In the basement of a government building in Ottawa, behind security doors and biometric scanners, sits a server rack. Or rather, it used to sit there. The physical machine has been decommissioned. The data it once held—aircraft‑coordination logs, situational‑awareness feeds, the payroll files of the Canadian Armed Forces—now resides somewhere else. It is not in Canada. It lives on computers owned and operated by Amazon Web Services, Microsoft Azure, and Google Cloud, all of them incorporated south of the border. The Canadian government knows this because it pays for the privilege: since 2021, Ottawa has funnelled more than CAD $1.3 billion to the three American cloud giants. Microsoft alone has received over CAD $1 billion. National Defence, the department charged with guarding the realm, runs its “mission‑critical” systems on the rented infrastructure of a foreign power.
Canada is not a cautionary tale; it is the norm. Around the democratic world, the back offices of the state have migrated to a handful of U.S. hyperscale cloud providers. Tax agencies, health services, police databases, pension systems, and intelligence‑sharing platforms now operate as tenants on someone else’s hardware. The three companies that dominate this market—AWS, Microsoft Azure, and Google Cloud—are no longer mere vendors. They have become the landlords of digital statehood, extracting rent and, with it, a structural leverage that no treaty or alliance can fully neutralise. This article dissects the anatomy of that grip.
A market without competitors#
To appreciate the scale of concentration, start with the raw numbers. In the third quarter of 2025, global cloud‑infrastructure spending reached $119 billion, a 25% jump from the year before. Three firms captured 62% of that total (Synergy Research Group, 2025). AWS, the pioneer of the pay‑as‑you‑go model, held 29% of the market and posted quarterly revenue of $33 billion. Microsoft Azure, buoyed by its deep integration with Office 365 and enterprise software, commanded 20% and reported $49.1 billion in broader commercial cloud income—a figure that includes productivity tools but also reflects the gravitational pull of its infrastructure business. Google Cloud, the brash third entrant, sat at 13%, with its AI‑fuelled offerings growing at more than 30% year on year and a staggering $155 billion contract backlog promising even faster expansion ahead.
The bars in the chart above tell one part of the story: sheer scale. These are not software companies in the traditional sense. AWS alone generated an operating profit of roughly $40 billion in the second quarter of 2025, representing about 60% of Amazon’s entire profit, making it one of the most lucrative enterprises in corporate history. But the market‑share line reveals the structural fact: even as the pie expands, the Big Three’s slice remains stubbornly disproportionate. No other competitor breaks double digits. Alibaba Cloud, the largest non‑American rival, hovers around 5%; IBM, Oracle, and Salesforce are niche players. In infrastructure services—the raw computing and storage that governments need—the gap is even starker.
Why? Because cloud computing is not a commodity; it is an ecosystem. Once a government migrates its legacy systems to, say, Azure, it becomes entangled in a thicket of proprietary services, security certifications, and employee training that makes switching providers astronomically expensive and operationally perilous. The Big Three invest tens of billions annually in capital expenditure to widen the moat. Amazon’s 2025 capex, overwhelmingly directed at expanding AWS data centres, was $125 billion. Alphabet (Google) spent $91‑93 billion. These figures exceed the GDP of many of the nations that will eventually rent the server space. The result is a market where the incumbents not only dominate today but are building the capacity to dominate for a generation.
Bricks, mortar, and jurisdiction#
The cloud may sound ethereal, but it is fiercely physical. The world’s hyperscale data centres—warehouse‑sized complexes filled with humming racks of processors—numbered between 1,300 and 1,360 at the end of 2025, nearly triple the count seven years earlier. Three‑fifths of that global capacity is owned by the same three firms. And while the companies are frantically building new facilities in Europe, Asia, and Latin America to satisfy data‑sovereignty laws, the ultimate jurisdiction remains unchanged.
The pie chart shows a simple but devastating fact: 58% of all hyperscale capacity sits in the hands of AWS, Microsoft, and Google. Fifty‑five percent of the world’s total capacity is physically located in the United States. A server in Frankfurt may be ring‑fenced by German privacy law, but the corporation that owns it remains subject to the U.S. CLOUD Act and executive orders. When American law enforcement demands data, the company must comply, often in secret and often regardless of where the disk spins. The physical boundary that once defined sovereignty—the line at which one country’s writ ends and another’s begins—is no longer the relevant boundary. The legal border now follows the certificate of incorporation, and that certificate invariably points to Delaware or Washington state.
The state as tenant#
This legal asymmetry is not an abstract concern; it is the daily reality of public administration. Consider the United Kingdom. Through a single purchasing framework known as SPA24, the British public sector spent £1.9 billion on Microsoft licences in just five months of the 2024‑25 fiscal year—an annualised rate of roughly £4.6 billion. That figure covers everything from the National Health Service’s email servers to the Ministry of Defence’s document‑management systems. The MoD, meanwhile, signed a £400 million deal with Google for a “sovereign cloud,” an arrangement that keeps data on UK soil but still on Google‑managed infrastructure, still accessible under U.S. law.
In the Netherlands, a government audit in mid‑2025 delivered a sobering verdict: all 1,722 public‑sector websites depend on U.S. cloud services. Microsoft alone accounted for 60% of institutional cloud usage. The Dutch authorities publicly urged the European Union to accelerate a sovereign‑cloud strategy, but the horse had long since bolted. Over 20,000 public institutions are locked into contracts that would take years and billions of euros to unwind. The American cloud firms had achieved what no foreign power could through force: a near‑total integration into the operational tissue of a sovereign state.
The United States itself is not immune, though its position is different. Washington is both landlord and tenant. Federal cloud‑services spending runs at about $20 billion a year, a sum that has drawn the usual swarm of contractors and discount deals. AWS committed $1 billion in savings for government customers through 2028 and is investing $50 billion in a private artificial‑intelligence cloud for classified workloads. Microsoft negotiated a $6 billion discount for federal agencies. These are not charitable gestures; they are market‑capture strategies. When the U.S. government builds its next‑generation intelligence platform on AWS’s air‑gapped “GovCloud,” it cedes a degree of technical control to a private entity whose fiduciary duty is to shareholders, not to the Constitution. The Congressional Budget Office has quietly noted that the federal government lacks the in‑house expertise to audit the security of those clouds, leaving it dependent on the vendor’s own assurances.
The CLOUD Act’s long arm#
The linchpin of this dependency is the CLOUD Act of 2018, passed with little fanfare but profound consequence. The law clarifies that U.S. tech companies must produce data requested by American law enforcement even if that data is stored abroad. It also creates a mechanism for foreign governments to request data directly, but the process is onerous and, crucially, subject to U.S. executive‑branch approval. In practice, the CLOUD Act means that the data of a Dutch citizen, held on a Microsoft server in Amsterdam, is reachable by the FBI under American legal process. The Dutch government has no comparable reach into an American data centre in Virginia.
This jurisdictional one‑way mirror is not lost on diplomats. A European Commission official recently compared the CLOUD Act to the extraterritorial claims that sparked the 1904 Dogger Bank incident, when the Russian Baltic Fleet fired on British trawlers off the Danish coast, claiming they were Japanese torpedo boats. The analogy is deliberately absurd, but the point is serious: extraterritorial legal claims, when backed by technological dominance, become instruments of leverage. A nation that hosts its defence secrets on an American cloud is effectively trusting a foreign legal system to protect its most sensitive interests. History suggests that such trust is seldom rewarded indefinitely.
The cost of exit#
Why don’t governments simply build their own clouds? The European Commission’s €180 million sovereign‑cloud tender, launched in late 2025, is one answer. It is a down‑payment on a shared European infrastructure that would, in theory, free the continent from the Big Three. But €180 million is a rounding error compared with the $125 billion Amazon spent on AWS expansion in a single year. Even the projected $250 billion global sovereign‑cloud market by 2028, while sizeable, would be spread across dozens of projects and jurisdictions, none of which individually can match the scale and network effects of the incumbents.
Moreover, the “sovereign cloud” label is often a marketing veneer. Most such offerings are operated by one of the Big Three under a licence that keeps data within national borders but leaves the control plane—the orchestration software, the root keys, the security patches—in American hands. The French government’s “trusted cloud” initiative, which was supposed to exclude American firms, ended up granting a special security clearance to Microsoft and Google after it became clear that a purely French alternative would be years behind schedule and incompatible with widely used applications.
The technical reality is that escape is possible only if a government is willing to accept a degraded digital experience. And in a world where citizens expect instant tax refunds, seamless health records, and AI‑assisted public services, no elected politician is likely to choose clunky but sovereign. The cloud giants understand this; they have moved beyond selling technology and into selling governance itself.
The new imperial rents#
In the 19th century, Britain derived a substantial portion of its imperial income from “rents” on the Suez Canal and on the ports and railways of its colonies. Those rents were extracted by virtue of physical control and enforced by naval power. Today’s infrastructure rentiers extract their returns not with gunboats but with service‑level agreements. The mechanism is different, but the underlying dynamic—a handful of foreign entities holding a tollbooth over the essential flows of statecraft—is remarkably similar.
When Canada’s Department of National Defence cannot communicate with its aircraft except through a platform running on a U.S. cloud, when the United Kingdom cannot send an internal ministry memo without paying a per‑seat licence fee to Microsoft, when the Netherlands cannot launch a new citizen portal without Google’s or Amazon’s tools, the states in question have not outsourced a utility. They have surrendered a degree of operational autonomy that is hard to measure and even harder to recover. Sovereignty, like a muscle, atrophies if not exercised.
The cloud is no longer a piece of government’s technology stack; it is the foundation on which the entire stack rests. In the next article, we will ascend from the server room to orbit, where a different kind of rentier—a satellite constellation—has placed the last mile of connectivity under a single, mercurial authority. For now, the servers hum quietly in the data centres of Northern Virginia, and with each hum, the Westphalian state grows a little more hollow.
