Guide

Moving your small business to the cloud, without the sales pitch.

Most cloud migration articles are adverts wearing a hat. This one is different: what moving to the cloud actually involves for a UK small business, what the cloud genuinely does not do for you, where your data really lives, and who should not migrate yet. Every fact is sourced.

Published 2 July 2026

There is a reason every article about cloud migration reads like an advert: most of them are. This one is written for UK small business owners and office managers who want the actual picture, including the parts vendors skip. Every factual claim is backed by the sources listed at the end, most of them Microsoft’s and Google’s own documentation, the ICO, the NCSC and the Office for National Statistics.

The short version.

  • Moving to the cloud mostly means moving email, files and applications from equipment you own to services you rent, usually Microsoft 365 or Google Workspace. Most UK businesses have already moved: 69% of firms with ten or more employees used cloud computing in the ONS’s latest survey.
  • A wave of support deadlines is forcing the decision: Windows 10 and Exchange Server both stopped receiving security fixes in October 2025, and Windows Server 2016 follows in January 2027.
  • The cloud does not back itself up. Microsoft’s own documentation says your data remains your responsibility, and the built-in recovery windows are measured in days and weeks.
  • Where your data lives differs more than people assume: Microsoft 365 keeps UK data in UK datacentres; Google Workspace currently offers no UK region option.
  • Done in the right order, a small business migration is a sequence of small, reversible steps. Done in a panic, it is how data gets lost.

What moving to the cloud actually means.

For a typical small business it is three moves, not one:

  • Email from an in-office server (or an ageing hosted system) to Exchange Online or Gmail.
  • Files from a server in the corner or someone’s desktop to SharePoint, OneDrive or Google Drive.
  • Applications from installed software to web-based equivalents, where good ones exist.

You do not have to make all three moves, and you do not have to make them at once. Some businesses move email and files and keep one application on a local machine for years, entirely sensibly. Treating it as one all-or-nothing leap is the first mistake the brochures encourage.

Why now: the deadlines doing the pushing.

Cloud adverts have said “act now” for fifteen years. What is different in 2026 is that Microsoft’s support calendar has started saying it too:

| Product | Status |
|---|---|
| Windows 10 | Support ended 14 October 2025: no more security fixes without a paid extension |
| Exchange Server 2016 and 2019 | Support ended 14 October 2025; the paid extension expired in April 2026, so both are now fully unsupported |
| SQL Server 2016 | Support ends 14 July 2026, days after this guide was published |
| Windows Server 2016 | Extended support ends 12 January 2027 |

Two footnotes on those deadlines. First, unsupported software keeps running; the risk is that newly discovered holes never get fixed, which Microsoft itself says leaves machines “at a greater risk for viruses and malware”. Second, paid stopgaps exist: Windows 10 Extended Security Updates cost 61 US dollars per device for the first year through volume licensing, double every year after that, and deliver security-only fixes. There is a cheaper consumer route, recently extended to October 2027, but it excludes business-managed devices. ESU buys time to migrate properly; it is not a destination.

There is also a quieter pressure specific to email: Microsoft has a published enforcement system that can progressively throttle and eventually block mail sent from persistently vulnerable, out-of-date Exchange servers to Microsoft 365 recipients. If most of your customers are on Microsoft 365, an unpatched mail server slowly stops being able to talk to them.

The part nobody tells you: the cloud does not back itself up.

This is the single most useful thing in this guide, so it gets its own section.

Microsoft’s shared responsibility documentation is unambiguous: customers always retain responsibility for their data, identities and configurations, in every kind of cloud service, and Microsoft 365 is its own named example. The platforms protect their infrastructure superbly. Your deleted files are a different matter, and the built-in safety nets are bounded:

  • OneDrive and SharePoint: when a user account is deleted, their OneDrive is kept for 30 days by default, then sits in a recycle bin for 93 more, with restores getting progressively more awkward at each stage.
  • Exchange Online: items past their retention window are permanently deleted within 14 days by default, configurable to a maximum of 30.
  • Google Drive: emptied or auto-purged trash is gone after 30 days, with an admin able to pull it back for roughly 25 more; after that Google states it cannot be recovered.

None of this is a scandal; it is the deal, in writing. But it means “it’s in the cloud” and “it’s backed up” are different sentences. Something deleted quietly, maliciously or by a sync accident and not noticed for two months is gone under every default above. The fix is a separate backup of your cloud data, which is unglamorous, inexpensive and the first thing we set up after any migration. Government figures suggest most businesses have got at least part of this message: 74% back up to a cloud service. Fewer have asked what backs up the cloud itself.
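To see which of these windows your own Microsoft 365 tenant is actually running with, an administrator can read the settings back. The script below is an added example, not part of the original guide or any vendor's own code; it is read-only and assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, with `contoso` standing in as a placeholder tenant name.

```powershell
# Added example: report the tenant's real recovery windows against the
# defaults quoted above. Read-only: nothing is changed.
# Assumption: run by an administrator with both modules installed.

$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant

Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url $AdminUrl

# Exchange Online: deleted-item retention per mailbox
# (14 days by default, configurable up to 30).
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress,
        @{ Name       = 'DeletedItemDays'
           # The value may arrive as a TimeSpan or as text such as
           # "14.00:00:00"; the cast handles both.
           Expression = { ([timespan]$_.RetainDeletedItemsFor).Days } }

# Mailboxes still below the 30-day maximum.
$belowMax = @($mailboxes | Where-Object { $_.DeletedItemDays -lt 30 })

# OneDrive: days a deleted user's OneDrive is kept before it moves
# to the recycle bin (30 by default).
$oneDriveDays = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod

# Summary first, then the mailboxes worth a second look.
[pscustomobject]@{
    MailboxesChecked          = @($mailboxes).Count
    MailboxesBelow30Days      = $belowMax.Count
    ShortestMailboxWindowDays = ($mailboxes |
        Measure-Object DeletedItemDays -Minimum).Minimum
    OneDriveRetentionDays     = $oneDriveDays
} | Format-List

$belowMax |
    Sort-Object DeletedItemDays |
    Format-Table DisplayName, PrimarySmtpAddress, DeletedItemDays -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

Whatever the numbers come back as, they are still windows measured in days; the report tells you how long you have to notice a deletion, not that a separate backup exists.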

Where your data actually lives.

For most small businesses this is a preference. For some, clients, contracts or regulators make it a requirement. Either way it should be a known fact, not a shrug:

  • Microsoft 365 stores UK customers’ data at rest for its core services (email, files, Teams) in UK datacentres, which Microsoft locates in Cardiff, Durham and London. That commitment applies by default on the ordinary Business plans; a paid add-on extends it to a longer list of services, though some ancillary tools live in wider European regions regardless.
  • Google Workspace currently offers no UK storage region: the selectable options are the United States or the European Union, and the entry-level Business Starter tier gets no choice at all. That is not a security verdict, but if “kept in the UK” matters to you, it is a real difference between the two platforms today.
  • The legal position, briefly. Moving your data to someone else’s computers does not move your responsibility: under UK data protection law you remain the controller of your data. Transfers to US-based services are covered by the UK-US Data Bridge, in force since October 2023, which permits transfers to certified US businesses. For a typical small business on mainstream platforms this works quietly in the background; if you handle unusually sensitive data, take specific advice rather than a paragraph in a guide.

Security, and the rulebook that changed in April.

The cloud platforms are run to a security standard no small business could afford to replicate, and that part of the sales pitch is true. What the pitch skips is that the burglar rarely attacks the datacentre; they attack your sign-in page. The NCSC’s Small Business Guide, reviewed in April 2026, opens with the sobering context: one in two small businesses suffers a cyber incident every year.

One rule change is worth knowing by name. From April 2026, the UK’s Cyber Essentials scheme makes multi-factor authentication mandatory on all cloud services in scope, and failing to have it is an automatic assessment fail. It also expects high-risk security updates installed within 14 days. If your business holds or wants Cyber Essentials, whether for contracts or insurance, your cloud accounts are firmly inside the certification now, and unsupported software that can never receive those updates is a hard problem.

What it costs.

We deliberately do not print prices here: subscription pricing changes often enough that any figure would date this guide within months, and the right mix of licences varies by business. But the shape of the change is consistent, and worth stating plainly:

  • You stop buying servers and start paying monthly. The five-figure replacement bill every few years disappears; a per-person subscription appears. Over a hardware cycle the totals are usually closer than either camp admits.
  • The savings that are real: no server hardware to replace, no out-of-hours maintenance on it, no separate spend on the resilience the platforms include.
  • The costs that creep: licence sprawl. Subscriptions are easy to add and rarely reviewed, and in our experience the tidy-up, removing unused licences and duplicate tools, is where cloud spending is most often rescued. Budget for a review a few months after migrating.

How a sensible migration runs.

The same four steps every time, and the order is the point:

  1. Audit before anything. What runs where, who uses what, which applications genuinely need a server, and what the internet connection can actually carry. A cloud office is only as good as the line it runs on.
  2. Move email first. It is the best-understood move with the most mature tooling, and it proves the approach with the least risk.
  3. Move files second, with structure. Lifting a chaotic file server into the cloud gives you chaos with a monthly fee. Agree the structure and permissions before the copy, not after.
  4. Deal with the stragglers deliberately. The old application that needs a server gets a considered home: a modern equivalent, a hosted version, or a planned stay of execution. Then the old kit is retired on purpose, after everything on it has been proven working elsewhere, never before.

Migrations fail in the gaps: the mailbox nobody mentioned, the folder that only syncs on one laptop, the application that quietly depended on the old server. The audit is what finds those before they find you.

Who should not migrate yet.

Honesty corner. Cloud is the right answer for most small businesses, most of the time. It is the wrong answer this year if:

  • Your connectivity is not up to it. If the office runs on a single struggling copper line, fix the connection first; a cloud office on bad internet is worse than the server it replaced.
  • A business-critical application has no good cloud path. Some industry software still runs best on a local machine. Migrate around it rather than forcing it.
  • You would be migrating in a panic. If a deadline above is already breathing on you, a short paid extension bought deliberately beats a rushed migration that loses a mailbox. Buy the time, then do it properly.

None of these mean never. They mean sequence: connection, then plan, then move.

Sources and further reading

  1. Microsoft: Windows 10 support has ended on October 14, 2025 support.microsoft.com
  2. Microsoft Learn: Extended Security Updates for Windows 10 learn.microsoft.com
  3. Microsoft Learn: Exchange Server 2016 and 2019 end of support learn.microsoft.com
  4. Microsoft Learn: SQL Server Extended Security Updates FAQ learn.microsoft.com
  5. Microsoft: Support for Windows Server 2016 will end in January 2027 support.microsoft.com
  6. Microsoft Learn: Shared responsibility in the cloud (updated May 2026) learn.microsoft.com
  7. Microsoft Learn: SharePoint and OneDrive retention and deletion learn.microsoft.com
  8. Microsoft Learn: the Recoverable Items folder in Exchange Online learn.microsoft.com
  9. Google Workspace Admin Help: choose a geographic location for your data support.google.com
  10. Google Drive Help: trash retention support.google.com
  11. Microsoft Learn: Microsoft 365 data locations learn.microsoft.com
  12. ICO: how does the UK Extension to the EU-US Data Privacy Framework work? ico.org.uk
  13. IASME: changes to Cyber Essentials for April 2026 iasme.co.uk
  14. NCSC: Small Business Guide (reviewed April 2026) ncsc.gov.uk
  15. ONS: management practices and the adoption of technology in UK firms, 2023 (published March 2025) ons.gov.uk
  16. DSIT: Cyber Security Breaches Survey 2025/26 (published April 2026) gov.uk

FAQs

Common questions.

Is the cloud secure enough for a small business?

The platforms themselves are run to a standard no small business could match on its own: that part of the bargain is real. The catch is that security of your accounts, settings and data stays your job. Strong sign-in protection matters most; since April 2026, Cyber Essentials treats multi-factor authentication on cloud services as mandatory, and missing it is an automatic fail.

Do we still need backups if everything is in the cloud?

Yes, and this surprises almost everyone. Microsoft and Google run resilient platforms, but their recovery windows for deleted data are measured in days and weeks, not years, and their own documentation says your data remains your responsibility. A separate backup of your cloud data closes that gap.

Where will our data actually be stored?

It depends on the platform. Microsoft 365 stores UK customers’ data for its core services in UK datacentres in Cardiff, Durham and London. Google Workspace currently offers no UK storage region: the choices are the United States or the European Union, and the entry-level tier gets no choice at all. For most small businesses this is a preference rather than a legal problem, but if your clients or regulator care where data lives, it belongs in the decision.

Our server still works fine. Why move now?

Working and supported are different things. Windows and Exchange versions that many small businesses still run stopped receiving security fixes in October 2025, and Windows Server 2016 follows in January 2027. A server that runs happily but no longer gets patched is quietly becoming the easiest way into your business, and replacement hardware for an ageing machine is money spent on the past.
