G-Cloud Framework

Overview#

G-Cloud is the standing framework agreement that the Crown Commercial Service maintains so UK public-sector bodies can procure cloud services without running a fresh competitive tender every time they buy. It is operated under the procurement reference RM1557.x, where the numerical suffix indicates the framework iteration. The agreement was launched in February 2012 with G-Cloud 1 and has been reissued roughly every 12-24 months since; as of 2026 the current iteration runs alongside its predecessors in their respective transition windows. The lot-9 numbering in CCS catalogue references is the framework's position within the broader CCS catalogue of pre-competed agreements rather than a lot within G-Cloud itself.

The framework's purpose is to compress a typical EU-style procurement timeline — six to twelve months — into a few weeks of direct-award activity off a pre-competed catalogue. Suppliers are assessed once on financial standing, legal status, compliance with mandatory regulations (Modern Slavery Act 2015, the General Data Protection Regulation as retained in UK law, the Equality Act 2010) and the framework-specific terms; listed services are then directly available to any contracting authority within the public sector for the duration of the framework. Contracting authorities include central government departments, executive agencies, non-departmental public bodies, the NHS in England (commissioned through NHS Shared Business Services where relevant), devolved administrations in Scotland, Wales and Northern Ireland, local authorities, police and emergency services, and a wider set of public-sector bodies enumerated in the framework definition.

Listing on G-Cloud is a route to market, not a security certification. The Crown Commercial Service does not run its own technical security audit of supplier services; it relies on supplier self-assertions backed by independent attestations (ISO 27001 + 27017 + 27018, SOC 2 Type II, Cyber Essentials Plus, penetration test reports, sub-processor registers). The operative security layer underneath the framework is the NCSC Cloud Security Principles — covered separately at [[ncsc-cloud-security-principles]] — and buyers run their own verification of NCSC posture at call-off time. The DSP Toolkit applies on top for NHS workloads; the FCA SYSC 8 third-party risk framework applies for FCA-supervised firms procuring through the framework.

Yobitel UK Sovereign is listed on G-Cloud Lot 1 (Cloud Hosting) and Lot 3 (Cloud Support) — the Lot 1 listing covers NeoCloud GPU capacity in UK regions and Yobitel UK Sovereign region presence for Yobibyte clinical-app workspaces; the Lot 3 listing covers Yobitel Managed Operations (24/7 NOC operating customer infrastructure), Yobitel Professional Services (architecture, migration, optimisation engagements) and InferenceBench evaluation programmes. This is the published procurement path UK public-sector buyers consume to access the Yobitel product surface without negotiating a bespoke contract.

This entry helps you understand what G-Cloud is, how the lot structure works, how a buyer actually consumes the framework at call-off, what evidence a supplier must publish, and how Yobitel's Lot 1 and Lot 3 listings give UK public-sector customers a procurement path to NeoCloud capacity and Yobibyte workspaces with the underlying NCSC + DSP Toolkit posture already in place.

Scope — who can buy, who can sell, what counts as cloud#

G-Cloud's scope binds three actors. The contracting authority is the public-sector buyer; suppliers are the firms listing services on the Digital Marketplace; and the Crown Commercial Service operates the framework agreement and the underlying catalogue. The framework agreement itself is a legally binding contract between CCS and each listed supplier; the call-off contract between the contracting authority and the supplier is a separate, downstream legal instrument that inherits the framework terms.

Contracting authorities — who can buy on the framework — are defined broadly in the framework agreement and follow the Public Contracts Regulations 2015 definition. They include all UK central government departments and executive agencies, non-departmental public bodies, the NHS in England (NHS trusts, NHS England, NHS Digital, integrated care boards), devolved administrations in Scotland, Wales and Northern Ireland (and their respective public-sector buyers), local authorities, fire and rescue services, police forces, education sector bodies (universities and further-education colleges within the public-sector remit), and a wider set enumerated in the framework. The CCS publishes a list of eligible bodies; suppliers should check that a particular buyer is in scope before negotiating a call-off.

Suppliers — who can sell on the framework — must satisfy a financial standing test (turnover threshold scaled to the services offered), legal status checks (Companies House registration or international equivalent), Modern Slavery Act 2015 compliance, UK GDPR + DPA 2018 compliance for any service touching personal data, and the lot-specific qualifying criteria. There is no security certification gate to listing — Cyber Essentials is the framework minimum, with Cyber Essentials Plus being the de facto expectation for any service hosting government data — but security claims are supplier self-assertions evidenced at call-off rather than at listing.

What counts as cloud is also defined by the framework's lot structure. Services that do not fit one of the three lot definitions cannot be listed; suppliers offering hybrid services often have to split their offering into separate listings under different lots. The most common categorisation error is treating a managed-service offering as Cloud Hosting (Lot 1) when it actually sits in Cloud Support (Lot 3), or treating a SaaS application with a heavy managed-service element as Lot 2 when it is genuinely Lot 3. The Crown Commercial Service publishes lot definitions in detail; suppliers re-submitting under a new iteration should re-read the definitions because they have shifted between iterations.

• Contracting authority — UK public-sector buyer eligible to procure on the framework; defined broadly under Public Contracts Regulations 2015.
• Supplier — firm listing services on the Digital Marketplace; financial, legal, modern-slavery and data-protection checks at framework entry.
• Crown Commercial Service (CCS) — operates the framework agreement under reference RM1557.x; publishes lot definitions, terms, and the Digital Marketplace.
• Framework agreement — legally binding contract between CCS and supplier; sets terms inherited into call-off contracts.
• Call-off contract — between contracting authority and supplier; inherits framework terms; maximum 24-month base plus extensions.
• Lot structure (current iteration) — Lot 1 Cloud Hosting (IaaS / PaaS); Lot 2 Cloud Software (SaaS); Lot 3 Cloud Support (professional and managed services).
• Pre-competed model — no fresh tender required at call-off; buyer shortlists from Digital Marketplace and awards based on Most Economically Advantageous Tender.
• Cyber Essentials — minimum framework requirement; Cyber Essentials Plus de facto expected for services hosting government data.

The framework — the three lots and what each one covers#

G-Cloud's three lots correspond to the three classical cloud service models, adjusted for the practical reality of how public-sector buyers consume cloud. The table below distils what each lot covers, the typical evidence a supplier must publish on the service page, where Yobitel UK Sovereign is listed, and the typical buyer-side decision criteria at call-off.

Evidence patterns — what suppliers publish and buyers read#

G-Cloud listing requires a service definition document, a pricing document in the CCS template, a terms-of-service document that does not conflict with the framework agreement, and a set of mandatory declarations covering modern slavery, data protection, financial standing and supplier conduct. Beyond the framework-entry paperwork, the evidence pack a buyer's security and procurement teams will actually read at call-off time is denser and harder to write — and the difference between a quickly-awarded service and a stalled call-off is almost always the depth of this evidence.

The service definition document is the front door. It states what the service does, who runs it, how a buyer consumes it, how the buyer's data is handled, what the SLA is, what the buyer's responsibilities are under the shared-responsibility model, and what the exit and portability terms are. A vague service definition stalls every call-off it touches; specificity wins business. Yobitel UK Sovereign service definitions name the supported regions (UK London, UK Manchester), the supported GPU SKUs (H100 80GB HBM3, H200 141GB HBM3e), the supported software runtimes (industry-standard inference engines selected per workload), and the customer-facing SLA per service tier.

The pricing document is the second-most-read artefact. CCS requires per-unit pricing — per GPU hour, per GB-month, per workspace per month, per consultant day — with no volume tiers hidden off-catalogue. Buyers may not negotiate down from the listed price; they take the published price or walk away. Pricing must be in pounds sterling on the framework price list itself (a CCS framework requirement); Yobitel's customer-facing commercial pricing surface remains USD across the rest of the product family.

Beyond the framework-mandated paperwork, the evidence pack a buyer's security team will read at call-off includes the NCSC Cloud Security Principles mapping (the 14-principle self-assessment), the ISO 27001 + 27017 + 27018 certificates from a UKAS-accredited certifying body, the SOC 2 Type II report covering the last 6-12 month observation window, the Cyber Essentials Plus certificate, a current external penetration test report (CREST or NCSC CHECK accredited), the published sub-processor register with a documented 30-day change notice mechanism, the data-location statement (UK-only, EEA, global), and the exit and portability terms describing how the buyer's data is returned or destroyed at contract end. Buyers procuring NHS workloads additionally read the DSP Toolkit submission; buyers procuring FCA-supervised workloads additionally read the FCA SYSC 8 third-party risk pack.

• Service definition document — what the service does, who runs it, how to consume it, the shared-responsibility split, exit and portability terms; specificity wins business at call-off.
• Pricing document in CCS template — per-unit pricing, no hidden volume tiers; framework price list is in pounds sterling per CCS requirement (Yobitel's wider commercial pricing voice remains USD).
• Terms of service — must not conflict with framework agreement; suppliers commonly negotiate liability caps but cannot weaken framework terms.
• Mandatory declarations — Modern Slavery Act 2015, UK GDPR + DPA 2018, Equality Act 2010, financial standing, supplier conduct code.
• Cyber Essentials Plus certificate — framework minimum is basic Cyber Essentials; CE+ is the de facto expectation for hosting government data.
• ISO 27001 + 27017 + 27018 certificates — from UKAS-accredited certifying body; cloud overlays material for Lot 1 listings.
• SOC 2 Type II report — covering 6-12 month observation window; commonly bundled with ISO 27001 in evidence packs.
• NCSC Cloud Security Principles mapping — 14-principle self-assessment; the operative security layer underneath G-Cloud; covered separately in [[ncsc-cloud-security-principles]].
• Published sub-processor register — 30-day change notice mechanism; controller-objection email; the artefact buyers' procurement teams check first.
• DSP Toolkit submission — for NHS workloads; alignment to National Data Guardian's Data Security Standards.
• Exit and portability terms — how buyer's data is returned or destroyed at contract end; the procurement question most underestimated by suppliers.

Audit and accountability — how buyers consume the framework#

A buyer's procurement journey on G-Cloud has a defined shape that suppliers should understand because it determines what conversations land. The buyer begins on the Digital Marketplace, filters by lot and capability keywords, and produces a shortlist — typically three to seven candidate services. The buyer must keep an audit trail of why each service was shortlisted (capability fit, price tier, NCSC posture, regional reach) and the final award must be based on Most Economically Advantageous Tender (MEAT), typically a weighted combination of price and quality where quality covers security posture, SLA, exit terms and references.

Call-off contract terms inherit the framework terms but are negotiated within them. The maximum base term is 24 months, with optional extensions up to a further 24 months where the framework permits — total call-off length therefore caps at 48 months. Suppliers may not weaken framework terms in the call-off; buyers may not negotiate below the listed price. Where the buyer needs terms outside the framework's envelope they must run a fresh procurement under the Public Contracts Regulations 2015 — typically a full OJEU-style tender or a different CCS framework where one fits.

The security evaluation at call-off is supplier-led but buyer-verified. The buyer's security team issues a questionnaire mapped to the NCSC Cloud Security Principles and the supplier's published evidence pack; the buyer's procurement and legal teams review the BAA, sub-processor register, exit and portability terms and pricing; the buyer's accountable individual signs off the award. Total elapsed time from shortlisting to call-off signature typically falls in the 4-8 week range for a straightforward Lot 1 or Lot 3 award and 8-16 weeks for a more complex Lot 2 SaaS award with material data-protection considerations.

Once signed, the call-off has its own contract management cycle. Suppliers maintain the Digital Marketplace listing on a continuous basis — stale pricing or out-of-date capability descriptions kill credibility — and must update the listing on material change. CCS runs periodic compliance reviews of supplier listings and removes services that no longer meet framework terms. At call-off level, the supplier delivers under the framework SLA, reports incidents and breaches per the BAA terms, and at contract end returns or destroys customer data per the exit terms. Yobitel UK Sovereign maintains current Digital Marketplace listings under Lot 1 and Lot 3 and re-submits at each framework iteration.

• Buyer journey — Digital Marketplace filter; shortlist 3-7 candidate services; documented selection rationale (capability, price, NCSC, region).
• Most Economically Advantageous Tender (MEAT) — weighted price + quality where quality covers security, SLA, exit terms, references.
• Call-off term — 24-month base + optional extensions up to a further 24 months; total cap 48 months; fresh procurement required beyond.
• Pricing — buyers cannot negotiate below listed price; suppliers cannot weaken framework terms in call-off.
• Security evaluation — supplier-led evidence pack against NCSC Cloud Security Principles; buyer-verified at call-off through questionnaire.
• Award signature timeline — 4-8 weeks for straightforward Lot 1 or Lot 3; 8-16 weeks for complex Lot 2 with material data-protection.
• Listing maintenance — continuous; stale pricing kills credibility; update on material change; CCS periodic compliance reviews.
• Exit at contract end — return or destroy customer data per published exit terms; the most underestimated procurement question.
• Re-listing at framework iteration — re-submit under each new iteration; review current lot definitions which shift between iterations.

Mapping to other frameworks#

G-Cloud is one of several pre-competed UK public-sector procurement vehicles. The mapping below shows how G-Cloud relates to the adjacent frameworks a Yobitel customer might also be procuring through, and how it relates to the underlying security and procurement standards a buyer's procurement team is likely citing alongside it.

• G-Cloud is a procurement framework, not a security framework — the security layer underneath is the NCSC Cloud Security Principles; G-Cloud listing relies on supplier self-assertions evidenced by ISO 27001 / SOC 2 / CE+.
• Digital Outcomes (RM1043.x) is the sister framework for digital services that do not fit G-Cloud's cloud-specific lot structure; typically used for buyer-side delivery teams.
• Technology Services 3 (RM6100) is the broader-scope ICT procurement vehicle where G-Cloud's cloud focus is too narrow; covers hardware, network, telephony alongside cloud.
• NHS Shared Business Services operates parallel NHS-specific frameworks; G-Cloud and NHS SBS routes are often run in parallel for NHS workloads depending on the buyer.
• Public Contracts Regulations 2015 — G-Cloud sits within PCR 2015 as a pre-competed compliant route; buyers using G-Cloud do not need to run a fresh PCR-compliant tender.
• Government Security Classifications policy — G-Cloud handles OFFICIAL and OFFICIAL-SENSITIVE; SECRET and above use bespoke MOD or Single Source procurement.

UK, EU and US considerations#

G-Cloud is a United Kingdom procurement vehicle. It does not apply outside the UK public sector and is not used by EU or US buyers procuring on their own national frameworks. EU public-sector buyers use national frameworks under the EU Public Procurement Directive (Directive 2014/24/EU) — the Italian Sogei catalogue, the German GovTech framework, the French UGAP central purchasing body, each member-state-specific. US federal buyers use the GSA Schedule (Multiple Award Schedule), FedRAMP authorisation, and agency-specific procurement vehicles; US state and local buyers increasingly cite StateRAMP.

For Yobitel customers, G-Cloud is the published procurement route into UK public sector. Yobitel UK Sovereign's Lot 1 and Lot 3 listings make NeoCloud GPU capacity, Yobibyte clinical workspaces, InferenceBench evaluation programmes, Omniscient Compute capacity-planning engagements, Yobitel Managed Operations and Yobitel Professional Services directly procurable by UK central government, the NHS, devolved administrations, local authorities and the wider public sector without running a fresh competitive tender. Customers outside the UK public sector route through the commercial sales channel.

Cross-jurisdictional customers — UK headquartered with EU or US operations — typically procure through G-Cloud for their UK public-sector workloads and through the relevant national framework for their EU or US workloads. The underlying technical platform (Yobibyte, NeoCloud, Omniscient Compute) is the same; the procurement vehicle differs. UK GDPR and UK DPA 2018 govern data protection for the UK-procured workload; UK NCSC Cloud Security Principles govern the security posture; UK NHS DSPT governs NHS workloads; UK FCA SYSC 8 governs FCA-supervised workloads.

For UK-headquartered Yobitel customers that have US federal exposure, the layered procurement stance is: G-Cloud for the UK public-sector workload, FedRAMP-equivalent partner-cloud regions for the US federal workload, and a single Yobitel commercial contract spanning both. NeoCloud capacity for US federal workloads is sourced from FedRAMP-authorised partner regions; Yobibyte workspaces for US federal workloads run inside those boundaries; the UK commercial contract is the master agreement and the framework call-off contracts are downstream instruments inheriting its terms.

• UK — G-Cloud is the published procurement route; covers central government, NHS, devolved administrations, local authorities, wider public sector.
• EU — out-of-jurisdiction; national frameworks under EU Public Procurement Directive 2014/24/EU; each member state has its own (Sogei, GovTech, UGAP, etc).
• US federal — GSA Schedule, FedRAMP authorisation, agency-specific vehicles; out of G-Cloud scope.
• US state and local — StateRAMP and state-specific procurement; out of G-Cloud scope.
• Cross-jurisdictional Yobitel customer — G-Cloud for UK public sector, national framework for EU, FedRAMP-equivalent for US federal; same underlying Yobibyte / NeoCloud / Omniscient Compute platform; different procurement vehicles.
• UK regulators stacked on top of G-Cloud — NCSC Cloud Security Principles (security), NHS DSPT (NHS workloads), FCA SYSC 8 (FCA-supervised workloads), ICO under UK GDPR + DPA 2018 (data protection).

Common implementation gaps#

G-Cloud listings stumble in a remarkably consistent set of ways. The gaps below are the patterns CCS auditors, buyer-side procurement teams and supplier compliance teams have cited repeatedly. None is novel. Each is closable through deliberate planning at listing time and ongoing maintenance through the framework lifecycle.

The single largest gap is service-page staleness. A listing's pricing, capability description, regional footprint, sub-processor list and contact information must be kept current. Pricing that no longer matches commercial reality, capability descriptions that no longer describe the current product, and out-of-date contact information are the recurring CCS compliance review findings. The fix is a quarterly listing review tied to the supplier's product release cycle and a CCS-update gate at every material change.

Mis-categorisation across lots is the second pattern. A managed platform with a heavy services layer is usually Lot 3, not Lot 1; a SaaS application with significant managed-service customisation is usually Lot 3, not Lot 2. The wrong lot makes the listing invisible to the right buyers — buyers filtering for Cloud Hosting do not see services categorised under Cloud Software, and vice versa. The fix is to re-read the current iteration's lot definitions in detail and re-categorise at each re-submission.

Underestimated exit and portability terms are the third pattern. Buyers care intensely about how their data leaves the service at contract end — the format of the export, the timeline for return or destruction, the cryptographic-erasure attestation. Vague exit terms stall call-offs; specificity wins them. The fix is a documented exit and portability plan per service, tested at least annually with a sample buyer, and surfaced as a discrete section of the service definition document.

Stale evidence pack is the fourth recurring gap. The NCSC Cloud Security Principles mapping is a moving target — the 14-principle baseline is updated periodically by NCSC and the supplier's mapping must keep pace. ISO 27001 certificates expire on a three-year cycle with annual surveillance audits; SOC 2 Type II reports cover only the most recent observation window and must be refreshed annually; Cyber Essentials Plus certificates are annual. Buyers verifying at call-off will reject expired evidence. The fix is a calendar-driven evidence-refresh programme tied to the supplier's compliance team.

Mis-pricing in framework-mandated sterling versus the supplier's commercial-USD pricing surface is the fifth pattern. CCS requires the framework price list in pounds sterling; most modern cloud suppliers publish in USD elsewhere. Suppliers maintaining a single price list across both surfaces inevitably end up with one of the two out of sync. The fix is a discrete framework price list tied to the supplier's commercial USD pricing through a documented conversion methodology, reviewed quarterly.

Missing accessibility statement is the sixth gap, particularly for Lot 2 listings. UK public-sector procurement under the Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 requires accessibility statements aligned to WCAG 2.2 AA for buyer-facing applications. Lot 2 listings without an accessibility statement get rejected by accessibility-conscious buyers. The fix is a documented accessibility statement per buyer-facing listing.

• Service-page staleness — pricing, capability description, regional footprint, sub-processor list, contact info; quarterly review tied to product release cycle; CCS-update gate at material change.
• Lot mis-categorisation — managed platform with heavy services is Lot 3 not Lot 1; SaaS with significant managed-service customisation is Lot 3 not Lot 2; re-read lot definitions at each re-submission.
• Underestimated exit and portability terms — documented exit plan tested annually with sample buyer; surfaced as discrete section of service definition document.
• Stale evidence pack — NCSC mapping kept current; ISO 27001 3-year cycle with annual surveillance; SOC 2 Type II annual refresh; CE+ annual; calendar-driven evidence-refresh programme.
• Mis-pricing across framework-sterling and commercial-USD price lists — discrete framework price list tied to commercial USD pricing through documented conversion methodology; reviewed quarterly.
• Missing accessibility statement on Lot 2 — Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018; WCAG 2.2 AA target; per buyer-facing listing.
• Sub-processor register drift — published register out of sync with operational reality; 30-day notice mechanism not honoured; gate procurement on register update.
• Unclear shared-responsibility model — service definition vague on supplier vs buyer obligations; buyers will press harder on this at call-off.
• Treating framework as passive lead source — listing alone does not drive business; marketing + reference customers + NCSC posture do discovery, framework closes loop.
• Missing re-listing at framework iteration — service drops off catalogue when previous iteration retires; re-submit at each new iteration.

Cost of compliance#

G-Cloud listing is comparatively cheap. The cost is dominated by the evidence pack the framework requires (which most cloud suppliers hold for adjacent reasons — ISO 27001, SOC 2, CE+, pen tests) rather than by framework-specific paperwork. The figures below are typical UK market ranges for a mid-sized cloud supplier listing on G-Cloud. They are not Yobitel-internal numbers; they are presented so customers and partners building Yobitel-adjacent services can budget realistically when they consider their own G-Cloud listing.

Initial listing — service definition authoring, pricing document preparation, mandatory declarations, lot categorisation, Digital Marketplace setup — typically falls in the USD 5,000 to USD 25,000 range for a supplier with mature evidence in place. Annual maintenance — listing updates, re-submission at framework iteration, evidence refresh, accessibility statement maintenance — typically falls in the USD 5,000 to USD 30,000 range. The underlying evidence pack (ISO 27001, SOC 2 Type II, CE+, pen tests) is the dominant cost, and most listing suppliers already hold it for non-G-Cloud reasons.

Where this fits in the Yobitel stack#

Yobitel UK Sovereign is listed on G-Cloud Lot 1 (Cloud Hosting) and Lot 3 (Cloud Support). The Lot 1 listing covers NeoCloud GPU capacity in UK regions — H100 80GB HBM3 and H200 141GB HBM3e SXM5 capacity in UK London and UK Manchester regions, pinned by region affinity, with the NCSC Cloud Security Principles 14-principle posture already in place. The same Lot 1 listing covers Yobitel UK Sovereign region presence for Yobibyte workspaces — clinical-app workspaces for NHS workloads, general AI workspaces for central government and the wider public sector — with workspace-level sovereignty controls (region pin, sub-processor declaration, encryption key residency) surfaced as namespace labels that map directly into a buyer's G-Cloud response pack.

The Lot 3 listing covers Yobitel Managed Operations (24/7 NOC operating customer-owned infrastructure under the Yobitel managed-service contract), Yobitel Professional Services (architecture, migration, optimisation engagements), and InferenceBench evaluation programmes (regression and capability-baseline evidence for model-backed workloads). The Lot 3 split from Lot 1 is deliberate: a buyer wanting infrastructure procures under Lot 1, a buyer wanting an operational outcome procures under Lot 3, and a buyer wanting both procures under both with a single commercial relationship.

InferenceBench — the Yobitel public benchmarking and evaluation platform — contributes specifically to G-Cloud's continuous-improvement evidence pattern under principle 5 of the NCSC Cloud Security Principles. Lot 3 buyers procuring an InferenceBench evaluation programme receive reproducible, timestamped benchmark evidence against open and Yobitel-hosted models, which UK public-sector buyers cite as input to their own ongoing-authority-to-operate evidence trail. The benchmark methodology is published; the evaluation runs are open data.

Omniscient Compute — the Yobitel federated marketplace for compute capacity — treats G-Cloud-eligible UK regions as a default surface for any workspace classified for UK public-sector use. The marketplace surfaces only UK-region-pinned, NCSC-aligned providers when a workspace declares UK public-sector classification; the procurement path is the Yobitel UK Sovereign G-Cloud Lot 1 listing rather than separate marketplace-provider contracts. This means UK public-sector buyers procuring Yobitel get a single procurement path, a single SLA, a single audit-stream endpoint, and a single sub-processor register — even when the underlying capacity is federated across multiple Yobitel-managed provider relationships in the marketplace.

The honest scope of what G-Cloud delivers to a Yobitel customer. It delivers a published procurement path with pre-competed contract terms, removing the need for a fresh competitive tender. It delivers a buyer-friendly evidence pack mapped to NCSC Cloud Security Principles. It does not deliver a security certification — that remains the supplier's underlying NCSC + ISO 27001 + SOC 2 + CE+ posture, which Yobitel UK Sovereign holds and is independently auditable. The combination — listing for procurement, certification for security — is what makes Yobitel UK Sovereign a viable UK public-sector cloud at scale.