Government mandates audits, local data storage, and cloud adoption for the public sector under the Pakistan Cloud First Policy
Pakistan has begun accrediting cloud service providers as part of a new regulatory framework aimed at tightening data security standards and shifting public-sector digital infrastructure toward locally hosted cloud systems.
The initiative, launched under the Pakistan Cloud First Policy (PCFP), is being implemented by the Ministry of Information Technology and Telecommunication (MoITT), which has so far received six applications from cloud service providers seeking accreditation.
Under the policy, cloud firms must undergo strict security vetting and independent audits conducted by third-party auditors registered with the Pakistan Computer Emergency Response Team before they can operate within the approved framework.
IT Minister Shaza Fatima Khawaja said the accreditation system is designed to ensure higher security standards and protect sensitive government and citizen data from cyber threats.
She said the policy marks a shift toward requiring that Pakistan’s sensitive data be stored on servers physically located within the country, bringing it under domestic legal jurisdiction and control.
The framework also mandates that all public sector entities, including federal and provincial departments, use cloud services for new IT projects instead of developing independent data centres.
Officials said the transition process has already begun, with provinces aligning their own cloud policies with the federal framework to ensure coordinated implementation.
To manage the rollout, MoITT has established a dedicated “Cloud Office” responsible for overseeing accreditation and facilitating adoption across government institutions. In parallel, “Cloud Acquisition Offices” will be set up at the provincial level to assist departments in procuring cloud services.
A senior ministry official said accreditation is necessary because many government departments and private entities lack visibility into the security standards followed by cloud providers, creating potential governance and cybersecurity risks.
The official added that registration will also allow regulators to track cloud investment flows in the country and prevent inefficient or excessive spending on redundant infrastructure.
A separate ministry report stated that the shift to local cloud services is expected to reduce foreign exchange outflows by replacing imported IT services with domestic providers.
Policy oversight will be carried out by a national “Cloud Board” chaired by the IT secretary, with representation from all provinces to ensure unified implementation of the framework.
Reference Link:- https://profit.pakistantoday.com.pk/2026/05/26/pakistan-launches-cloud-provider-accreditation-under-new-data-localization-push