The Tender Trap

How HMRC spent £473 million with no competition and called it procurement.

On 23 March 2026, HMRC published a contract award notice. It makes uncomfortable reading.

The UK’s tax collection agency has handed Amazon Web Services a £472.8 million contract to migrate services from three Fujitsu-run datacenters and host them for up to a decade. The contract runs from April 2026, with a minimum term of seven years and an option to extend to ten.

One bid was received. One bid was assessed. AWS won.

This is not a secret. It is in the contract award notice, published on find-tender.service.gov.uk, reference 026139-2026. Public procurement, publicly documented.

How you get to a single bidder

The tender was titled “Procurement for the provision of Hyperscaler Services to enable Data Centre Exit.” The specification required migration of services running on approximately a dozen operating systems, including HP-UX, IBM AIX, and Sun Solaris, hosted in UK-based cloud infrastructure, delivered by a supplier with a proven seven-year track record at hyperscaler scale.

That description fits two companies: AWS and Microsoft. Microsoft was not in the running. Google and IBM assessed the tender and decided not to bid further. Which left one.

When one company submits the only bid for a £473 million contract, the contracting authority has no negotiating leverage. None. The price is whatever the single bidder says it is, moderated only by the published evaluation criteria: 70 percent quality, 20 percent price, 10 percent social value.

Seventy percent on quality, twenty percent on price, for a contract with no competition. The price weighting is academic when there is nothing to compare it against.

The regulator noticed

This did not happen in a vacuum. In January 2025, the Competition and Markets Authority noted that AWS and Microsoft together account for up to 80 percent of UK cloud services and that competition was not working as well as it could. The CMA recommended a strategic market status investigation.

In March 2026, Conservative MP Julia Lopez asked the Department for Science, Innovation and Technology how much this limited competition was costing public sector bodies. Minister Kanishka Narayan confirmed the CMA had identified “a number of potential competition concerns with clear negative impacts for UK businesses, consumers and the public sector” without providing a cost figure.

The CMA’s own cloud inquiry lead quit in January 2026, citing the slow rate of progress.

HMRC awarded the single-bidder contract two months later.

What AWS’s jurisdiction actually means

AWS is a US company. That is not an opinion, it is a legal fact with consequences.

Under the US CLOUD Act 2018, US law enforcement can compel US cloud providers to hand over data stored anywhere in the world, including data stored in UK-based AWS datacenters. A UK-based AWS region does not make your data UK-jurisdiction data. It makes it data stored in the UK on infrastructure operated by a company subject to US law.

Under FISA Section 702, US intelligence agencies can compel US companies to provide access to communications and data of non-US persons. AWS, as a US electronic communications service provider, falls within scope.

HMRC holds data on every taxpayer in the United Kingdom. National Insurance numbers. Income. Employer details. Bank accounts. Property. The complete financial picture of millions of people.

That data will now sit on infrastructure operated by a company that can be legally compelled, under US law, to provide access to it, without notification to the data subjects and without recourse through UK courts.

This is not a theoretical risk. It is the documented legal architecture of the arrangement. The UK government is aware of it. It awarded the contract anyway.

The question worth asking is not whether HMRC considered this. The question is whether anyone asked them to demonstrate how they assessed it, what mitigations are in place, and whether a Data Protection Impact Assessment covering CLOUD Act and FISA exposure was completed before the contract was signed.

Those assessments, if they exist, are public documents under FOIA. Watch this space.

What digital sovereignty actually costs

The UK government talks about digital sovereignty. It publishes strategies, frameworks, and guidance. It funds the Government Digital Service. It commissions reviews.

Then it awards decade-long, single-bidder contracts to US hyperscalers with no competitive tension, no negotiating leverage, and no exit strategy visible in the procurement documentation.

The Fujitsu relationship, itself a cautionary tale about long-term single-vendor dependency for reasons that need no elaboration here, is being replaced with an AWS relationship on similar terms and a similar timescale.

At some point, sovereignty has to mean something operationally, not just rhetorically. A ten-year hosting contract with a single US provider, awarded without competition, is not a sovereignty strategy. It is the absence of one.

The receipts are the point.

Primary source: Contract Award Notice 026139-2026, find-tender.service.gov.uk. Further reading: The Register, 25 March 2026.

— Alan
