Over recent years, the use of cloud computing has been rapidly adopted by businesses and, for many, has become an essential part of how services are delivered to customers. Last October, Ofcom opened a market study into the supply of cloud services in the UK to see if any regulatory intervention is required in this area. 

In April, Ofcom announced it was proposing to refer the market to the Competition and Markets Authority (CMA). In its interim findings, Ofcom found that the cloud market is highly concentrated, with two leading providers enjoying a combined market share between 60 and 70%. There is also evidence of limited competition – particularly in relation to existing customers, where Ofcom noticed significant price increases on contract renewal and high levels of profitability for the market leaders.

Against this background, Ofcom is concerned about three types of business practices: 

  • high charges applied when customers want to transfer data out and change platforms;
  • technical restrictions applied to limit interoperability and portability; and
  • committed spend discounts offered to retain/ tie in larger customers. 

According to Ofcom, these practices discourage customers from switching between cloud services providers and from splitting their cloud services needs across more than one provider. Ofcom's concerns are unlikely to be resolved as the market matures. Ofcom ran a consultation on its interim findings and proposed referral throughout April and May. Ofcom's final report of the study will be published by 5 October 2023. 


Ofcom's interest in cloud computing services is in line with UK regulators' ongoing focus on digital markets and the UK economy's resilience (See for example, our recent publication highlighting common trends in UK regulators' latest annual plans).  It also reflects the importance of cloud computing to UK businesses and consumers. 

Ofcom's proposal to refer to the CMA is a big step. Given the seriousness of its interim findings, it is likely that Ofcom will confirm its proposal and that the CMA will open an in-depth market investigation. The leading providers could offer a commitments package in order to avoid a CMA referral, though this is unlikely in the context of a sectoral market study. 

The recent introduction of the Digital Markets, Competition and Consumers Bill in Parliament, which occurred after Ofcom published its interim findings, could lead the regulators to envisage relying on the CMA's future regulatory powers in digital markets as an alternative to the market investigation route (See our recent publication on what you need to know and do in relation to the Bill). Given timings, a referral is more likely, though the CMA could rely on its digital market powers in the future to complement its action in this sphere.

If Ofcom confirms its referral, the CMA may ultimately impose a broad range of remedies to facilitate customer switching and healthier competition between providers. These may include: 

  • requiring exit fees to reflect the cloud services provider's actual costs of transferring data to another provider;
  • introducing measures to improve the interoperability of different cloud services; and
  • prohibiting loyalty-inducing fee structures such as committed spend discounts.

The Online Safety Bill (Bill) has reached the committee stage in the House of Lords and is currently undergoing review.

The Bill seeks to establish a new set of laws aiming to protect children and adults online by making social media companies more responsible for their users' safety when engaging with their platforms. It will also provide Ofcom with new powers enabling them to act as the online safety regulator. 

So far, Members of the House of Lords have put forward amendments to be discussed, covering subjects such as the reviewing of the complaints procedures, the duty of service providers to manage content surrounding suicide and self-harm and an Ofcom code of practice on violence against women and girls. 


Amendments to the Bill have been discussed during the House of Lords committee stage, which began in April and has run throughout May. A final sitting is scheduled on 22 June 2023. The amended bill will then make its way back to the House of Commons where the amendments will be considered before reaching the Royal Assent stage when the Bill will come into law.  The aim is for the legislation's long journey - which started with the "Online Harms White Paper" published in April 2019 - to finally conclude this summer.

As the parliamentary process reaches a conclusion, Ofcom (who will take on the role as the online safety regulator) continue to make preparations (by collecting evidence to inform its codes and guidance and engaging extensively across the industry), so that the regime can hit the ground running.

The Bill requires Ofcom to produce a substantial number of guidance papers and codes of practice, as well as numerous other registers, reports, pieces of advice, statements and research, which will apply to a huge range of services provided by multinational corporations and small or micro businesses.

Ofcom expect to take a phased approach to issuing draft codes and guidance for consultation post Royal Assent, with it aiming to issue draft codes of practice relating to the most significant online dangers within days of their powers becoming effective.

An impact assessment carried out by the government (relating to the first 10 years post implementation) estimated that businesses will incur (a best estimate) £65.3m in transition costs (such as reading and understanding the regulations, ensuring they have a user reporting mechanism in place and updating terms of service) and £289.7m (each year) in ongoing compliance (such as producing risk assessments, potential additional content moderation, employing age assurance systems, transparency reporting, conducting due diligence on advertisers, offering optional user verification and paying an industry fee).

The recommendation from Ofcom is that online platforms shouldn't wait until their guidance and codes are completed before starting to plan for how they can make changes to keep their users safer online, therefore work for Parliament may be coming to an end but for Ofcom and impacted businesses, the work is just getting started.


The UK Government has launched a new, enhanced security regime, known as GovAssure, to tackle the ever-growing threat from cyber-attacks. The scheme, run by the Cabinet Office's Government Security Group (GSC) with support from the National Cyber Security Centre (NCSC), will increase the UK's cyber resilience and help protect the Government's IT systems by using more stringent measures. 

Under the new security regime, a number of changes have been introduced:

  • all assurance measures that government departments have will be reviewed using the NCSC's Cyber Assessment Framework (CAF). The CAF was designed for making critical national infrastructure resilient to attack;
  • third parties will assess all government departments to increase standardisation and validate results; and
  • centralised cyber security policies and guidance to help government bodies identify the best approach.


The work of the government at all levels is helped by ever-present digital connectivity, but such connectivity also introduces significant cyber security risks. The cyber security risk may present itself from nation states or cyber criminals, with the government an attractive target with approximately 40% of the 777 incidents managed by the NCSC between September 2020 and August 2021 affecting the public sector.

In recent years, local councils have been hit by ransomware attacks, which impacted critical public services and there is also a constant threat from foreign states with the UK being the third most targeted country behind the USA and Ukraine.

The two main aims of GovAssure are to:

  • enable organisations to accurately assess the level of cyber assurance for their critical systems against a proportionate CAF profile, highlighting priority areas for improvement; and
  • allow the GSC and NCSC to take a strategic view of government resilience, to help inform a strategic roadmap.

The expectation is that there will be a variety of stakeholders involved in the completion of GovAssure within an organisation. This means that engagement on GovAssure will not only need to take place within the cyber team but with those from wider teams and business areas as well. Therefore the GovAssure lead within a government organisation will need to consider who to engage with and start this engagement early.

Key Contacts

Susan Garrett

Susan Garrett

Partner, Co-Head of Tech Group
Manchester, UK

View profile