Procurement Compliance Analysis
Analysis of procurement law requirements across UK, EU, Canada, and Australia for the Sovereign Cloud Initiative, including compliance pathways and legal challenges.
The Core Legal Challenge
Question from procurement specialists: "You can't run a single tender across four different procurement regimes. Each has different thresholds, procedures, and remedies. Who has standing to challenge a joint award?"
This document addresses this challenge by analysing each regime and proposing compliant procurement structures.
Procurement Regime Overview
United Kingdom
Procurement Act 2023
Effective Feb 2025
G-Cloud 15
European Union
Directive 2014/24/EU
27 Member States
TED notices
Canada
PSPC/SSC Authority
Buy Canadian Policy
CanadaBuys
Australia
CPRs 2024
Digital Marketplace
AusTender
United Kingdom - Procurement Act 2023
Effective 24 Feb 2025Legislative Framework
The Procurement Act 2023 replaces complex retained EU rules with a simpler, more flexible system aligned with UK strategic needs. It came into force on 24 February 2025, supported by the Procurement Regulations 2024 and National Procurement Policy Statement (NPPS).
Threshold for central government goods/services (2024 rates, updated biennially)
Key Requirements
| Requirement | Detail | Compliance Status |
|---|---|---|
| Publication | All above-threshold contracts published on Find a Tender (FTS) | MANDATORY |
| Social Value | Minimum 10% of evaluation criteria for social value | MANDATORY |
| SME Targets | Three-year targets for direct spend with small businesses | MANDATORY |
| Security | NPPS requires mitigating supply chain and national security risks | MANDATORY |
| Transparency | Pipeline notices, tender notices, award notices, contract details | MANDATORY |
Cloud-Specific Framework: G-Cloud 15
G-Cloud 15 is the first framework formalised under the Procurement Act 2023. The UK public cloud market is estimated at £6bn (2024).
- Pricing must be publicly available on Digital Marketplace
- Direct award criteria includes "lowest price" as final step
- Sovereign cloud requirements expected to increase under NPPS security provisions
National Security Exception
The Procurement Act includes exemptions for national security procurements. Critical national infrastructure may qualify, but formal legal opinion required.
European Union - Directive 2014/24/EU
27 Member StatesLegislative Framework
The EU Public Procurement Directives package (2014) establishes harmonised rules for public contracts across all member states. National authorities must treat all applicants equally, not discriminate, and be transparent.
Threshold for central government goods/services (2024 rates, excluding VAT)
Key Requirements
| Requirement | Detail | Compliance Status |
|---|---|---|
| Publication | All above-threshold contracts published in TED (Tenders Electronic Daily) | MANDATORY |
| Equal Treatment | Non-discrimination between bidders from any EU member state | MANDATORY |
| Transparency | Technical specifications, selection/award criteria must be published | MANDATORY |
| Standstill Period | Minimum 10 days between award decision and contract signature | MANDATORY |
| GDPR Compliance | Data protection impact assessment for cloud services processing personal data | MANDATORY |
EU Cloud Sovereignty Initiatives
- IPCEI-CIS: €1.2B state contribution + €1.4B private investment across 12 Member States
- Cloud and AI Development Act (2025): Target to triple EU datacenter capacity in 5-7 years
- Cloud Sovereignty Framework (Oct 2025): Eight Sovereignty Objectives, SEAL evaluation mechanism
Security Exception (Article 346 TFEU)
"No Member State shall be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security" and may take measures "connected with the production of or trade in arms, munitions and war material."
Canada - Federal Procurement Framework
Buy Canadian Policy Dec 2025Legislative Framework
Canadian federal procurement is governed by the Financial Administration Act, Treasury Board policies, and trade agreements. Only Shared Services Canada (SSC) and Public Services and Procurement Canada (PSPC) have authority to procure cloud services.
GPA threshold for federal government goods/services (2024)
Key Requirements
| Requirement | Detail | Compliance Status |
|---|---|---|
| Cloud-First Policy | TBS Policy on Management of IT requires cloud as preferred option (s.6.2.6) | MANDATORY |
| Data Residency | Protected B/C and Classified data must reside in Canada (Direction for Electronic Data Residency) | MANDATORY |
| Buy Canadian Policy | Prioritize Canadian suppliers and content in strategic procurements (effective Dec 2025) | MANDATORY from Dec 2025 |
| CETA Obligations | EU suppliers have procurement market access under CETA Chapter 19 | MANDATORY |
| Cyber Security Clauses | CCCS recommends standard clauses for cloud contracts (ITSM.50.104) | RECOMMENDED |
Canadian Content Policy
The Buy Canadian Procurement Policy Framework (effective 16 December 2025) prioritises Canadian suppliers, materials and content to strengthen economic resilience and industrial capacity.
- Minimum proportions of labour, materials, overhead from Canada
- Calculation via net cost or cost of production method
- Supplier declarations required to verify Canadian origin claims
National Security Exception
CETA Article 28.6 permits measures "necessary for the protection of its essential security interests." Similar provisions in GPA.
Australia - Commonwealth Procurement Rules 2024
Effective 1 July 2024Legislative Framework
The Commonwealth Procurement Rules (CPRs) 2024, issued by the Minister for Finance, govern procurement by non-corporate Commonwealth entities. Significant updates took effect 1 July 2024.
Non-construction procurement threshold (increased from $80,000 - first increase in 20 years)
Key Requirements
| Requirement | Detail | Compliance Status |
|---|---|---|
| Value for Money | Core principle; includes economic benefit assessment for contracts >$1M | MANDATORY |
| SME Targets | 25% from SMEs (<$1B), 40% from SMEs (<$20M), SME exemption to $500K | MANDATORY |
| Supplier Code of Conduct | Minimum expectations for suppliers under contract with Commonwealth | MANDATORY |
| Cloud Policy | Whole-of-Government Cloud Computing Policy encourages cloud-first | MANDATORY for NCCEs |
| Security (PSPF) | Alignment with Protective Security Policy Framework requirements | MANDATORY |
Cloud Procurement Mechanisms
- Digital Marketplace Panel 2 (DMP2): Established by DTA for digital/ICT services
- AusTender: Central publication platform for all Commonwealth tenders
- BuyICT: Model clauses including AI and cyber risk provisions
National Security Exception
CPRs Division 2 provides exemptions for procurement where publication would compromise national security or where security agency exemption applies.
Proposed Procurement Structures
Given that a single multinational tender is legally impractical, three compliant structures are proposed.
Option A: Coordinated National Procurements (Recommended)
Each jurisdiction runs its own procurement under its national rules, with coordination through a common requirements specification and shared evaluation criteria.
| Aspect | Approach |
|---|---|
| Tender authority | Each national procurement body (CCS, EU central purchasing, PSPC/SSC, DTA) |
| Specifications | Common technical requirements developed by joint working group |
| Publication | National platforms (FTS, TED, CanadaBuys, AusTender) with cross-references |
| Evaluation | National evaluation panels with harmonised scoring methodology |
| Award | Separate national contracts with interoperability requirements |
| Challenge remedies | National courts/tribunals per jurisdiction's rules |
Advantage: Full compliance with each regime; clear standing and remedies.
Disadvantage: Risk of divergent outcomes; higher coordination overhead.
Option B: Lead Nation Framework with Mutual Recognition
One jurisdiction conducts the primary procurement; others recognise the outcome and call off from the established framework.
| Aspect | Approach |
|---|---|
| Lead procurement | UK or EU conducts above-threshold procurement for framework agreement |
| Mutual recognition | Other jurisdictions recognise suppliers on framework as pre-qualified |
| Call-off | Each jurisdiction conducts mini-competition or direct award per national rules |
| Contract | National contracts under national law, referencing framework terms |
Advantage: Reduced duplication; leverages economies of scale.
Disadvantage: Requires formal mutual recognition agreement; may face legal challenge.
Option C: Government-to-Government Cooperation (Non-Procurement)
Structure the initiative as government cooperation rather than commercial procurement, potentially exempting from standard procurement rules.
| Aspect | Approach |
|---|---|
| Legal basis | Treaty establishing international organisation or joint undertaking |
| Procurement entity | International organisation with own procurement rules (cf. ESA, CERN) |
| Member contributions | Assessed contributions to organisation budget, not commercial contracts |
| Work allocation | Geographic return principle (cf. ESA) or capability-based allocation |
Advantage: Avoids national procurement regime constraints entirely.
Disadvantage: Requires new treaty; longer timeline; may face WTO challenge.
Challenge and Remedy Procedures
| Jurisdiction | Challenge Forum | Standstill Period | Remedies Available |
|---|---|---|---|
| UK | High Court (Technology and Construction Court) | 8-10 working days (depending on notification method) | Interim relief, set aside, damages, ineffectiveness declaration |
| EU | National courts/tribunals per Member State | Minimum 10 calendar days | Suspension, annulment, damages, ineffectiveness declaration |
| Canada | Canadian International Trade Tribunal (CITT) | 10 working days for GPA-covered procurement | Recommendation to redo, compensation |
| Australia | Federal Court / Administrative Appeals Tribunal | No mandatory standstill | Judicial review (limited), compensation (rare) |
Standing to Challenge
Under coordinated national procurements, only suppliers who bid in a specific jurisdiction have standing to challenge that award. US cloud providers excluded under security exceptions would need to challenge the exception itself, not the individual award.
Recommendations
- Adopt Option A (Coordinated National Procurements) for the initial programme phase, ensuring full compliance with each jurisdiction's rules.
- Establish a Joint Technical Authority to develop common specifications, ensuring interoperability without requiring a single procurement.
- Document security exception rationale clearly for each jurisdiction, with formal legal opinions supporting the use of national security exemptions.
- Consider Option C for longer-term - if a binding treaty is established, creating an international organisation with own procurement rules may be appropriate for Phase 2 and beyond.
- Seek WTO GPA clarification early, engaging with trade ministries to assess whether coordinated exclusion of US providers could face challenge.
Document Status
This procurement compliance analysis is a working document. It identifies legal requirements and potential structures but does not constitute legal advice. Formal opinions required from:
- UK: Government Legal Department, Cabinet Office Commercial
- EU: European Commission Legal Service, DG GROW
- Canada: PSPC Legal Services, Global Affairs Canada
- Australia: Attorney-General's Department, Department of Finance
Version: 1.0 Draft | Last updated: January 2026