Cloud: Government Poised to Launch ‘Go Cloud First’ Policy – Implications and Preparations
In a significant step toward digital transformation, the Thai government is poised to fully implement its “Go Cloud First” policy, mandating the prioritization of cloud computing for public sector IT infrastructure and services. Approved by the Cabinet in September 2023 and further reinforced in June 2024, this initiative aligns with the National Strategy (2018–2037) and the Digital Government Organization Act B.E. 2562 (2019). The Digital Government Development Agency (DGA) has released key drafts in July 2025, including frameworks and guidelines, with implementation slated to begin on October 1, 2025. This move aims to enhance efficiency, security, and service delivery across government agencies, marking a pivotal shift from traditional on-premises systems to scalable cloud solutions.
The policy encompasses a comprehensive framework for cloud management, data classification, and usage guidelines, ensuring that cloud adoption supports national goals of digital economy growth while safeguarding data sovereignty. As Thailand joins global peers in leveraging cloud technology, this article explores the policy’s details, its anticipated effects, and the necessary preparations for cloud service providers.
Overview of the Cloud-First Policy and Guidelines:
The “Go Cloud First” policy requires all government entities—including central administrations, local governments, state enterprises, and independent organizations—to adopt cloud services as the primary IT approach. Key documents outline the roadmap:
- Cloud Management Framework (Version 7): This draft announcement establishes preferences for public clouds, mandates data centers within Thailand (with exceptions requiring DGA approval), and requires sovereign clouds for highly sensitive data. Agencies must design cloud-native systems, implement security measures, and connect to a central management platform overseen by the DGA.
- Cloud Data Classification Guideline (Version 1.0): Data is categorized into three levels—Official (low-risk), Protected (medium-risk), and Highly Protected (high-risk)—based on the CIA triad (Confidentiality, Integrity, and Availability) and risk assessments. Highly Protected Data must use community or sovereign clouds to maintain sovereignty and comply with laws like the Personal Data Protection Act B.E. 2562 (2019).
- Government Cloud Usage Guideline (Version 1.0): This provides principles for procurement, security, and best practices, emphasizing public clouds first, followed by private, community, or hybrid models. It covers service types (IaaS, PaaS, SaaS), migration strategies, cost management, backup protocols, and exit planning to avoid vendor lock-in.
These guidelines, developed by the DGA and approved for consultation by the Digital Government Development Committee (DGDC) in July 2025, ensure procurement aligns with the Public Procurement and Supplies Administration Act B.E. 2560 (2017), promoting transparency and value for money.
Effects of the Policy Implementation:
The adoption of cloud usage under the “Go Cloud First” policy is expected to yield multifaceted benefits, transforming government operations and the broader economy. Key effects include:
- Enhanced Efficiency and Service Delivery
By shifting to cloud-based systems, government agencies can achieve greater scalability and flexibility, enabling faster deployment of digital services. This will reduce downtime, streamline data sharing among agencies, and improve citizen access to services such as e-government portals, potentially cutting administrative delays by up to 50% in routine processes. The policy’s emphasis on cloud-native designs will foster innovation, allowing for rapid updates and integration with emerging technologies like AI and big data analytics.
- Cost Savings and Resource Optimization
Traditional IT infrastructure often involves high upfront costs for hardware and maintenance. The pay-per-use model of cloud services is projected to lower expenses by 20-30%, freeing up budgets for other priorities. Tools like pricing calculators and billing alerts will enable real-time monitoring, preventing overspending and promoting fiscal responsibility.
- Improved Security and Data Sovereignty
With mandatory data classification and security standards aligned with the Cybersecurity Act B.E. 2562 (2019), the policy will bolster defenses against cyber threats. Requiring data storage in Thailand enhances sovereignty, reducing risks from foreign data breaches and ensuring compliance with national laws. This could lead to fewer incidents of data loss, build public trust in digital government services.
- Economic and Societal Impacts
On a macro level, the policy will stimulate the domestic cloud market, creating jobs in IT and related sectors while attracting investments from global providers. It supports Thailand’s digital economy ambitions, potentially boosting GDP growth through increased productivity. However, challenges such as the need for workforce upskilling and potential initial disruptions during migration must be managed to mitigate short-term effects.
Overall, these effects position Thailand as a regional leader in digital governance, aligning with ASEAN’s digital integration goals.
Addressing Potential Concerns and Global Precedents:
While the “Go Cloud First” policy promises substantial advantages, it has sparked debates regarding potential risks, particularly in areas of national security, data sovereignty, and privacy. Critics argue that relying on cloud services, especially from foreign providers, could lead to loss of control over sensitive data transferred abroad, increasing vulnerabilities to cyber-attacks or unauthorized access. Concerns include jurisdictional ambiguities, where foreign governments might compel access to data under their laws, potentially violating Thai data secrecy and personal privacy protections. Additionally, there are worries about unencrypted data exposure, misuse through AI analysis by providers for business or intelligence purposes, and broader implications for financial institutions handling critical economic data. These issues underscore the need for robust local cloud development, stringent data classification, encryption, multi-factor authentication, and continuous monitoring to safeguard national interests.
However, these concerns can be effectively mitigated, as evidenced by successful cloud adoptions in Western financial sectors. Major banks in the US and Europe have embraced cloud technologies from providers like AWS, Azure, and Google Cloud, demonstrating that with proper safeguards, the benefits outweigh the risks. For instance, JPMorgan Chase and Bank of America have partnered with Microsoft Azure to enhance their operations, leveraging the platform for improved resilience and innovation in services like fraud detection and customer analytics. Wells Fargo employs a multi-cloud strategy with both Azure and Google Cloud, focusing on scalability and data management while maintaining compliance with stringent regulations such as the Gramm-Leach-Bliley Act. In Europe, HSBC and Barclays have integrated AWS for core banking functions, achieving cost efficiencies and faster digital transformations without compromising security. Capital One, a prominent US bank, completed a full migration to AWS, resulting in enhanced agility and reduced infrastructure costs, serving as a model for secure cloud usage in regulated environments. These examples illustrate how Western banks navigate similar sovereignty and privacy challenges through hybrid models, data localization where required, and advanced encryption, leading to operational improvements and regulatory adherence.
Cloud providers further bolster these efforts with robust policies designed to resist unwarranted government or third-party data access. Amazon Web Services (AWS) adheres to the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which requires legal processes like warrants for data disclosure, and publishes transparency reports detailing government requests while challenging overbroad demands in court. Microsoft Azure emphasizes data sovereignty through regional data centers and commitments to only disclose data when legally compelled, often pushing back against requests lacking proper authorization under frameworks like the EU’s GDPR. Google Cloud similarly prioritizes user privacy, offering tools for data residency and encryption keys managed by customers, and has a history of litigating against U.S. government surveillance orders to protect client information from unauthorized access. These policies, combined with compliance certifications like ISO 27001 and SOC 2, enable providers to safeguard data against external pressures, providing reassurance for Thai agencies adopting cloud solutions.
Preparations for Cloud Providers:
To capitalize on this opportunity, cloud service providers must align with the policy’s stringent requirements. The DGA will evaluate and certify providers, publishing an approved list for government procurement. Key preparations include:
| Aspect | Requirements | Actions for Providers |
| Compliance and Certification | Providers must meet DGA standards for security, data classification, and management. Certification may involve fees and annual reviews. | Undergo DGA evaluations, implement controls per the Cybersecurity Standards for Cloud Systems (2024), and prepare documentation for audits. |
| Data Localization | Data centers and storage must be in Thailand, with sovereign cloud options for sensitive data. | Invest in local infrastructure or partner with Thai entities to ensure compliance, avoiding offshoring without approvals. |
| Security and Best Practices | Support VPCs, encryption, vulnerability testing, and backup/recovery tools. | Enhance offerings with features like AWS Backup or Azure Backup, provide training on secure configurations, and develop exit strategies to prevent lock-in. |
| Service Models and Scalability | Offer IaaS, PaaS, SaaS with flexible pricing and migration support. | Customize solutions for government needs, including pricing calculators and alerts, while ensuring interoperability with existing systems. |
| Ecosystem Engagement | Participate in public consultations and DGA collaborations. | Engage in training programs, contribute to the cloud ecosystem, and monitor updates via DGA resources like https://kb.dga.or.th/cloud/. |
Providers who proactively address these areas will gain a competitive edge in serving Thailand’s public sector, estimated to expand significantly under the policy.
Conclusion:
The Thai government’s launch of widespread cloud usage through the “Go Cloud First” policy represents a forward-thinking commitment to digital excellence. By fostering efficiency, security, and innovation, it promises substantial benefits for citizens and the economy. While valid concerns exist, global precedents from Western banking sectors and strong provider policies demonstrate viable paths to secure implementation. Cloud providers, in turn, must prioritize compliance and localization to thrive in this evolving landscape. As implementation unfolds, ongoing collaboration between the DGA, agencies, and industry stakeholders will be crucial to realizing the full potential of this transformative initiative.
Key Takeaways:
Enhanced Data Security: Compared to the current decentralized systems used by individual agencies, the cloud-based approach with standardized security protocols and centralized oversight will provide stronger protection for government data.
Strategic Shift: Thailand’s “Go Cloud First” policy, effective October 2025, mandates cloud prioritization for government IT, aligning with national digital economy goals.
Operational Benefits: Cloud adoption will enhance efficiency, reduce costs by 20-30%, and improve service delivery through scalable, cloud-native systems.
Security and Sovereignty: Strict data classification and local storage requirements ensure compliance with Thai laws, reducing cyber risks and enhancing trust.
Global Precedents: Western banks like JPMorgan Chase and HSBC demonstrate secure cloud use, mitigating concerns about data privacy and sovereignty.
Provider Readiness: Cloud providers must invest in local infrastructure, comply with DGA standards, and offer robust security to serve Thailand’s public sector effectively.
Government Control: Regardless of which cloud provider the government uses, the government retains sovereignty and control over its data through mandated localization and policy safeguards.
Author: Panisa Suwanmatajarn, Managing Partner.
Other Articles
- Proposed Amendments to Anti-Corruption Legislation to Align with OECD Standards
- Notification of the Competent Officer on Exchange Control (No. 38) — Draft Amendment
- Thailand’s Proposed Updates to the Non-Preferential Certificate of Origin Framework for Exports to the United States and the European Union
- Thailand’s Expanding Trade Network: Key Updates on FTAs with Partner Countries
- Thailand FDA — Proposed Food Labelling Rules for Prepackaged Foods
- U.S. Tariff Developments Post Supreme Court Ruling