HomeGlossarySoftware as a Service (SaaS) Procurement
IT & Digital ProcurementSaaS

Software as a Service (SaaS) Procurement

Software as a Service (SaaS) procurement covers the purchase of cloud-delivered software applications accessed over the internet on a subscription basis, where the supplier manages infrastructure, updates, and security, requiring public sector buyers to evaluate vendor lock-in, data residency, and GDPR compliance alongside functionality.

Quick answer

Software as a Service (SaaS) procurement covers the purchase of cloud-delivered software applications accessed over the internet on a subscription basis, where the supplier manages infrastructure, updates, and security, requiring public sector buyers to evaluate vendor lock-in, data residency, and GDPR compliance alongside functionality.


Software as a Service (SaaS) procurement has become one of the most common forms of ICT procurement across European public bodies. Rather than purchasing and installing software on-premise, contracting authorities pay a subscription fee to access functionality hosted and managed by the supplier. This model accelerates deployment and shifts infrastructure management responsibility to the vendor, but it also introduces procurement considerations that differ significantly from traditional software licensing.

What is SaaS procurement?

SaaS procurement involves contracting for access to software delivered over the internet, typically priced per user, per transaction, or as a platform fee. The buyer does not own the software or the underlying infrastructure. The supplier is responsible for availability, security patching, and upgrades. Common public sector SaaS categories include case management, finance, HR, document management, and communications tools.

In the UK, SaaS services are primarily procured through the G-Cloud framework, which provides a catalogue of pre-evaluated cloud software suppliers. EU member states increasingly use framework agreements, dynamic purchasing systems, or competitive procedures under Directive 2014/24/EU for SaaS contracts, with national central purchasing bodies operating equivalent catalogues in France, Germany, the Netherlands, and the Nordic countries.

Key procurement considerations for SaaS include data residency (where is the data stored and processed, and does this comply with GDPR compliance in procurement obligations), interoperability requirements (can data be exported in open formats if the contract ends), open standards in procurement compliance, and exit provisions (what happens to data at contract termination). A data protection impact assessment (DPIA) in procurement is typically required before procuring any SaaS that processes personal data.

Why it matters for bidders

For SaaS suppliers pursuing public sector contracts, demonstrating compliance with data protection, security, and interoperability requirements is as important as the functionality of the product itself. Public sector buyers are risk-averse: a SaaS product that cannot demonstrate data residency within the European Economic Area or UK, or that lacks Cyber Essentials (procurement requirement) certification, will be disqualified regardless of its capabilities.

Suppliers should prepare clear documentation on data handling, sub-processor lists, data export formats, and contractual exit provisions. The technology code of practice sets out UK government expectations for SaaS procurement, including requirements to avoid proprietary lock-in and to support open standards.

Example

A regional health authority in Sweden needs a patient communications SaaS platform. The procurement specifies data residency within the EU, GDPR-compliant data processing agreements, export of all patient data in interoperable formats on contract termination, and ISO 27001 certification for the supplier. The winning SaaS vendor provides a dedicated EU data region, a pre-signed data processing agreement, and documented export APIs.

Frequently Asked Questions

Does a DPIA always need to be completed before procuring SaaS?

Under GDPR (applicable across EU member states and the UK), a DPIA is required when processing is "likely to result in a high risk" to individuals. For most SaaS procurements handling personal data at scale, health data, or data relating to vulnerable people, a DPIA will be required. Even where not strictly mandatory, completing one is best practice and increasingly required by contracting authority data protection policies.

How do buyers handle vendor lock-in in SaaS contracts?

Buyers mitigate lock-in through contractual data portability clauses (requiring data export in standard formats), exit plans (requiring the supplier to support migration for a defined period after termination), and by favouring suppliers who comply with open standards in procurement. The technology code of practice explicitly requires public bodies to avoid creating dependencies on proprietary technologies.

What security certifications should a SaaS supplier hold?

For UK public sector SaaS, Cyber Essentials Plus is commonly required as a minimum. ISO 27001, SOC 2 Type II, and NHS Data Security and Protection Toolkit compliance are expected for health-sector contracts. EU member states have equivalent national frameworks, and many reference the ENISA cloud security guidelines or national cybersecurity agency standards.

How Bidovate helps

Bidovate puts Software as a Service (SaaS) Procurement to work inside your capture and proposal workflow.

Tender discovery

See Bidovate in action

Book a demo and we will show you the platform using your actual contract data.

Related terms

G-Cloud Framework

G-Cloud is a UK Crown Commercial Service framework agreement that enables public sector buyers to purchase pre-approved cloud-based software, hosting, and support services from a catalogue of suppliers without running a full tender, reducing procurement lead times from months to days.

View

Cloud Hosting Procurement

Cloud hosting procurement covers the purchase of infrastructure-as-a-service and platform-as-a-service resources from commercial cloud providers, requiring public sector buyers to assess data sovereignty, security accreditation, exit costs, and compliance with national and EU cloud policy before contracting.

View

GDPR Compliance in Procurement

GDPR compliance in procurement requires contracting authorities across EU member states and the UK to embed data protection obligations into technology contracts, including data processing agreements, controller/processor role definitions, sub-processor controls, and breach notification requirements, before any personal data is processed.

View

Data Protection Impact Assessment (DPIA) in Procurement

A Data Protection Impact Assessment (DPIA) in procurement is a structured process required under GDPR before deploying any technology that processes personal data at significant scale or risk, identifying privacy risks and mitigation measures before a contract is signed and a system goes live.

View

Open Standards in Procurement

Open standards in procurement refers to the requirement for public sector buyers to specify and accept technology products and services that conform to non-proprietary, publicly available technical standards, ensuring interoperability, avoiding vendor lock-in, and enabling future competition across European digital infrastructure.

View