
Public sector organizations sit at a crossroads: citizens expect Amazon‑smooth self‑service, while new laws tighten the screws on accessibility, security, and tender transparency.

A modern CMS is the engine of that experience. Yet a poor choice locks in technical debt, invites compliance fines, and can crumble under peak traffic.

Below we frame the stakes, surface early pitfalls, and equip procurement leads with a quick self‑audit. 

Learn more: 6 Steps to Procure a Future-Proof Public Sector CMS »

Digital Ambitions Meet Legal Reality

Norway now ranks 4th on the OECD Digital Government Index, reflecting a national push for user‑centred, joined‑up services. The Government’s 2024‑2030 Digitalization Strategy calls on every public body to build “seamless digital journeys” and reuse data across agencies. But that mission comes with guard‑rails:

  • Universal design: Public sites must satisfy 48 separate WCAG 2.1 success criteria under EN 301 549 from January 2023.
  • Accessibility enforcement: The Authority for Universal Design of ICT now carries an explicit mandate to sanction non‑compliant bodies.
  • Procurement transparency: All high‑value ICT tenders must be published on Doffin and—above EU thresholds—on TED.

CMS 101: Why It Matters to Non‑tech Buyers

A content management system lets staff publish and govern web content without coding, while exposing APIs for integrations like ID‑porten or case handling systems.

In practice, the CMS becomes the digital front door for everything from crisis bulletins to permit applications. Choosing wisely therefore shapes user trust and operational costs.

Compliance Stakes You Can’t Ignore

| Requirement | What the law demands | Risk of a weak CMS |
| --- | --- | --- |
| WCAG 2.1 / EN 301 549 | 48 criteria for public bodies, incl. keyboard navigation and contrast | Formal sanctions and reputational damage |
| GDPR & Infosec | Adequate security controls (Art. 32) or face fines | Data‑breach liability; negative press |
| ISO 27001 expectation | Many tenders cite certification to prove best‑practice infosec | Extra audit costs or disqualification |

Hidden Costs of “Good Enough” Platforms

  • Vendor lock‑in: Proprietary stacks hamper future migrations and inflate day‑rate customizations.
  • Performance meltdowns: Norway's Altinn-service once buckled under tax‑deadline traffic, spotlighting the price of limited scalability.
  • Legal friction: CMS contracts that can’t slot into the Norwegian SSA‑L SaaS template trigger lengthy legal reviews and project delays.

Your Five Minute Self Audit

  1. User journeys: Do you know your top five citizen “tasks to be done”?
  2. Accessibility gaps: Have you run a WCAG 2.1 audit in the past 12 months?
  3. Integration map: Which back office systems must talk to the CMS?
  4. Security posture: Can vendors evidence ISO 27001 or equivalent?
  5. Procurement route: Open, restricted, or competitive dialogue? Have you aligned with competitive dialogue rules?

If any answer feels shaky, it’s time for deeper due diligence.

Next Step: Get the Full Checklist

This article primes the conversation; the real work starts with a structured requirements list. Read the free checklist “What You NEED to Remember in Public Sector CMS Procurement” for a step‑by‑step worksheet covering stakeholder workshops, evaluation matrices, and agreement clauses.

👉 See the checklist here—and move your CMS tender from guesswork to governance.


Frequently asked questions

Why is it important to conduct market dialogue before launching a tender?

Market dialogue helps you understand the supplier landscape, uncover realistic requirements and alternative solutions, and ensure that the specification of requirements is relevant and feasible.

Should external advisors be considered in the procurement process?

External advisors contribute procurement expertise and experience, and can support you in navigating regulations, requirement specifications, and process structure. This is especially useful when internal capacity is limited.

How do you ensure that the CMS solution supports universal design on the website?

All public websites must follow the requirements for universal design, based on the WCAG 2.1 standard. This should be included in the requirements specification, and the supplier must be able to document how the solution is tested and revised for accessibility.

How do you ensure that the CMS solution is secure and protects information security?

Ask the supplier to document how they work with security, both technically and organizationally. Certifications such as ISO 27001 are a good indication that security is systematically ensured. In addition, you should request routines for updating, patching, and handling security incidents.

Which government standard contract should be chosen for CMS delivered as a service by a supplier?

For CMS delivered as a service (SaaS), it is generally recommended to use SSA-L (the government’s standard contract for ongoing services). This covers, among other things, requirements for service levels (SLA), follow-up, changes, and termination of the contract.

Vegard Ottervig


Vegard Hovland Ottervig holds a Master's degree in film studies and has worked with journalism and marketing since 2010. He loves cycling, philosophy, gaming, and writing.
