For public sector institutions, a website is not simply a communications channel. It is part of the organisation’s public service infrastructure: a place where residents, businesses, partners and oversight bodies access information, complete tasks and assess the institution’s transparency. Because of this, decisions about hosting should be treated as governance and risk-management decisions, not just technical ones.
It is common for a website developer to offer hosting as part of the project. While this may appear convenient at the procurement stage, it can create long-term dependency and reduce the institution’s control over a critical digital asset. In many cases, hosting the website with an independent, professional provider is the safer and more sustainable option.
Why developer-controlled hosting can create unnecessary risk
1. Independence and operational control
When the same supplier both builds and hosts the website, the institution can become overly dependent on one company. If the relationship deteriorates, the supplier changes its business model, or support becomes slow, the institution may struggle to make changes or move the site quickly.
For public bodies, this is especially important. Procurement rules, framework changes and internal governance decisions may require a change of supplier at short notice. Independent hosting makes it easier to appoint a new development partner without disrupting public access to essential information and services.
2. Clear ownership of infrastructure and data
Institutions should always know where their website is hosted, who administers the servers, and who has access to the content management system, backups and domain settings. If these details sit only with the developer, the organisation may not have full practical control over its own website.
This matters not only for continuity, but also for accountability. Public sector decision-makers need a clear record of suppliers, systems and responsibilities so that they can manage risk properly and respond to audits, incidents or supplier transitions.
3. Better compliance and GDPR oversight
Website hosting can involve the processing of personal data, even on relatively simple public sector websites. Contact forms, event registrations, analytics tools, cookies, user accounts and server logs may all fall within GDPR considerations. If hosting is bundled informally with development, the institution may not have sufficient visibility over where data is stored or how it is protected.
Using a professional hosting provider with clear contractual terms makes it easier to confirm data location, security measures, retention practices and incident response arrangements. This supports stronger compliance management and helps institutions demonstrate that they have exercised appropriate oversight of processors and sub-processors.
4. Security, resilience and business continuity
Professional hosting providers are typically better equipped to deliver structured security controls, monitoring, patching, backup routines and disaster recovery processes. A developer may be highly capable at design and implementation, but that does not automatically mean they operate hosting infrastructure to the standard expected for public-facing government services.
For EU public sector institutions, resilience is not optional. Website downtime can interrupt access to statutory information, public notices, service updates and accessibility statements. Independent hosting arrangements can make it easier to define service levels, backup frequency, recovery expectations and escalation procedures in a way that supports operational continuity.
5. Accessibility and performance responsibilities
Accessibility is not only about design and content. Hosting quality also affects whether users can reliably access the website, including people using assistive technologies or older devices and slower connections. Poor hosting performance can undermine an otherwise compliant website.
A suitable hosting provider should support stable uptime, fast loading times, secure connections and predictable performance. These factors help institutions meet their obligations to provide digital services that are usable, inclusive and consistently available to the public.
Questions every institution should ask its developer
If your website is already live and you are unsure where it is hosted, this should be clarified immediately. Decision-makers do not need to manage the technical details themselves, but they should ensure the organisation has full visibility and documented control.
- Where is the website hosted?
The institution should know the hosting provider, the country or region where the infrastructure is located, and whether any third parties are involved. This is important for security, procurement oversight and GDPR accountability.
- Who owns the hosting account?
The hosting contract should ideally be in the institution’s name, not the developer’s. This makes it much easier to retain control if the supplier relationship changes.
- Who has administrative access?
You should have a clear list of who can access the server, CMS, database, backups and domain settings. Access should be limited, documented and reviewed regularly.
- How are backups managed?
Ask how often backups are taken, where they are stored, and how quickly the site can be restored. Public institutions should not discover backup weaknesses only after an incident occurs.
- What security measures are in place?
This includes patching, malware monitoring, firewall protection, SSL certificates and incident response procedures. Security responsibilities should be defined contractually rather than assumed.
- Can the website be transferred easily?
The institution should be able to move the website to another provider without excessive delay, cost or technical obstruction. Avoid arrangements that create supplier lock-in.
A practical approach for public sector organisations
In many cases, the most robust model is for the institution to contract directly with a trusted hosting provider and then grant the developer the access needed to build and maintain the website. This keeps strategic control with the organisation while still allowing the developer to do their work efficiently.
It also supports better governance. The institution retains visibility over hosting, domains, backups and access rights, while procurement and legal teams can review contracts for compliance, security and data protection requirements. If a new supplier is appointed later, the transition is usually far simpler.
Conclusion
Hosting a public sector website with the developer may seem convenient, but convenience at the start of a project can lead to avoidable risk later. For institutions that must ensure transparency, continuity, accessibility and compliance, independence matters.
By using an appropriate hosting provider and keeping contractual and administrative control within the organisation, public sector bodies can reduce supplier lock-in, strengthen GDPR and security oversight, and ensure that their website remains a reliable public service asset over time.