Our View: New UK Government Guidance on Multi-Region Cloud & SaaS

Tom Burton



Well-Intended Guidance Leaves More Questions than Answers


The UK Government Digital Services – part of the Department for Science, Innovation and Technology – has recently published guidance on how the public sector should adopt a multi-region approach to cloud technology. At first sight this appears encouraging. Any unnecessary constraints on hosting arrangements (or any other non-functional requirements) reduce the available market of providers, constrain competition, and therefore inevitably reduce value for money. If parts of Government, whether central, regional or local, have felt that everything must be hosted in the UK, then it makes sense to produce guidance that addresses this perception and helps to open their options up.


But for guidance to be useful it should guide. It should make it easier for people to take actions that they previously would have discounted. The guidance in this case, which at 1420 words is almost as short as this article, probably leaves the reader with more questions than answers. It may reveal some unknowns, but without increasing certainty.


The Guidance in a Nutshell


A summary of the guidance is as follows:


  • Look wider than UK: Many cloud solutions may not offer UK hosting, particularly new innovative solutions that haven’t scaled up yet. Regardless of hosting location, their staff are likely to be distributed around the world if the service is supported 24/7. There may also be other benefits in looking wider than UK hosting, such as enabling better business continuity and disaster recovery options if the vendor only has one UK site.


  • Get legal advice: Before you even consider a non-UK option you need to seek advice from your own legal advisors and your Data Protection Officer (DPO).


  • Ensure compliance with ICO guidance: Before you even consider a non-UK option you need to check and make sure that any international transfer of personal data will be compliant with the Information Commissioner’s Office (ICO) guidance, and you should get further guidance from your own legal advice and DPO.


  • Do a full review of vendor security: Before you even consider a non-UK option you need to make sure the vendor and solution are compliant with your own security policies.


In a nutshell, it says: 'you should consider options outside of the UK but only if you have checked everything is legal and secure'. This seems to be verging on a statement of the obvious; the real difficulty in going offshore is covering all of the legal, regulatory and security compliance aspects.


Adequacy is a Moment in Time


On point 3, the guidance points out that data protection compliance is easier if the country in question is considered by the ICO to be adequate – having regulations for data protection equivalent to the UK’s. Sound advice. But even this is not that simple. For instance, the USA is not considered adequate unless it is under an extension of the EU-US Data Privacy Framework. This framework is dependent on an Executive Order that the Biden administration put in place, and it is entirely possible that it will be revoked by the current administration. If such an action were taken, or if for any other reason the EU decides that adequacy is no longer met (also not unlikely, given Herr Schrems has achieved this twice already and has stated he plans to challenge the DPF), then the vendor will no longer be considered compliant.


Consideration is Far Wider than Residency


Security is far wider than data residency, though. This is where point 4 both states the obvious and understates the complexity. Managing risk in the supply chain is inherently difficult. Cloud providers, and particularly SaaS solutions, aggravate this challenge by an order of magnitude. By their nature they are solutions designed for a broad and varied range of customers. This means they will always involve compromise. If they tried to meet the most demanding requirements, they would price themselves out of the scale marketplace. If they went for the lowest common denominator, they would be unable to meet the requirements of the majority. An individual customer can rarely dictate a specific security requirement for themselves.


They are also highly opaque. The vendor presents their service as a black box. The features delivered to the customer are defined, but much of the underlying design and the means the vendor uses to manage it in operation are hidden. This makes assessing the risk far more of a judgement call than when the design and delivery are conducted under your control. Depending on the supplier, and the leverage that the customer has over them, it may be possible to get some information and assurances; but the right questions need to be asked, and the answers need to be interpreted correctly. Third-party certifications and audits, such as the ISO 27000 series of standards or the SOC 1, SOC 2 and SOC 3 reports, can also provide some additional assurance. But only the customer will be able to decide the extent to which they can mitigate the risk, and the confidence they have in the supplier to manage their own. This is a business decision informed by the specifics and nuances of the risks being considered.


Summary


It is important to minimise the non-functional requirements and keep an open mind about potential solutions and vendors. This includes looking wider than just the UK when national security requirements are not paramount. But this is not something that can be distilled onto a single sheet of A4 in any meaningful way. Yes, there are legal and regulatory issues that need to be reviewed. And geopolitical risk needs to be factored in, considering how you would respond to future external changes that are outside of the UK’s control.


But from experience, the greatest challenge is getting comfortable that the vendor’s organisation and their solution have adequate security – this applies equally whether the solution is hosted in the UK or overseas. The SaaS world is opaque, and balances priorities across a broad and varied customer base. The public sector needs to increase its adoption of cloud and SaaS solutions to remain efficient and relevant, in the same way that the private sector has had to. But the route to responsible adoption is more nuanced, requiring candid conversations with suppliers, and ultimately an informed but subjective judgement by the customer’s leadership.


Sources/Links:

  • DSIT Guidance for Multi-region cloud and software-as-a-service

  • ICO Guide to International Transfers

  • Executive Order (E.O.) 14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence Activities



Note: This article originally appeared on Tom Burton's personal blog at https://digility.net/insights/

