Guidance

Multi-region cloud and software-as-a-service

Published 5 February 2025

Summary

In order to provide resilience, capacity and access to innovation, organisations may need to use cloud and software-as-a-service solutions located outside the UK. We recommend that organisations adopt a multi-region approach, in which they make controlled, considered use of regions in a way which is compatible with UK law. This guidance reinforces existing legislation and policy: this is not a change of policy.

Government data at OFFICIAL (including the SENSITIVE marking) can be stored and processed in data centres or Cloud regions overseas when satisfactory legal, data protection and security practices are in place; there is no universal requirement for government data classified as OFFICIAL to be physically located in the UK.

Under the Government’s Cloud First policy, organisations should consider the best place to store and process data, as non-UK services can be more cost-effective, more sustainable or have additional features available, as well as provide an alternative location for disaster response plans.

Context

Alongside the widespread use of Public Cloud by government, it is becoming increasingly common for software to be provided by vendors in a software-as-a-service (SaaS) model. For both SaaS and Public Cloud, while the vendor may offer a technical deployment in a region of your choice, there are often components of the service which are not in the same geography.

Examples: it is common for the vendor’s support staff to be on a ‘follow-the-sun’ model and thus be located around the world, or for SaaS-provided software to store backups in a different region overseas.

It can be prohibitive for smaller vendors to provide an entire capability within every geography worldwide because of the level of expense and complexity. With both Public Cloud and SaaS you are benefiting from the commoditisation of technology, but if the architecture is not suitable for your use-case it is very unlikely to be redesigned for a single customer. This means you have to decide whether the solution provided is acceptable or else choose another product.

Public Cloud environments, despite having regions based in specific geographical locations, will often send data between regions to provide the requested service, as metadata or for billing purposes. Not all regions from a Cloud provider are equal: regions often have different pricing, services or features, physical infrastructure, resource availability and sustainability properties. For example, latest-generation chips to support artificial intelligence workloads are not currently deployed to all global regions.

Your disaster response requirements may mean the current distribution of Public Cloud regions in the UK is not sufficient to meet your recovery objectives and so you may consider using an overseas region to meet your resilience requirements in certain scenarios.

Example: if all your services are hosted from the London region of a single Cloud provider, all these services could go offline if there is an outage of services in this region, or if you lose connectivity or access to it, whether through accidental, technical or natural disaster reasons.

Many Public Sector organisations are already taking advantage of SaaS products which are not exclusively UK hosted, operated and supported. These include products storing or processing personally identifiable information or critical business data, such as office productivity tools, document management solutions, code repositories, low-code apps and surveys.

Legislation and other guidance

Cloud First

Government has had a Cloud First policy since 2013; this predates many of the UK regions from the Cloud vendors, and therefore organisations may have already hosted data at OFFICIAL in overseas regions. The latest version of the Cloud First policy includes Principle five: “enable teams to use Cloud services provided overseas or globally”.

Data Protection Act

All organisations have a responsibility to ensure personal data has appropriate safeguards when it is transferred outside the UK in line with the Data Protection Act 2018. HM Government and partners must also comply with Government Security Classifications policy.

International Trade Agreements

The UK Government has signed legally binding international trade agreements with other countries, and at the World Trade Organization (WTO), to remove barriers to trade - these include commitments which prevent unjustified data localisation. This aligns with UK trade policy to promote free trade and limit protectionist measures in the global economy. The Government Security Group can advise if you have identified security risks that you believe can only be mitigated or managed by hosting within the UK.

Jurisdiction

International vendors must comply with their home country’s laws and, in many cases, the laws of the region in which they are operating. There will be situations where a jurisdiction will be able to use domestic data access legislation to request your data from the service provider. This is normal and not specific to Cloud services (National Protective Security Authority guidance on supply-chain security and National Cyber Security Centre Cloud Principle on Asset Protection).

Classified data

Government has a routine need to store and process both SECRET and TOP SECRET information outside the UK, including to support civil servants and military personnel based overseas. The National Cyber Security Centre (NCSC) advises that Public Cloud is not designed to protect SECRET and TOP SECRET information, including SaaS deployments using Public Cloud for hosting. This means you will need alternative hosting arrangements for systems storing or processing SECRET or TOP SECRET information and you should seek specialist advice if these are not already available in your organisation.

How this applies to your organisation

This guidance is for Public Cloud and software-as-a-service (SaaS) only, not your own or managed data centres, or infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) offerings outside a Public Cloud setting.

(1) Legal: before doing business with a new cloud or SaaS vendor you should have sought guidance from your legal advisors and/or Data Protection Officer. It is vital that you satisfy yourself that there are no obligations upon the contracting vendor to share government data in a manner incompatible with UK laws/regulations or government policies (NCSC Cloud Principle 2.1).

Where the legislative position of an international supplier’s home country is not equivalent to the UK data protection landscape, you will need to consider whether this rules out doing business with them, or if this can be provided for by way of imposing contractual obligations in lieu of legislative ones.

(2) Data Protection: when storing or processing data outside of the UK you need to follow data protection legislation; refer to the Information Commissioner’s Office (ICO) guidance on international transfers and seek further guidance from your legal advisors and/or DPO as to how this applies to your data transfer requirements.

Adequacy regulations cover data transfers to the EU member states, the European Free Trade Association (EFTA) states and some other countries and territories (ICO). You do not need to carry out a Transfer Risk Assessment if you are making a transfer to any country covered by UK adequacy regulations. (ICO)

(3) Security: your organisation should already have security policies in place on how to secure your organisation’s data, including making sure data is adequately protected from unauthorised access by parties with physical access to infrastructure, alongside the data-at-rest protection provided by encryption (NCSC Cloud Principle 2.3).

The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the NCSC Cyber Assessment Framework (CAF) under the appropriate Government CAF profile (Baseline or Enhanced) for their critical systems. This includes achieving the required security outcomes in relation to data security under CAF Principle B3: Data Security.

For Public Cloud, you should have cloud-first or cloud-native security policies in place, which may differ from your security policies for on-premise hosting. Those security policies should take advantage of the compliance and security features available from cloud vendors.

If satisfactory legal, data protection and security arrangements are in place, you should then consider the most appropriate location to store the data, noting the different benefits offered by hosting both inside and outside the UK. You can choose/require UK-based hosting for justifiable reasons, such as latency for predominantly UK-based users, however you might find overseas regions are suitably performant while having lower costs or other benefits.
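The three steps above (legal, data protection, security) followed by the location decision form a checklist that can be turned into an automated pre-deployment check. The following is an added worked example, not code from the guidance or from any of the contributing departments. It encodes the rules the guidance states as a small decision procedure over a constructed workload inventory: SECRET and TOP SECRET workloads are rejected for Public Cloud or SaaS outright; OFFICIAL (including OFFICIAL-SENSITIVE) may be placed overseas once legal review and encryption at rest are confirmed; and personal data leaving the UK needs either a destination covered by UK adequacy regulations or a recorded Transfer Risk Assessment. The region names, the region-to-country mapping and the adequacy set are constructed illustrations, not authoritative lists; the ICO guidance remains the source for adequacy.

```python
"""Region-placement check for Public Cloud / SaaS workloads.

Added example (not part of the guidance). Region identifiers, the
region-to-country table and the adequacy set below are constructed
sample data, not an authoritative list.
"""
from dataclasses import dataclass

# Constructed mapping of hypothetical region identifiers to ISO country codes.
REGION_COUNTRY = {
    "uk-london": "GB",
    "eu-frankfurt": "DE",
    "us-east": "US",
    "ap-sydney": "AU",
}

# Illustrative subset only; consult the ICO adequacy guidance for the real list.
ADEQUACY_COUNTRIES = {"GB", "DE", "FR", "IE", "NL", "CH", "NO"}

PUBLIC_CLOUD_FORBIDDEN = {"SECRET", "TOP SECRET"}


@dataclass
class Workload:
    name: str
    classification: str            # "OFFICIAL", "OFFICIAL-SENSITIVE", "SECRET", "TOP SECRET"
    region: str                    # key into REGION_COUNTRY
    personal_data: bool = False    # does the workload hold personal data?
    legal_review_done: bool = False   # step (1): legal / DPO review of the vendor completed
    tra_recorded: bool = False        # step (2): Transfer Risk Assessment on file
    encrypted_at_rest: bool = False   # step (3): data-at-rest encryption in place


def check_placement(w: Workload) -> list[str]:
    """Return findings for one workload; an empty list means the placement is acceptable."""
    findings: list[str] = []
    country = REGION_COUNTRY.get(w.region)
    if country is None:
        return [f"{w.name}: unknown region '{w.region}'"]
    overseas = country != "GB"

    # Classified data: Public Cloud is not designed for it, whatever the region.
    if w.classification in PUBLIC_CLOUD_FORBIDDEN:
        return [f"{w.name}: {w.classification} must not be hosted on Public Cloud or SaaS"]

    # Step (1): legal review applies to every new cloud or SaaS vendor.
    if not w.legal_review_done:
        findings.append(f"{w.name}: legal/DPO review of vendor obligations not recorded")

    # Step (2): personal data leaving the UK needs adequacy cover or a TRA.
    if w.personal_data and overseas and country not in ADEQUACY_COUNTRIES and not w.tra_recorded:
        findings.append(
            f"{w.name}: personal data in {country} (no UK adequacy regulations) without a Transfer Risk Assessment"
        )

    # Step (3): data-at-rest encryption guards against parties with physical access.
    if not w.encrypted_at_rest:
        findings.append(f"{w.name}: data at rest is not encrypted")

    return findings


def check_inventory(workloads: list[Workload]) -> dict[str, list[str]]:
    """Run check_placement over an inventory; only workloads with findings are returned."""
    report = {}
    for w in workloads:
        findings = check_placement(w)
        if findings:
            report[w.name] = findings
    return report


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Workload("intranet", "OFFICIAL", "eu-frankfurt", personal_data=True,
             legal_review_done=True, encrypted_at_rest=True),
    Workload("hr-records", "OFFICIAL-SENSITIVE", "us-east", personal_data=True,
             legal_review_done=True, encrypted_at_rest=True),
    Workload("ops-planning", "SECRET", "uk-london",
             legal_review_done=True, encrypted_at_rest=True),
    Workload("staff-survey", "OFFICIAL", "uk-london"),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f)
```

The check is deliberately region-agnostic for OFFICIAL data: a UK region is not treated as automatically compliant, and an overseas region is not treated as automatically non-compliant, which mirrors the guidance's position that location is a choice made after the legal, data protection and security arrangements are satisfied.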

Further advice

This guidance has been developed collaboratively between the Government Digital Service (GDS), the National Cyber Security Centre (NCSC), the Government Security Group, the Department for Science, Innovation and Technology (DSIT) and the Department for Business and Trade. In the first instance you should reach out to your internal data protection officer, but if you need further help you can approach GDS Cloud Strategy, the NCSC, or the DSIT Data Flows team. For trade-related queries please contact the Department for Business and Trade.