The sharpest change in local government IT is this: councils are talking about it less as a technology function and more as a failure point for the whole organisation. Across 15 councils and 80 IT-related insights, cyber security is now being described in language normally reserved for major service collapse. One officer said bluntly: “if you have a cyber attack the financial reputational damage can be catastrophic.”
That matters because the market is not just buying protection. It is buying continuity, recovery, migration support and help with the messy business of making systems actually work after go-live. The procurement story is therefore broader than software renewals. It is about councils trying to keep finance, housing, contact centres, reporting and member-facing services alive while replacing old platforms, hardening security and undoing the damage caused by rushed implementations.
Cyber security has become the default board-level IT issue
The clearest sector-wide signal is the rise in cyber security as a live operational threat, not a compliance exercise. The insight base includes 25 pressure items, and several of the strongest are about resilience under attack. In one meeting, a senior officer warned: “Our biggest threat I would say at the moment is cyber security. You just have to listen what's going on the airlines Jaguar Land Rover just in the last week 10 days. Are we robust enough with our cyber security?”
That kind of language changes buying behaviour. Councils do not sound like they are shopping for a box-ticking security review; they sound worried about business interruption, recovery time and reputational loss. Pembrokeshire County Council went further in 2023, referencing the Redcar and Cleveland attack that cost “something like 8.7 million pounds” and Hackney’s prolonged recovery. The underlying point is obvious: cyber no longer sits in the IT budget alone, because the cost lands across every service.
For suppliers, this is where the opportunity sits: incident response retainers, penetration testing, disaster recovery, endpoint hardening, identity and access management, staff training, and recovery playbooks that are written for local government realities. Councils are increasingly signalling that they need something more than annual assurance. East Lothian Council’s internal audit even replaced a complaints audit with cyber security “given the heightened risk”. That is a procurement clue as much as a governance one.
For residents, the practical implication is less glamorous but more important: if a council gets hit, services you actually use — housing, benefits, council tax, reporting, repairs, call handling — can be disrupted for months, not days. That makes cyber expenditure a service continuity issue, not an IT preference.
Security work is being pulled into private sessions
A second pattern is how often councils are discussing ICT security behind closed doors. Glasgow City Council’s audit note said the ICT security and contract management report “had to be taken in private due to the nature of the report and were not able to discuss the detail of security or commercial matters in the public domain”. That tells suppliers something important: the most commercially interesting security work may not surface in a nice open tender notice until the council is already well into the process.
In practice, this tends to favour incumbents and framework suppliers who already understand the council environment. The longer a council keeps cyber and security discussions in private or semi-private audit settings, the more valuable trusted relationships become. That is especially true where the council is dealing with both technical vulnerability and contract governance weakness at the same time.
ERP is where the sector’s biggest financial and operational stakes are concentrated
If cyber is the most urgent threat, ERP is where the largest long-term procurement decisions are being made. Cardiff Council is already talking about its future ERP cycle in strategic terms, with members recommending early collaboration with Welsh authorities and regional bodies. One quote captured the timing perfectly: “we're putting the system in now, we all understand why. But then, almost immediately begin, right, when's the next milestone when we can start working together?”
That is the right question for suppliers to hear. Councils that have just entered or are about to enter ERP implementation are already thinking about the next replacement cycle, not just the current one. Cardiff’s advice is a reminder that ERP is no longer a one-off procurement; it is a recurring strategic programme with an unusually long tail. The winner is not simply the vendor with the best software, but the one that can support change, integration and future collaboration.
Birmingham City Council shows the opposite side of that market: the cost of getting ERP wrong. Its Oracle programme produced what the data calls a catastrophic failure, with an estimated £90m+ overspend against an initial £15m-£37m budget. The council said “the impact is so significant. It's not only cost significantly more to implement the ERP system, but there's a reality that you've not really been in control of your finances for the last three years.”
That is a market warning shot. It tells bidders and consultants that councils are now acutely sensitive to implementation risk, governance failure and incomplete go-live states. Birmingham’s case will make future buyers tougher on assurance, testing, and contract control. It also means there is likely to be demand for recovery support, controls remediation, audit support and programme rescue expertise — a niche but highly valuable market segment.
Glasgow City Council’s ERP situation underlines the same point from another angle. Its SAP system has been in place since 2004, and standard support ends on 31 December 2027. The council said the system is used to “perform accounting functions, pay suppliers, bill customers, meet statutory duty requirements and deliver HR services including payroll.” That is not a minor refresh; that is a replacement of the operating spine of the authority.
For suppliers, the critical thing is timing. A 2027 support cliff sounds distant until you account for procurement, data migration, testing and business change. In ERP, the buying cycle starts long before the replacement is formally approved. The market signal here is that councils are moving from “can we afford to replace?” to “can we survive not to?”.
The market has learned that change management is not optional
Cardiff Council’s warning is worth repeating because it goes to the heart of what vendors often underprice. The committee said: “one of the clear messages is being done to underestimate the change, and to underestimate the resources required to bring in the change.” That is the most commercially useful sentence in the sector data.
It means councils are beginning to understand that ERP cost is not just licence plus implementation. It is training, process redesign, parallel running, reporting rebuilds, data quality work, and user support after go-live. Suppliers who sell “implementation” without a serious change offer will struggle against councils that have learned the hard way. The best opportunity may be in business change resource rather than pure system delivery.
Councils are still buying hardware, but they are buying resilience rather than refresh for refresh’s sake
End-user equipment remains a steady spend line, but the rationale has shifted. Across the dataset there are 14 spending insights, and several of the approved contracts relate to three-year equipment supply via Crown Commercial Service frameworks. One report said the contract for laptops, desktops, tablets, mobile phones and peripherals sat within a £1.7m capital budget. Another added that officers wanted delegated authority because of “potential price increases from 2026 linked to global supply chain pressures.”
That tells you two things. First, councils are still doing standard replacement cycles, and those are reliable opportunities for hardware vendors and managed device providers. Second, procurement teams are nervous about supply risk and price volatility, which increases the value of flexible contracts, framework-compliant routes and stock management.
The point is not merely that councils are buying kit. It is that they are connecting kit replacement to transformation, flexible working and cyber resilience. That is why one contract award explicitly linked equipment renewal to the council’s transformation programme and maintaining cybersecurity and systems resilience. A device refresh is now a resilience project disguised as an IT store order.
For suppliers, this is where mid-value, repeatable income sits: device refresh, accessory supply, lifecycle management, deployment services, and endpoint security bundled with equipment replacement. The competition is usually fierce, but the buying signal is steady.
Finance systems are creating immediate technical and audit demand
The strongest short-term opportunities in the sector are around finance system migration. Kent County Council’s Oracle Cloud programme is already live in parts, with go-live scheduled for 18 August 2025 for finance and procurement modules. The council said it was “rapidly approaching what we'll call our go live”. Even where the timetable is live, there is clearly a post-go-live service requirement: cutover, data migration, support, controls testing and assurance.
This is where the market gets interesting for IT suppliers that also understand audit. The council data references an 88% user acceptance testing success rate and a critical go/no-go decision on 18 July 2025. That is a reminder that implementation risk is not just about software quality; it is about readiness gates, data integrity and the ability to pass governance scrutiny.
Glasgow’s separate Finance System Migration shows the same pattern in a later stage. The council is moving from e-Financial to Technology One, with the finance system due from 1 April 2026 and auditors identifying a “new significant risk” around data migration and system implementation. The quoted response is revealing: “we've engaged our IT audit team to complete detailed testing and evaluate the design and implementation of the controls around the new system and the data migration.”
That is a procurement opening for more than one market segment. It points to system integrators, testing specialists, data migration support, controls assurance, internal audit support, and post-implementation optimisation. Councils are treating these migrations as audit-sensitive programmes, which means assurance capability is now a selling point, not an afterthought.
Temporary bridge software is a market signal in itself
Pembrokeshire County Council’s FIMS bridge contract is a good example of how implementation programmes create secondary spend. The council approved a direct award to maintain existing FIMS during the Technology One implementation period, at a contract value of £565,737.28. The reason was simple: to prevent service disruption during a 26-month migration.
That kind of bridge contract is easy to miss if you only watch headline ERP awards. But it is often where near-term revenue sits for niche suppliers. Legacy support, interface maintenance, temporary licences, integration fixes and reporting workarounds are all monetisable while the main platform is being rolled out. If you sell into ERP programmes, the bridge spend is often as important as the core contract.
Shared services are under pressure, and single points of failure are being exposed
Not all IT pressure is about software. Some of the most telling insight in the dataset is about organisational fragility. A shared service told members that after the death of Tim Green, its Power BI expert, “we have been struggling to get to grips with providing some of the data in the same way... there is an issue around resilience and single points of failure... there does need to be given some thought to continuity planning, resilience management, and just the way that the responsibility is spread across the team.”
That is a stark admission. It shows that councils still rely heavily on individual technical specialists, and that data reporting capability can be far more vulnerable than formal governance structures suggest. For suppliers, this opens a market in managed reporting, capability transfer, documentation, and support models that reduce dependence on one person.
The same issue appears in shared technology governance more broadly. Where councils are merging services or depending on joint arrangements, procurement and continuity risks increase. Southwark’s formal notice of exit from the Brent, Lewisham and Southwark Shared Technology Service, with completion aimed for March 2028, is a reminder that shared services are not static. They can unwind, and when they do, contracts, licences and hosting arrangements all need rethinking.
For residents, the implication is straightforward: shared services can save money, but they can also create hidden fragility. If one specialist, one hosting arrangement or one integration layer fails, the user experience can deteriorate quickly.
CRM and customer contact systems are being used to reshape access to council services
One of the most commercially relevant patterns in the data is the investment in contact centres and CRM. These are not flashy projects, but they affect how residents reach the council and how performance gets measured. The sector insight says one council is switching on a new contact centre and CRM so that calls “will all be directed through one route into the council which will allow us to start immediately collecting data and reporting on the quality of our service.”
That is a strong signal. Councils want better data, more standardised routing, and more control over customer journeys. They are also clearly looking for systems that can support self-service and automation. In another case, a CRM replacement caused teething problems: multiple email notifications, fewer active member users, and the familiar “wee gremlins in the system.”
For suppliers, the opportunity is not just the CRM platform. It is implementation support, configuration, user adoption, workflow design, and post-go-live optimisation. Councils appear to be learning that a CRM that exists on paper is not the same as a CRM people actually use. That creates a market for training, service design and change support.
For the public, this affects whether requests are handled efficiently or get stuck in the cracks. A badly implemented CRM does not just frustrate officers; it can slow down responses to residents and elected members alike.
AI is entering council IT, but only with strong guardrails
AI is present in the dataset, but it is not yet the main event. The dominant message is caution. One council put it clearly: “At no point within Knowsley will AI ever make a decision. It's not there to do that. There has to be a human in the loop...”
That matters because it suggests councils are open to AI-assisted workflows, but not to ungoverned automation. The market opportunity is therefore in low-risk use cases: knowledge bases, call routing, triage, drafting support, and internal productivity tools with strong human oversight. Vendors who oversell autonomous decision-making are likely to hit resistance.
In local government, AI will be bought where it reduces pressure without creating legal or reputational exposure. That means governance, privacy notices, testing and “human in the loop” controls are not optional extras; they are the sale.
What the sector data says suppliers should do next
The IT market in local government is busy, but it is not broad-brush busy. The actionable opportunities are concentrated in a few areas:
- cyber security and recovery support, especially incident response, disaster recovery and resilience planning
- ERP migration, controls assurance and business change resource
- bridge software and temporary support around legacy finance systems
- end-user device refresh tied to transformation and cyber hardening
- CRM/contact centre implementation, optimisation and user adoption
- managed reporting and capability transfer to reduce single-person dependencies
The councils in play are Cardiff, Glasgow, Birmingham, Kent, Pembrokeshire, East Lothian, Gloucestershire, Central Bedfordshire, West Sussex, Stockport, Thurrock, Edinburgh, Kingston upon Thames, Wrexham and Solihull. The presence of 15 active councils across 80 insights suggests this is not a niche issue set; it is a sector pattern.
But the money is not evenly spread. The biggest procurement signals are in ERP, finance systems, cyber resilience and device replacement. The biggest operational warnings are in recovery, continuity and service interruption. Suppliers who pitch only software features will miss the bigger picture. The councils are buying survival, not just systems.
Actionable takeaways
For suppliers
Focus bids and account plans on the parts of the programme councils consistently under-resource: change management, data migration, testing, and post-go-live support. If you sell ERP, lead with control assurance and business transition, not just functionality. If you sell security, offer recovery and continuity as well as prevention.
For residents
Expect councils to keep spending on IT, but much of it will be invisible until something fails. Cyber incidents, finance system transitions and CRM teething problems can all affect how quickly you get a service or whether the council can process it properly. The key question is not whether your council has bought new software; it is whether that software is stable and usable.
For partners and integrators
The most valuable roles are now the ones that sit between systems: audit, data migration, temporary bridge support, reporting, and service redesign. Councils are signalling they need help joining things up, not just deploying products. That creates room for long-term advisory and managed service relationships — especially where support windows are tight, such as Glasgow’s 2027 SAP end-of-support deadline and Cardiff’s next-cycle ERP planning.