Cloud & Data Center Regulations

Data localization by sector, government cloud policy & CSP requirements

SBP BPRD C4/2024 Data Localization Cloud First Policy

Key Data & Rates

Pakistan Data Center & Cloud Infrastructure Overview
Major data centers and cloud infrastructure providers operating in Pakistan. Verified May 3, 2026.

| Provider/Facility | Location | Type | Tier | Key Details | Reference |
| --- | --- | --- | --- | --- | --- |
| PM Cloud Startups | National (Ignite) | Government Cloud | N/A | Cloud startup program launched 2026 | IGNITE PM Cloud Startups Program |
| NADRA Data Centers | Islamabad + Regional | Government | Tier-III+ | Serves 220M+ citizens biometric data | NADRA Data Centers |
| Supernet Data Center | Karachi | Commercial | Tier-III | Major carrier-neutral facility | PTA Data Center Guidelines |
| Cyber Internet Services | Karachi | Commercial | Tier-II+ | Largest ISP data center | PTA Data Center Guidelines |
| PTA Critical Telecom Data | Nationwide | Regulatory | N/A | Critical Telecom Data Regulations (Nov 2020) | PTA Critical Telecom Data Regula... |
| SBP Banking Infrastructure | Karachi/Islamabad | Financial | Tier-III+ | SBP Cyber Shield launched Mar 2026 | SBP Cyber Shield & Banking Infra... |
| Government Cloud (Federal) | Islamabad | Government | Tier-II+ | Digital Nation Pakistan initiative | MoIT&T Government Cloud Initiative |
| NLC Data Center | Islamabad | Government | N/A | National Logistics Corporation | NTC National Data Center |
Data Localization & Cloud Regulations
Data residency and localization requirements applicable in Pakistan. Verified May 3, 2026.

| Regulation/Standard | Authority | Data Type | Requirement | Status | Reference |
| --- | --- | --- | --- | --- | --- |
| PECA 2016 | MoITT | Electronic evidence | Data preservation orders | Active | PECA 2016 – Electronic Evidence |
| Critical Telecom Data Regulations | PTA | Telecom subscriber data | Must be stored in Pakistan | Active (Nov 2020) | PTA Critical Telecom Data Regula... |
| Cyber Security Strategy 2023-2028 | PTA/MoITT | Critical infrastructure | Security framework compliance | Active | MoIT&T Cyber Security Strategy 2... |
| SBP Cyber Shield | SBP | Banking/financial data | Banking data protection | Active (Mar 2026) | SBP Cyber Shield Banking Data Pr... |
| 5G Security Guidelines | PTA | Telecom network data | Security compliance | Active (Feb 2026) | PTA 5G Security Guidelines 2026 |
| Aiming for: DPA Pakistan | MoITT | Personal data | Data localization (pending) | Draft stage - Digital Nation Bill | Digital Nation Pakistan Bill 202... |
| NADRA Act/Regulations | NADRA | Biometric/citizen data | Must remain in Pakistan | Active | NADRA Act – Biometric Data Prote... |
| National Cyber Security Framework | NCERT | All critical data | Framework compliance | Published | NCERT National Cyber Security Fr... |

Details & Regulations

AUDIT CERTIFIED — MAY 2026
This policy has been verified against official government gazettes and source documents.

Cloud & Data Center Regulations — Complete IT Company Guide

Pakistan's cloud and data center sector is growing but regulatory frameworks are still evolving. Key considerations: sector-specific data localization, SBP cloud outsourcing framework, and recommended certifications.

Data Center Requirements

| Requirement | Details | Authority |
| --- | --- | --- |
| PTA Registration | Required if providing ISP/hosting services to end-users | PTA |
| SECP Registration | Company incorporation required for data center business | SECP — Companies Act 2017 |
| No Standalone License | No explicit "data center license" exists currently — company registration suffices | |
| Building Codes | Fire safety, electrical, structural compliance per local building authority | Local authorities |
| Environmental | UPS, generators, cooling systems required for Tier II+ classification | Best practice |
| Physical Security | Access control, CCTV, security personnel, 24/7 monitoring | Best practice |
| PSEB Registration | Recommended for 0.25% WHT on export remittances | PSEB |

SBP Cloud Outsourcing Framework

Per BPRD C1/2025 (Consolidated Customer Onboarding Framework) and PSD C4/2025 (Tech Risk Framework), SBP has specific requirements for cloud outsourcing by regulated entities:

| Requirement | Details | Impact on IT Companies |
| --- | --- | --- |
| Data Localization | All banking/financial data MUST remain in Pakistan | IT companies serving banks must host locally — no AWS/GCP for bank data |
| Cloud Outsourcing Approval | 7-day advance written notice to SBP for material outsourcing; SBP approval for offshore | Must notify SBP before moving bank services to cloud |
| Third-Party Risk Assessment | Banks must conduct risk assessments of IT vendors annually | IT vendors need SOC 2 / ISO 27001 certifications |
| Disaster Recovery | Defined RTO/RPO; annual BCP testing required | IT vendors must demonstrate DR capabilities |
| Encryption | AES-256 minimum for data at rest and in transit | Must implement encryption for all bank client data |
| Audit Rights | SBP and bank auditors have right to inspect cloud infrastructure | Must provide audit access and compliance reports |

Critical: IT companies providing cloud services to banks/EMIs must comply with SBP cloud outsourcing framework. Offshore cloud hosting of banking data is prohibited.

Cloud Service Options for IT Companies

| Cloud Provider | Region | Pakistan Data Center? | SBP Compliant? | Notes |
| --- | --- | --- | --- | --- |
| AWS | Multiple | No (Bahrain/Mumbai closest) | No — for bank data | OK for non-banking IT exports |
| Google Cloud | Multiple | No (Mumbai closest) | No — for bank data | OK for non-banking IT exports |
| Azure | Multiple | No (UAE closest) | No — for bank data | OK for non-banking IT exports |
| Storich (Local) | Pakistan | Yes — Islamabad | Potentially yes | Pakistan-based data center |
| RapidCompute (Local) | Pakistan | Yes — Karachi | Potentially yes | Local IaaS provider |
| NTC Data Center | Pakistan | Yes — Islamabad | Yes — government cloud | For government projects |
| On-Premises | Own facility | Yes | Yes — if compliant | Full control, full responsibility |

Pro tip: For IT exports (non-banking), AWS/GCP/Azure are fine. For banking/fintech clients, you MUST host in Pakistan. Hybrid architectures (local for bank data, cloud for non-bank data) are becoming common.

Government Cloud (G-Cloud)

Status: Draft Policy Under Development by MoITT/NITB
  • Proposed government-wide cloud infrastructure under NTC
  • Data sovereignty requirements for government workloads — all data must stay in Pakistan
  • Multi-cloud strategy being considered (NTC primary, approved private clouds secondary)
  • Security tiers for different data classifications (public, internal, confidential, restricted)
Current Practice
  • Government departments use NTC data centers (primary) — ntc.net.pk
  • Approved private cloud solutions for specific use cases
  • Limited commercial cloud with strict security requirements
  • NTISB security guidelines mandatory for government cloud

Source: NTC | MoITT

Data Localization Requirements by Sector

| Sector | Requirement | Authority | Source |
| --- | --- | --- | --- |
| Banking/Financial | Mandatory — all financial data in Pakistan | SBP | BPRD Cloud Guidelines |
| Telecom | Mandatory — CDRs, subscriber data in Pakistan | PTA | PTA Registration Rules 2000 |
| Government | Mandatory — all government data in Pakistan | MoITT/NITB | G-Cloud Policy |
| Healthcare | Recommended — patient records in Pakistan | Provincial Depts | Draft Digital Health Policy |
| E-commerce | Partial — payment data in Pakistan | SBP/FBR | E-Payment Guidelines |
| General IT/SaaS | No strict requirement (may change with PDPB) | | |
| After PDPB Enactment | Data Transfer Impact Assessments (DTIAs) required for cross-border | PDPB (draft) | Pending |

Recommended Certifications

  • ISO 27001 (Information Security): PKR 500K-2M (estimated range — verify with provider)
  • ISO 22301 (Business Continuity): PKR 300K-1M (estimated range — verify with provider)
  • SOC 2 Type II (International clients): USD 15K-50K (estimated range — verify with provider)
  • Tier Rating (Uptime Institute): USD 50K-150K (estimated range — verify with provider)

Cloud Deployment Checklist

Before Deploying to Cloud:
  1. Check if your data needs to stay in Pakistan (banking, government, telecom = YES)
  2. If serving banks/EMIs: ensure cloud provider has Pakistan data center OR use on-premises
  3. If serving government: use NTC data center or approved government cloud
  4. Obtain PSEB registration for 0.25% WHT rate on exports
  5. Implement SBP Tech Risk Framework if serving fintech
  6. Get ISO 27001 or SOC 2 for competitive advantage with banking clients
  7. Set up VPN registration with PTA if using international cloud services
  8. Implement data classification (public, internal, confidential, restricted)

Key Legal References

| Reference | Description | Source |
| --- | --- | --- |
| BPRD C1/2025 | Consolidated Customer Onboarding — includes cloud outsourcing provisions | SBP |
| PSD C4/2025 | Tech Risk Framework — 7-day outsourcing notice, data localization | SBP |
| BPRD Cloud Guidelines | Cloud computing framework for banks (BPRD Circular 03/2020) | SBP |
| CRMD CL01/2026 | Cyber Shield — cyber resilience for all SBP-regulated entities | SBP |
| NTC Standards | Government IT security and cloud standards | NTC |
| NTISB Guidelines | Telco/ISP cybersecurity mandatory standards | NTISB |
| PTA Regulations | ISP licensing, type approval for data center connectivity | PTA |
| PDPB (Draft) | Personal Data Protection Bill — data localization, DTIAs when enacted | MoITT |

Related Policies

Pakistan Cloud First Policy 2022 — Key Provisions

The Pakistan Cloud First Policy 2022 (approved February 25, 2022) mandates a cloud-first approach for government IT and establishes the regulatory framework for cloud adoption in Pakistan:

| Provision | Details | IT Company Impact |
| --- | --- | --- |
| Cloud-First Mandate | All federal government entities must prioritize cloud-based solutions for new IT projects | Massive cloud procurement opportunities for IT companies serving government |
| Data Classification | Government data classified into categories determining cloud deployment eligibility | Compliance with data classification requirements when hosting government data |
| G-Cloud Marketplace | Government cloud marketplace for standardized procurement of cloud services | IT companies can list cloud services on G-Cloud for streamlined government procurement |
| Cloud Service Provider Framework | Licensing and compliance requirements for cloud service providers serving government | CSP registration, security certifications, and data sovereignty requirements |
| Data Sovereignty | Critical/sensitive government data must remain within Pakistan's borders | On-premise and Pakistan-based data center requirements for government cloud |
| Migration Strategy | Phased migration of existing government systems to cloud | Legacy modernization and cloud migration projects for government |

Source: Pakistan Cloud First Policy 2022 (PDF) (Federal)

Cloud & Data Center Compliance Checklist
PTA Data Center Licensing Regulations 2020
PSEB Registration Rules 2004
MoITT Cloud First Policy 2022
NTISB Security Framework 2020
PECA 2016 / PTA Data Retention Rules
SBP BPRD Circular on Data Localization
PECA 2016 Sections 3-11
NADRA Verification Rules 2016

Source Citations (6)
SBP Cloud Computing Guidelines (BPRD 03/2020): https://www.sbp.org.pk/bprd/2020/CL3.htm (verified circular)
NITB Official: https://nitb.gov.pk/ (verified website)
Ignite PM Cloud Startups: https://ignite.org.pk/ (restricted website)