit at MOD in the data and AI function, the ask is to publish the geometry of the Google Distributed Cloud and Palantir Foundry deployments in enough detail for the sovereignty test to be run independently. The CC BY 4.0 nature of the public test makes that low-friction.
If you sit at an ICB and you are making a NNHIP-related digital procurement in 2026, the ask is to consider the sovereignty-by-absence track. PROM on device is not the answer for every data flow. It is the answer for the neighbourhood-scale outcome data that NNHIP needs.
If you sit at DSIT or at the Cabinet Office, the ask is to settle the definition. The country is making sovereignty decisions every day. It cannot keep doing so against an unsettled concept for another two years without consequence.
| Claim type | Source citation |
|---|---|
| DSIT February 2026 admission of no settled sovereignty definition | Parliamentary committee evidence session, February 2026; Hansard committee transcript |
| MOD £400M Google Distributed Cloud deal | MOD published procurement documents 2024-2025; defence press reporting |
| Palantir Foundry adoption in MOD and NHS contexts | Published procurement notices; public reporting on the Federated Data Platform contract |
| NHS cloud contract patterns favour hyperscaler baseline | NHS Digital published strategies; Foundation Trust digital strategy returns 2024-2025 |
| Apple HealthKit on-device PROM capture is feasible | Apple HealthKit developer documentation; published academic on-device PROM studies |
| Android Health Connect equivalent capability | Google Health Connect developer documentation |
| Sovereignty test (CC BY 4.0) | RiDraw sovereignty test at /tools/sovereignty-test/ |
| The sovereignty-by-absence design principle | RiDraw PROM/PRIM v0.1 method paper, April 2026 |