What’s changed?

The tender documents shared with Computer Weekly show that Lot 1a and Lot 1b applicants will need to:

• Undergo more rigorous financial vetting than required under the previous iteration of the framework.
• Possess an expanded number of mandatory ISO accreditations than before, or provide proof that work to acquire them is underway by the time the application deadline for G-Cloud 15 closes in January 2026.
• Where Lot 1b applicants are concerned, possess insurance cover in excess of £75m to secure deals through G-Cloud 15.

“The requirements for these cloud hosting lots make it very clear that smaller and SME cloud providers are not welcome to host public sector data, despite their clear capabilities,” said another G-Cloud supplier source.

“This will do nothing to diversify or strengthen the over-concentrated [UK cloud hosting market] market that the Competition and Markets Authority (CMA) has already identified.”

Potential suppliers have until 12 December 2025 to query these requirements by submitting “clarification questions” to CCS, ahead of the deadline for applications to participate in the framework closing on 30 January 2026.

The requirements for these cloud hosting lots make it very clear that smaller and SME cloud providers are not welcome to host public sector data, despite their clear capabilities

Computer Weekly has seen a copy of the most recent set of submitted clarification questions, as well as CCS’s responses to them, from which it seems the insurance changes, in particular, have not landed well with the G-Cloud supplier community.

“In regards to the Lot 1b insurance requirements … [£75m] is extremely high and if the objective is for Lot 1b to be comparable with Lot 4 of Cloud Compute 2, then as far as we’re aware, the professional indemnity limit for that was only £1m,” one supplier wrote. “This represents a significant increase in the insurance requirement.”

Another question also sees CCS field a request to consider lowering the required insurance cover needed, as it did in response to supplier pushback on a similar move to increase insurance requirements during the tender process for G-Cloud 14.

“CCS appears to have lost the plot,” said another potential G-Cloud 15 supplier, who spoke to Computer Weekly on condition of anonymity. “There is no limitation on the number of suppliers who can take part in G-Cloud 15, but the bar is so high for the hosting lots, specifically, that it will be a very limited field indeed.”

Enhanced financial check for cloud hosting providers

As confirmed during a recent G-Cloud 15 supplier event, hosted by UK tech trade association TechUK, participants in the framework’s cloud hosting lots will need to participate in a more in-depth Gold Standard Financial Viability Readiness Assessment (FVRA).

This process typically involves suppliers having to participate in a detailed assessment of their financial affairs, involving the supply of extensive information about their businesses, which will be subject to tight scrutiny by CCS.

Under the previous iteration of the framework, all suppliers – regardless of lot – were subject to less onerous checks that would only involve them having to participate in a full FVRA if they did not meet an initial credit score screening test. This system remains in place for Lot 2a, Lot 2b and Lot 3 providers under G-Cloud 15.

The additional administrative burden involved with having to attain a Gold FVRA could end up being a potential barrier to entry to SMEs, specifically, that want to be in the running for cloud hosting deals under G-Cloud 15, it is feared.

Mandatory accreditations and heightened insurance requirements

The CCS-issued bid pack for G-Cloud 15 confirms that it is now mandatory for suppliers wishing to participate in its Cloud Hosting Lots to possess a Cyber Essentials Plus accreditation, as well as the ISO 9001, ISO 20000-1, ISO 27001 and ISO 27018 certifications.

CCS initially stated in its tender documents that suppliers would need to be in possession of these mandatory accreditations by the time the application deadline for G-Cloud 15 closes in January 2026.

“G-Cloud 15 requires a supplier to state that they have ISO 27017 certification,” said another supplier, in the clarification questions document. “This wasn’t a requirement under G Cloud 14, but has become a mandatory requirement for Lot 1a [now].”

They continued: “Three months is insufficient time to get accredited to ISO 27017.”

However, it appears, in response to supplier pushback, that CCS’s stance on this matter has now softened.

“Following a review of requirements and the current capability and capacity issues that exist within the market, CCS has decided to amend its position concerning ISO accreditation,” CCS confirmed in its response.

“The ISO standards listed are still mandatory … to operate in Lots 1a and 1b. However, the requirements on bidders will now be that if they do not currently hold the required ISO certification, they must evidence to CCS, before the application deadline of 30 January 2026, that they have begun the process of certification …. This should take the form of an authorised third-party confirmation from an ISO accreditation body.”

Uptick in insurance requirements

Details of G-Cloud 15’s reworked insurance requirements are laid out in a “Joint Schedule 3” document, shared with Computer Weekly by another prospective framework supplier.

It stipulates that suppliers wanting to secure contracts under framework Lot 1a, Lot 2a, Lot 2b and Lot 3 “shall hold” separate private indemnity, public liability insurance and employers’ liability insurance with cover that totals at least £7m.

As such, suppliers must have separate professional indemnity insurance and public liability insurance of at least £1m each, as well as at least £5m in employers’ liability insurance. Incidentally, these levels of insurance are the same as those required of suppliers on G-Cloud 14.

However, suppliers vying for contracts awarded under Lot 1b, which covers IaaS and PaaS services used to host data that is above the “official” security grading, must have in place separate private indemnity, public liability and employers’ liability insurance that totals at least £75m, the document states.

“It is good in principle to see CCS recognising that there is a market above “official” that cannot be readily serviced by hyperscale public cloud, [but] it is concerning that they have associated that with an automatically higher insurance requirement,” Owen Sayers, an independent security architect and data protection specialist with a long history of working in the public sector, told Computer Weekly.

Services above ‘official’ are one of the last existing preserves of UK SMEs … Cutting them out of that market through restrictive barriers to entry is the last thing the government should be doing

“After all, the Ministry of Defence breach of Afghan data may have had a serious, life-threatening impact, but attracted no real financial penalties.”

“Cutting them out of that market through restrictive barriers to entry is the last thing the government should be doing. If anything, they should underwrite and support UK SMEs here. After all, they have little left in the remainder of government they can realistically hope to compete for.”

Computer Weekly contacted CCS to notify it of the suppliers’ comments and to get a response to their concerns about the heightened insurance, financial and accreditation requirements for G-Cloud 15.

In response, Computer Weekly received the following from a CCS spokesperson: “G-Cloud 15 is a live procurement. Suppliers should submit questions about the procurement directly through the official clarification process, where they will be reviewed and addressed appropriately.”