
Top 10 women in tech and diversity in tech stories

The past year has brought uncertainty for diversity in the tech sector as the landscape in the US turned sour, with President Donald Trump ordering the termination of diversity, equity and inclusion (DEI) projects and roles.

There were concerns that UK companies would follow suit, but as the year went on, it became clear that many are still leading the charge to improve diversity in the sector.

But research also found the number of women in tech is still growing very slowly, and women are leaving the sector in larger numbers, so as the year bows out, many questions remain about how the diversity landscape will look next year in the UK tech sector.

The write-up from the 2024 Computer Weekly and Harvey Nash Diversity in Tech event shone a light on the overlapping experiences of some underrepresented groups and how organisations can cater to these individuals.

While there has been an increasing focus on hiring specific groups of people, such as women or people of colour, this can overlook how having more than one of these characteristics can affect employee experience in the technology sector.

Firms need to better understand people’s individual experiences and make the work environment safe for everyone to better take advantage of the positives a diverse workforce can bring.

There are many reasons women avoid the technology sector, and a survey from recruitment firm Lorien found that a lack of work-life balance is a big barrier for women in tech.

Women are more likely than men to shoulder the burden of caregiving, whether for children or older family members, and without flexibility at work, this can be difficult to maintain.

Lorien’s research found that 45% of women have had difficulties with work-life balance in their role, making it the biggest barrier they have faced in their careers.

With artificial intelligence (AI) becoming increasingly embedded in everyday life, there has been a focus on ensuring the teams developing the technology reflect its diverse user base.

To this end, the UK government announced plans this year to increase the number of girls taking maths at A-level in a bid to encourage more girls into careers in AI.

As the year went on, more evidence emerged that a lack of flexibility is standing in the way of increased diversity in the tech sector.

Research conducted on behalf of the Department for Science, Innovation and Technology (DSIT) found that a lack of access to flexible working and unconscious bias are among the barriers preventing underrepresented groups from going into technology roles.

The hiring process, a lack of representation across job levels and a lack of flexible working arrangements were identified among the challenges DSIT flagged as needing “considered and sustained efforts” to address.

Further solidifying the dire state of affairs when it comes to the lack of women in the technology industry, the release of the Oliver Wyman and WeAreTechWomen Lovelace report confirmed that women are leaving the technology sector in large numbers.

Between 40,000 and 60,000 women are leaving digital roles each year, some for new roles and some to exit the sector, in many cases because of a lack of development opportunities in their careers.

Sadly, the technology sector lost a great in August, with the passing of Dame Stephanie Shirley at the age of 91.

A serial founder, entrepreneur and philanthropist, Shirley was part of the technology sector for more than 50 years, and was famously known for adopting her family nickname, Steve, to be taken seriously after efforts to start her own company fell on deaf ears once it was clear she was a woman.

Shirley was a pioneer in flexible working, founding a technology company called Freelance Programmers in 1962, where the staff of predominantly women worked from home selling software and programming.

She will be missed.

Research from The Adaptavist Group found that unequal access to AI is preventing women and people from underrepresented backgrounds from learning how to use the technology properly.

This is causing an “opportunity gap”, whereby AI training is more available to some than others – 84% of those from higher income households believe they’ve received good guidance on how to use AI compared with only 59% in the lower income bracket.

In November, Naomi Timperley, co-founder of Tech North Advocates, became the 14th person to be named Computer Weekly’s most influential woman in UK tech.

The announcement was made alongside the rest of the top 50, as well as Computer Weekly’s 2025 Rising Stars, and the list of women in tech Hall of Famers.

Throughout 2025, Beckie Taylor, public speaker and founder of Tech Returners, created a six-part documentary series called Breaking the sound barrier – voices unleashed, following the journeys of 10 women in technology as they learned skills in public speaking.

Aiming to help women at all stages in their careers build confidence, the documentary sought to show the progression of role models in the technology sector as they learn to take advantage of their influence in the sector.

While the technology sector claims it understands the need for diverse groups in senior positions, there remains a lack of women and underrepresented groups at the top.

The year rounded out with research from consultancy Think & Grow finding the UK’s fastest-growing technology startups and scaleups lack women in top positions.

According to the research, only 12% of the fastest-growing startups in the UK have a female CEO, chair or founder, and 36% have no women on their boards.


Top 10 police technology stories of 2025

In 2025, Computer Weekly’s police technology coverage focused extensively on developments in the use of data-driven technologies such as facial recognition and predictive policing.

This included stories on the Met’s decision to deploy permanent live facial recognition (LFR) cameras in Croydon and the Home Office launching a formal consultation on laws to regulate its use, as well as reports highlighting the lawfulness, necessity and proportionality of how UK police are using the technology.

Further stories continued Computer Weekly’s ongoing coverage of police hyperscale cloud use, after documents obtained from Scottish policing bodies revealed that Microsoft is refusing to hand them critical information about its data flows.

Computer Weekly also reported on efforts to change police data protection rules, which essentially legalise previously unlawful practices and pose a risk to the UK’s law enforcement data adequacy with the European Union (EU).

One investigation by freelance journalists Apostolis Fotiadis, Giacomo Zandonini and Luděk Stavinoha also revealed how the EU’s law enforcement agency has been quietly amassing data to feed an ambitious-but-secretive artificial intelligence (AI) development programme.

The Home Office formally opened a consultation on the use of facial recognition by UK police at the start of December 2025, saying the government is committed to introducing a legal framework that sets out clear rules for the technology.

The move – initially announced by policing minister Sarah Jones in early October 2025 after then home secretary Yvette Cooper told a Lords Committee in July that the UK government will create “a proper, clear governance framework” to regulate police use of the tech – marks a distinct shift in Home Office policy, which for years has claimed there is already a “comprehensive” legal framework in place.

The Home Office has now said that although a “patchwork” legal framework for police facial recognition exists (including for the increasing use of the retrospective and “operator-initiated” versions of the technology), it does not give police themselves the confidence to “use it at significantly greater scale … nor does it consistently give the public the confidence that it will be used responsibly”.

It added that the current rules governing police LFR use are “complicated and difficult to understand”, and that an ordinary member of the public would be required to read four pieces of legislation, police national guidance documents and a range of detailed legal or data protection documentation from individual forces to fully understand the basis for LFR use on their high streets.

While the use of LFR by police – beginning with the Met’s deployment at Notting Hill Carnival in August 2016 – has ramped up massively in recent years, there has so far been minimal public debate or consultation.

UK police forces are “supercharging racism” through their use of automated “predictive policing” systems, as they are based on profiling people or groups before they have committed a crime, according to a 120-page report published by Amnesty International.

While proponents claim these systems can help more efficiently direct resources, Amnesty highlighted how predictive policing tools are used to repeatedly target poor and racialised communities, as these groups have historically been “over-policed” and are therefore massively over-represented in police data sets.

This then creates a negative feedback loop, where these so-called “predictions” lead to further over-policing of certain groups and areas; reinforcing and exacerbating the pre-existing discrimination as increasing amounts of data are collected.

“The use of predictive policing tools violates human rights. The evidence that this technology keeps us safe just isn’t there, the evidence that it violates our fundamental rights is clear as day. We are all much more than computer-generated risk scores,” said Sacha Deshmukh, chief executive at Amnesty International UK, adding that these systems are deciding who is a criminal based “purely” on the colour of their skin or their socio-economic background.

In June 2025, Green Party MP Siân Berry argued in the Commons that “predictive” policing technologies infringe human rights “at their heart” and should be prohibited in the UK, after tabling an amendment to the government’s forthcoming Crime and Policing Bill.

Highlighting the dangers of using predictive policing technologies to assess the likelihood of individuals or groups committing criminal offences in the future, Berry said that “such technologies, however cleverly sold, will always need to be built on existing, flawed police data … That means that communities that have historically been over-policed will be more likely to be identified as being ‘at risk’ of future criminal behaviour.”

Berry’s amendment would also prohibit the use of certain information by UK police to “predict” people’s behaviour: “Police forces in England and Wales shall be prohibited from … Predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of a natural person or on assessing personality traits and characteristics, including the person’s location, or past criminal behaviour of natural persons or groups of natural persons.”

In April, the Met Police announced it was planning to install the UK’s first permanent LFR cameras in Croydon, but critics raised concerns that this continues the force’s pattern of deploying the technology in areas where the Black population is much higher than the London average.

Local councillors also complained that the decision to set up facial recognition cameras permanently has taken place without any community engagement from the force with local residents, echoing situations that have happened in boroughs such as Newham and Lewisham.

According to data gathered by Green Party London Assembly member Zoë Garbett, over half of the 180 LFR deployments that took place during 2024 were in areas where the proportion of Black residents is higher than the city’s average, including Lewisham and Haringey.

While Black people comprise 13.5% of London’s total population, the proportion is much higher in the Met’s deployment areas, with Black people making up 36% of the Haringey population, 34% of the Lewisham population, and 40.1% of the Croydon population.

“The Met’s decision to roll out facial recognition in areas of London with higher Black populations reinforces the troubling assumption that certain communities … are more likely to be criminals,” she said, adding that while nearly two million people in total had their faces scanned across the Met’s 2024 deployments, only 804 arrests were made – a rate of just 0.04%.

In March 2025, Computer Weekly reported that proposed reforms to police data protection rules could undermine law enforcement data adequacy with the European Union (EU).

During the committee stage of Parliamentary scrutiny, the government’s Data Use and Access Bill (DUAB) – now an act – sought to amend the UK’s implementation of the EU Law Enforcement Directive (LED), which is transposed into UK law via the current Data Protection Act (DPA) 2018 and represented in Part Three of the DPA, specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill’s proposed amendments to Part Three – which include allowing the routine transfer of data to offshore cloud providers, removing the need for police to log justifications when accessing data, and enabling police and intelligence services to share data outside of the LED rules – could present a challenge for UK data adequacy.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While Computer Weekly’s previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the government’s DUAB changes are seeking to solve the issue by simply removing the requirements that are not being complied with.

To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAB, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.

In August, Computer Weekly reported on documents obtained from the Scottish Police Authority (SPA), which showed that Microsoft is refusing to tell Scottish policing bodies where and how the sensitive law enforcement data uploaded to its cloud services will be processed.

Citing “commercial confidentiality”, the tech giant’s refusal to hand over crucial information about its international data flows to the SPA and Police Scotland means the policing bodies are unable to satisfy the law enforcement-specific data protection rules laid out in Part Three of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK.

“MS is unable to specify what data originating from SPA will be processed outside the UK for support functions,” said the SPA in a detailed data protection impact assessment (DPIA) created for its use of O365. “To try and mitigate this risk, SPA asked to see … [the transfer risk assessments] for the countries used by MS where there is no [data] adequacy. MS declined to provide the assessments.”

The SPA DPIA also confirms that, on top of refusing to provide key information, Microsoft itself has told the police watchdog it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure.

Further revelations published by Computer Weekly a month later showed that policing data hosted in Microsoft’s hyperscale cloud infrastructure could be processed in more than 100 countries.

This information was not provided to the policing bodies by Microsoft, and only came to light because of an analysis conducted by independent security consultant Owen Sayers, who identified from the tech giant’s own distributed online documentation that Microsoft personnel or contractors can remotely access the data from 105 different countries, using 148 different sub-processors.

Although the documentation – which is buried in non-indexed, difficult-to-find web pages – has come to light in the context of Computer Weekly investigating police cloud use, the issue of routine data transfers in Microsoft’s cloud architecture affects the whole of the UK government and public sector, which are obliged by the G-Cloud and Tepas frameworks to ensure data remains in the UK by default.

According to multiple data protection litigation experts, the reality of Microsoft’s global data processing here, on top of its failure to meet key Part Three obligations, means data subjects could have grounds to successfully claim compensation from Police Scotland or any other force using hyperscale cloud infrastructure.

In November 2025, freelance journalists Apostolis Fotiadis, Giacomo Zandonini and Luděk Stavinoha published an extensive investigation into how the EU’s law enforcement agency has been quietly amassing data to feed an ambitious-but-secretive AI development programme.

Based on internal documents obtained from Europol, and analysed by data protection and AI experts, the investigation raised serious questions about the implications of the agency’s AI programme for people’s privacy across the bloc. 

It also raised questions about the impact of integrating automated technologies into everyday policing across Europe without adequate oversight.

In May 2025, Computer Weekly reported on an equality impact assessment that Essex Police had created for its use of live facial recognition, but the document itself – obtained under Freedom of Information rules by privacy group Big Brother Watch and shared exclusively with Computer Weekly – was plagued with inconsistencies and poor methodology.

The campaigners told Computer Weekly that, given the issues with the document, the force had likely failed to fulfil its public sector equality duty (PSED) to consider how its policies and practices could be discriminatory.

They also highlighted how the force is relying on false comparisons to other algorithms and “parroting misleading claims” from the supplier about the LFR system’s lack of bias.

Other experts noted the assessment was “clearly inadequate”, failed to look at the systemic equalities impacts of the technology, and relied exclusively on testing of entirely different software algorithms used by other police forces trained on different populations to justify its conclusions.

After being granted permission to intervene in a judicial review of the Met’s LFR use – brought by anti-knife campaigner Shaun Thompson, wrongly stopped by officers after a false LFR identification – the UK’s equality watchdog said the force’s use of the tech is unlawful.

Highlighting how the Met is failing to meet key legal standards with its deployments – particularly around Articles 8 (right to privacy), 10 (freedom of expression) and 11 (freedom of assembly and association) of the European Convention on Human Rights – the UK’s Equality and Human Rights Commission (EHRC) said LFR should only be used where necessary, proportionate and constrained by appropriate safeguards.

“We believe that the Metropolitan Police’s current policy falls short of this standard,” said EHRC chief John Kirkpatrick.

The EHRC further highlighted how, when used on a large scale, even low error rates can affect a significant number of people by bringing unnecessary and unwanted police attention, and warned that its use at protests could have a “chilling effect” on people’s freedom of expression and assembly.

Senior police officers from both the Met and South Wales Police have previously argued that a major benefit of facial-recognition technology is its “deterrence effect.”

A comparative study of LFR trials by law enforcement agencies in London, Wales, Berlin and Nice found that although “in-the-wild” testing is an important opportunity to collect information about how AI-based systems like LFR perform in real-world deployment environments, the police trials conducted so far have failed to take into account the socio-technical impacts of the systems in use, or to generate clear evidence of the operational benefits.

Highlighting how real-world testing of LFR systems by UK and European police is a largely ungoverned “Wild West”, the authors expressed concern that “such tests will be little more than ‘show trials’ – public performances used to legitimise the use of powerful and invasive digital technologies in support of controversial political agendas for which public debate and deliberation is lacking, while deepening governmental reliance on commercially developed technologies which fall far short of the legal and constitutional standards which public authorities are required to uphold”.

Given the scope for interference with people’s rights, the authors – Karen Yeung, an interdisciplinary professorial fellow in law, ethics and informatics at Birmingham Law School, and Wenlong Li, a research professor at Guanghua Law School, Zhejiang University – said that evidence of the technology’s effectiveness in producing its desired benefits “must pass an exceptionally high threshold” if police want to justify its use.

They added that without a rigorous and full accounting of the technology’s effects – which is currently not taking place in either the UK or Europe – it could lead to the “incremental and insidious removal” of the conditions that underpin our rights and freedoms.


Fortinet vulnerabilities prompt pre-holiday warnings

Two recently disclosed vulnerabilities discovered in Fortinet’s product portfolio have prompted a pre-holiday warning for defenders after being added to the Known Exploited Vulnerabilities (KEV) catalogue run by the US’ national cyber agency this week.

The two flaws, tracked as CVE-2025-59718 and CVE-2025-59719, enable a threat actor to bypass FortiCloud single sign-on (SSO) authentication via a maliciously crafted security assertion markup language (SAML) message. According to Fortinet, they are present in multiple versions of FortiOS, FortiWeb, FortiProxy and FortiSwitchManager.

It should be noted that while the vulnerable feature is not enabled by default in factory settings, it does activate automatically if and when a device is registered to the FortiCare tech service via the GUI unless the customer admin has explicitly opted out of this.

In a statement, the US Cybersecurity and Infrastructure Security Agency (CISA) said: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

Initially reported by Fortinet on 9 December, multiple third parties are now reporting exploitation activity in progress against CVE-2025-59718 and CVE-2025-59719.

According to Rapid7 analysts – who have been trapping multiple exploit attempts against its honeypots after a proof-of-concept exploit was posted to GitHub – many of the observed attacks have seen attackers authenticate as the admin user and immediately download the target’s system configuration file, which can often hold hashed credentials.

“As a result, any organisation with indicators of compromise [IOCs] must assume credential exposure and respond accordingly. A vendor patch is available, and organisations can also take immediate defensive action by disabling FortiCloud SSO administrative login while remediation efforts are underway,” said the Rapid7 team.

Arctic Wolf researchers said that besides applying the available updates from Fortinet, organisations finding that they are affected should reset their firewall credentials as a precaution, on the basis that they may have been compromised and exfiltrated, and limit access to firewall and virtual private network (VPN) appliances to trusted internal users.

As its products are deeply embedded in many networks, Fortinet is frequently targeted by threat actors as an initial access point to their victims’ wider IT environments, so further attempts against the latest pair of flaws are considered highly likely.

Christmas presents

Besides the Fortinet authentication bypass issues, CISA has added a few more high-profile flaws to the KEV catalogue in the run-up to the festive break.

These include CVE-2025-69374, an embedded malicious code vulnerability that has arisen in ASUS Live Update after unauthorised modifications were made in a supply chain cyber attack.

Multiple Cisco products, including AsyncOS software, Cisco Secure Email Gateway and Secure Email, and Web Manager appliances are at risk from an input validation vulnerability, tracked as CVE-2025-20393, via which a threat actor may be able to execute arbitrary commands with root privileges.

Finally, SonicWall users should address CVE-2025-40602, a missing authorisation flaw enabling privilege escalation on the appliance management console of SMA1000 series secure access gateways.

At the time of writing, none of the above-listed vulnerabilities have been observed being used in ransomware attacks.


Cyberhackers Just Turned 150 Browser Extensions Into Viruses


While some consumers spend hours researching must-add Google Chrome extensions, most don’t consider which ones they need to delete. Following a seven-year cyberhacking campaign that infected roughly 4.3 million Chrome and Edge browsers with spyware, it might be time to do just that. Dubbed ShadyPanda by the cybersecurity research firm Koi Security, which first reported the scheme in December 2025, the group operated several legitimate browser extensions for years before weaponizing them to collect its users’ web browsing data. According to Koi Security, the Chinese hacking group is a quintessential example of how malicious actors attack popular marketplaces like Google and Microsoft Edge, accumulating customers before pushing through software updates that infect victims with dangerous malware. Following the report, several additional extensions involved in the project were publicly identified by The Hacker News:

  • Clean Master: the best Chrome Cache Cleaner
  • Speedtest Pro-Free Online Internet Speed Test
  • BlockSite
  • Address bar search engine switcher
  • SafeSwift New Tab
  • Infinity V+ New Tab
  • OneTab Plus:Tab Manage & Productivity
  • WeTab 新标签页
  • Infinity New Tab for Mobile
  • Infinity New Tab (Pro)
  • Infinity New Tab
  • Dream Afar New Tab
  • Download Manager Pro
  • Galaxy Theme Wallpaper HD 4k HomePage
  • Halo 4K Wallpaper HD HomePage

When Koi broke the story, many of these applications were still active in both Google Chrome and Microsoft Edge browser stores. However, according to a statement given to The Hacker News, Microsoft stated that it had removed all the extensions identified in the scam. Following the scheme, experts suggest users remove any unrecognized browser extensions, review privacy permissions, and focus only on trusted developers. For the industry writ large, the case is a fascinating look into an ever-evolving threat landscape, providing key lessons for preventing future attacks.

ShadyPanda’s early hacking operations


ShadyPanda published the first of its 150+ web browser extensions in 2018, garnering nearly 4.3 million users over six years. These applications operated legitimately for seven years, gaining the trust of an expanding user base. The first attack occurred in early 2024, converting 145 wallpaper and productivity applications into vectors for mass affiliate fraud, in which hackers injected tracking codes whenever users made purchases on popular webstores to secretly steal commissions from marketplaces like Amazon and Booking.com. The group also used Google Analytics to track, log, and sell users’ browsing data.

The group initiated a bolder, second crime wave in 2024, where applications like Infinity V+ used search redirection, cookies, exfiltration, and search query harvesting techniques to log and monetize users’ browser activity without their consent. Although these attacks were easily identified and disrupted by security professionals, with several applications removed within weeks of their orchestration, they set the table for the organization’s longer, more prolific attacks. Taking five of the organization’s most popular browser extensions, many of which were uploaded as early as 2018 and garnered Featured and Verified status, the group uploaded malicious software updates that infected over 300,000 Chrome and Edge users with malware.

Following the malicious updates, which took advantage of users’ automated update settings, these five extensions, including Speedtest Pro-Free Online Internet Speed Test and Clean Master, created a backdoor through which ShadyPanda could deliver ransomware, execute credential theft, steal browsing data, and conduct corporate espionage. The success of these attacks set the groundwork for what would become a four million+ victim spyware scam.

Beware of spyware


ShadyPanda’s next scam attracted four million Microsoft Edge users through extensions like WeTab. Published by StarLab Technology, WeTab garnered over three million users alone. Disguised as productivity tools, these spyware extensions operated legitimately for two years before quietly collecting the entirety of their users’ browsing data, ranging from search queries, keystrokes, mouse movements, and scroll behavior to browser fingerprints like screen resolution, language, and viewing time. Extensions like WeTab then exfiltrated this information to 15 Chinese domains.

Although less invasive than the group’s previous scam, it was much more prolific and exhibited the same ability to push RCE backdoors into users’ systems. Together, ShadyPanda’s operations offer several lessons for users, developers, and browser marketplaces. Critically, it points to a major security flaw within the broader extension and app marketplace, where due diligence processes end at the approval stage, thus allowing hackers to attack victims through malicious software updates, often manipulating security-minded auto-update settings. As Koi Security points out, however, these problems go far beyond ShadyPanda and their over four million users.

Instead, they reflect broader vulnerabilities in online marketplaces, setting the stage for prolonged hacking operations by criminal networks and state-sponsored groups. As such, marketplaces must adjust their security apparatuses accordingly. For users, it highlights a key vulnerability: trust. Whether it’s an abundance of faith in download numbers, online reviews, or verification badges, users must be vigilant in researching everyone they allow to access their data, as dangerous malware can lurk in everything from video games to iPhone applications. Even AI browsers have been found to spy on their users, underscoring the need for consumers to better assess the security of their data.
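Because marketplace review stops at approval, a defender's own check has to run after each auto-update. The sketch below is an added example, not code from Koi Security or the article: it snapshots the extensions in a browser profile and reports any whose version changed since the last snapshot, along with newly requested permissions. It assumes the Chromium on-disk layout `Extensions/<id>/<version>_0/manifest.json`; the `SENSITIVE` list is an illustrative selection, and the sample manifests are constructed.

```python
import json
import tempfile
from pathlib import Path

# Illustrative selection of real Chrome permission names that expose browsing data.
SENSITIVE = {"cookies", "history", "tabs", "webRequest", "webNavigation",
             "scripting", "debugger", "management", "proxy"}
# Host patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
GRANT_KEYS = ("permissions", "host_permissions",
              "optional_permissions", "optional_host_permissions")


def _version_key(version):
    """Extension versions are dot-separated integers; compare them numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def _grants(manifest):
    """Collect everything a manifest requests, across MV2 and MV3 layouts."""
    grants = set()
    for key in GRANT_KEYS:
        value = manifest.get(key, [])
        if isinstance(value, list):
            grants.update(p for p in value if isinstance(p, str))
    scripts = manifest.get("content_scripts", [])
    for script in scripts if isinstance(scripts, list) else []:
        if isinstance(script, dict):
            grants.update(m for m in script.get("matches", []) if isinstance(m, str))
    return grants


def snapshot(extensions_dir):
    """Return {extension_id: {name, version, grants}} for the newest version on disk."""
    snap = {}
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not ext_dir.is_dir():
            continue
        best = None
        for manifest_path in ext_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip this version
            if not isinstance(manifest, dict):
                continue
            version = str(manifest.get("version", "0"))
            if best is None or _version_key(version) > _version_key(best["version"]):
                best = {"name": str(manifest.get("name", "")),
                        "version": version,
                        "grants": sorted(_grants(manifest))}
        if best is not None:
            snap[ext_dir.name] = best
    return snap


def diff_snapshots(old, new):
    """Report extensions that are new or were updated since the old snapshot."""
    findings = []
    for ext_id, cur in sorted(new.items()):
        prev = old.get(ext_id)
        if prev is None:
            reason, added = "new extension", set(cur["grants"])
        elif prev["version"] != cur["version"]:
            reason = f"updated {prev['version']} -> {cur['version']}"
            added = set(cur["grants"]) - set(prev["grants"])
        else:
            continue
        risky = sorted(g for g in added if g in SENSITIVE or g in BROAD_HOSTS)
        findings.append({"id": ext_id, "name": cur["name"], "reason": reason,
                         "added": sorted(added), "risky": risky})
    return findings


def _write(root, ext_id, version, **fields):
    """Helper for the demo only: write a constructed manifest into the layout."""
    target = Path(root) / ext_id / f"{version}_0"
    target.mkdir(parents=True)
    manifest = {"manifest_version": 3, "version": version, **fields}
    (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    # Constructed profile: one extension gains cookie and all-site access in an update.
    with tempfile.TemporaryDirectory() as root:
        _write(root, "a" * 32, "1.0.0", name="Constructed Tab Page",
               permissions=["storage"])
        before = snapshot(root)
        _write(root, "a" * 32, "1.10.0", name="Constructed Tab Page",
               permissions=["storage", "cookies"], host_permissions=["<all_urls>"])
        for finding in diff_snapshots(before, snapshot(root)):
            print(finding)
```

A malicious update does not have to request anything new, so every version change is reported even when `risky` is empty; treat the permission diff as a prioritisation aid rather than a verdict.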


Virgin Media O2 reveals record-breaking year of UK data use

Growing customer use of artificial intelligence (AI) alongside the continued draw of live sports and major gaming releases has resulted in record levels of data consumption across the networks of Virgin Media O2, including an 8% rise in broadband usage and an 18% rise in mobile traffic.

The leading UK operator’s 2025 year in review, an analysis of traffic on its infrastructure, combines broadband, mobile and movement data with national polling findings to reveal the human behavioural insights behind the network data.

From an enterprise perspective, the data revealed that office attendance remained steady in 2025, with insights from AI-enabled mobile data and insights provider O2 Motion, which uses anonymised and aggregated data from O2’s mobile network, showing commuter levels falling just 1% from 2024. Despite this, the study said there was clear evidence of a generational divide, with early career workers returning in greater numbers while mid-and-late career groups continue to step back. 

Tuesday was the most popular day for workers to head to the office, with Wednesday leapfrogging Thursday as the second busiest. O2 Motion data showed that Friday is the most popular day for Brits to work from home, which the company said was no surprise as broadband data reveals a drop in traffic on Friday afternoons during the summer months as many remote workers clock off early. 

In a year that saw more than 20 days of strikes across Britain’s travel network, three-quarters of people (75%) were affected by travel disruptions. During September’s London Tube strike, O2 Motion data found that footfall across the capital was down 16%. For those that did brave the commute, 30% walked to work, 24% drove and 9% jumped on a rental e-bike.

In the realm of fixed broadband, the research found that live music and gaming releases continue to drive data spikes. Broadband data usage continued to rise and was up by 8% in 2025 compared with a year earlier. The biggest spikes were driven by football and gaming releases, with Liverpool’s Champions League football win against Real Madrid in early November and the release of Call of Duty: Black Ops 7 coming out on top.

As drama-fuelled TV sparked online conversations and offline watercooler moments – from Adolescence, to Traitors and Stranger Things – and Celebrity Traitors created a cultural moment of its own, Thursday broadband spikes were the norm as Brits bundled episodes to watch together.

The key theme of mobile traffic on the O2 network was that people in the UK were scrolling, chatting and embracing AI more than ever, despite nearly three-fifths of Brits (58%) saying that they began the year with a plan to reduce the time they spent on their phone.

The usage data showed that instead it was another record-breaking year for mobile data usage, which was up 18% on an annual basis. Despite their intentions, many people admit that they used their phone more frequently to stay in touch with friends and family (55%), scroll on social media (44%), and use AI tools (41%). Overall use of AI was becoming increasingly normalised, with 47% agreeing that it is totally accepted in most areas of life now.

Commenting on the trends revealed by the survey, Virgin Media O2 chief technology officer Jeanie York said: “It is clear that this demand has been driven by the continued excitement surrounding gaming and sports, with several significant game releases and many exciting Champions League matches causing large spikes across our networks. We are investing and innovating to ensure we continue to provide the connectivity that is underpinning the lives of our customers, including AI, which customers are using more than ever before.”


IT Sustainability Think Tank: How IT sustainability entered the mandate

As the calendar turns the final pages on 2025, the information technology sector stands at a critical juncture regarding its environmental commitments. This year was not marked by technological breakthroughs solving decarbonisation, but by the decisive maturation of sustainability from a strategic differentiator into an operational and regulatory imperative.

This transition involved a painful reckoning with data complexity, supply chain reality, and the sheer energy appetite of modern computing, driven primarily by the rapid proliferation of artificial intelligence (AI).

We entered 2025 with goals framed by aspiration; we exit under the binding mandate of actuality. The central shift is profound: IT sustainability is no longer a parallel environmental, social and governance (ESG) initiative.

It has become deeply intertwined with core business continuity, geopolitical supply chain risk, and mandatory financial disclosure. While this shift signals progress, momentum is driven more by necessity and the threat of liability than by shared ethical commitment.

The conversation evolves from aspirational to accountable

The most profound shift over the past year has been the forced elevation of the sustainability dialogue directly onto the executive committee’s core risk portfolio. This movement is not voluntary; it is driven by impending regulation and the sobering realisation that environmental failure now carries direct, auditable financial penalties and board-level liability.

Only a year ago, discussions circled around unquantifiable reputational benefits. Today, the lexicon is dominated by acronyms signalling mandatory compliance: CSDDD, CSRD, and the tightening of the SBTi Net-Zero Standard V2. These frameworks compel executives to move past narratives and confront the granular, auditable data attached to every asset, vendor, and cloud usage.

For the CIO, this manifests in two critical areas. First, energy efficiency is decisively reframed as a cost of doing business, crucial for operational expenditure control amid volatile global energy markets. Second, the sudden energy demand of generative AI has triggered a rapid, internal debate on responsible compute architecture.

Leaders are increasingly compelled to justify AI investment not solely on traditional ROI, but via a nascent “return on compute” model that necessarily integrates and accounts for carbon expenditure. This makes the environmental cost of IT an integrated input in the total cost of ownership calculation, rather than a polite footnote.

Despite this high-level engagement, progress remains complicated. The IT function often lacks the authority to enforce change across complex internal silos, and the necessary budget and risk tolerance for truly transformative shifts remain stubbornly limited.

Genuine progress where the green shoots are taking hold

Despite systemic inertia, 2025 delivered solid, tangible progress in certain operational domains, offering a partial blueprint for future net-zero efforts. Our confidence is bolstered by three examples, though it is crucial to understand that wide-scale adoption across the average enterprise remains nascent and often confined to pilot programs:

1. Decoupling cloud growth from carbon: Hyperscale cloud providers have largely won the battle for renewable energy procurement. The next frontier — optimising physical operations — has seen enterprise engagement. We saw accelerated adoption of advanced liquid cooling technologies (still primarily concentrated in hyperscale environments, but critical for future AI scaling). Enterprises optimising workloads for low-carbon regions and utilising serverless architectures successfully decoupled rapid cloud expansion from a proportional rise in emissions. This success belongs predominantly to the hyperscalers, and enterprise optimisation remains an ongoing campaign.

2. Maturing the circular IT model (As-a-Service): The year 2025 saw the Managed Device-as-a-Service (MDaaS) model transition into a critical environmental enabler. By outsourcing the entire device lifecycle, enterprises commit practically to refurbishment and robust reverse logistics. Successful enterprises leverage these contracts to guarantee asset re-entry into the value chain via certified refurbishment, drastically reducing e-waste. The caveats are two-fold: MDaaS adoption is far from universal, and the verification of these circular chains still lacks necessary, robust third-party scrutiny.

3. The nascent rise of green software engineering: The formal emergence of green software engineering (GSE) is perhaps the most encouraging development. For too long, the environmental focus was only on hardware. This year, organisations began measuring code energy consumption — optimising algorithms and refactoring applications to reduce reliance on resource-intensive computing.

An important development this year was the publication of the W3C Web Sustainability Guidelines (WSG) Draft Note. Developed through a global, collaborative effort — in which I was pleased to participate — the guidelines offer a structured and internationally relevant set of best practices for reducing the environmental footprint of web products and services. While the scope focuses specifically on the web rather than the full breadth of enterprise IT, the Draft Note nonetheless represents a significant step forward for the industry.

The persistent gaps undermining net-zero momentum

For all the genuine acceleration, 2025 was equally defined by two persistent, critical gaps that threaten to derail net-zero pathways and demand urgent attention.

1. The Scope 3 emissions chasm: The most pervasive and frustrating gap remains the measurement and meaningful reduction of Scope 3 emissions, particularly from purchased goods and downstream asset end-of-life.

Despite regulatory urgency, the vast majority of enterprises still rely on highly aggregated, industry-average supplier data (spend-based or activity-based), which is neither auditable nor sufficient for mandatory disclosure. The necessary mechanism — detailed, granular product carbon footprints (PCF) provided by every vendor — is simply not available at scale or with sufficient fidelity.

The problem persists because it requires collaboration across complex, often proprietary global supply chains. Suppliers are reticent to disclose granular data, citing competitive concerns, while buyers lack the leverage to mandate it. The result is a ‘Scope 3 plateau’: targets are set, but underlying emissions remain stubbornly high, creating a significant credibility risk. We are still largely measuring a reflection, not the reality.

2. The generative AI energy debt: While AI is a powerful tool for sustainability optimisation, the immediate, unmanaged energy demand of Large Language Models (LLMs) represents a profound and growing gap. The speed of AI adoption, combined with the inherently expensive High-Performance Computing (HPC) required, creates an “energy debt” that offsets hard-won gains elsewhere.

The challenge is governance. Enterprises are deploying AI solutions without robust, mandatory policies on model selection, inference efficiency, or resource decommissioning. Crucially, most organisations remain focused on achieving initial ROI metrics, relegating energy efficiency to an optional performance tweak. Failure to enforce a framework for ‘responsible compute’ risks the transformative power of AI being negated by its own expanding environmental impact. This is the single greatest risk to the IT sector’s net-zero journey.

Strategic priorities for 2026 and beyond

As the IT Sustainability Think Tank looks towards 2026, the focus must shift from identifying the problem to systematically closing the remaining gaps with institutional discipline. We must treat these priorities as non-negotiable elements of future business resilience:

  1. Mandate data granularity for Scope 3: Leverage procurement influence to force supplier compliance on verifiable Product Carbon Footprints (PCF). The mandate must be non-negotiable, enforced with clear vendor scorecards and contractual requirements.
  2. Institutionalise green software engineering: Invest heavily in training and tooling to embed energy efficiency into the software development lifecycle (SDLC). Software architecture must be treated with the same environmental scrutiny as data centre cooling, making efficiency an audited requirement.
  3. Govern the AI energy cost: Implement a Responsible AI framework that includes mandatory energy consumption metrics and resource allocation policies for all Generative AI deployments.

The year 2025 was when IT sustainability moved into the board’s audit file. Next year must be the year we finally gather the granular data, enforce the necessary discipline, and manage the rapidly growing energy appetite of our own invention. The time for aspirational statements is definitively over; the urgent task now is to move these nascent efforts into full, verifiable accountability.


Experts Recommend You Update Your Android Phone ASAP


Google’s December 2025 security update patched 107 vulnerabilities for Android devices. For a complete catalog of all the issues, you can refer to the update notes hosted on the Android Security Bulletin, including the two high-severity flaws listed at “critical” and “severe” levels. According to the bulletin, the patch will fix a critical security vulnerability in the Android Framework. It will also patch vulnerabilities at the system and kernel levels, along with listed vulnerabilities for MediaTek, Qualcomm, Arm, and Unisoc components.

For example, two vulnerabilities listed on the bulletin were CVE-2025-48572, an Android Framework privilege escalation vulnerability, and CVE-2025-48633, an Android Framework information disclosure vulnerability. Both vulnerabilities, if left unfixed, could leave your Android device open to attackers who can modify system settings and take control of it.

This most recent security patch was released on December 5, 2025, for devices running Android 13, 14, 15, and 16. The bulletin also notes that within 48 hours of publication, the corresponding source code patches will be available in the Android Open Source Project (AOSP) repository. You can also find the AOSP links in the bulletin. If you are eager to keep your device protected, though, your Android phone should have the update ready to download and install via settings.

Update your Android phone’s security regularly


It’s already recommended not to skip Android updates when they are available. Updates are designed to fix bugs and vulnerabilities, optimize system performance, and bring new features. Some manufacturers will have scheduled updates you can customize or push through manually via Software update settings. Google releases major security patches to address software flaws. If these flaws are not addressed, you risk exposing your device to major cybersecurity threats. Bad actors can target these vulnerabilities to inject malware, hack the device remotely (denial-of-service and remote execution), and commit data theft.

Exploits at the Framework level are dangerous and are often considered the scariest. The Android Framework is composed of prebuilt classes, interfaces, and services that provide higher‑level access to the operating system. It is responsible for managing core functionalities, including the user interface, hardware interactions (such as sensors), and background services. It’s also the foundation used for building Android applications, which is done through the Framework’s API.

Apps access the API to perform their primary operations, such as managing contacts, accessing the camera, and using location services. Any compromise of the Framework could grant unauthorized users system-level access, leaving your device and information completely open and making attacks difficult to defend against, as with zero-click exploits, which can potentially infect devices without any user input.


Amazon Has Big Changes Planned For 2026


E-commerce giant Amazon is about to close out an impressive 2025 and is looking forward to an even bigger 2026. Fans of shopping at Amazon for groceries can look forward to an expansion of stores across the next year. Amazon is going all-in on its robotaxi service, not for deliveries, but to transport people. And for those who sell products on Amazon, there is a massive change in that sellers must label and prepare products for shipping themselves, a service that was previously handled by Amazon.

Amazon itself and Prime, with its impressive perks available to users, have grown massively since their inception. Amazon has the biggest U.S. market share for e-commerce, towering over competitors like eBay and Walmart. Its revenue has grown rapidly year-over-year, achieving billions of dollars’ worth of sales every year. All of this growth and success has enabled it to look ahead to 2026 with an innovative eye. Its plans for the new year aim to expand its services, provide more customer offerings, and continue to win over consumers in the e-commerce market.

Grocery delivery and robotaxis


Amazon offers grocery delivery to homes for both Prime and non-Prime members, though non-Prime members have to pay an additional fee, which makes a Prime membership worthwhile. Amazon currently offers same-day grocery delivery to over 2,000 cities and is looking to expand that even more across 2026. Driving this demand is Amazon’s focus on the quick delivery of perishable grocery items, like fruits and vegetables, which top Amazon’s perishable delivery charts. Since produce can go bad fairly quickly in your kitchen, it’s easy to see why fast delivery of such items would be a target for Amazon in 2026.

Robotaxis are ramping up activity in a handful of states where you can ride one in the U.S. Amazon refers to its service as Zoox, which can hold up to four passengers at a time, and it’s already being used by Amazon workers. Zoox will start giving rides to people in Las Vegas and in the greater San Francisco Bay area in 2026.

Since it is a driverless vehicle, there is no steering wheel, but there are screens for each passenger that display their personal routes to their destinations along with estimated arrival times. The tech doesn’t stop there, as it also offers charging ports and wireless charging pads for your phones, tablets, and other devices. Each seat also has its own climate control. The purpose of the robotaxis is to help with smoother transportation in busy metropolitan areas.

A new shipping system for sellers


Amazon is a good platform for both large and independent sellers to list products. For independent sellers, it offers a reputable e-commerce service, integrated marketing, and a better way to get more visibility. Previously, Amazon would label and package items itself on behalf of sellers in what was known as Fulfillment by Amazon (FBA) shipments. That ends on January 1, 2026, as sellers will be responsible for that part of the fulfillment themselves from now on.

This puts a bigger burden on sellers, prompting them to take care of the extra cost and supplies. If they can’t handle it on their own, they will have to work with certified third-party logistics providers. This goes beyond just ensuring the product is in a box with a label. There are compliance guidelines that must be adhered to, and it’s on the seller now to understand those.

For those who purchase from Amazon but don’t sell, this could mean higher prices on items to recover the operational costs. Some prices on Amazon have already increased due to tariffs. For sellers, this means reworking current operations to comply with these new rules. Whether you think the changes Amazon has planned for 2026 are positive or not, the e-commerce giant is ready to kick off the new year with ambition and innovation.


UK government’s G-Cloud 15 framework: Everything you need to know

The government procurement chiefs at the Crown Commercial Service (CCS) are gearing up for the 2026 launch of the 15th iteration of the government’s G-Cloud procurement framework, having treated the purchasing agreement to the biggest revamp in its history.

The framework’s value and length are both markedly larger and longer, respectively, compared with previous iterations of the framework, with CCS introducing changes to seemingly make G-Cloud better suited for larger cloud deals.

For example, the estimated framework value for G-Cloud 15 is tipped to be £14bn, with the agreement set to run for four years to September 2030.

In contrast, the previous iteration was valued at £4.8bn and will have run for two years by the time it ends.

Another sizeable change is the introduction of eight-year contracts for cloud hosting deployments under G-Cloud 15, when the maximum contract length permitted under G-Cloud 14 was half that length at four years. For the non-cloud hosting lots, contracts called off under G-Cloud 15 can be a maximum of six years.

Based on all of the above, it’s fair to say G-Cloud 15 marks a radical departure for the framework, with all the changes that CCS has planned for it.

Here, we take a deep dive into CCS’s proposed framework tweaks, and find out why it’s feared some of these changes risk making the framework less accessible to small and medium-sized enterprises (SMEs).

How different is G-Cloud 15 to what’s gone before?

Compared with the first-ever iteration of G-Cloud, which made its debut in spring 2012, G-Cloud 15 is a world apart.

When it made its debut, the framework was pitched as a means of opening up government IT deals to SMEs and supporting the growth of the UK’s own homegrown market of cloud providers.

This was at a time when the awarding of lengthy and expensive contracts to big tech firms and systems integrators (SIs) was the norm, and G-Cloud was intended to help break the hold these firms had on public sector IT procurement.

To this end, G-Cloud contracts were initially capped at 12 months in length, to give buyers the freedom to switch out their cloud providers regularly for cost or performance reasons.

The framework was also regularly updated (with new iterations launching every six months) to ensure the public sector was getting access to the latest and greatest tools and technologies the burgeoning cloud market had to offer.

“The G-Cloud tenets were around innovation and getting SMEs into public sector IT, and introducing a fresh approach, niche tools and cost-effective solutions, and actually freeing up departmental procurement professionals [because it was easier to use],” Bill McCluggage, a former director of IT strategy and policy in the Cabinet Office and deputy government CIO from 2009 to 2012, told Computer Weekly.

“And the customers loved it because it meant they didn’t have to go through a big, costly, long-winded, complex procurement process that – by the time you got through the other end of it – your requirements have literally changed.”

And while the framework initially helped to give homegrown cloud firms and SME tech providers a leg-up into government IT deals, the picture has steadily changed over the past decade or so, specifically since the hyperscalers began opening UK datacentres in late 2016.

Evidence of this can be seen from glancing at the government’s Digital Marketplace sales figures. These confirm the tech suppliers making the most sales from the framework these days are big tech firms such as Amazon Web Services (AWS), IBM, Microsoft, and consultancies and SIs such as Deloitte, Capgemini and Accenture.

“[The framework has] slowly but surely been grasped by the procurement professionals in CCS and tailored into a traditional, risk-averse framework that now starts to look as if it’s favouring the big hyperscalers and the SIs again,” said McCluggage.

What’s the timeline for G-Cloud 15 to start?

The invitation to tender (ITT) part of the procurement process for G-Cloud 15 began on 23 October 2025, and would-be suppliers have until Friday 30 January 2026 to apply for a place on the framework, which is expected to go live in September 2026.

How does G-Cloud 15 differ to G-Cloud 14?

There are quite a few differences between the two purchasing agreements, with the number and structuring of the framework lots for G-Cloud 15 looking significantly different. This is mainly because G-Cloud 15 is covering the work of the Cloud Compute framework, as well.

For example, Cloud Hosting is now spread across two lots (dubbed Lot 1a and Lot 1b) rather than one.

Lot 1a is for suppliers specialising in the provision of “core” infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) subscription services, while Lot 1b covers the same types of services when used to host information that is classified as being above the “official” government data security classification level.

The framework’s Cloud Software Lot has also been similarly split into Lot 2a, covering the provision of infrastructure software-as-a-service (ISaaS), and Lot 2b, which covers software-as-a-service (SaaS) offerings.

Lot 3, covering Cloud Support services, remains intact, but Lot 4, which was run as a standalone framework to G-Cloud 14 for public sector IT buyers that wanted to run their own competitive processes for more complex cloud support contracts, is being discontinued.  

As previously stated, G-Cloud 15 is set to run for four years, while G-Cloud 14 was initially a two-year framework (that got extended by an additional six months).

Meanwhile, the maximum amount of time that contracts can run for has doubled (in the case of the cloud hosting lots) to eight years in G-Cloud 15. This works out at five years for the initial term of the contract, with buyers offered up to three optional extensions of 12 months.

For the other G-Cloud 15 lots, the maximum amount of time that contracts can run for is six years, consisting of an initial period of four years, with buyers offered up to two optional extensions of 12 months.

For context, all G-Cloud 14 contracts, regardless of the Lot they were called off from, could run for an initial 36-month period, with the option given to extend them by a further 12 months if needed.

What other changes has CCS introduced?

As well as a rework of the G-Cloud 15 Lot structures, CCS is considering introducing enhanced applicant vetting procedures for Lot 1a and Lot 1b participants, specifically.

As previously detailed by Computer Weekly, CCS is reportedly considering making potential suppliers:

  • Undergo more rigorous financial vetting than required under the previous iteration of the framework.
  • Possess an expanded number of mandatory ISO accreditations than before, or provide proof that work to acquire them is underway by the time the application deadline for G-Cloud 15 closes in January 2026.
  • Where Lot 1b applicants are concerned, they must possess insurance cover in excess of £75m to secure deals through G-Cloud 15.

How will the financial vetting procedures for G-Cloud 15 differ to what’s gone before?

Participants in G-Cloud 15’s cloud hosting lots will need to participate in a more in-depth Gold Standard Financial Viability Readiness Assessment (FVRA).

This process typically involves suppliers having to participate in a detailed assessment of their financial affairs, involving the supply of extensive information about their businesses, which will be subject to tight scrutiny by CCS.

Under the previous iteration of the framework, all suppliers – regardless of lot – were subject to less onerous checks that would only involve them having to participate in a full FVRA if they did not meet an initial credit score screening test. This system remains in place for Lot 2a, Lot 2b and Lot 3 providers under G-Cloud 15.

What kind of accreditations are participating suppliers expected to have?

The CCS has confirmed it is now mandatory for suppliers wishing to participate in its Cloud Hosting Lots to possess the ISO 9001, ISO 20000-1, ISO 27001 and ISO 27018 certifications.

CCS initially stated in its tender documents that suppliers would need to be in possession of these mandatory accreditations by the time the application deadline for G-Cloud 15 closes in January 2026.

However, it appears, in response to supplier pushback, CCS’s stance on this matter has now softened.

“Following a review of requirements and the current capability and capacity issues that exist within the market, CCS has decided to amend its position concerning ISO accreditation,” CCS has confirmed.

“The ISO standards listed are still mandatory … to operate in Lots 1a and 1b. However, the requirements on bidders will now be that if they do not currently hold the required ISO certification, they must evidence to CCS, before the application deadline of 30 January 2026, that they have begun the process of certification … This should take the form of an authorised third-party confirmation from an ISO accreditation body.”

G-Cloud suppliers have previously been exempt from needing the Cyber Essentials accreditation. Is that the case this time around?

No – under the terms of G-Cloud 15, all participating suppliers will now need to hold a Cyber Essentials accreditation.

CCS previously stated this would just be mandatory for G-Cloud 15’s Cloud Hosting participants, but – in an email to suppliers dated 5 December 2025 – it confirmed this condition now applies to all suppliers.

“Suppliers awarded a place on the framework on either Lots 2a, 2b or 3 will be required to obtain a valid Cyber Essentials certificate for themselves and ensure any of their subcontractors who process personal or official data have a Cyber Essentials certificate,” the email, seen by Computer Weekly, stated.

“Evidence of your certification is required within 12 months of the award date of the G-Cloud 15 framework. Certificates will be monitored by CCS, and any suppliers who fail to provide a valid certificate within 12 months of the award date will be suspended from the framework. Suspended suppliers can be reinstated as soon as they provide a valid Cyber Essentials certificate to CCS.

“Bidders who already have a Cyber Essentials certificate should provide it with their tender,” it added.

And what’s with the changes to the insurance requirements?

Details of G-Cloud 15’s reworked insurance requirements are laid out in a “Joint Schedule 3” document CCS has previously shared with potential suppliers.

It stipulates that suppliers wanting to secure contracts under framework Lot 1a, Lot 2a, Lot 2b and Lot 3 “shall hold” separate private indemnity, public liability insurance and employers’ liability insurance with cover that totals at least £7m.

As such, suppliers must have separate professional indemnity insurance and public liability insurance of at least £1m each, as well as at least £5m in employers’ liability insurance. Incidentally, these levels of insurance are the same as those required of suppliers on G-Cloud 14.

However, suppliers vying for contracts awarded under Lot 1b, which covers IaaS and PaaS services used to host data that is above the “official” security grading, must have in place separate private indemnity, public liability and employers’ liability insurance that totals at least £75m, the document states.

These changes appear to raise the barriers to entry to G-Cloud quite significantly. What has been the response to them?

As previously reported by Computer Weekly, concerns have been raised by various sources in the G-Cloud supplier community that G-Cloud 15 looks set to finally put paid to the notion that the framework is SME-friendly, based on the changes CCS is planning to introduce.

Speaking to Computer Weekly, Nicky Stewart, a senior advisor to pro-cloud market competition advocacy group The Open Cloud Coalition, echoed these concerns.

“G-Cloud began as a revolutionary initiative designed to shatter the IT ‘oligopoly’ [of big tech firms and SIs], enabling the government to ‘pay less, get more, and get it sooner’ by allowing SMEs and new market entrants access to the market to compete with the oligopoly,” she said.

“G-Cloud, in its initial iterations, genuinely enabled this aspiration. SMEs and new market entrants grew, hired, created wealth and helped to underpin the government’s digital transformation. But along the way, G-Cloud lost its way.”

An “absence of competition” within G-Cloud paved the way for a new “duopoly” of suppliers emerging – namely AWS and Microsoft – that, in time, SMEs would find difficult to beat on price and – ultimately – would lose out on business to.

And G-Cloud 15 seems to be continuing a marked shift that started with G-Cloud 14, in terms of the framework becoming harder for SMEs to get a foothold in.

“G-Cloud 14 saw a shift, not towards competition and diversity, but towards alignment with the CCS Public Sector Contract,” she said. “This meant financial tests from the outset and, initially at least, much tougher insurance requirements. Previously, buyers would perform their own due diligence and determine their insurance requirements.

“G-Cloud 15 takes this shift to a new level … the insurance, financial and accreditation requirements are all significant barriers to entry. These, coupled with a potential eight-year term for cloud hosting call-off contracts, risk undermining G-Cloud’s initial principles of diversity and competition, and could nullify any meaningful impact that G15 could have had in terms of diversifying and strengthening the government’s unhealthily concentrated cloud market.”   

Why has CCS decided to make such big changes to G-Cloud this time around?

The reasoning for pushing through many of the proposed changes to the framework can be traced back in part to the fact that when G-Cloud 15 launches, it will not only be replacing G-Cloud 14, but also the need for CCS to roll out a third iteration of its hyperscale-focused Cloud Compute framework.

The latter was created as a purchasing agreement for large-scale, high-value public sector cloud contracts, and so it is thought that CCS is putting suppliers through heightened financial vetting and requiring more accreditations to make sure they have what it takes to deliver on these types of deals.

What difference will adding the Cloud Compute framework to the G-Cloud purchasing agreement make?

The government’s Cloud Compute framework was originally created and introduced so that large, hyperscale deals of that ilk would no longer be funnelled through the more SME-friendly G-Cloud setup. However, that purchasing agreement – over two iterations – has struggled to find its footing with public sector IT buyers.

CCS has confirmed there will be no third iteration of the Cloud Compute framework, as the principles of that framework are set to be incorporated into G-Cloud 15.

This is thought to be why G-Cloud 15’s value has ballooned between iterations, and why G-Cloud 16 is not expected to make an appearance until 2030 at the earliest.

Why exactly is CCS merging the Cloud Compute framework with G-Cloud?

The official line on this is that merging the two frameworks will allow Cloud Compute to “leverage” G-Cloud’s popularity, with the latter purchasing agreement described by CCS in the G-Cloud 15 tender document as the “largest framework of its kind in the public sector”.

Reading between the lines, this could be interpreted as an admission from CCS that the Cloud Compute framework never quite delivered on what it was intended to, and under-performed.

The first iteration, which went live in 2021, reportedly generated very few sales, with a 2023 investigation by Computer Weekly uncovering just one contract – totalling £750,000 – called off under the £750m Cloud Compute 1 framework.

The framework’s second iteration, Cloud Compute 2, has fared a little better since it went live in November 2023, having undergone a revamp by CCS to make it more accessible to SME suppliers.  

According to contract data supplied to Computer Weekly by public sector-focused analyst Tussell, there have been at least five deals totalling £10.8m called off under Cloud Compute 2 since it went live – the largest of these being a £5m contract awarded by the Department for Work and Pensions to Oracle in May 2024.

For a framework valued at £1.35bn, though, it’s not a great sales track record, particularly as it’s a purchasing agreement intended for large-value cloud deals.

To put that figure into context, during the 2023–24 financial year, the amount of cloud spend – as confirmed by CCS – transacted through the G-Cloud framework totalled £3.1bn.


UK mobile improves but digital divides persist

Mobile connectivity across the UK is becoming faster and more responsive on average; a marked gap still persists between the quality of experience in urban and rural areas; and the gap between the best and worst-performing local authorities remains significant, according to research from Ookla.

The analyst’s Speedtest Intelligence report for 2025 takes an overview of mobile network performance across the UK, focusing on outcomes at local authority level and how those outcomes have changed over time.

The study was based on millions of samples from mobile devices connected to a cellular network, comparing results from Q1–Q3 2025 with the same period in 2024. For each local authority, the report considered not only typical speeds, but also the experience of slower connections, and the relationship between population density and mobile outcomes. At UK and country (nation) level, it drew on national aggregate metrics (2025 to date) for the UK, England, Scotland, Wales and Northern Ireland.

Fundamentally, the research found that population density correlates strongly with better outcomes. In practical terms, the findings illuminate the urban-rural digital divide, showing that where you live in the UK largely dictates your mobile experience.

Analysis of local authority outcomes revealed what Ookla called the “stark” extent of regional variation in and across nations in the UK. Despite the general upward shift in the overall local authority distribution over the past year across key mobile performance indicators, the range remains large and many rural local authority areas are still stuck with not-spots despite the progress of the government’s shared rural network (SRN) scheme. Areas that were strong performers in 2024 generally remained strong, and many of the weakest authorities in 2024 still sit near the bottom of the distribution in 2025.

On a country level, UK mobile performance improved notably between 2024 and 2025, with the national median download speed rising from approximately 55.02Mbps to 63.03Mbps. This represented a year-on-year increase of around 15%. Median upload speeds inched up from 7.80Mbps to 8.21Mbps, while median latency improved marginally from 52ms to 50ms.

England and Northern Ireland saw the strongest gains, while Wales remained the slowest nation and Scotland’s median slipped from 49.13 to 46.05Mbps despite improvements in several local authorities. Overall, though, the UK rates badly compared with European peers such as Germany and the Republic of Ireland.

Drilling deeper, the study showed that the gap between local authorities remained stark. In Q1–Q3 2025, median speeds ranged from just over 10Mbps in the Shetland Islands to just over 100Mbps in Leicester. Around 28% of local authorities had fewer than 60% of test samples meeting a 25Mbps download threshold, indicating persistently poor connectivity for many in the UK.

Including the aforementioned Leicester, top performers included Nottingham, Derby, Bridge of Don, Thurrock and Stoke-on-Trent. These areas typically combine median download speeds in the mid-80s to 100Mbps, roughly three-quarters or more of samples reaching 25Mbps, and relatively strong results even in the slowest 10th percentile (generally around 8–11Mbps).

In addition to the Shetland Islands, the country’s weakest performers included the Isle of Anglesey, Fermanagh and Omagh, Denbighshire, Pembrokeshire, Orkney, and Cornwall. These areas have median download speeds mostly in the mid-teens to low-20s – excluding the Shetland Islands – with less than half of samples reaching 25Mbps and 10th-percentile speeds typically in the 1.5–3Mbps range, highlighting large not-spots for a significant share of users there.

Looking at the companies driving the industry, the study noted that heavy capital spending by the UK’s operators was driving improved outcomes. It added that the UK remains one of only a handful of countries in Europe and globally where at least three operators have “aggressively” deployed 5G standalone across a significant footprint.

Virgin Media O2 has already reported 70% population coverage and BT/EE boasts a similar level. VodafoneThree has committed to invest £11bn in its UK network over the next decade, including £1.3bn of capex in year one.
