Our View: New UK Government Guidance on Multi-Region Cloud & SaaS

Tom Burton
Subscribe Contact us
Tom Burton

Well Intended Guidance Leaves more Questions than Answers


The UK Government Digital Services – part of the Department for Science, Innovation and Technology – has recently published guidance for how the public sector should adopt a multi-region approach to cloud technology. At first sight this appears encouraging. Any unnecessary constraints on hosting arrangements (or any other non-functional requirements) reduce the available market of providers, constrain competition, and therefore inevitably reduce value for money. If parts of Government, whether central, regional or local, have felt that everything must be hosted in the UK then it makes sense to produce guidance that clarifies this perception and helps to open their options up.


But for guidance to be useful it should guide. It should make it easier for people to take actions that they previously would have discounted. The guidance in this case, which at 1420 words is almost as short as this article, probably leaves the reader with more questions than answers. It may reveal some unknowns, but without increasing certainty.


The Guidance in a Nutshell


A summary of the guidance is as follows:


  • Look wider than UK: Many cloud solutions may not offer UK hosting, particularly new innovative solutions that haven’t scaled up yet. Irrespective, their staff are likely to be distributed around the world if the service is supported 24/7. There may also be other benefits in looking wider than UK hosting, such as enabling better business continuity and disaster recovery options if the vendor only has one UK site.


  • Get legal advice: Before you even consider a non-UK option you need to seek advice from your own legal advisors and your Data Protection Officer (DPO).


  • Ensure compliance with ICO guidance: Before you even consider a non-UK option you need to check and make sure that any international transfer of personal data will be compliant with the Information Commissioner’s Office (ICO) guidance, and you should get further guidance from your own legal advice and DPO.


  • Do a full review of vendor security: Before you even consider a non-UK option you need to make sure the vendor and solution are compliant with your own security policies.


In a nutshell, it says: 'you should consider options outside of the UK but only if you have checked everything is legal and secure'. This seems to be verging on a statement of the obvious; the real difficulty in going offshore is covering all of the legal, regulatory and security compliance aspects.


Adequacy is a Moment in Time


On point 3, the guidance points out data protection compliance is easier if the country in question is considered by the ICO to be adequate – having equivalent regulations for data protection to the UK. Sound advice. But even this is not that simple. For instance, the USA is not considered adequate unless it is under an extension of the EU-US Data Privacy Framework. This framework is dependent on an Executive Order that the Biden administration put in place, and it is entirely possible that it will be revoked by the current administration. If such an action was taken, or if for any other reason the EU decides that adequacy is no longer met (also not unlikely given Herr Schrems has achieved this twice already and has stated he plans to challenge the DPF), then the vendor will no longer be considered compliant.


Consideration is Far Wider than Residency


Security is far wider than data residency though. This is where point 4 both states the obvious and understates the complexity. Managing risk in the supply chain is inherently difficult. Cloud providers, and particularly SaaS solutions, aggravate this challenge by an order of magnitude. By their nature they are solutions designed for a broad and varied range of customers. This means they will always involve compromise. If they tried to meet the most demanding requirements, they would price themselves out of the scale marketplace. If they went for the lowest common denominator, they would be unable to meet the requirements of the majority. An individual customer can rarely dictate a specific security requirement for themselves.


They are also highly opaque. The vendor presents their service as a black box. The features delivered to the customer are defined, but much of the underlying design and the means the vendor uses to manage it in operation are hidden. This makes assessing the risk far more of a judgement call than when the design and delivery is conducted under your control. Depending on the supplier, and the leverage that the customer has over them, it may be possible to get some information and assurances; but the right questions need to be asked, and the answers need to be interpreted correctly. Third party certifications and audits, such as the ISO27000 series of standards or the SOC1, SOC2 and SOC3 reports, can also provide some additional assurances. But only the customer will be able to decide the extent to which they can mitigate the risk, and the confidence they have in the supplier to manage their own. This is a business decision informed by the specifics and nuances of the risks being considered.


Summary


It is important to minimise the non-functional requirements and keep an open mind about potential solutions and vendors. This includes looking wider than just the UK when national security requirements are not paramount. But this is not something that can be distilled onto a single sheet of A4 in any meaningful way. Yes, there are legal and regulatory issues that need to be reviewed. And geopolitical risk needs to be factored in, considering how you would respond to future external changes that are outside of the UK’s control. 


But from experience, the greatest challenge is getting comfortable that the vendor’s organisation and their solution have adequate security – this applies equally whether the solution is hosted in the UK or overseas. The SaaS world is opaque, and balances priorities across a broad and varied customer base. The public sector needs to increase its adoption of cloud and SaaS solutions to remain efficient and relevant, in the same way that the private sector has had to. But the route to responsible adoption is more nuanced, requiring candid conversations with suppliers, and ultimately an informed but subjective judgement by the customer’s leadership.


Sources/Links:


DSIT Guidance for Multi-region cloud and software-as-a-service ↩︎


ICO Guide to International Transfers ↩︎


Executive Order (E.O.)14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence Activities ↩︎



Note: This article originally appeared on Tom Burton's personal blog at https://digility.net/insights/

Contact - Partner Spotlight - Darren Sheppard

Subscribe to our Newsletter

Blog Subscribe

SHARE CONTENT

Two blocks of data with bottleneck inbetween

Hidden Costs of Complexity: Why CIOs Must Prioritise IT Supply Chain Visibility

by Paul Brooker 29 October 2025
Read our article on hidden complexity and find out how shadow IT, duplicate tools and siloed buying bloat costs. See how CIOs gain a single view of IT spend to cut waste, boost compliance and unlock 5–7% annual savings | READ FULL ARTICLE

Fibrematic Engages Cambridge Management Consulting to Support its Go-to-Market Strategy and Expansion in Europe

by Cambridge Management Consulting 20 October 2025
Press Release
A darkly lit circuitboard with a flat padlock lying on top – purple tint

Cambridge Management Consulting Accredited as a National Cyber Security Centre Assured Services Cyber Advisor

by Tom Burton 17 October 2025
2 MIN READ
Neon 'Open' sign in business window

5 Questions to Help SMEs with Their Cyber Security

by Tom Burton 9 October 2025
SMEs make up 99% of UK businesses, three fifths of employment, over 50% of all business revenue, are in everyone's supply chain, and are exposed to largely the same threats as large enterprises. How should they get started with cyber security? Small and Medium sized Enterprises (SME) are not immune to the threat of cyber attacks. At the very least, if your business has money then it will be attractive to criminals. And even if you don’t have anything of value, you may still get caught up in a ransomware campaign with all of your data and systems made inaccessible. Unfortunately many SMEs do not have an IT team let alone a cyber security team. It may not be obvious where to start, but inaction can have significant impact on your business by both increasing risk and reducing the confidence to address new opportunities. In this article we outline 5 key questions that can help SMEs to understand what they need to do. Even if you outsource your IT to a supplier these questions are still relevant. Some can’t be delegated, and others are topics for discussion so that you can ensure your service provider is doing the right things, as well as understanding where their responsibilities stop and yours start. Q1: What's Important & Worth Defending Not everything needs protecting equally. In your personal life you will have some possessions that are dear to you and others that you are more laissez-faire about. The same applies to your digital assets, and the start point for any security plan needs to be an audit of the things you own and their importance to your business. Those ‘things’, or assets, may be particular types of data or information. For instance, you may have sensitive intellectual property or trade secrets; you may hold information about your customers that is governed by privacy regulations; or your financial data may be of particular concern. Some of this information needs to be protected from theft, while it may be more important to prevent other types of data from being modified or deleted. It is helpful to build a list of these assets, and their characteristics like the table below:
Illustration of EV sensor fields

AI at the Edge: The Backbone of Digital Infrastructure

by Duncan Clubb 25 September 2025
Explore the rise of edge AI: smaller data centres, faster networks, and sustainable power solutions. See why the future of digital infrastructure is distributed and intelligent | READ FULL ARTICLE
A close-up of the Downing St sign

How the UK Government's AI Playbook Will Reshape Public Services

by Craig Cheney 19 September 2025
Craig Cheney | The conversation around artificial intelligence (AI) in Government has shifted in recent years. The publication of the UK Government’s AI Playbook represents more than just updated guidance — it signals a huge shift in the government's approach to AI.
Volcano lava lake

The Cost of Short-Termism: Why Ignoring Sustainability Erodes Business Value

by Scott Armstrong 18 September 2025
Discover why short-term thinking on sustainability risks business growth. Explore how long-term climate strategy drives resilience, valuation, and trust | READ FULL ARTICLE
Close up of electricity pylon

AI Gridlock: The Infrastructure Problem that Might Derail the UK's AI Ambitions

by Duncan Clubb 17 September 2025
The UK’s AI ambitions face gridlock. Discover how power shortages, costly electricity, and rack density challenges threaten data centre growth – and what’s being done | READ FULL ARTICLE
Abstract neon hexagons

Why Startups Can’t Afford to Delay Their Cyber Resilience

by Tom Burton 17 September 2025
Delaying cybersecurity puts startups at risk. Discover how early safeguards boost investor confidence, customer trust, and long-term business resilience | READ FULL ARTICLE
More posts