Quick answer
Cloud hosting procurement covers the purchase of infrastructure-as-a-service and platform-as-a-service resources from commercial cloud providers, requiring public sector buyers to assess data sovereignty, security accreditation, exit costs, and compliance with national and EU cloud policy before contracting.
Cloud hosting procurement refers to the purchase of compute, storage, networking, and platform services delivered by commercial cloud providers on a pay-per-use or reserved-capacity basis. For public sector organisations across Europe, cloud hosting has become central to digital transformation strategies, but it brings distinct procurement challenges around data sovereignty, security, exit flexibility, and compliance with national cloud policies and EU regulatory requirements.
What is cloud hosting procurement?
Cloud hosting procurement encompasses Infrastructure as a Service (IaaS), where buyers consume raw compute and storage, and Platform as a Service (PaaS), where buyers use managed runtime environments, databases, and middleware. The dominant global providers, alongside European alternatives with varying levels of market share, compete for public sector cloud contracts of significant scale and duration.
In the UK, cloud hosting is primarily procured through the G-Cloud framework, which lists IaaS and PaaS services in the Cloud Hosting lot. EU member states procure under Directive 2014/24/EU procedures, with some using national catalogues or central purchasing bodies to aggregate demand. The European Commission has actively promoted the GAIA-X initiative to develop a European federated cloud ecosystem, though commercial procurement continues to be dominated by established global hyperscalers.
Key considerations for compliant cloud hosting procurement include data residency (which EU or UK regions host the data), security accreditation (for UK public sector, the National Cyber Security Centre publishes cloud security principles; for EU member states, ENISA provides equivalent guidance), GDPR compliance in procurement (data processing agreements and sub-processor controls), and exit provisions (interoperability requirements and data portability to avoid lock-in). The technology code of practice requires UK public bodies to design systems to avoid supplier dependency and to ensure workloads can be migrated.
Why it matters for bidders
Cloud hosting suppliers seeking public sector contracts must demonstrate not only technical capability and competitive pricing but also compliance with an increasingly demanding regulatory and policy environment. For the UK public sector, Cyber Essentials (procurement requirement) is a baseline, with higher security tiers required for sensitive workloads. EU public sector buyers may require compliance with national cloud security frameworks (such as BSI C5 in Germany or SecNumCloud in France).
Suppliers should be prepared to provide clear documentation on data centre locations, third-party audit reports (SOC 2, ISO 27001), data processing agreements, and the costs and mechanisms for data extraction at contract end. Open standards in procurement compliance, including support for standard APIs and data export formats, is increasingly included in tender specifications.
Example
A Norwegian government ministry procures cloud infrastructure for a new public services platform. The specification requires data residency within the EEA, compliance with NSM (Norwegian National Security Authority) cloud security requirements, a documented exit plan with tooling to migrate workloads, and pricing transparency for data egress. Two hyperscaler providers and one European cloud provider submit compliant responses.
Frequently Asked Questions
Do EU public bodies have to use European cloud providers?
No, there is no legal requirement under Directive 2014/24/EU or its national implementations to prefer European providers. However, some member states have national policies that encourage or require use of providers with certified European data centres for sensitive workloads. The GAIA-X initiative aims to create interoperable European alternatives, but adoption is not mandatory.
What is the difference between cloud hosting procurement and SaaS procurement?
SaaS procurement involves purchasing access to ready-made applications where the supplier manages everything including the application layer. Cloud hosting (IaaS/PaaS) involves purchasing infrastructure resources that the buyer uses to run their own applications and workloads. The buyer retains more control but also more responsibility for application security and management.
How should buyers manage cloud cost unpredictability in procurement contracts?
Buyers should include in their call-off terms a requirement for cost reporting and alerting, budget caps or escalation triggers, and clear pricing schedules for standard resource types. Reserved or committed-use pricing arrangements, negotiated at framework or call-off level, provide cost certainty for predictable baseline workloads.
How Bidovate helps
Bidovate puts Cloud Hosting Procurement to work inside your capture and proposal workflow.
Tender discoverySee Bidovate in action
Book a demo and we will show you the platform using your actual contract data.
Related terms
G-Cloud Framework
G-Cloud is a UK Crown Commercial Service framework agreement that enables public sector buyers to purchase pre-approved cloud-based software, hosting, and support services from a catalogue of suppliers without running a full tender, reducing procurement lead times from months to days.
ViewSoftware as a Service (SaaS) Procurement
Software as a Service (SaaS) procurement covers the purchase of cloud-delivered software applications accessed over the internet on a subscription basis, where the supplier manages infrastructure, updates, and security, requiring public sector buyers to evaluate vendor lock-in, data residency, and GDPR compliance alongside functionality.
ViewICT Procurement
ICT procurement covers the purchase of information and communications technology goods and services by public sector organisations, encompassing hardware, software, cloud services, telecommunications, and associated support, governed by EU Directive 2014/24/EU and national implementing legislation across European member states.
ViewOpen Standards in Procurement
Open standards in procurement refers to the requirement for public sector buyers to specify and accept technology products and services that conform to non-proprietary, publicly available technical standards, ensuring interoperability, avoiding vendor lock-in, and enabling future competition across European digital infrastructure.
ViewInteroperability Requirements
Interoperability requirements in procurement specify that technology systems must be capable of exchanging data with, and working alongside, other systems using defined standards and protocols, preventing lock-in, enabling cross-agency data sharing, and supporting the European Interoperability Framework across EU member states.
View