UK government’s G-Cloud 15 framework: Everything you need to know

How different is G-Cloud 15 to what’s gone before?

Compared with the first-ever iteration of G-Cloud, which made its debut in spring 2012, G-Cloud 15 is a world apart.

When it made its debut, the framework was pitched as a means of opening up government IT deals to SMEs and supporting the growth of the UK’s own homegrown market of cloud providers.

This was at a time when the awarding of lengthy and expensive contracts to big tech firms and systems integrators (SIs) was the norm, and G-Cloud was intended to help break the hold these firms had on public sector IT procurement.

To this end, G-Cloud contracts were initially capped at 12 months in length, to give buyers the freedom to switch out their cloud providers regularly for cost or performance reasons.

The framework was also regularly updated (with new iterations launching every six months) to ensure the public sector was getting access to the latest and greatest tools and technologies the burgeoning cloud market had to offer.

“The G-Cloud tenets were around innovation and getting SMEs into public sector IT, and introducing a fresh approach, niche tools and cost-effective solutions, and actually freeing up departmental procurement professionals [because it was easier to use],” Bill McCluggage, a former director of IT strategy and policy in the Cabinet Office and deputy government CIO from 2009 to 2012, told Computer Weekly.

“And the customers loved it because it meant they didn’t have to go through a big, costly, long-winded, complex procurement process that – by the time you got through the other end of it – your requirements have literally changed.”

And while the framework initially helped to give homegrown cloud firms and SME tech providers a leg-up into government IT deals, the picture has steadily changed over the past decade or so. Specifically, since the hyperscalers began opening UK datacentres in late 2016.

Evidence of this can be seen from glancing at the government’s Digital Marketplace sales figures. These confirm the tech suppliers making the most amount of sales from the framework these days are big tech firms such as Amazon Web Services (AWS), IBM, Microsoft, and consultancies and SIs such as Deloitte, Capgemini and Accenture.

“[The framework has] slowly but surely been grasped by the procurement professionals in CCS and tailored into a traditional, risk-averse framework that now starts to look as if it’s favouring the big hyperscalers and the SIs again,” said McCluggage.

What’s the timeline for G-Cloud 15 to start?

The invitation to tender (ITT) part of the procurement process for G-Cloud 15 began on 23 October 2025, and would-be suppliers have until Friday 30 January 2026 to apply for a place on the framework, which is expected to go-live in September 2026.

How does G-Cloud 15 differ to G-Cloud 14?

There are quite a few differences between the two purchasing agreements, with the number and structuring of the framework Lots for G-Cloud 15 looking significantly different for one thing.  This is mainly because G-Cloud 15 is covering the work of the Cloud Compute framework, as well.

For example, Cloud Hosting is now spread across two lots (dubbed Lot 1a and Lot 1b) rather than one.

Lot 1a is for suppliers specialising in the provision of “core” infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) subscription services, while Lot 1b covers the same types of services when used to host information that is classified as being above the “official” government data security classification level.

The framework’s Cloud Software Lot has also been similarly split into Lot 2a, covering the provision of infrastructure software-as-a service (ISaaS), and Lot 2b, which covers software-as-a-service (SaaS) offerings.

Lot 3, covering Cloud Support services, remains intact, but Lot 4, which was run as a standalone framework to G-Cloud 14 for public sector IT buyers that wanted to run their own competitive processes for more complex cloud support contracts, is being discontinued.  

As previously stated, G-Cloud 15 is set to run for four years while G-Cloud 14 was initially a two-year framework (that got extended by an additional six months).

Meanwhile, the maximum amount of time that contracts can run for has doubled (in the case of the cloud hosting lots) to eight years in G-Cloud 15. This works out at five years for the initial term of the contract, with buyers offered up to three optional extensions of 12 months.

For the other G-Cloud 15 lots, the maximum amount of time that contracts can run for is six years, consisting of an initial period of four years, with buyers offered up to two optional extensions of 12 months.

For context, all G-Cloud 14 contracts, regardless of the Lot they were called off from, could run for an initial 36-month period, with the option given to extend them by a further 12 months if needed.

What other changes has CCS introduced?

As well as a rework of the G-Cloud 15 Lot structures, CCS is considering introducing enhanced applicant vetting procedures for Lot 1a and Lot 1b participants, specifically.

As previously detailed by Computer Weekly, CCS is reportedly considering making potential suppliers:

• Undergo more rigorous financial vetting than required under the previous iteration of the framework.
• Possess an expanded number of mandatory ISO accreditations than before, or provide proof that work to acquire them is underway by the time the application deadline for G-Cloud 15 closes in January 2026.
• Where Lot 1b applicants are concerned, they must possess insurance cover in excess of £75m to secure deals through G-Cloud 15.

How will the financial vetting procedures for G-Cloud 15 differ to what’s gone before?

Participants in G-Cloud 15’s cloud hosting lots will need to participate in a more in-depth Gold Standard Financial Viability Readiness Assessment (FVRA).

This process typically involves suppliers having to participate in a detailed assessment of their financial affairs, involving the supply of extensive information about their businesses, which will be subject to tight scrutiny by CCS.

Under the previous iteration of the framework, all suppliers – regardless of lot – were subject to less onerous checks that would only involve them having to participate in a full FVRA if they did not meet an initial credit score screening test. This system remains in place for Lot 2a, Lot 2b and Lot 3 providers under G-Cloud 15.

What kind of accreditations are participating suppliers expected to have?

The CCS has confirmed it is now mandatory for suppliers wishing to participate in its Cloud Hosting Lots to possess the ISO 9001, ISO 20000-1, ISO 27001 and ISO 27018 certifications.

CCS initially stated in its tender documents that suppliers would need to be in possession of these mandatory accreditations by the time the application deadline for G-Cloud 15 closes in January 2026.

However, it appears, in response to supplier pushback, CCS’s stance on this matter has now softened.

“Following a review of requirements and the current capability and capacity issues that exist within the market, CCS has decided to amend its position concerning ISO accreditation,” CCS has confirmed.

“The ISO standards listed are still mandatory … to operate in Lots 1a and 1b. However, the requirements on bidders will now be that if they do not currently hold the required ISO certification, they must evidence to CCS, before the application deadline of 30 January 2026, that they have begun the process of certification … This should take the form of an authorised third-party confirmation from an ISO accreditation body.”

G-Cloud suppliers have previously been exempt from needing the Cyber Essentials accreditation. Is that the case this time around?

No – under the terms of G-Cloud 15, all participating suppliers will now need to hold a Cyber Essentials accreditation.

CCS previously stated this would just be mandatory for G-Cloud 15’s Cloud Hosting participants but – in an email to suppliers dated 5 December 2025 – it confirmed this condition now applies to all suppliers.

“Suppliers awarded a place on the framework on either Lots 2a, 2b or 3 will be required to obtain a valid Cyber Essentials certificate for themselves and ensure any of their subcontractors who process personal or OFFICIAL data have a Cyber Essentials certificate,” the email, seen by Computer Weekly stated.

“Evidence of your certification is required within 12 months of the award date of the G-Cloud 15 framework. Certificates will be monitored by CCS, and any suppliers who fail to provide a valid certificate within 12 months of the award date will be suspended from the framework. Suspended suppliers can be reinstated as soon as they provide a valid Cyber Essentials certificate to CCS.” It added: “Bidders who already have a Cyber Essentials certificate should provide it with their tender.”

And what’s with the changes to the insurance requirements?

Details of G-Cloud 15’s reworked insurance requirements are laid out in a “Joint Schedule 3” document CCS has previously shared with potential suppliers.

It stipulates that suppliers wanting to secure contracts under framework Lot 1a, Lot 2a, Lot 2b and Lot 3 “shall hold” separate private indemnity, public liability insurance and employers’ liability insurance with cover that totals at least £7m.

As such, suppliers must have separate professional indemnity insurance and public liability insurance of at least £1m each, as well as at least £5m in employers’ liability insurance. Incidentally, these levels of insurance are the same as those required of suppliers on G-Cloud 14.

However, suppliers vying for contracts awarded under Lot 1b, which covers IaaS and PaaS services used to host data that is above the “official” security grading, must have in place separate private indemnity, public liability and employers’ liability insurance that totals at least £75m, the document states.

These changes appear to raise the barriers to entry to G-Cloud quiet significantly. What has been the response to them?

As previously reported by Computer Weekly, concerns have been raised by various sources within the G-Cloud supplier community that G-Cloud 15 looks set to finally put paid to the notion that the framework is SME friendly, based on the changes CCS is planning to introduce.

Speaking to Computer Weekly, Nicky Stewart, a senior advisor to the pro-cloud market competition advocacy group, The Open Cloud Coalition, echoed these concerns.

“G-Cloud began as a revolutionary initiative designed to shatter the IT ‘oligopoly’ [of big tech firms and SIs], enabling the government to ‘pay less, get more, and get it sooner’ by allowing SMEs and new market entrants access to the market to compete with the oligopoly,” she said.

“G-Cloud, in its initial iterations, genuinely enabled this aspiration. SMEs and new market entrants grew, hired, created wealth and helped to underpin the government's digital transformation. But along the way, G-Cloud lost its way.”

An “absence of competition” within G-Cloud paved with way for a new “duopoly” of suppliers emerging – namely AWS and Microsoft – that, in time, SMEs would find difficult to beat on price and – ultimately – would lose out on business to.

And, G-Cloud 15 seems to be continuing a marked shift that started with G-Cloud 14, in terms of the framework becoming harder for SMEs to get a foothold in.

“G-Cloud 14 saw a shift, not towards competition and diversity, but towards alignment with the CCS Public Sector Contract,” she said. “This meant financial tests from the outset and, initially at least, much tougher insurance requirements. Previously, buyers would perform their own due diligence and determine their insurance requirements.

“G-Cloud 15 takes this shift to a new level … the insurance, financial and accreditation requirements are all significant barriers to entry. These, coupled with a potential eight-year term for cloud hosting call-off contracts, risk undermining G-Cloud's initial principles of diversity and competition, and could nullify any meaningful impact that G15 could have had in terms of diversifying and strengthening the government's unhealthily concentrated cloud market.”   

Why has CCS decided to make such big changes to how G-Cloud this time around?

The reasoning for pushing through many of the proposed changes to the framework can be traced back in part to the fact when G-Cloud 15 launches it will not only be replacing G-Cloud 14, but also the need for CCS to roll out a third iteration of its hyperscale-focused Cloud Compute framework.

The latter was created as a purchasing agreement for large-scale, high-value public sector cloud contracts, and so it is thought that CCS is putting suppliers through heightened financial vetting and requiring more accreditations to make sure they have what it takes to deliver on these types of deals.  

What difference will adding the Cloud Compute framework to the G-Cloud purchasing agreement make?

The government’s Cloud Compute framework was originally created and introduced so that large, hyperscale deals of that ilk would no longer be funneled through the more SME-friendly G-Cloud setup. However, that purchasing agreement – over two iterations - has struggled to find its footing with public sector IT buyers.

CCS has confirmed that there will be no third iteration of the Cloud Compute, as the principles of that framework are set to be incorporated into G-Cloud 15.

This is thought to be why G-Cloud 15’s value has ballooned between iterations, and why G-Cloud 16 is not expected to make an appearance until 2030 at the earliest.

Why exactly is CCS merging the Cloud Compute framework with G-Cloud?

The official line on this is that merging the two frameworks will allow Cloud Compute to “leverage” G-Cloud’s popularity, with the latter purchasing agreement described by CCS in the G-Cloud 15 tender document as the “largest framework of its kind in the public sector”.

Reading between the lines, this could be interpreted as an admission from CCS that the Cloud Compute framework never quite delivered on what it was intended to, and under-performed.

The first iteration, which went live in 2021, reportedly generated very few sales, with a 2023 investigation by Computer Weekly uncovering just one contract – totaling £750,000 - called off under the £750m Cloud Compute 1 framework.

The framework’s second iteration, Cloud Compute 2, has fared a little better since it went live in November 2023, having undergone a revamp by CCS to make it more accessible to SME suppliers.  

According to contract data supplied to Computer Weekly by public sector-focused analyst house Tussell, there have been at least five deals totaling £10.8m called off under Cloud Compute 2 since it went live. The largest of these being a £5m contract awarded by the Department for Work and Pensions to Oracle in May 2024.

For a framework valued at £1.35bn, though, it’s not a great sales track record, particularly as it’s a purchasing agreement intended for large-value cloud deals to be pushed through it.

To put that figure into context, during the 2023-2024 financial year, the amount of cloud spend – as confirmed by CCS – transacted through the G-Cloud framework totaled £3.1bn.