On-Premises vs Cloud for Regulated Businesses – Edinburgh Guide
The cloud vs on-prem debate is over for most businesses. But for regulated Edinburgh firms – financial advisers under FCA oversight, law firms bound by SRA standards, healthcare providers handling NHS data – it’s far more nuanced than “move everything to Azure.”
78% of UK financial services firms now use public cloud in some capacity, yet 54% still maintain on-premises infrastructure for their most critical workloads (FCA Technology and Innovation Report, 2024). That split isn’t reluctance to modernise. It’s a rational response to data sovereignty requirements, regulatory expectations, and the practical reality that some workloads genuinely belong on hardware you control.
This guide covers the real trade-offs for Edinburgh’s regulated sectors – not the cloud marketing pitch and not the on-prem nostalgia. By the end, you’ll have a clear framework for deciding which workloads belong where.
TL;DR: Most regulated Edinburgh businesses don’t need to choose between on-premises and cloud – they need both. The hybrid model keeps sensitive data processing on-prem while moving collaboration, email, and disaster recovery to the cloud. 78% of UK financial firms use cloud but 54% keep critical workloads on-premises (FCA, 2024). The right architecture depends on your regulatory obligations, not a technology preference.
What Do UK Regulators Actually Require for Data Hosting?
None of the major UK regulators prohibit cloud adoption outright. The FCA’s guidance on outsourcing and third-party risk management (PS21/3, 2021) requires firms to maintain operational resilience regardless of where data is hosted. The SRA’s requirements focus on client confidentiality and data protection rather than mandating specific hosting models. NHS Digital’s Data Security and Protection Toolkit (DSPT) assesses security practices, not infrastructure choices.
That said, each regulator has specific expectations that affect your architecture decisions. Understanding them prevents costly over-engineering and dangerous under-compliance.
FCA Requirements for Financial Services
The FCA requires firms to identify and map their “important business services” and set impact tolerances for disruption. Under PS21/3 operational resilience rules, firms must demonstrate they can stay within those tolerances even if their cloud provider experiences an outage. That doesn’t mean “don’t use cloud” – it means “have a tested plan for cloud failure.”
The FCA also expects firms to maintain adequate oversight of third-party providers. If you host client data in AWS or Azure, you need documented evidence of: data location (UK data centres), encryption standards, access controls, incident notification procedures, and exit planning. The FCA has explicitly stated that cloud concentration risk – relying on a single cloud provider for all critical services – is an area of regulatory focus.
SRA Requirements for Law Firms
The SRA Principles require solicitors to maintain client confidentiality. SRA guidance on cloud computing (SRA, 2023) confirms that cloud storage of client data is acceptable provided the firm maintains adequate security controls, conducts due diligence on the provider, and can demonstrate compliance with GDPR data processing requirements.
The practical implication: Edinburgh law firms can use cloud services for client data, but they must document their risk assessment, choose providers with UK data centres, and ensure they can retrieve all data if the cloud relationship ends.
NHS DSPT Requirements
The NHS Data Security and Protection Toolkit doesn’t mandate on-premises hosting. AWS, Azure, and Google Cloud all hold DSPT conformance for their UK regions. Edinburgh healthcare providers and NHS suppliers can use cloud services provided the data stays in UK data centres and the provider meets DSPT requirements.
No major UK regulator – FCA, SRA, or NHS Digital – prohibits cloud adoption for regulated data. The FCA’s PS21/3 operational resilience rules (2021) require firms to maintain service continuity regardless of hosting model, while the SRA’s cloud computing guidance explicitly permits cloud storage of client data with adequate security controls and UK data residency.
How Does the Cost Compare – CapEx vs OpEx?
The financial comparison between on-premises and cloud is more complex than vendor calculators suggest. Gartner found that organisations moving to cloud saw an average 15% increase in IT spending in the first year, with cost savings typically materialising from year three onwards (Gartner, 2024). The savings aren’t automatic – they require active cost management.
On-Premises Costs (CapEx Model)
A typical on-premises infrastructure refresh for a 50-person Edinburgh professional services firm includes:
- Two servers with hypervisor: £15,000-25,000
- Storage (SAN or NAS): £8,000-20,000
- Networking (switches, firewall): £3,000-8,000
- UPS and rack: £2,000-5,000
- Windows Server licences: £2,000-4,000
- Installation and configuration: £3,000-6,000
- Total upfront: £33,000-68,000
Amortised over five years with annual maintenance (£5,000-8,000/year), the total five-year cost is approximately £58,000-108,000. That’s £970-1,800 per month in equivalent terms.
Cloud Costs (OpEx Model)
An equivalent cloud setup for 50 users – two virtual servers, 2TB storage, backup, and networking – costs approximately £1,500-3,500 per month on Azure or AWS depending on instance sizes and storage tier. That’s £18,000-42,000 per year, or £90,000-210,000 over five years.
Cloud is often more expensive on a pure infrastructure comparison. Where it saves money is in reduced management overhead, eliminated hardware failure risk, and elastic scaling. If your Edinburgh business has predictable, steady workloads, on-prem can be cheaper. If your workloads fluctuate or you want to avoid hardware refresh cycles, cloud wins on flexibility.
What we’ve calculated for clients: For Edinburgh professional services firms with steady workloads of 30-80 users, on-premises infrastructure typically costs 20-40% less than equivalent cloud over a 5-year period when you factor in all costs honestly. The break-even point shifts toward cloud when you add disaster recovery, high availability, and the value of eliminated hardware management. The cheapest option for most is hybrid – on-prem for steady workloads, cloud for DR and burst capacity.
What About Data Sovereignty and UK Data Centres?
Post-Brexit, UK data protection operates under the UK GDPR and Data Protection Act 2018. Personal data can be stored outside the UK only in countries with an adequacy decision from the UK government. The EU received an adequacy decision, meaning data transfers to EU-based cloud regions are permitted. Transfers to the US operate under the UK Extension to the EU-US Data Privacy Framework (ICO, 2024).
For regulated Edinburgh businesses, the practical guidance is straightforward: use UK data centres. All three major cloud providers operate UK regions – AWS UK (London), Azure UK South (London) and UK West (Cardiff), and Google Cloud London. Choosing a UK region ensures data stays under UK jurisdiction with no cross-border transfer complications.
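The following added example, which is not from the original guide, checks a constructed resource inventory against the UK regions named above (using the provider region identifiers eu-west-2, uksouth, ukwest and europe-west2) and flags regulated resources that sit elsewhere or have no recorded encryption at rest. The inventory fields and resource names are hypothetical.

```python
"""UK data-residency check over a cloud resource inventory (added example)."""

# Region identifiers for the UK regions named in the guide.
UK_REGIONS = {
    "aws": {"eu-west-2"},            # AWS Europe (London)
    "azure": {"uksouth", "ukwest"},  # Azure UK South (London), UK West (Cardiff)
    "gcp": {"europe-west2"},         # Google Cloud London
}

# Constructed inventory: names and fields are hypothetical.
INVENTORY = [
    {"name": "case-db-replica", "provider": "azure", "region": "uksouth",
     "encrypted": True, "regulated": True},
    {"name": "client-docs-backup", "provider": "aws", "region": "eu-west-1",
     "encrypted": True, "regulated": True},
    {"name": "dr-vault", "provider": "Azure", "region": "UK West",
     "encrypted": False, "regulated": True},
    {"name": "portfolio-archive", "provider": "gcp", "region": None,
     "encrypted": True, "regulated": True},
    {"name": "marketing-site", "provider": "gcp", "region": "us-central1",
     "encrypted": True, "regulated": False},
]


def normalise(value):
    """Lower-case and drop spaces so 'UK West' matches 'ukwest'."""
    return (value or "").replace(" ", "").lower()


def residency_findings(inventory):
    """Return (resource, issue) pairs for regulated resources only."""
    findings = []
    for res in inventory:
        if not res.get("regulated", True):  # unlabelled resources count as regulated
            continue
        provider = normalise(res.get("provider"))
        region = normalise(res.get("region"))
        allowed = UK_REGIONS.get(provider)
        if allowed is None:
            findings.append((res["name"], f"unknown provider '{provider}'"))
        elif not region:
            findings.append((res["name"], "no region recorded"))
        elif region not in allowed:
            findings.append((res["name"], f"outside UK regions: {region}"))
        if not res.get("encrypted", False):
            findings.append((res["name"], "encryption at rest not evidenced"))
    return findings


if __name__ == "__main__":
    for name, issue in residency_findings(INVENTORY):
        print(f"{name}: {issue}")
```

Resources with a missing region or an unrecognised provider are reported rather than skipped, so gaps in the inventory surface as findings instead of passing silently.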
When On-Premises Data Sovereignty Matters
Some Edinburgh businesses face data sovereignty requirements that go beyond “UK data centres.” Defence sector contractors may have classified data handling requirements that prohibit cloud hosting entirely. Certain FCA-regulated activities may require physical control of hardware for audit purposes. Some client contracts explicitly mandate on-premises data storage.
These are edge cases, not the norm. But if your business operates under one of these constraints, cloud isn’t an option for those specific workloads regardless of cost benefits.
All three major cloud providers operate UK data centre regions – AWS London, Azure UK South/West, and Google Cloud London – satisfying UK GDPR data residency requirements. The ICO confirms that UK data protection law permits cloud storage provided adequate safeguards are in place (ICO, 2024). For most regulated Edinburgh businesses, “data sovereignty” is a solved problem in the cloud.
When Does On-Premises Still Make Sense?
Despite the industry narrative that everything should be in the cloud, specific workload patterns and regulatory requirements make on-premises infrastructure the better choice. IDC found that 37% of UK enterprises plan to increase on-premises spending in 2025-2026, driven by data sovereignty, performance requirements, and cloud cost optimisation (IDC UK IT Spending Survey, 2025).
On-premises makes sense for Edinburgh businesses when:
- Predictable, high-utilisation workloads: Database servers running at 70-90% utilisation 24/7 are cheaper on-prem than in the cloud
- Large data volumes with low latency requirements: Edinburgh engineering firms, media companies, or research organisations processing terabytes of data locally
- Contractual requirements: Client contracts or framework agreements that mandate physical data control
- Air-gapped environments: Defence, intelligence, or ultra-high-security environments with no internet connectivity
- Application compatibility: Legacy applications that require specific hardware, licensing models tied to physical servers, or software that doesn’t support cloud deployment
The common thread is control and predictability. If you know exactly what your workload looks like for the next five years and it doesn’t change, on-prem often wins on cost.
When Is Cloud the Clear Winner?
Cloud infrastructure excels in scenarios that on-premises struggles with. Flexera’s 2025 State of the Cloud Report found that 89% of enterprises have a multi-cloud strategy, with disaster recovery and business continuity cited as the top cloud use case by 63% of respondents (Flexera, 2025).
Cloud is the clear winner for Edinburgh regulated businesses when:
- Disaster recovery: Replicating your on-prem servers to Azure Site Recovery or AWS costs a fraction of maintaining a second physical site
- Email and collaboration: Microsoft 365 or Google Workspace in the cloud is superior to on-prem Exchange in every measurable way – uptime, security, compliance features
- Variable workloads: Seasonal businesses, project-based firms, or companies with unpredictable growth
- Remote workforce: Edinburgh firms with hybrid workers need cloud-accessible applications
- Compliance evidence: Cloud providers offer compliance dashboards, audit logs, and certifications that are expensive to replicate on-prem
The strongest argument for cloud in regulated sectors isn’t cost – it’s the security and compliance tooling. Azure’s Compliance Manager, AWS Artifact, and the built-in encryption, access logging, and threat detection in cloud platforms would cost tens of thousands to replicate on-premises.
What Does a Hybrid Architecture Look Like?
The hybrid model combines on-premises infrastructure with cloud services, keeping each workload where it performs best. According to Nutanix’s Enterprise Cloud Index (2024), 65% of enterprises are adopting hybrid cloud as their target operating model, up from 49% in 2022. It’s not a compromise – it’s increasingly the default architecture for regulated businesses.
A Practical Hybrid Setup for an Edinburgh Law Firm
Here’s what a hybrid architecture looks like for a 40-person Edinburgh law firm:
- On-premises: Case management system (bespoke, requires local SQL Server), document management with large file volumes, practice management database
- Cloud (Microsoft 365): Email (Exchange Online), Teams for collaboration, SharePoint for shared documents, OneDrive for individual files
- Cloud (Azure): Disaster recovery via Azure Site Recovery replicating on-prem servers, Azure AD for identity management, Microsoft Defender for Endpoint
- Connectivity: Azure ExpressRoute or site-to-site VPN connecting on-prem to cloud resources
This architecture keeps sensitive case data on servers the firm physically controls while moving collaboration, email, and backup to the cloud. It satisfies SRA client confidentiality requirements, provides disaster recovery that would be prohibitively expensive on-prem, and gives hybrid workers access to email and documents from anywhere.
What we’ve found works best: The Edinburgh law firms and financial advisers we work with almost always land on a hybrid model. They keep their core business application (case management, portfolio management, practice software) on-prem where it runs fastest and satisfies their compliance comfort level. Everything else – email, collaboration, backup, DR – goes to cloud. It’s not the simplest architecture, but it’s the one that satisfies both the compliance team and the finance team.
Feature Comparison – On-Premises vs Cloud vs Hybrid
| Factor | On-Premises | Cloud | Hybrid |
|---|---|---|---|
| Upfront Cost | High (£33K-68K for 50 users) | Low (pay monthly) | Medium (reduced on-prem + cloud) |
| Monthly Cost | Low (maintenance only) | £1,500-3,500 (50 users) | £800-2,000 (reduced cloud footprint) |
| 5-Year TCO (50 users) | £58,000-108,000 | £90,000-210,000 | £75,000-150,000 |
| Data Sovereignty | Full physical control | UK data centres available | Sensitive data on-prem, rest in cloud |
| Disaster Recovery | Expensive (second site needed) | Built-in (geo-redundancy) | Cloud DR for on-prem workloads |
| Scalability | Limited by hardware | Elastic | Cloud handles burst capacity |
| Security Tooling | Self-managed (expensive) | Built-in (included in platform) | Cloud tools cover both environments |
| Regulatory Compliance Evidence | Manual documentation | Automated dashboards and logs | Best of both |
| Remote Access | VPN required | Native | Cloud services native; VPN for on-prem |
| Hardware Refresh Cycle | Every 4-5 years | Provider managed | Reduced on-prem footprint to refresh |
| Best For | Stable, predictable, high-security | Variable, remote-first, growing | Most regulated Edinburgh businesses |
Frequently Asked Questions
Does the FCA allow client financial data to be stored in the cloud?
Yes. The FCA does not prohibit cloud storage of client financial data. Under PS21/3 operational resilience rules, firms must demonstrate adequate third-party risk management, data protection, and business continuity regardless of hosting model. Major banks including Lloyds, HSBC, and NatWest use AWS and Azure for regulated workloads. Edinburgh IFAs and financial planners can use cloud services provided they document their risk assessment and choose UK data centres with appropriate encryption.
What happens if our cloud provider has a major outage?
Major cloud outages do happen – Azure experienced a global outage in July 2024 that affected multiple services for several hours (Azure Status, 2024). The FCA expects regulated firms to plan for this scenario. Mitigations include multi-region deployment, on-premises fallback for critical applications, and documented business continuity procedures. A hybrid architecture provides inherent resilience because on-premises systems continue operating during cloud outages.
Is on-premises more secure than cloud?
Not inherently. Cloud providers invest billions in security infrastructure that no Edinburgh SME can match. Microsoft spends over $4 billion annually on security (Microsoft, 2025). The security risk in cloud isn’t the provider’s infrastructure – it’s misconfiguration by the customer. 82% of cloud breaches involve customer misconfiguration rather than provider vulnerability (IBM Cost of a Data Breach Report, 2024). On-premises gives you more control, but that control is only valuable if you have the expertise to exercise it correctly.
How long does a hybrid migration take for a 50-person Edinburgh firm?
A typical hybrid migration for a 50-person Edinburgh professional services firm takes 6-12 weeks. The first phase (2-3 weeks) covers Microsoft 365 migration – email, SharePoint, Teams. The second phase (2-4 weeks) sets up Azure AD, conditional access policies, and Intune device management. The third phase (2-5 weeks) configures disaster recovery, VPN connectivity, and on-prem to cloud integration. Allow additional time for user training and parallel running.
The Verdict – Hybrid for Most Regulated Edinburgh Firms
The on-prem vs cloud debate is a false binary for regulated Edinburgh businesses. Neither pure cloud nor pure on-premises satisfies every compliance, cost, and operational requirement simultaneously. The hybrid model does.
Keep your core business application and its database on servers you control. Move email, collaboration, and productivity to Microsoft 365. Use Azure or AWS for disaster recovery, backup, and any workloads that benefit from elastic scaling. Connect the two with a secure VPN or ExpressRoute.
That architecture satisfies FCA operational resilience requirements, SRA client confidentiality expectations, and NHS DSPT standards. It costs less than either pure approach over five years. And it gives your Edinburgh team the flexibility of cloud access without abandoning the control that regulators expect.
The first step is an honest assessment of your current infrastructure, regulatory obligations, and workload characteristics. Which applications must stay on-premises? Which can move to cloud immediately? Where does disaster recovery currently stand? Those answers shape the architecture.
About the author: Krzysztof Wiselka is the founder of Virtually Pro Ltd, 83 Princes Street, Edinburgh EH2 2ER. Virtually Pro provides cloud migration, hybrid infrastructure design, and compliance-focused IT consultancy for regulated Edinburgh businesses.