Phase 0: Pilot Programme Proposal
Before committing billions to full sovereign cloud migration, a structured 24-36 month pilot programme validates technology choices, coordination mechanisms, and migration approaches with non-critical workloads.
1. Executive Summary
Phase 0: Prove Before You Scale
Objective: Demonstrate that CloudStack-based sovereign infrastructure can successfully host real government workloads, achieve interoperability across jurisdictions, and deliver acceptable performance/security before committing to full programme.
Go/No-Go Decision: At Month 30, Cabinet Office/Treasury (UK), Commission (EU), TBS (Canada), and Finance (Australia) make binding decision based on defined success criteria.
2. Pilot Scope
2.1 Candidate Workloads per Jurisdiction
Workloads selected for pilot must be: (a) non-critical (failure doesn't affect citizens directly), (b) representative of common patterns, (c) currently on US cloud, (d) departmentally willing.
| Jurisdiction | Candidate Workloads | Complexity | Current Provider |
|---|---|---|---|
| United Kingdom | 1. Internal policy collaboration platform | Low-Medium | Azure |
| 2. Non-public datasets analytics platform | Medium | AWS | |
| 3. Development/test environments | Low | GCP | |
| European Union | 1. Internal document management system | Low-Medium | Azure |
| 2. Staff HR portal | Medium | AWS | |
| 3. Non-production regulatory data platform | Medium-High | AWS | |
| Canada | 1. Internal collaboration tools | Low | Azure |
| 2. Development environments for digital services | Low-Medium | AWS | |
| Australia | 1. Policy analysis platform | Medium | AWS |
| 2. Internal learning management system | Low | Azure |
2.2 What the Pilot Will NOT Include
- Citizen-facing services: No public-facing workloads until Phase 1+
- Critical infrastructure: No health, tax, benefits, defence until validated
- High-volume transactional: Reserved for post-pilot performance validation
- Classified workloads: Requires separate security certification path
3. Budget
| Category | UK | EU | Canada | Australia | Shared | Total |
|---|---|---|---|---|---|---|
| Infrastructure (pilot scale) | €25 | €50 | €20 | €25 | €15 | €135 |
| Platform development | €15 | €30 | €10 | €15 | €30 | €100 |
| Migration/integration | €10 | €20 | €8 | €10 | €5 | €53 |
| Security certification | €8 | €15 | €6 | €8 | €10 | €47 |
| Training | €5 | €10 | €4 | €5 | €5 | €29 |
| Programme management | €5 | €10 | €4 | €5 | €10 | €34 |
| Contingency (20%) | €14 | €27 | €10 | €14 | €15 | €80 |
| TOTAL | €82 | €162 | €62 | €82 | €90 | €478 |
Budget notes: This represents approximately 5% of the full programme Likely Case estimate. Pilot infrastructure is sized for workloads listed, not full production. Equipment purchased for pilot can be incorporated into full programme if Go decision made.
4. Timeline and Gates
| Phase | Months | Activities | Gateway |
|---|---|---|---|
| P0.1 Setup | 0-6 | Establish governance, procure pilot infrastructure, deploy CloudStack core, set up ISCC coordination mechanisms | Gate 0: Infrastructure ready; governance operational |
| P0.2 First workload | 6-12 | Migrate first workload per jurisdiction (dev/test environments); establish interoperability baseline | Gate 1: First workload operational in all 4 jurisdictions |
| P0.3 Production pilot | 12-24 | Migrate remaining pilot workloads; validate cross-jurisdiction interop; security certification progress | Gate 2: All pilot workloads operational; interop validated |
| P0.4 Evaluation | 24-30 | Operate under production conditions; performance monitoring; cost analysis; security audit; lessons learned | Gate 3: GO/NO-GO DECISION |
| P0.5 Transition | 30-36 |
If GO: Prepare Phase 1 business case, procure additional infrastructure If NO-GO: Wind down pilot, migrate workloads back, document lessons |
Phase 1 launch or orderly exit |
5. Success Criteria for Go/No-Go Decision
The Gate 3 Go/No-Go decision requires achievement of all mandatory criteria and at least 70% of target criteria.
5.1 Mandatory Criteria (Must Achieve)
| Criterion | Measure | Threshold |
|---|---|---|
| M1: Workloads operational | All pilot workloads running on sovereign infrastructure | 100% migrated and operational |
| M2: Uptime | Infrastructure availability over 6-month assessment period | ≥99.5% (excludes planned maintenance) |
| M3: Security certification | Platform certified to national security standard | At least one national certification per jurisdiction |
| M4: Data sovereignty | Zero data leaving designated jurisdiction boundaries | 100% verified by audit |
| M5: No security incidents | No critical/high security incidents during pilot | Zero critical; ≤2 high (contained) |
5.2 Target Criteria (Aim for 70%+)
| Criterion | Measure | Target |
|---|---|---|
| T1: Performance parity | Response time vs previous US cloud | Within 20% of previous |
| T2: Cost efficiency | TCO comparison to US cloud equivalent | Within 130% of US cloud cost |
| T3: Interoperability | Cross-jurisdiction API compatibility | ≥90% of defined APIs interoperable |
| T4: User satisfaction | End-user and operator satisfaction survey | ≥70% satisfied or better |
| T5: Skills transfer | Staff certified on sovereign cloud operations | ≥80% of target headcount certified |
| T6: Migration velocity | Time to migrate typical workload | Within 150% of planned duration |
| T7: Governance function | ISCC coordination mechanisms working | ≥80% of decisions made within SLA |
| T8: Supplier delivery | Contracted suppliers meeting commitments | ≥90% on-time, on-quality delivery |
| T9: Budget adherence | Pilot spend vs approved budget | Within 110% of budget (excl contingency) |
| T10: Full programme confidence | Independent assessor confidence in scalability | ≥70% confidence rating |
6. Pilot Governance
6.1 Oversight Structure
| Body | Composition | Role |
|---|---|---|
| Pilot Board | Senior officials from each jurisdiction + independent chair | Strategic oversight; gateway decisions; resource allocation |
| Technical Authority | Chief architects from each jurisdiction | Technical decisions; standards; architecture approval |
| Security Authority | NCSC/ENISA/CSE/ASD representatives | Security standards; certification oversight; incident response |
| Independent Assurance | IPA (UK)/equivalent per jurisdiction | Gateway reviews; delivery confidence assessment |
6.2 Reporting
- Monthly: Technical progress reports to Technical Authority
- Quarterly: Status reports to Pilot Board
- Gateway: Independent gateway reviews at Gates 0, 1, 2, 3
- Annual: Progress reports to national parliaments/audit offices
7. Key Risks and Mitigations
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| CloudStack doesn't meet requirements | Medium | High | Early technical validation; alternative evaluation (OpenStack, OCI Dedicated) |
| Interoperability fails | Medium | High | Kubernetes-native approach; standard APIs; conformance testing from Month 6 |
| Security certification delayed | High | Medium | Early engagement with NCSC/ENISA/CSE/ASD; parallel certification tracks |
| Coordination gridlock | Medium | Medium | Independent chair; clear escalation; majority voting for non-critical decisions |
| Skills shortage | High | Medium | Early hiring; contractor augmentation; cross-jurisdiction training |
| Budget overrun | High | Low | 20% contingency; strict change control; monthly financial review |
8. No-Go Exit Strategy
If Gate 3 results in NO-GO decision, the following exit process applies:
| Step | Duration | Activities | Cost |
|---|---|---|---|
| 1. Decision confirmed | Month 30 | Formal No-Go decision; exit plan approval | - |
| 2. Data migration back | Months 30-34 | Migrate pilot workloads back to US cloud providers | €15-25M |
| 3. Infrastructure disposal | Months 34-36 | Secure data destruction; hardware resale/reuse; contract termination | €5-10M |
| 4. Lessons documented | Month 36 | Comprehensive lessons learned report; technology recommendations | €2M |
| 5. Staff redeployment | Months 30-36 | Redeploy/outplace pilot staff; preserve skills | Normal costs |
Stranded Capital Risk: Maximum stranded capital in No-Go scenario is approximately €478M (full pilot budget) minus recoverable hardware value (~€80M) = €400M maximum loss. This represents ~0.5% of full programme Likely Case, an acceptable risk for de-risking a €85B programme.
9. Required Approvals
| Jurisdiction | Approving Authority | Requirements |
|---|---|---|
| United Kingdom | Cabinet Office + HM Treasury | Business case approval; Spending Review allocation |
| European Union | European Commission (DIGIT) | Budget line approval; procurement authorization |
| Canada | Treasury Board Secretariat | Investment approval; GC IT standards compliance |
| Australia | Department of Finance + Cabinet | New Policy Proposal approval; Digital Investment Framework compliance |