G-Cloud 14 and Successor: Bid Strategy for Hyperscalers and Tier 1 Cloud Providers
G-Cloud 14 and Successor: Bid Strategy for Hyperscalers and Tier 1 Cloud Providers
G-Cloud 14 has generated over £11 billion in call-off contract value since its launch, with the Cloud Hosting lot alone accounting for approximately 40% of that figure. The framework is scheduled to remain live until June 2026, at which point CCS will launch a successor framework with updated lot structures and enhanced sovereignty requirements. For hyperscalers and Tier 1 cloud providers, this transition period represents both a continuation of established high-value opportunities and a material shift in how UK public sector buyers evaluate residency, assurance, and commercial risk at the £10 million-plus workload level.
The current G-Cloud 14 framework accommodates suppliers across three primary lots relevant to hyperscale providers. Cloud Hosting (Lot 1) covers infrastructure services, including compute, storage, and network resources delivered via public, private, or hybrid models. Cloud Software (Lot 2) encompasses SaaS and platform offerings that run on underlying infrastructure. Cloud Support (Lot 3) includes professional services wrapped around cloud deployments: migration, integration, managed services, and ongoing optimisation. Most hyperscalers hold positions across all three lots, though the bulk of contract value flows through Lot 1.
The successor framework, expected to open for applications in early 2026, will refine these lot definitions and introduce stricter baseline requirements around data sovereignty and supply chain transparency. CCS has signalled that buyers will gain improved filtering mechanisms to identify suppliers meeting UK-specific residency criteria, a direct response to increasing scrutiny of where data physically resides and who holds the cryptographic keys. This matters less for generic workloads but becomes commercially decisive when central government departments and defence-adjacent bodies run competitive call-offs for sensitive or classified-adjacent systems.
Assurance Stack and Certification Requirements
Hyperscalers entering or maintaining a position on G-Cloud must navigate a layered assurance regime that has converged with international standards while retaining UK-specific nuances. The baseline remains ISO 27001, which we have covered in detail elsewhere in relation to ISO 27001 for CCS bidders. Beyond this, cloud-specific certifications carry significant weight in buyer evaluation.
ISO 27017 extends ISO 27001 controls to cloud service providers, covering areas such as shared responsibility models, virtual machine hardening, and cloud service customer data separation. ISO 27018 addresses privacy controls for personally identifiable information processed in public cloud environments, particularly relevant under UK GDPR obligations. Both certifications are now common table stakes for hyperscalers bidding into central government and NHS trusts, where data protection impact assessments explicitly reference these standards.
CSA STAR (Security, Trust, Assurance, and Risk) occupies a parallel track. The STAR registry provides a transparency mechanism through self-assessment, third-party attestation, or continuous monitoring. For hyperscalers, STAR Certification (Level 2) offers a credible signal to UK buyers familiar with the Cloud Security Alliance framework, though it does not replace ISO certifications. Instead, it complements them by demonstrating alignment with the CSA Cloud Controls Matrix, a structure that maps reasonably well to NCSC Cloud Security Principles.
The NCSC Cloud Security Principles form the UK-specific assessment lens. These 14 principles cover asset protection, data in transit, data at rest, governance, operational security, and personnel security. Buyers working on sensitive or national security workloads will often require explicit self-attestation or third-party validation against these principles. Hyperscalers typically publish implementation guidance documents showing how their platform controls satisfy each principle, but call-off competitions increasingly ask for workload-specific assurance statements rather than generic platform-level documentation.
The interplay between these regimes creates a practical challenge. A hyperscaler may hold all relevant certifications globally but face questions during call-off competitions about which specific UK regions or availability zones meet enhanced residency requirements. Buyers in defence, policing, or sensitive health contexts will ask whether data and metadata remain within UK sovereign territory, whether support staff with access to decryption keys are UK nationals subject to UK vetting, and whether subprocessors in the supply chain introduce third-country risk. This scrutiny has intensified following high-profile supply chain compromises and increasing geopolitical concern about data access by foreign governments.
The successor framework is expected to formalise these requirements through enhanced service definitions and mandatory declaration fields. CCS is likely to introduce clear labelling for UK-sovereign services, requiring suppliers to specify not only where data resides but also where encryption keys are generated, stored, and managed, and where operational support functions are performed. Hyperscalers with genuine UK sovereign offerings will gain a commercial advantage, while those relying on general-purpose European regions may find themselves filtered out of certain high-value call-offs before technical evaluation begins.
Call-Off Competition Dynamics
The majority of G-Cloud contract value flows through direct award call-offs where buyers select a single supplier from the framework and negotiate terms. However, the largest and most strategically important workloads, typically above £10 million over the life of the contract, almost always trigger further competition. Buyers issue a detailed specification, invite shortlisted suppliers to respond, and evaluate submissions against weighted criteria that commonly include technical capability (35-40%), commercial model (25-30%), service management and support (15-20%), and social value or sustainability commitments (10-15%).
Hyperscalers compete in this environment against each other and, occasionally, against Tier 1 systems integrators offering resold or white-labelled cloud services. The competitive tension centres on four variables: cost predictability, migration risk, lock-in perception, and assurance credibility. Buyers understand that hyperscale platforms offer significant technical capability and global resilience, but they also recognise the commercial and operational risk of deep platform dependence. A well-constructed bid addresses these concerns explicitly rather than relying on brand recognition or market position.
Cost predictability demands transparent pricing models and realistic consumption forecasting. Hyperscalers often propose consumption-based pricing, which offers flexibility but introduces budget uncertainty for public sector finance teams working within fixed annual allocations. Successful bids include cost management tooling, committed use discounts, and clear governance mechanisms to prevent cost overruns. Some hyperscalers have begun offering fixed-price envelopes for defined workloads, effectively shifting consumption risk onto the supplier in exchange for a higher unit rate. This approach performs well in evaluation where buyers prioritise budget certainty over marginal cost efficiency.
Migration risk becomes acute when buyers are moving from on-premises infrastructure or competing hyperscale platforms. Bids that acknowledge complexity, provide detailed migration plans with named resources, and include contingency provisions score higher than those that underplay risk. Buyers want to see evidence of similar migrations within UK public sector contexts, including realistic timelines and post-migration support commitments. Hyperscalers that can demonstrate prior delivery with the specific buyer or within the same department gain a material advantage.
Lock-in perception requires careful handling. Buyers are aware that deep integration with proprietary platform services creates switching costs, but they also recognise that advanced capabilities often depend on platform-specific tooling. The effective response involves demonstrating portability where feasible, using open standards and containerisation where appropriate, and being transparent about which services introduce dependency. Some hyperscalers have started offering multi-cloud or hybrid architecture options within their bids, positioning themselves as pragmatic rather than dogmatic about platform exclusivity. This approach resonates particularly well with buyers who have been burned by vendor lock-in in previous technology generations.
Assurance credibility at call-off level goes beyond holding the right certifications. Buyers expect tailored assurance narratives that map platform controls to the specific risk profile of the workload. A bid for a citizen-facing digital service requires a different assurance approach than a bid for intelligence community infrastructure. Hyperscalers that invest in UK-specific assurance collateral, including NCSC-aligned documentation, residency statements, and personnel vetting commitments, differentiate themselves from competitors relying on global boilerplate.
Three Positioning Moves for High-Value Departmental Call-Offs
First, develop a UK sovereign service line with clear residency and key management boundaries. This does not mean abandoning global platform capabilities but rather creating a subset of services that meet enhanced sovereignty requirements and can be credibly marketed to defence, national security, and sensitive health buyers. Publish detailed technical documentation showing exactly where data, metadata, encryption keys, and support functions reside. Obtain third-party validation of these claims through NCSC engagement or independent audit. Position this offering at a premium to standard regional services, reflecting the cost of jurisdictional constraints, but make the value exchange explicit.
Second, invest in UK public sector delivery case studies that demonstrate successful migration, operation, and cost management of workloads comparable in scale and sensitivity to target call-offs. Generic customer lists carry little weight. Buyers want named references, quantified outcomes, and evidence of problem resolution during delivery. Hyperscalers that can point to a central government department or NHS trust where they delivered a complex migration on time, within budget, and with effective ongoing support will outperform competitors with larger but less relevant customer bases.
Third, build commercial flexibility into standard offerings. The traditional hyperscale consumption model works well for digitally mature organisations with sophisticated FinOps capability, but many UK public sector buyers lack this maturity. Offer alternative commercial structures: fixed-price packages for defined workloads, committed use discounts with realistic consumption forecasting, and cost management tooling with active monitoring and alerting. Where possible, accept some consumption risk in exchange for higher rates. This approach addresses the budget certainty concern while maintaining commercial viability for the supplier.
The G-Cloud framework remains the primary route to market for cloud services into UK public sector, and its successor will continue this role beyond 2026. Hyperscalers that treat framework presence as merely a licensing requirement will capture transactional workloads but miss the highest-value call-offs. Those that invest in UK-specific assurance, sovereignty-ready service lines, and public sector delivery evidence will find themselves shortlisted for the departmental competitions that generate eight-figure contract values.
Our revenue model ties directly to call-off contract wins, not framework awards. We succeed when you win competitive call-offs for high-value work.
Book a call at www.glaxtons.co.uk/contact
Glaxtons, 3 More London Place, London SE1 2RE