AppHosts All articles
Data Sovereignty

Framework Status Is Not a Performance Guarantee: What UK Public Sector Buyers Must Verify Beyond the Approved Supplier List

AppHosts
Framework Status Is Not a Performance Guarantee: What UK Public Sector Buyers Must Verify Beyond the Approved Supplier List

The Proxy Problem

Public sector procurement in the United Kingdom operates under considerable pressure. Contracting authorities face legal obligations around competitive tendering, commercial compliance, and value for money that consume significant internal resource. Against this backdrop, the existence of pre-approved supplier frameworks administered by the Crown Commercial Service represents a genuine administrative convenience — a mechanism through which procurement teams can contract with vetted suppliers without repeating the full due diligence process from scratch.

The difficulty arises when that convenience is mistaken for assurance. Framework inclusion signals that a supplier has passed a commercial and legal assessment at a point in time. It does not signal that the supplier's infrastructure is technically capable of meeting the specific operational requirements of a given public sector organisation, that their security posture has been independently verified to a meaningful standard, or that their service delivery record in comparable environments is strong.

For hosting and cloud infrastructure procurement specifically, this distinction matters enormously. The consequences of selecting an inadequate hosting provider — application downtime, data exposure, performance degradation, compliance failure — fall on the contracting authority and, ultimately, on the citizens and service users who depend on the systems being hosted.

How Framework Assessment Works in Practice

The Crown Commercial Service's technology frameworks — including the G-Cloud framework under which cloud and hosting services are most commonly procured — operate on a supplier self-certification model for many technical criteria. Suppliers submit service definitions, pricing, and compliance declarations. The assessment process verifies commercial standing, financial health, and adherence to the framework's structural requirements.

Technical performance capability is assessed primarily through the supplier's own documentation. There is no mandatory independent penetration testing requirement, no infrastructure audit, and no operational performance verification as part of the standard framework admission process. A supplier can hold G-Cloud status whilst running infrastructure that has never been subjected to independent security assessment, whilst operating data centres that do not meet the availability standards implied by their marketing materials, and whilst delivering support through arrangements that fall short of what a public sector buyer would reasonably expect.

This is not a criticism of the Crown Commercial Service's framework design — the frameworks serve an important purpose and have evolved considerably over successive iterations. It is, however, a structural reality that procurement teams must understand and account for in their decision-making.

The Gap Between Compliance and Capability

Several categories of discrepancy between framework status and operational capability recur in public sector hosting procurement.

Security certification scope is frequently narrower than buyers assume. A supplier holding ISO 27001 certification may have certified only a specific portion of their infrastructure or operational processes, with the certification scope defined in a way that excludes the precise environment in which a buyer's application will be hosted. Cyber Essentials and Cyber Essentials Plus certifications, whilst valuable, address a defined set of controls and do not constitute a comprehensive security assurance.

Data residency commitments require explicit contractual verification. Framework listings may describe services as 'UK-hosted' whilst the underlying infrastructure includes components — backup facilities, CDN nodes, support tooling — that sit outside UK jurisdiction. For public sector organisations handling sensitive data, including health records, benefits information, or law enforcement data, the distinction between 'primarily UK-hosted' and 'exclusively UK-hosted' is legally significant.

Disaster recovery and business continuity capabilities are self-declared in framework service descriptions. A supplier may list recovery time objectives and recovery point objectives that reflect aspirational targets rather than tested operational capability. The absence of a requirement to provide evidence of DR testing as part of framework admission means that buyers cannot assume these figures are grounded in verified practice.

Support and response commitments in framework service descriptions are not always aligned with the operational reality of a supplier's staffing model. Stated response times may reflect best-case scenarios under normal load conditions, with no disclosure of how support capacity scales during major incidents or how escalation processes function outside standard business hours.

A Secondary Due Diligence Checklist

Public sector IT decision-makers should treat framework verification as the beginning of their due diligence process, not its conclusion. The following checklist is designed to surface the information that framework assessment does not reliably provide.

Request the precise scope of all security certifications. Ask the supplier to provide the certification scope document for any ISO 27001, Cyber Essentials Plus, or equivalent certification they hold. Confirm that the infrastructure on which your application will be hosted falls within that scope.

Obtain written data residency confirmation. Require a contractual commitment specifying that all data — including backups, logs, support tooling data, and any third-party processing — will remain within UK jurisdiction. Request a list of all sub-processors and their locations.

Ask for evidence of DR testing. Request documentation of the most recent disaster recovery exercise, including the scenario tested, the outcome, and any remediation actions taken. A supplier unwilling to provide this should be treated with appropriate caution.

Request references from comparable public sector deployments. Framework status does not indicate relevant sector experience. Ask specifically for references from public sector organisations running applications of comparable sensitivity and scale. Speak to the reference contacts directly rather than relying on written testimonials.

Examine the support model in detail. Ask how many engineers are available on-call during out-of-hours periods, where they are based, and what the escalation process is for P1 incidents. Request a sample incident report from a previous major outage, with sensitive details redacted.

Review the financial stability of the supplier. Framework admission includes financial assessment, but this is conducted at a point in time. For multi-year contracts, request up-to-date accounts and ask about the supplier's ownership structure. Acquisition activity in the hosting sector is frequent, and a change of ownership can materially alter service commitments.

Assess the contractual exit provisions. Public sector organisations have particular obligations around continuity of service. Confirm that the contract includes data portability commitments, a transition assistance period, and exit charges that are proportionate and capped.

The Accountability Gap

One structural feature of framework procurement that deserves specific attention is the accountability gap that can emerge between framework terms and call-off contract terms. The framework establishes a ceiling for certain commercial conditions but does not mandate uniformity across all terms. Suppliers may introduce limitations, exclusions, or liability caps in their call-off contract terms that are less favourable than the framework's general provisions suggest.

Procurement teams should ensure that legal review of the call-off contract is conducted with specific attention to how liability for hosting failures — including data loss, extended outages, and security incidents — is allocated between the supplier and the contracting authority.

Conclusion

The Crown Commercial Service frameworks provide genuine value to public sector procurement, and many framework suppliers deliver excellent infrastructure services. The risk lies not in the framework itself but in the assumption that framework status is a sufficient proxy for technical capability and operational reliability. Public sector IT leaders who apply rigorous secondary due diligence — treating the approved supplier list as the starting point rather than the endpoint of their assessment — are considerably better positioned to procure hosting infrastructure that genuinely meets the demands of the services they are responsible for delivering.

All Articles

Related Articles

The Licence Minefield: What UK Businesses Self-Hosting Open Source Software Must Understand Before It Is Too Late

The Licence Minefield: What UK Businesses Self-Hosting Open Source Software Must Understand Before It Is Too Late

Trading Address vs. Data Address: The Dangerous Gap UK Businesses Must Understand Before Signing a Hosting Contract

Trading Address vs. Data Address: The Dangerous Gap UK Businesses Must Understand Before Signing a Hosting Contract

Failing Before You Bid: How Your Hosting Environment Could Be Silently Blocking UK Public Sector Contracts

Failing Before You Bid: How Your Hosting Environment Could Be Silently Blocking UK Public Sector Contracts