UK public sector organisations can buy compliant cloud hosting through the G-Cloud framework on the Crown Commercial Service (CCS) Digital Marketplace — without running a full tender. The decisive questions are whether a provider holds the right certifications, maps to the NCSC Cloud Security Principles, and keeps citizen data within UK legal jurisdiction.
BlackBox Hosting is G-Cloud listed, UK-incorporated, and UK-only — built specifically around UK jurisdiction and public sector compliance.
Quick Reference: Public Sector Cloud Hosting & G-Cloud
- G-Cloud is the UK government framework for buying cloud services without a separate procurement exercise.
- It runs on the Crown Commercial Service (CCS) Digital Marketplace; the current iteration is G-Cloud 14 (extended to October 2026), with G-Cloud 15 due to go live in autumn 2026.
- Most public sector cloud handles data at the OFFICIAL classification, including OFFICIAL-SENSITIVE.
- Providers should map to the NCSC 14 Cloud Security Principles and hold Cyber Essentials Plus as a minimum.
- Data residency and legal jurisdiction — not just data-centre location — are what make a service genuinely sovereign.
What is G-Cloud and the Digital Marketplace?
G-Cloud is a procurement framework run by the Crown Commercial Service (CCS) that lets UK public sector bodies buy off-the-shelf cloud services through an online catalogue called the Digital Marketplace. Instead of running a full, lengthy tender for every requirement, buyers search approved suppliers, compare services, and award a short call-off contract directly.
CCS refreshes the framework periodically and numbers each refresh (G-Cloud 13, G-Cloud 14, and so on). In practice, a listing means CCS has assessed and accepted the supplier onto the current framework, and publishes its services, pricing, and terms openly for buyers to evaluate.
Services on G-Cloud fall into lots covering cloud hosting (infrastructure and platform), cloud software (applications), and cloud support (services such as migration and consultancy).
How does public sector cloud procurement work?
The UK government’s Cloud First policy requires public sector organisations to consider cloud solutions before alternatives when buying new IT. G-Cloud is the mechanism that makes this practical. As a result, the process is deliberately lighter than traditional public procurement:
- Search the Digital Marketplace for services that meet the requirement.
- Shortlist suppliers against clear, documented criteria (such as security, support, certifications, and data location).
- Evaluate the shortlisted services on quality, value, and fit against your published criteria.
- Award a call-off contract to the supplier whose service best meets the need and offers best value.
Because CCS pre-assesses suppliers onto the framework, buyers avoid a separate tender — which shortens procurement from months to weeks while keeping the process compliant and auditable.
What security and compliance standards must public sector cloud meet?
Public sector buyers are accountable for protecting citizen data and public records, so security and compliance are assessed before anything else. The main reference points are:
- NCSC Cloud Security Principles — 14 principles published by the National Cyber Security Centre covering data in transit, asset protection, separation between customers, governance, and more. Providers should show how they meet each one.
- Government Security Classifications — most public sector workloads sit at OFFICIAL (including OFFICIAL-SENSITIVE). Providers should be able to support handling at this level.
- Cyber Essentials Plus — the UK government-backed certification, often a baseline expectation for suppliers handling public sector data.
- ISO 27001 and CSA STAR — recognised information-security and cloud-assurance standards that demonstrate independently audited controls.
- NHS Data Security and Protection Toolkit (DSPT) — relevant wherever health and social care data is involved.
Compliance is also defined by the law that governs the data. Public sector bodies operate under UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025), which amends how the UK GDPR and DPA 2018 are applied. A provider’s certifications matter, but so does whose law can compel access to the data — the subject of the next section.
Why does data sovereignty matter for the public sector?
For public sector bodies, where data physically sits is only half the question. The other half is which country’s law governs it and who can compel access. A hyperscaler may operate UK data centres while remaining a US-headquartered company, which can expose data to foreign legislation such as the US CLOUD Act and FISA Section 702 regardless of where the servers are located.
By contrast, a genuinely sovereign provider incorporates and operates entirely in the UK, keeps primary, backup, and disaster-recovery data within UK borders, and answers exclusively to UK law. The same principle applies to recovery infrastructure: disaster-recovery data carries the same obligations as live data, so DR hosted with a US provider reintroduces the exact exposure that sovereign cloud removes.
Hyperscaler vs UK sovereign provider: public sector comparison
| Consideration | Global hyperscaler | UK sovereign provider |
|---|---|---|
| Legal jurisdiction | May be subject to US CLOUD Act / FISA Section 702 via parent company | UK law only; no foreign access legislation |
| Data residency | UK region available; provider globally operated | Primary, backup and DR all within UK borders |
| G-Cloud presence | Listed; very large catalogue | Listed; specialist, UK-focused services |
| Pricing model | Usage-based; egress fees common | Fixed, transparent pricing; no egress fees |
| Support | Tiered; often offshore | UK-based team, 24/7/365 |
For a worked, like-for-like example, see our BlackBox vs AWS sovereign cloud comparison, which covers jurisdiction, performance, and cost in detail.
Which G-Cloud framework is current?
As of 2026, the live framework is G-Cloud 14, which came into effect in October 2024 and has been extended to October 2026. Its successor, G-Cloud 15, is the first iteration launched under the Procurement Act 2023; awards are expected by 17 September 2026, with go-live in autumn 2026.
For buyers, the practical point is simple: procure from the framework that is live at the time of award. A supplier listed on the current framework can be engaged directly, without a separate tender, whichever iteration is in force.
Which public sector organisations use sovereign cloud?
Sovereign and private cloud suits any public body handling sensitive or regulated data, including:
- Local government — citizen records, revenues and benefits, and case management systems.
- Health and social care — patient data subject to UK GDPR and DSPT requirements.
- Education and research — keeping research data and student records within UK borders.
- Central government and agencies — operational systems handling data at OFFICIAL.
What to look for in a public sector cloud provider
Use this checklist when evaluating a provider on the Digital Marketplace.
| What to check | Why it matters |
|---|---|
| G-Cloud listing on the current framework | Confirms the supplier can be procured without a separate tender |
| UK incorporation and UK-only data residency | Removes exposure to foreign access legislation |
| NCSC Cloud Security Principles mapping | Shows the service meets recognised government security expectations |
| Cyber Essentials Plus + ISO 27001 + CSA STAR | Independently audited security and cloud-assurance controls |
| Tier 3+ UK data centres | Resilient, accredited physical infrastructure |
| Carbon-neutral / social-value credentials | G-Cloud evaluation increasingly weights social value alongside price |
| UK-based 24/7 support and clear SLAs | Accountability and response when it matters |
Is BlackBox G-Cloud registered?
Yes. BlackBox Hosting is listed on the Crown Commercial Service G-Cloud Digital Marketplace, so public sector organisations can procure its managed cloud services directly through the framework. BlackBox is a UK-incorporated, UK-operated managed private and sovereign cloud provider built specifically around UK jurisdiction and compliance.
For public sector buyers, the relevant credentials are:
- G-Cloud listed on the Crown Commercial Service Digital Marketplace.
- UK-only data residency — primary, backup and disaster-recovery data all held within UK borders and governed by UK law.
- Two Tier 3+ UK data centres in London with N+3 power redundancy, a 99.999% network uptime guarantee, 24/7/365 UK-based support, and a 4-hour hardware replacement SLA.
- Certifications including ISO 27001, ISO 22301, ISO 20000-1, ISO 9001, ISO 14001, CSA STAR Level 2, and Cyber Essentials Plus.
- Carbon neutral certified under ISO 14068-1:2023 (BSI-verified), powered by 100% carbon neutral energy.
- Fixed, transparent pricing with no egress fees — independent benchmarking shows costs up to 50% lower than AWS and Azure.
— Matt Burden, Founder & Managing Director, BlackBox Hosting
Frequently asked questions
What is G-Cloud hosting?
G-Cloud hosting is cloud infrastructure procured through the UK government’s G-Cloud framework on the Crown Commercial Service Digital Marketplace. It lets public sector bodies buy approved cloud services without running a full tender.
Do public sector bodies have to run a tender to buy cloud?
No. Because G-Cloud suppliers are pre-assessed onto the framework, public sector buyers can award a call-off contract directly after comparing services, which avoids a separate full tender.
What is the Cloud First policy?
Cloud First is UK government policy requiring public sector organisations to consider cloud solutions before alternatives when procuring new IT. G-Cloud is the framework that makes this practical.
What security standards apply to public sector cloud?
Providers are typically expected to map to the NCSC Cloud Security Principles, support data at the OFFICIAL classification, and hold certifications such as Cyber Essentials Plus, ISO 27001, and CSA STAR.
Is sovereign cloud the same as a UK data centre?
No. A UK data centre describes where data sits. Sovereign cloud also means the provider and the data are governed exclusively by UK law, with no exposure to foreign access legislation such as the US CLOUD Act or FISA Section 702.
Which G-Cloud framework is current?
The live framework is G-Cloud 14, which has been extended to October 2026. G-Cloud 15 is expected to be awarded by 17 September 2026 and go live in autumn 2026. Buyers procure from whichever framework is in force at the time of award.
Is BlackBox Hosting on G-Cloud?
Yes. BlackBox Hosting is listed on the Crown Commercial Service G-Cloud Digital Marketplace, so public sector organisations can procure its services directly.
Does BlackBox keep data in the UK?
Yes. BlackBox is UK-incorporated and operated, with primary, backup, and disaster-recovery data all held within UK borders and governed by UK law.
Procuring public sector cloud with confidence
For public sector buyers, compliant cloud comes down to three things: a provider listed on the current G-Cloud framework, certifications that map to recognised government security standards, and data held exclusively under UK jurisdiction. Get those right and procurement is fast, auditable, and defensible.
BlackBox Hosting meets all three — G-Cloud listed, fully certified, and UK-only by design. Speak to the team to discuss your compliance obligations, infrastructure requirements, and migration path.
