Pakistan’s First Cloud Policy Yet to Be Enforced Four Years On, Audit Flags Data Security Risks
ISLAMABAD
Pakistan’s first National Cloud Policy has yet to be implemented four years after its approval, with an official audit warning that delays in licensing data centres and migrating government systems to the cloud have increased cybersecurity and regulatory risks.
The policy required sensitive government and citizen data to be stored on servers located within Pakistan and directed public institutions to adopt cloud infrastructure instead of establishing independent data centres.
However, auditors found that the country has yet to introduce a functional licensing regime for data centres, while unregistered facilities have continued to emerge, creating gaps in regulatory oversight and exposing critical data infrastructure to potential cyber threats.
The audit said the policy envisioned a comprehensive framework covering data centre licensing, cybersecurity standards, infrastructure requirements and the migration of government data to secure cloud platforms, but key provisions remain unimplemented.
It also noted that the Pakistan Telecommunication Authority (PTA) has not finalised the promised licensing framework despite existing laws already requiring data centres to be licensed.
Responding to the audit, the PTA said a new regulatory framework is currently under development and that conventional licensing has not been enforced while the updated regime is being prepared.
The audit warned that the continued absence of a licensing framework has weakened regulatory oversight and increased risks to data security, raising concerns over the protection of sensitive public-sector information.




