The Crown Commercial Service (CCS) stands accused of making parts of its flagship cloud computing framework, G-Cloud, inaccessible to small and medium-sized enterprises (SMEs) and the hyperscalers, having set out a series of enhanced participation requirements for its cloud hosting lots.
Government procurement chiefs began the invitation to tender (ITT) part of the procurement process for the 15th iteration of G-Cloud last month, which is set to replace both G-Cloud 14 and CCS’s under-performing Cloud Compute Framework in September 2026.
As stated in the G-Cloud 15 tender document, G-Cloud is the “largest framework of its kind in the public sector”, and CCS said it wants to “leverage” its popularity by merging it with the Cloud Compute Framework.
“G-Cloud spend for FY23/24 was £3.1bn and Cloud Compute was £0.5m,” the document added.
And with G-Cloud 15 now covering the work of two purchasing agreements, the framework’s lot structure looks significantly different to G-Cloud 14.
For example, Cloud Hosting is now spread across two lots (dubbed Lot 1a and Lot 1b) rather than one.
Lot 1a is for suppliers specialising in the provision of “core” infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) subscription services, while Lot 1b covers the same types of services when used to host information that is classified as being above the “official” government data security classification level.
The framework’s Cloud Software Lot has also been similarly split into Lot 2a, covering the provision of infrastructure software as a service (ISaaS), and Lot 2b, which covers software-as-a-service (SaaS) offerings.
Lot 3, covering Cloud Support services, remains intact, but Lot 4, which was run as a standalone framework to G-Cloud 14 for public sector IT buyers that wanted to run their own competitive processes for more complex cloud support contracts, is being axed.
“G-Cloud 15 is the proposed replacement for G-Cloud 14, G-Cloud 14 Lot 4 and Cloud Compute 2 … removing the need for Cloud Compute 3,” confirmed CCS in the G-Cloud 15 tender document.
As well as a rework of the G-Cloud 15 Lot structures, tender documents shared with Computer Weekly by potential framework participants confirm CCS is considering introducing enhanced applicant vetting procedures for Lot 1a and Lot 1b participants.
And these changes could, according to several potential G-Cloud 15 applicants, who spoke to Computer Weekly on condition of anonymity, render these lots inaccessible to SMEs, and trickier for even some hyperscalers – which have come to dominate G-Cloud in recent years – to participate in them.
“Only Google really has a capability amongst the hyperscalers to go for Lot 1b,” said a member of the G-Cloud supplier community. “Meanwhile, I know of at least half a dozen or so SMEs – and maybe the same number again in bigger supplies like Vodafone – who could do Lot 1b easily enough [who will be affected] by these changes.”
What’s changed?
The tender documents shared with Computer Weekly show that Lot 1a and Lot 1b applicants will need to:
Undergo more rigorous financial vetting than required under the previous iteration of the framework.
Possess an expanded number of mandatory ISO accreditations than before, or provide proof that work to acquire them is underway by the time the application deadline for G-Cloud 15 closes in January 2026.
Where Lot 1b applicants are concerned, possess insurance cover in excess of £75m to secure deals through G-Cloud 15.
“The requirements for these cloud hosting lots make it very clear that smaller and SME cloud providers are not welcome to host public sector data, despite their clear capabilities,” said another G-Cloud supplier source.
“This will do nothing to diversify or strengthen the over-concentrated [UK cloud hosting market] market that the Competition and Markets Authority (CMA) has already identified.”
Potential suppliers have until 12 December 2025 to query these requirements by submitting “clarification questions” to CCS, ahead of the deadline for applications to participate in the framework closing on 30 January 2026.
The requirements for these cloud hosting lots make it very clear that smaller and SME cloud providers are not welcome to host public sector data, despite their clear capabilities Anonymous source at a G-Cloud supplier
Computer Weekly has seen a copy of the most recent set of submitted clarification questions, as well as CCS’s responses to them, from which it seems the insurance changes, in particular, have not landed well with the G-Cloud supplier community.
“In regards to the Lot 1b insurance requirements … [£75m] is extremely high and if the objective is for Lot 1b to be comparable with Lot 4 of Cloud Compute 2, then as far as we’re aware, the professional indemnity limit for that was only £1m,” one supplier wrote. “This represents a significant increase in the insurance requirement.”
Another question also sees CCS field a request to consider lowering the required insurance cover needed, as it did in response to supplier pushback on a similar move to increase insurance requirements during the tender process for G-Cloud 14.
“CCS appears to have lost the plot,” said another potential G-Cloud 15 supplier, who spoke to Computer Weekly on condition of anonymity. “There is no limitation on the number of suppliers who can take part in G-Cloud 15, but the bar is so high for the hosting lots, specifically, that it will be a very limited field indeed.”
Enhanced financial check for cloud hosting providers
As confirmed during a recent G-Cloud 15 supplier event, hosted by UK tech trade association TechUK, participants in the framework’s cloud hosting lots will need to participate in a more in-depth Gold Standard Financial Viability Readiness Assessment (FVRA).
This process typically involves suppliers having to participate in a detailed assessment of their financial affairs, involving the supply of extensive information about their businesses, which will be subject to tight scrutiny by CCS.
Under the previous iteration of the framework, all suppliers – regardless of lot – were subject to less onerous checks that would only involve them having to participate in a full FVRA if they did not meet an initial credit score screening test. This system remains in place for Lot 2a, Lot 2b and Lot 3 providers under G-Cloud 15.
The additional administrative burden involved with having to attain a Gold FVRA could end up being a potential barrier to entry to SMEs, specifically, that want to be in the running for cloud hosting deals under G-Cloud 15, it is feared.
Mandatory accreditations and heightened insurance requirements
The CCS-issued bid pack for G-Cloud 15 confirms that it is now mandatory for suppliers wishing to participate in its Cloud Hosting Lots to possess a Cyber Essentials Plus accreditation, as well as the ISO 9001, ISO 20000-1, ISO 27001 and ISO 27018 certifications.
CCS initially stated in its tender documents that suppliers would need to be in possession of these mandatory accreditations by the time the application deadline for G-Cloud 15 closes in January 2026.
“G-Cloud 15 requires a supplier to state that they have ISO 27017 certification,” said another supplier, in the clarification questions document. “This wasn’t a requirement under G Cloud 14, but has become a mandatory requirement for Lot 1a 1763476289.”
They continued: “Three months is insufficient time to get accredited to ISO 27017.”
However, it appears, in response to supplier pushback, that CCS’s stance on this matter has now softened.
“Following a review of requirements and the current capability and capacity issues that exist within the market, CCS has decided to amend its position concerning ISO accreditation,” CCS confirmed in its response.
“The ISO standards listed are still mandatory … to operate in Lots 1a and 1b. However, the requirements on bidders will now be that if they do not currently hold the required ISO certification, they must evidence to CCS, before the application deadline of 30 January 2026, that they have begun the process of certification …. This should take the form of an authorised third-party confirmation from an ISO accreditation body.”
Uptick in insurance requirements
Details of G-Cloud 15’s reworked insurance requirements are laid out in a “Joint Schedule 3” document, shared with Computer Weekly by another prospective framework supplier.
It stipulates that suppliers wanting to secure contracts under framework Lot 1a, Lot 2a, Lot 2b and Lot 3 “shall hold” separate private indemnity, public liability insurance and employers’ liability insurance with cover that totals at least £7m.
As such, suppliers must have separate professional indemnity insurance and public liability insurance of at least £1m each, as well as at least £5m in employers’ liability insurance. Incidentally, these levels of insurance are the same as those required of suppliers on G-Cloud 14.
However, suppliers vying for contracts awarded under Lot 1b, which covers IaaS and PaaS services used to host data that is above the “official” security grading, must have in place separate private indemnity, public liability and employers’ liability insurance that totals at least £75m, the document states.
“It is good in principle to see CCS recognising that there is a market above “official” that cannot be readily serviced by hyperscale public cloud, [but] it is concerning that they have associated that with an automatically higher insurance requirement,” Owen Sayers, an independent security architect and data protection specialist with a long history of working in the public sector, told Computer Weekly.
Services above ‘official’ are one of the last existing preserves of UK SMEs … Cutting them out of that market through restrictive barriers to entry is the last thing the government should be doing Owen Sayers, independent security architect and data protection specialist
“After all, the Ministry of Defence breach of Afghan data may have had a serious, life-threatening impact, but attracted no real financial penalties.”
He also agreed with the members of the supplier community quoted in this article that mandating such high insurance requirements would disproportionately disadvantage UK SMEs operating in the cloud hosting space.
“Services above ‘official’ are also one of the last existing preserves of UK SMEs, who are unique in their capabilities to specialise in these types of solution,” he said.
“Cutting them out of that market through restrictive barriers to entry is the last thing the government should be doing. If anything, they should underwrite and support UK SMEs here. After all, they have little left in the remainder of government they can realistically hope to compete for.”
Computer Weekly contacted CCS to notify it of the suppliers’ comments and to get a response to their concerns about the heightened insurance, financial and accreditation requirements for G-Cloud 15.
In response, Computer Weekly received the following from a CCS spokesperson: “G-Cloud 15 is a live procurement. Suppliers should submit questions about the procurement directly through the official clarification process, where they will be reviewed and addressed appropriately.”
