When One Government Holds the Off Switch: Cross-Border Redundancy for SME Tech Stacks

On the evening of Friday 12 June 2026, Anthropic received a US government directive — at 5:21pm Eastern, by its own account — ordering it to cut off access to its two most capable AI models, Fable 5 and Mythos 5, for any foreign national, whether inside or outside the United States, including Anthropic's own foreign-national employees. The company complied. To do so, it had to "abruptly disable Fable 5 and Mythos 5 for all our customers" — a worldwide switch-off, three days after the models had launched (Anthropic, 2026; Bloomberg, 2026; TIME, 2026).

Here is the part worth sitting with if you run a small business in the UK: nothing about Anthropic failed. The models worked. The company didn't go bust, didn't get breached, didn't change its terms. By every measure a customer normally checks, it remained a good supplier. It became unavailable to non-US users anyway — by government action, over the vendor's stated objection.

That is a different kind of risk from the ones we usually plan for. And it has a name: jurisdictional concentration risk.

The risk is the flag over the data centre, not the vendor

Most resilience thinking for a small business is about the vendor: are they reliable, solvent, secure, well-run? Those questions still matter. But this episode is about a layer underneath them — the jurisdiction the vendor operates in. A government can reach a company incorporated under its laws and compel it to act, regardless of how good or principled that company is. The character of the vendor doesn't protect you from the flag over its data centre.

For most UK SMEs, that flag is the same flag, over and over. The model (Anthropic, OpenAI), the source control (GitHub), the hosting (AWS, Vercel, Google Cloud or Azure), the CDN and DNS (Cloudflare) — quietly, the whole stack often sits under one government's jurisdiction. One jurisdiction means one off-switch. The Anthropic order made a long-documented, abstract risk suddenly concrete: it stopped being hypothetical.

The political reliability question — opinion

The Anthropic suspension is not an isolated incident but part of a broader pattern. In the current US political climate — characterised by policy reversals, contradictory signals, and governance that prioritises domestic political considerations over global business stability — technology suppliers incorporated under US law face unpredictable regulatory exposure. For international customers, this means that political risk, not technical risk, has become an additional continuity concern.

This is opinion, not fact: the observable pattern of chaotic policymaking (Politico, 2026) creates an environment where even well-intentioned US vendors can be compelled to take actions that harm their international customers overnight. The lesson for UK SMEs is that reliability assessments must now include political exposure analysis alongside traditional technical and financial due diligence.

"Two is one, one is none"

The old continuity instinct says have a backup. Fair — but a backup in the same jurisdiction is theatre against this failure mode. If a regulatory or political action can reach one US provider, it can reach the US provider you'd fail over to. Swapping Anthropic for another American model house does nothing about an order that targets American model houses as a class.

The principle that actually helps is the one soldiers and sysadmins both quote: two is one, one is none — and, crucially, the two must sit in different jurisdictions. Redundancy now has to cross a border to count.

What a UK small business can actually do

You do not need to rip out your stack tomorrow. Frontier US models are, on the date of publishing, genuinely ahead of the European alternatives, and pretending otherwise helps no one. The realistic ladder looks like this:

1. Map your concentration. Write down your model, source control, hosting, CDN and DNS, and the operational jurisdiction of each. If every line reads "US", that single column is your exposure. Most owners have never looked at it laid out this way.
2. Remember that even if cloud providers, such as AWS, GCP and Azure, list the service as being in a European region, but under the US CLOUD Act, all AWS regions are still under US government political and legal reach (US Government, 2018).
3. Prioritise exit-readiness over replacement. The valuable property isn't "uses no US tools" — it's "could move if it had to." Export your data, keep your infrastructure reproducible (infrastructure-as-code), avoid one-way proprietary lock-in. Portability is the cheap insurance.
4. Know your second-jurisdiction options before you need them. For AI models, EU-sovereign options exist: for example Mistral (France), Aleph Alpha (Germany) — with an honest caveat that they trail the frontier on the hardest tasks (Mistral AI, 2024; Aleph Alpha, 2024). For source control, Forgejo and Codeberg (EU) (Forgejo, 2024; Codeberg, 2024). For hosting, Hetzner, OVH or Scaleway (EU) (Hetzner, 2024; OVHcloud, 2024; Scaleway, 2024). You don't have to adopt them; you have toknow which one you'd jump to.
5. Exercise and document your alternatives. Practice moving your tech stack, find the weak points and solve them. Make it so that it is a simple task to relocate if you have to.

The honest limit — and why it strengthens the point

Here's where a lesser version of this argument overreaches, so let's not. You can move the model, the repo, the host and the CDN to Europe and still not be fully sovereign, because naming and numbering trace up to a single, US-jurisdiction apex.

The DNS root and the major registries sit under ICANN/IANA, a body incorporated in California and subject to US law (ICANN, 2023); .com and .net are operated by Verisign, a US company (Verisign, 2023). While the 2016 IANA stewardship transition moved oversight of IANA functions to the global multistakeholder community (NTIA, 2016), ICANN's legal domicile and incorporation remain in California, subject to US federal law (ICANN, 2023). Choosing a .uk or .eu domain and an EU DNS host reduces the exposure, but root delegation still runs through that apex. The same is true of IP numbering: Europe's addresses are administered day-to-day by RIPE NCC in Amsterdam, but the top of the numbering hierarchy is coordinated by the same US-incorporated body (IANA, 2023; RIPE NCC, 2023).

This is a limit, not a defeat. Cross-jurisdiction redundancy genuinely reduces your exposure; it doesn't reduce it to zero. Saying so plainly is the difference between resilience planning and a doom piece. Another useful concept: Control what you can, be aware of what you can't.

Credit where it's due

It would be easy to read this as a story about a bad vendor. It isn't. Anthropic complied with a lawful order it openly disagreed with, told its customers what had happened and why, and published the detail — including that the government's stated concern rested on what Anthropic describes as "a narrow, non-universal jailbreak." That transparency is exactly what you want from a supplier in a bad spot. The lesson isn't "trust this vendor less." It's "don't let any single jurisdiction be your only one."

Disclaimer

Mention of specific companies, services, or products in this article is for informational and contextual purposes only. Such mention does not constitute an endorsement, recommendation, or commercial promotion by Spyced Concepts Ltd. We do not favour any particular vendor, technology, or solution over another. Readers should conduct their own evaluation and due diligence based on their specific requirements.