Qatar’s Cloud First Policy

Strategies and Action Plans

The Cloud First Policy is a strategic framework developed by the Ministry of Communications and Information Technology (MCIT) in Qatar. It aims to drive the adoption of cloud computing across all government agencies. The policy is designed to modernise IT infrastructure, improve service delivery, and reduce costs while ensuring compliance with national regulations and data protection laws. By prioritising cloud solutions provided by endorsed cloud service providers (CSPs), the policy seeks to position Qatar as a digital leader in the region, fostering innovation and operational efficiency.

The policy applies to all government agencies managing IT infrastructure, platforms, applications, and e-services. It encompasses both new projects and existing systems undergoing updates or refreshes. Cloud service models such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) are central to this initiative, as are deployment models including public, private, and hybrid clouds. These elements align with Qatar’s broader digital transformation goals under the Qatar National Vision 2030 and the Cloud Policy Framework (2022).

By migrating government IT systems to the cloud, the policy seeks to unlock numerous benefits such as cost efficiency, scalability, enhanced security, and agility. In doing so, it also sets an example for private sector organisations to follow, encouraging a national shift toward cloud-based solutions.

Key policy objectives

  • Accelerate the adoption and migration of government IT systems to endorsed CSPs, ensuring they are the first option considered.
  • Maximise the benefits of cloud computing, including cost savings, scalability, improved security, and operational flexibility.
  • Guarantee compliance with legal, regulatory, and security requirements in Qatar, particularly through data classification and risk assessment.
  • Foster a coordinated and governed approach to cloud adoption across government agencies.

Scope and application

The Cloud First Policy is applicable to all government entities in Qatar. It focuses on any planned investments or upgrades related to IT systems, platforms, or infrastructure. This includes new developments, renewals, and maintenance activities. Agencies are required to consider cloud adoption strategies aligned with Qatar’s legal and regulatory frameworks, including the National Information Assurance Policy and the NCSA Cloud Security Policy.

The policy further emphasises the importance of ensuring data protection and security, particularly for classified data and personally identifiable information (PII). Government agencies must conduct detailed risk assessments and adopt safeguards, such as encryption, to ensure secure migration and storage of data.

Policy provisions

  • Adoption and governance: Government agencies must evaluate and adopt cloud solutions offered by endorsed CSPs as a first priority. Any exceptions require formal approval. Agencies must develop cloud exit strategies and integrate cloud services into business continuity and disaster recovery plans.
  • Data classification: Agencies must classify their data into five levels, ranging from public (C0) to national security (C4). Data at the C4 level is exempt from migration to the cloud. Personally identifiable information must be protected in compliance with Qatar’s data privacy laws.
  • Data ownership and management: Agencies retain full ownership of their data throughout its lifecycle, while CSPs act as custodians. Agencies must ensure proper data destruction protocols and standard data formats to facilitate portability and compliance.
  • Risk management and compliance: Agencies are required to perform regular risk assessments and audits to identify and address potential security or operational risks. The cloud exit strategy must be tested periodically to ensure its viability.
  • Implementation progress and review: Agencies are responsible for preparing and submitting a cloud adoption report within three months of the policy’s release. Ongoing progress must be tracked, and compliance with the policy must be demonstrated when requested by the MCIT.

The MCIT, through its Cloud Computing and Networks Department, provides governance and support for the adoption of cloud services. This includes onboarding agencies to endorsed CSPs, managing cloud credits, and offering technical assistance for cloud migration. Additionally, the MCIT will facilitate training programs to build cloud capabilities across government entities.

The policy takes effect immediately, requiring all government agencies to prioritise cloud migration and align their IT strategies with the guidelines provided.