A single procurement deal now ties the UK public sector to Microsoft in a relationship the Crown Commercial Service (CCS) expects will cost roughly £9 billion over five years. That figure—equivalent to more than the government’s entire school building capital programme for 2025-26—has thrust the Strategic Partnership Arrangement 2024 (SPA24) into a spotlight dominated by fiscal anxiety and weary ideological battles over software freedom. The question is not academic: is it time for ministers and procurement teams to aggressively pursue open source alternatives, or does the public sector’s deep-seated dependency on Microsoft reflect operational realities that outweigh potential savings?

The SPA24 Deal: What It Covers

SPA24, which replaced the earlier Digital Transformation Arrangement, came into force on 1 November 2024. It intentionally broadens access across central government, devolved bodies, and local public sector organisations to the full gamut of Microsoft products and services—from Microsoft 365 and Azure to Business Applications and, for the first time in this type of MoU, Microsoft Copilot. The arrangement is framed as a vehicle for “enhanced value” through central negotiation and aggregation, while preserving compliant procurement routes for individual organisations.

The mechanics are straightforward: CCS acts as an aggregator, running bulk-buying exercises through resellers to secure standardised pricing and terms. Public bodies are not forced to use SPA24; they can still run their own compliant procurements. The MoU also includes commitments to skills programmes and interoperability advice, explicitly designed to accelerate public-sector uptake of AI and cloud capabilities. Yet the Cabinet Office does not hold a single, detailed record of all Microsoft spending across departments and arm’s-length bodies, making central oversight patchy at best.

The Financial Reality: £9 Billion and What It Buys

The headline number—around £9 billion over five years—dominates public conversation because it is large, tangible, and politically salient in a tight fiscal environment. Parliamentary answers show that in the final five months of the 2024/25 financial year, public sector spending on Microsoft licences and related purchases via CCS-managed arrangements and their resellers hit about £1.9 billion. CCS expects comparable future spending patterns under SPA24, extrapolating to that five-year total. It is important to note that this is an agency projection, not a legally binding capped commitment.

Microsoft’s own financial firepower complicates the picture. In the quarter ended 30 June 2025, the company reported revenue of $76.4 billion and net income of $27.2 billion—margins that have not dipped below 30% in more than five years. Its market capitalisation sits comfortably above $3.5 trillion. Those numbers make it clear: aggregation discounts, while beneficial, are unlikely to fundamentally shift the pricing leverage of a vendor that is scarcely feeling competitive heat in enterprise and government markets.

Open Source: Fantasy or Fiscal Prudence?

Advocates of free and open-source software (FOSS) point to mature equivalents for many Microsoft-branded functions: LibreOffice for productivity suites, Linux for servers, PostgreSQL for databases, Kubernetes for container orchestration. The licence-cost savings can be immediate and dramatic. Beyond the balance sheet, open source offers sovereignty benefits—transparency over code, control over data handling, and freedom from a single vendor’s commercial roadmap. A broader mix of suppliers can also introduce genuine competition into procurement exercises, blunting the price escalation that accompanies lock-in.

Yet the real world is messier. Many government departments run bespoke applications and third-party integrations built tightly around Active Directory, Exchange, Teams APIs, and Office macros. Replacing these is simply not a one-to-one substitution. User experience and productivity take a hit when staff accustomed to Outlook and SharePoint are asked to switch to Thunderbird and Nextcloud overnight. Enterprise-grade support for open source can be costly, and managing SLAs across multiple suppliers adds overhead. Moreover, certain Azure features—especially in AI acceleration and identity services—are deeply embedded in both vendor and third-party solutions, so a “lift and shift” to FOSS stacks would require substantial refactoring.

In short: open source can save money where workloads are modular, standard, and loosely coupled to the Microsoft ecosystem. But converting complex, integrated back-office environments into a hybrid or fully FOSS stack is a multi-year programme that demands a rigorous total cost of ownership (TCO) analysis, not just licence-fee avoidance.

The Hard Truth About Total Cost of Ownership

The £9 billion figure covers licence costs, but TCO is a far broader metric. A fair financial assessment must model migration costs—people, tools, and legacy application rework—along with training, transition time, ongoing support, multi-year licence inflation, and the opportunity cost of not investing in healthcare, school repairs, or other capital projects. In many real-world cases, short-term licence savings are swallowed by transition and integration expenses if the migration plan is not surgical and well-funded. This is not an argument against FOSS; it is a demand for honest accounting.

Vendor Lock-in and Sovereignty Risks

Consolidating large swathes of public-sector data and services on a single global cloud stack brings operational efficiencies, but it concentrates risk. The deeper public bodies embed Microsoft APIs and managed services, the harder and costlier switching becomes—not always through malice, but through the accretion of efficiency choices. Data sovereignty concerns also persist: while major cloud providers offer region guarantees, the legal reality remains that core services and AI tooling operate under foreign corporate governance regimes. For sensitive government data, questions of access, incident response, and jurisdiction cannot be waved away with marketing collateral.

Centralisation also creates high-value targets. A breach in a core identity service could propagate widely. And reliance on a tiny number of global platform providers exposes the public sector to geopolitical supply disruptions. Mitigations demand deliberate architecture: hybrid cloud strategies, robust identity and encryption models, multicloud redundancy for critical services, and contractual protections around data portability and exit support.

AI’s New Frontier: Copilot in Government

SPA24’s inclusion of Microsoft Copilot is a material change. Copilot processes text, files, and code to generate outputs, introducing fresh data-handling dilemmas. Prompt leakage—where sensitive inputs are logged or used to train models—is a genuine fear unless explicitly prohibited by contract. Model provenance and explainability become thorny in mission-critical contexts where hallucination or bias could have serious consequences. Public bodies must also ensure AI services meet standards for privacy, accessibility, and fairness. Any adoption of generative AI in government should require specific contractual clauses on data use, model training exclusions, rigorous red-teaming, and an approved risk assessment. Where such clauses are not ironclad, cautious, staged pilots are the only responsible path.

A Pragmatic Path Forward: Hybrid Procurement and Smart Migration

The best outcome is rarely full replacement or full entrenchment. A mixed architecture and procurement policy can achieve fiscal prudence and operational resilience. The government should preserve Microsoft where it delivers unique value—for example, specific enterprise-grade integrations or large-scale Azure capabilities tied to platform services—while using open source where it offers parity or superior economics, such as Linux server stacks, database engines, and container orchestration. All large-scale procurements should be required to present a “no-regret” argument for vendor choice that includes TCO modelling and an explicit exit plan.

Practical migration strategies need not be chaotic. The government can start by inventorying all Microsoft-dependent workloads and categorising them by business criticality and integration complexity. Low-hanging fruit—standalone desktop productivity clients with high interoperability—can move first. Medium-complexity workloads, like file servers and non-messaging collaboration, can follow with managed support contracts. High-complexity integration points, especially identity services, require adapters, rewrite schedules, and hybrid models that gradually decouple core dependencies. An “exit playbook” with mandatory contractual exit clauses, standardised data-export formats, and financial reserves for transition costs would turn ideology into a staged, risk-managed programme.

Competitive procurement must also force price discipline. Aggregated competitions should explicitly invite bids from managed open-source vendors, multicloud offerings, and hybrid solutions—not only from resellers of a single stack. This injects genuine competition without breaking operational continuity.

Transparency and Governance: Demanding Accountability

Parliament and taxpayers deserve better visibility. A single, searchable register of major software and cloud contracts—with values, renewal dates, and concentration risk assessments—should be mandatory. Departments should publish consistent TCO assessments for any project likely to change platform choices. Programmes projected to cost more than a defined threshold should require independent review and formal gateway approval with public reporting. And MoUs involving national infrastructure must include clauses protecting data portability, audit rights, and explicit exit support. These changes would increase accountability and make it harder for a single arrangement to entrench unintended costs.

The Bottom Line

The debate is not about categorically abandoning Microsoft—in many cases, that would be impractical and expensive. SPA24 delivers scale and convenience, and it can accelerate AI and cloud adoption. But a decade of rising licence bills and increased dependency without a credible countervailing plan is not prudence; it is complacency. A responsible middle path exists: disciplined procurement, hardened contractual protections, visible spend tracking, and targeted open-source migration projects that reduce long-term exposure while preserving operational continuity. That approach gives the UK government the best chance of getting value for taxpayers, maintaining technical sovereignty, and avoiding the worst effects of vendor lock-in—without exposing frontline public services to sudden, expensive disruption.