At a glance
The Whole-of-Government Cloud Computing Policy took effect on 1 July 2026, making cloud the default consideration for all new digital and ICT investment by non-corporate Commonwealth entities. The Digital Transformation Agency assesses proposals through the Investment Oversight Framework.
The policy sets five requirements: prioritise cloud, use cloud for innovation including AI, adopt cloud securely, manage cost through FinOps, and build cloud skills.
Requirement 2 makes AI explicit. Entities must provide sufficient cloud compute to support AI, and design for interoperability and portability to limit vendor lock-in.
Cloud planning is now mandatory inside each agency’s Digital Investment Plan, so the cloud-first default runs across the whole Commonwealth digital investment pipeline.
The policy covers public, private and hybrid cloud. Corporate Commonwealth entities may opt in, and the national intelligence community is out of scope.
Independent coverage has focused on execution risk, with legacy dependencies and rushed lift-and-shift migrations named as the main ways a cloud-first mandate goes wrong.
What the policy changes from today
From 1 July 2026, cloud is the default consideration for new Australian Government digital investment. The Whole-of-Government Cloud Computing Policy, published by the Digital Transformation Agency on 8 December 2025, requires non-corporate Commonwealth entities to adopt cloud solutions for all new digital and ICT initiatives and upgrades unless an alternative is justified. The DTA assesses digital investment proposals through the Digital and ICT Investment Oversight Framework, and cloud planning now sits inside each entity’s Digital Investment Plan from the outset.
The scope is specific. The policy binds non-corporate Commonwealth entities. Corporate Commonwealth entities are encouraged to apply it but can choose not to, and the national intelligence community is excluded. It covers public, private and hybrid cloud, and applies across procurement, transition, data migration and exit.
The policy sets five requirements.
Requirement | What entities must do |
1. Prioritise cloud | Adopt cloud for all new digital and ICT initiatives and upgrades unless an alternative is justified, embed cloud in Digital Investment Plans, and decommission legacy systems. |
2. Leverage cloud for innovation, including AI | Provide sufficient cloud compute to support AI, and design for interoperability and portability to limit vendor lock-in. |
3. Adopt cloud responsibly and securely | Comply with the Protective Security Policy Framework, the Hosting Certification Framework, the Information Security Manual and the ASD Cloud Security Guidance, and prepare governance and exit strategies. |
4. Manage and optimise cost | Apply FinOps practices, track unit economics, and use panels such as the Cloud Marketplace. |
5. Nurture cloud skills | Build and retain cloud skills across the APS through workforce planning. |
Source: Digital Transformation Agency, Whole-of-Government Cloud Computing Policy, July 2026.
The policy is built for AI
The clearest signal in the document is that it treats cloud as the route to public-sector AI. Requirement 2 tells entities to provide access to sufficient cloud computing capability to support innovative technology such as AI, and the DTA frames the whole policy as embedding AI-readiness across government platforms. That is the reason a modernisation policy carries an explicit compute mandate rather than a pure cost-and-security brief.
For the infrastructure market, that compute mandate turns government into a buyer for AI-grade capacity. Public-sector AI workloads need GPU-dense capacity and the power, cooling and networking that go with it, the same AI data centre profile driving the commercial build-out. Much of that capacity in Australia is being added by the hyperscalers and by the neocloud operators building GPU-first supply. One early example of the government buying directly is Anthropic’s first Australian Government contract.
A pipeline-wide default
The policy’s reach comes from where it sits in the investment process. Because cloud planning is mandatory inside every Digital Investment Plan and proposals are assessed against the policy at the Investment Oversight Framework, the cloud-first default applies across the forward pipeline rather than to one agency or one project. Requirement 1 also asks entities to prioritise moving off legacy systems and to maintain a decommissioning roadmap with milestones.
The default is now built into how the Commonwealth plans and funds digital investment, so it applies as contracts come up for renewal rather than through a single migration. For Australia’s data centre operators and the cloud providers they host, it sets a cloud-first default on the government workloads in that pipeline.
Execution is the harder problem
The direction is fixed, the migration is where independent coverage has concentrated. Computer Weekly reported expert warnings that agencies without a clear inventory of what is being retired, and what depends on it, are the ones most exposed to outages and cost overruns. The same coverage notes that legacy applications often run more expensively in the cloud than on-premises when they are lifted and shifted without redesign, and that the coordination gap between IT and security teams is where migrations tend to fail.
The policy anticipates some of this. It frames the shift as transition where it makes sense rather than a mandate to move every legacy application, and Requirement 1’s decommissioning roadmap is aimed squarely at the inventory problem. Requirement 3 keeps cloud adoption inside the government’s existing security frameworks, including the Protective Security Policy Framework and the Hosting Certification Framework, so the security bar does not fall as workloads move. Whether agencies have the cloud skills to execute is the open variable, which is why Requirement 5 makes workforce capability a formal obligation rather than an afterthought.
What to watch
The policy will be supported by annual reviews, the first indicator of how strictly the cloud-first default is applied through Investment Oversight Framework assessments. Four things will show how far it moves the market over the next year. The first is how the DTA treats hybrid and on-premises exceptions where a pure cloud solution is not justified, since that boundary decides how much workload actually moves. The second is how much AI-grade capacity the compute mandate in Requirement 2 pulls through to the hyperscalers and neocloud operators. The third is uptake of the Cloud Marketplace panel, the procurement channel the policy points agencies toward. The fourth is whether agencies can build the cloud skills Requirement 5 demands fast enough to migrate without the execution failures the early coverage has flagged.