From 1 July 2026, cloud becomes the default consideration for new ICT investments across the Australian Government. Here’s what the policy means, who it applies to, and why organisations, including those supporting government, should be preparing now.
By NEXTDC
Last updated: 26 June 2026
The Australian Government’s Whole-of-Government Cloud Computing Policy, commonly referred to as the Cloud-First Policy, marks a significant milestone in Australia’s digital transformation journey.
Effective from 1 July 2026, the policy establishes cloud computing as the default consideration for new ICT investments across Australian Government agencies. More than a technology initiative, it provides a strategic framework for how agencies will plan, procure, secure and modernise digital infrastructure to deliver secure, trusted and resilient government services.
While the policy applies directly to Australian Government agencies, its influence extends well beyond government. Enterprise organisations, cloud providers, systems integrators, managed service providers, software vendors and infrastructure partners supporting government should understand how the policy may influence future procurement, infrastructure strategy and technology investment decisions.
For organisations that have already embedded sovereign, compliant and highly connected infrastructure into their operating model, or are advising agencies that must, the policy formalises a direction that forward-looking organisations have already been moving toward. NEXTDC’s facilities are purpose-built to support exactly this: IRAP-assessed environments, Hosting Certification Framework (HCF)-certified facilities, and a nationwide interconnection ecosystem connecting government agencies to the cloud providers, carriers and partners they need.
Table of Contents
- Why Was the Policy Introduced?
- Why This Matters Now
- Policy at a Glance
- What Is the Whole-of-Government Cloud Computing Policy?
- Does This Mean Everything Must Move to Cloud?
- Who Does the Policy Apply To?
- Why Should Enterprise Organisations and Technology Partners Care?
- Cloud as the Foundation for AI
- The Five Key Policy Requirements
- Key Takeaways
- Suggested Preparation Timeline
- Official Australian Government Resources
- Planning for 1 July 2026?
| Executive Summary |
|
The Whole-of-Government Cloud Computing Policy:
|
Why Was the Policy Introduced?
Government agencies are under increasing pressure to deliver secure, reliable and digitally enabled public services, while responding to growing cyber security risks, evolving citizen expectations and rapid advances in technology.
The Whole-of-Government Cloud Computing Policy has been introduced to help agencies:
- Modernise ageing ICT infrastructure
- Improve cyber security and operational resilience
- Deliver more responsive digital government services
- Improve interoperability across government
- Better manage cloud investment and expenditure
- Reduce reliance on legacy systems
- Enable emerging technologies such as Artificial Intelligence (AI)
- Establish a more consistent approach to cloud adoption across government
Ultimately, the policy aims to ensure government technology investments remain secure, scalable and capable of supporting Australia’s future digital economy.
Why This Matters Now
Although the policy commences on 1 July 2026, infrastructure planning and government procurement often span several years. Technology decisions being made today, including infrastructure investments, cloud strategies and supplier selection, may continue supporting government services well beyond the policy’s commencement date.
Organisations that prepare early will be better positioned to:
- Align future ICT investments with government direction
- Strengthen procurement readiness
- Demonstrate compliance with security, sovereignty and hosting certification requirements
- Support evolving ISM, PSPF and HCF obligations
- Avoid costly redesigns later
- Build AI-ready infrastructure for future government workloads
| Infrastructure planning decisions made today will shape an organisation’s ability to support government programs for years to come. The organisations best placed to support agencies under the new policy are those building compliant, sovereign and highly connected infrastructure now. |
Policy at a Glance
| Policy Overview | |
| Official Policy | Whole-of-Government Cloud Computing Policy |
| Common Name | Australian Government Cloud-First Policy |
| Effective Date | 1 July 2026 |
| Applies To | Non-Corporate Commonwealth Entities (NCCEs) |
| Primary Objective | Cloud becomes the default consideration for new ICT investments |
| Deployment Models | Public, Private, Hybrid and Multi-Cloud |
| Supports | Security, resilience, sovereignty, interoperability, AI readiness and cost optimisation |
| Official Guidance | digital.gov.au |
What Is the Whole-of-Government Cloud Computing Policy?
The policy establishes cloud computing as the preferred approach for new digital and ICT investments across Non-Corporate Commonwealth Entities. Importantly, it does not mandate a single cloud provider or deployment model.
Instead, it establishes principles that help agencies determine the most appropriate infrastructure based on:
- Security and sovereignty requirements
- Operational and business outcomes
- Cost, performance and risk
Agencies may adopt public cloud, private cloud, hybrid cloud or multi-cloud depending on the needs of each workload. This principle-based approach provides flexibility while encouraging modern, secure and resilient infrastructure decisions.
Hybrid and multi-cloud environments, connecting on-premises and cloud workloads across multiple providers, will remain central to how agencies deliver digital services under the policy. Neutral colocation and interconnection infrastructure, such as that provided by NEXTDC, plays a critical role in enabling agencies to connect to multiple cloud platforms, carriers and partners without lock-in, while maintaining full sovereignty over where their data physically resides.
Does This Mean Everything Must Move to Cloud?
No. The policy does not require agencies to immediately migrate every existing workload to the cloud. Instead, cloud becomes the default consideration whenever agencies:
- Invest in new ICT
- Replace ageing infrastructure
- Refresh technology platforms
- Modernise applications
- Deliver new digital services
Existing environments can continue operating while agencies transition over time through planned investment cycles. This creates an opportunity for agencies to host legacy assets alongside cloud workloads in a colocation environment, reducing complexity, preserving existing value and enabling a self-paced transition to modern infrastructure.
Who Does the Policy Apply To?
The policy is mandatory for Non-Corporate Commonwealth Entities (NCCEs). These are Australian Government departments and agencies that legally form part of the Commonwealth of Australia.
Corporate Commonwealth Entities, including organisations such as Australia Post, CSIRO and Airservices Australia, are encouraged to adopt the policy where appropriate.
Why Should Enterprise Organisations and Technology Partners Care?
Although the policy applies directly to government agencies, its impact extends throughout Australia’s government technology ecosystem. Organisations supporting government, including systems integrators, cloud providers, managed service providers, software vendors, telecommunications providers and enterprise organisations, should expect agencies to increasingly assess suppliers against infrastructure capability.
Future procurement decisions are likely to place greater emphasis on:
- Security and cyber resilience
- Operational and infrastructure resilience
- Data sovereignty and physical hosting location
- Alignment with the Hosting Certification Framework (HCF)
- ISM and PSPF compliance
- Interoperability and cloud-neutral connectivity
- Scalability to support evolving workloads
As agencies modernise, infrastructure capability will become an increasingly important component of demonstrating readiness to support government programs. For organisations partnering with NEXTDC, this means access to HCF-certified, IRAP-assessed colocation infrastructure, the foundation for sovereign, compliant and cloud-ready environments.
Cloud as the Foundation for AI
Artificial Intelligence is becoming a strategic priority across government, from citizen services and automation to advanced analytics and decision support.
AI workloads require scalable, highly connected and resilient infrastructure. They also demand high-density power, low-latency connectivity and access to a broad ecosystem of AI platform providers.
NEXTDC’s AI Factory infrastructure is purpose-built for exactly this: high-density compute environments, advanced cooling architectures and direct access to Australia’s largest partner ecosystem, giving government agencies and their technology partners the infrastructure foundation to deploy AI securely, responsibly and at scale.
The Whole-of-Government Cloud Computing Policy helps establish the infrastructure conditions needed to support future AI adoption while enabling agencies to modernise ICT environments securely.
The Five Key Policy Requirements
The policy establishes five strategic expectations for Commonwealth agencies.
1. Prioritise Cloud Computing
Cloud should become the default consideration for new ICT investments. Agencies are also expected to incorporate cloud planning into future Digital Investment Plans, ensuring cloud adoption is considered as part of long-term investment and transformation strategies.
2. Leverage Contemporary Cloud Technologies
Agencies should adopt technologies that improve interoperability, portability and flexibility, while reducing unnecessary vendor lock-in. This reinforces the value of cloud-neutral interconnection infrastructure that enables agencies to connect to and move between cloud providers without dependency on a single platform.
3. Adopt Cloud Securely and Responsibly
Cloud environments should align with Australian Government frameworks including:
- Protective Security Policy Framework (PSPF)
- Australian Signals Directorate Information Security Manual (ISM)
- Hosting Certification Framework (HCF)
- Privacy Act and Australian Privacy Principles
Security, governance and resilience should be embedded throughout the cloud lifecycle. Infrastructure sovereignty remains an important consideration when determining where critical workloads and sensitive government data should reside. NEXTDC’s facilities are certified under the Hosting Certification Framework and support IRAP-assessed environments, providing agencies with a direct pathway to sovereign, compliant hosting.
4. Optimise Cloud Investment
Agencies are encouraged to implement effective governance and FinOps practices to improve visibility, accountability and optimisation of cloud expenditure. A hybrid or multi-cloud strategy, anchored in a neutral colocation environment, provides the operational control and cost transparency needed to manage cloud investment effectively.
5. Build Organisational Capability
Successful cloud adoption requires more than technology. Agencies should continue developing the governance, operating models and workforce capability required to manage modern cloud environments securely and effectively.
Key Takeaways
- The policy becomes effective 1 July 2026
- Cloud becomes the default consideration for new ICT investments
- The policy supports public, private, hybrid and multi-cloud
- Security, sovereignty and resilience remain central to infrastructure decisions
- AI readiness is becoming an increasingly important consideration
- Government procurement expectations are likely to evolve alongside the policy
- The policy has implications not only for government agencies but also for organisations delivering technology and digital services to government
- HCF certification, IRAP assessment and ISM alignment will become key supplier differentiators
Suggested Preparation Timeline
| Now | Next | 1 July 2026+ |
| Review ICT roadmap and infrastructure strategy against the policy’s five requirements | Assess cloud, security, sovereignty and supplier readiness. Evaluate HCF certification and IRAP compliance gaps. Engage NEXTDC to explore compliant colocation, interconnection and AI-ready infrastructure options | Whole-of-Government Cloud Computing Policy takes effect. Procurement decisions increasingly weighted toward security, sovereignty, resilience and HCF alignment |
Official Australian Government Resources
| Resource | Purpose | Official Website |
| Whole-of-Government Cloud Computing Policy | Official policy and implementation guidance | digital.gov.au/cloud-policy |
| Australian Government Architecture | Government cloud architecture principles | architecture.digital.gov.au |
| Hosting Certification Framework (HCF) | Government hosting certification requirements | hostingcertification.gov.au |
| Protective Security Policy Framework (PSPF) | Government protective security requirements | protectivesecurity.gov.au |
| ASD Information Security Manual (ISM) | Australian Government cyber security guidance | cyber.gov.au |
Planning for 1 July 2026?
The Whole-of-Government Cloud Computing Policy is more than a cloud adoption initiative, it signals how Australian Government agencies will plan, procure and operate digital infrastructure for years to come.
Whether your organisation is reviewing its cloud strategy, ICT roadmap, procurement plans or AI initiatives, now is the time to ensure infrastructure decisions align with evolving government expectations.
NEXTDC partners with government agencies, enterprise organisations, cloud providers and technology partners to deliver secure, sovereign and highly connected digital infrastructure, supporting hybrid cloud, AI-ready workloads and mission-critical environments. Our HCF-certified, IRAP-assessed facilities, combined with Australia’s largest interconnection ecosystem, provide the infrastructure foundation agencies and their partners need to meet the policy’s requirements confidently.
| Speak to an infrastructure specialist about HCF-ready colocation and cloud-neutral connectivity, visit nextdc.com or contact your NEXTDC account manager. |
