NEWS
Pakistan Opens Cloud First Accreditation as Six Providers Apply
Pakistan’s Cloud First Policy has shifted from approval to enforcement, with the Ministry of Information Technology and Telecommunication now formally accrediting cloud service providers. Six applications are under review four years after the cabinet signed the framework in February 2022, and once enforcement bites, federal and provincial departments cannot build separate data centres for new IT projects.
Cybersecurity rules dominate the official messaging, yet ministry briefings tie the policy’s revival to a separate target: keeping more government IT spending physically inside Pakistan as imported services climb.
The First Six Applicants Are in Review
The names of the applicants have not been disclosed. The ministry confirmed receipt on May 26, with Federal Minister for IT and Telecom Shaza Fatima Khawaja saying applicants face a security review and an audit by a third-party assessor registered with the Pakistan Computer Emergency Response Team (PKCERT, the national cyber-incident response agency).
That four-year wait between approval and enforcement matters more than the launch event itself. The Cloud First Policy text was signed on February 25, 2022, but the operational scaffolding to enforce it (a Cloud Office sitting inside the ministry, published accreditation criteria, provincial alignment) only fell into place across late 2025. Federal departments kept buying servers and floor space in the interim as if the rule did not exist.
Three Pakistani operators control roughly 65% of installed data-centre capacity inside the country: Pakistan Telecommunication Company Limited (PTCL, the country’s largest fixed-line carrier), Multinet Pakistan, and Supernet Limited, per a 2025 sector reading from Mordor Intelligence. All three are plausible accreditation candidates. Data Vault Pakistan, which launched a sovereign artificial intelligence cloud with NVIDIA in November 2025, has not yet submitted an application.
Six entrants is a thin field. It signals how few Pakistani companies meet the residency, capital, and security baseline the ministry wrote in, and how much room remains for new sovereign-cloud entrants if the framework goes the distance.

What the Accreditation Audit Demands
Accreditation rests on three pillars: data residency, a documented security posture, and an independent audit. Each provider applying must demonstrate that the servers holding Pakistani government data sit physically inside the country and remain under Pakistani legal jurisdiction. That single requirement reshapes the eligible bidder pool more than any other clause.
The security review uses ministry-set benchmarks aligned with domestic and international standards. Applicants then submit to a third-party assessment whose findings the ministry reads against its register criteria. The Interim Cloud Office has published the accreditation criteria for cloud service providers, which specify the documentation and on-site review schedule for each applicant.
What an accreditation file typically covers:
- An independent audit by a PKCERT-registered third party
- A security review against the Cloud Office’s published benchmarks
- Proof of data residency inside Pakistan’s geographic boundaries
- Listing on the accredited register before any public-sector contract is awarded
Five Data Classes, Two Storage Homes
Where a given dataset lands depends on how the ministry classifies it. Pakistan’s Cloud First Policy text sorts public-sector data into five classes, each routed to a specific kind of cloud, with security requirements scaling from baseline to highest.
For the first time, the policy ensures that Pakistan’s sensitive data is stored on servers physically located within the country, which will help keep national data under Pakistan’s legal control.
That was Shaza Fatima’s framing at the ministry briefing. The classification grid translates the intent into procurement rules.
| Data Class | Security Tier | Hosting Destination |
|---|---|---|
| Open | Baseline | Public cloud, registered provider |
| Public | Baseline | Public cloud, accredited provider |
| Restricted | Intermediate | Government cloud, accredited provider |
| Confidential / Sensitive | Enhanced | Government cloud, accredited provider |
| Secret | Highest | Private cloud or government cloud |
The split between public and government cloud is the operative line. Anything classed Restricted, Confidential, or Secret has to sit on a government-controlled environment, not a multi-tenant public service. For accredited providers, that means two markets: a competitive multi-tenant tier for low-classification workloads, and a smaller, higher-margin tier where only operators running dedicated government infrastructure can play.
Classification also matters at the procurement layer. A department buying email or file storage for general staff is dealing with Public data and a wider vendor list. A department storing tax records or biometric identifiers is dealing with at least Confidential, narrowing the pool to providers running hardened, single-tenant infrastructure inside Pakistan. The accreditation register turns that distinction into a vendor shortlist rule rather than a guideline.
The Foreign Exchange Argument Driving Cloud First
The ministry’s rationale, repeated in official briefings, is that public-sector cloud spending currently leaks abroad because most workloads run on foreign infrastructure. Shifting those workloads to operators with physical capacity inside Pakistan retains the spend domestically and trims foreign-exchange outflows at a time when the State Bank of Pakistan, the country’s central bank, is still rebuilding reserves.
The arithmetic is suggestive rather than definitive. The ministry has not published a forex-saving estimate, and the cloud spending it would redirect is folded into broader IT-services imports that Pakistan’s trade data does not break out cleanly. What the sector data does show is a domestic data-centre market climbing fast enough to absorb the demand the policy would create.
- 23.53 MW of installed data-centre IT load inside Pakistan in 2025
- 53.30 MW projected by 2030, a 17.77% compound annual growth rate per a Mordor Intelligence sector model
- $3.8 billion in Pakistan IT services exports for fiscal 2025, the country’s main offsetting foreign-exchange line
- $400 million in foreign direct investment directed at telecoms infrastructure that feeds carrier-neutral data centres
Pakistan’s macro backdrop sits behind the policy. The country still imports the bulk of its computer hardware and a substantial share of its enterprise software, per the US Department of Commerce country commercial guide. Any cloud workload running outside Pakistan adds to that services-import line. The rule treats every public-sector cloud project as a foreign-exchange decision, not just an IT one.
The Hyperscaler Question
None of the three global hyperscalers run a region inside Pakistan. Amazon Web Services (AWS, the cloud arm of Amazon) serves Pakistan from Mumbai and Bahrain. Microsoft Azure routes through UAE North or Singapore. Google Cloud uses Mumbai as the nearest region. For data classified Restricted or above, none of those routes satisfies the residency clause as written.
That leaves the hyperscalers two paths: build inside Pakistan, or restrict their bids to the lowest data class. A partnership model exists in parallel, where a global provider puts its software platform on a local partner’s hardware footprint, the way Microsoft has structured sovereign-cloud arrangements in France, Germany and several Gulf markets. Whether any of the current Pakistani applicants is a hyperscaler partnership entity is not public. Asia-Pacific governments are increasingly building data sovereignty rules into procurement rather than relying on contractual protections alone, and Pakistan’s register is a particularly stringent version of the same idea.
Hyperscalers that decide the federal market is not worth a build will cede it to PTCL, Multinet and any new sovereign-cloud entrants that pass the audit. That outcome marks the policy’s intent clearly, regardless of whether the unit economics of a Pakistan region pencil out for AWS or Azure.
How the Provinces Plug In
The federal cabinet’s policy is not self-executing across the provinces. Each province has approved its own version of the framework aligned with the federal model, and each will run a Cloud Acquisition Office to procure services for its line departments.
At the top sits the Cloud Board, chaired by the federal IT secretary, with representation from every province. Its role is policy coordination, not procurement.
Below it, the federal Cloud Office handles accreditation, runs the audit pipeline and maintains the register. It is the central choke point: until a provider lands on the register, no province can buy from it.
At the provincial level, the Cloud Acquisition Offices act as buying agents for departments that lack the technical staff to evaluate cloud contracts on their own. The structure mirrors how some federal systems handle critical-infrastructure procurement, with national accreditation and provincial purchasing.
That layered design also explains why the rollout is incremental rather than instant. A provincial Cloud Acquisition Office needs staff, training and contractual templates before it can spend; the accreditation register needs providers on it before provinces have anything to buy. Until both sides are live in the same province, departments default to the existing on-premises pattern.
Where the Roll-Out Could Stumble
Three pressure points sit in plain view. The first is the grid. Pakistan’s data-centre market grows against persistent electricity tariff escalation and reliability gaps; the Pakistan data-centre market sizing from Mordor flags elevated power costs and submarine cable redundancy as the two biggest drag factors on capacity growth. A residency policy is only as resilient as the kilowatts and bandwidth underneath it.
Talent is the next constraint. Outside Karachi, Lahore and Islamabad, certified operations staff are scarce, and accreditation requires audited security operations on a rolling basis, not a one-time check. Smaller providers will struggle to staff the audit cycle even when their hardware passes.
Hyperscaler absence is the third pressure point. If global cloud platforms stay regional rather than in-country, departments running modern AI workloads face a stark choice: re-platform onto smaller domestic providers without the feature breadth of AWS or Azure, or classify those workloads downward to keep them in scope. The latter is exactly the behavioural workaround a residency rule is supposed to prevent. Other jurisdictions experimenting with public-sector AI procurement, including New Zealand’s government AI drive, have run into the same tension between sovereignty rules and feature parity.
Six months from now, the accreditation register will tell the test result. If the list grows to eight or ten providers covering the full data-class spectrum, Pakistani public-sector IT spending begins shifting onshore at scale and the foreign-exchange case holds. If it stalls at four or five names concentrated in the lower classes, departments quietly continue buying servers, and the framework joins the longer list of approved-but-deferred Pakistani IT policies.
-
AI1 month agoSpaceX’s Google Deal Turns a Rocket Company Into a Cloud Landlord
-
CRYPTO1 month agoXPL Rallies 30% Ahead of Plasma One Card Tier Launch
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
GAMING1 month agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
AI3 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
AI1 month agoMoonshot AI Targets $30 Billion in China’s Fastest AI Funding Sprint
-
AI1 week agoWhatsApp Meta Business Agent Reaches India, With a New Pricing Meter
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
