Procurement Report

Cloud services procurement: 2025 policy update

In May 2025, the Office of Government Procurement (OGP) issued a revised version of its Cloud Services Procurement Guidance Note, superseding the 2021 edition.

This updated guidance is intended to support Public Sector Bodies (PSBs) in Ireland in procuring cloud-based services in a compliant, risk-aware, and commercially appropriate manner, taking into account the increasing reliance on cloud delivery models across all public service domains.

The revised note outlines procedural recommendations, contractual considerations, legal compliance obligations, and market engagement practices, with a particular focus on the complexities introduced by hyperscale providers and emerging technologies such as embedded artificial intelligence (AI) components.

The guidance reiterates that all PSBs must comply with EU and national procurement regulations, most notably the European Union (Award of Public Authority Contracts) Regulations 2016 (S.I. No. 284/2016), when procuring cloud services. These requirements include the publication of contract terms as part of the Request for Tender (RFT) and the use of transparent and non-discriminatory procurement procedures.

Due to the distinctive contractual and operational characteristics of cloud services, the guidance advises PSBs that standard OGP contract templates may be insufficient and may require customisation to account for service-specific risk factors, commercial terms, and performance arrangements.

Procurement procedure selection

The OGP highlights that PSBs must choose an appropriate procurement procedure type in accordance with the risk profile, market maturity, and complexity of the cloud services being sought. In circumstances where it is anticipated that standard terms and conditions may be rejected or modified by prospective suppliers – particularly hyperscale cloud service providers – the guidance suggests that negotiated procedures or competitive dialogues may offer a more suitable procurement path than open procedures.

PSBs are reminded that while negotiation-friendly procedures offer flexibility, they must be used in accordance with legal thresholds and must preserve the principles of transparency and equal treatment.

Market engagement

The guidance strongly recommends that PSBs undertake structured pre-market engagement, most often through the publication of a pre-market consultation (PMC) via the eTenders platform. This engagement should serve several purposes:

  • Solution assessment: Determine whether the appropriate service model is infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), and assess whether services include AI functionality.
  • Risk assessment and DPIA: Conduct a data protection impact assessment (DPIA) and classify the data to be processed under the prospective service. PSBs must be able to demonstrate understanding of the nature, purpose, and legal basis for all personal data processed in the cloud environment.
  • Supplier screening: Assess whether potential suppliers – including resellers and systems integrators – can meet GDPR and security obligations.
  • Cost and lifetime analysis: Estimate the total cost of ownership (TCO) over the contract term, including variable usage-based pricing structures.
  • Contract alignment: Identify conflicts between standard supplier terms and PSB requirements.

The guidance makes clear that engaging external legal and data protection advisors is advisable before initiating formal procurement processes.

Contractual and commercial considerations

The document outlines 10 contractual and commercial terms (CCTs), each of which addresses a specific challenge for cloud procurement:

CCT.1: Data protection: The PSB remains fully accountable under GDPR for data processing. Contracts must explicitly define processing roles, sub-processor controls, audit access, breach notification procedures, and restrictions on cross-border data transfers.

CCT.2: Hierarchy of documents: The PSB Services Contract must define a clear order of precedence among all documents, with PSB terms explicitly taking precedence over CSP terms – especially those included via embedded hyperlinks or “click-through” agreements.

CCT.3: Security requirements: Contracts must specify standards for data encryption (in transit and at rest), data residency, private vs public access, and responsibilities under the shared responsibility model.

CCT.4: Contract duration: Long-term contracts may offer improved unit pricing but introduce risk of supplier lock-in. PSBs should balance pricing incentives with flexibility for early termination and re-tendering.

CCT.5: Exit management: Exit provisions must cover data extraction, service transition, and handover obligations. Contracts should include a mandatory exit management plan reviewed at regular intervals.

CCT.6: Service suspension: CSPs may reserve rights to suspend service unilaterally. The PSB should seek to restrict such rights to well-defined and proportionate scenarios.

CCT.7: Pricing models: The note distinguishes between fixed pricing and consumption-based pricing, including PAYG and commitment models. PSBs must fully scope the pricing components, including compute, storage, bandwidth, and licensing.

CCT.8: In-life service management: Governance mechanisms must be in place to monitor SLA compliance, incident resolution, and strategic review. This includes regular supplier performance reviews and operational meetings.

CCT.9: Other contractual issues: These include force majeure, indemnities, intellectual property rights, software versioning, and novation clauses.

CCT.10: General procurement issues: PSBs must distinguish between direct CSPs, resellers, and systems integrators and ensure contractual accountability is not diluted in multi-party arrangements.

The 2025 Cloud Services Procurement Guidance Note is intended to serve as a technical resource for contracting authorities procuring cloud services. It does not represent a change in policy direction but consolidates recent legal developments and codifies procurement best practices into a single reference point.

PSBs are expected to operationalise the guidance in all relevant procurement processes and to retain appropriate legal and technical advisory support. Compliance with GDPR, procurement law, and internal governance frameworks remains a fundamental requirement.
