When the New Zealand government refreshed its “Cloud First” policy in 2023, it updated a tech mandate, yes, but it also sent a clear message.
The policy signalled a cultural shift: a move away from fortress-like data centres and toward agile, scalable platforms that mirror the speed and complexity of modern regulatory demands.
In neighbouring Australia, similar moves are underway. As digital transformation reshapes how governments deliver services, it’s also altering how regulators work, think, and collaborate.
Across both countries and around the world, regulatory agencies are leaning into cloud adoption not as a mere IT upgrade, but as a foundational change to how they safeguard public interest. As governments and agencies push forward with cross-agency data sharing, real-time compliance monitoring, and citizen-centred services, cloud infrastructure is becoming less of a choice and more of a prerequisite.
A shared mandate, divergent landscapes
Australia and New Zealand both maintain formal Cloud First policies. Though mandates differ by jurisdiction and agency, when they’re present they tend to be broad in scope and ambitious in intent.
In Australia, the Digital Transformation Agency’s Secure Cloud Strategy instructs agencies to favour public cloud by default, avoid unnecessary customisation, and design services for resilience and rapid deployment. Its counterpart in New Zealand similarly mandates that agencies “move away from on-premises systems”, adopt sustainability principles, and account for Māori data sovereignty under Te Tiriti o Waitangi.
Yet beneath the policy alignment lie divergent realities.
Australia’s federated system means cloud strategy is mediated across Commonwealth and state lines, often requiring delicate coordination. New Zealand, by contrast, operates with more centralised oversight – giving it cleaner levers for whole-of-government shifts.
Both, however, face the same core challenge: how to move highly specialised regulatory agencies – many with decades-old systems and tightly scoped mandates – into a future defined by adaptability, interoperability, and risk-informed service delivery.
What cloud makes possible
For regulators, the value of cloud isn’t confined to IT efficiencies. Instead, it lies in what the infrastructure enables: real-time monitoring, automated compliance assessment, streamlined audit trails, and more effective engagement with both regulated entities and the public. In short, cloud modernisation creates the platform for smarter, faster, and more risk-responsive regulation.
These capabilities were once the stuff of dreams. Now, thanks to the cloud, they are attainable realities.
Agencies are increasingly able to scale systems based on fluctuating workload, deploy updates without service interruption, and integrate datasets once locked away in siloed formats. In practical terms, this means compliance teams can monitor risk signals across sectors in near-real-time, case managers can securely access records across jurisdictions, and policy teams can adjust regulatory parameters without waiting on a six-month system overhaul.
This flexibility is no longer a luxury. As regulators contend with rapid innovation cycles in everything from fintech to food safety, the ability to respond to emerging risks quickly and collaboratively has become part of their mandate.
Case studies in transition
Audit New Zealand’s 2022 adoption of a cloud-based technology solution is one example of how regulators are rethinking their approach to infrastructure. The agency’s rationale for the move reflects a broader shift toward adaptability and long-term value: it wanted to adopt solutions that would remain viable over the long term, emphasising adaptability and accessibility over custom-built features. That is a reflection of the evolving priorities shaping procurement decisions in the regulatory sector.
More broadly, over 140 public sector agencies in Australia – many with regulatory functions – now operate at least partially in the cloud. Some state governments, such as New South Wales, have publicly committed to shifting a quarter of their digital workloads to public cloud environments. In New Zealand, digital.govt.nz maintains a structured assessment framework for public cloud services, with a centralised registry of risk tools and templates to help agencies navigate adoption.
Rarely are these moves splashy. But cumulatively, they reflect a regulatory sector retooling itself. In other words, it’s not about chasing technology for its own sake, but meeting evolving expectations for accountability, speed, and service equity.
Collaboration through infrastructure
Regulators do not operate in isolation. Whether it’s environmental oversight or labour licensing, few issues sit neatly within one agency’s remit. The cloud is increasingly the infrastructure through which collaboration happens.
Federated identity platforms, common service integration tools, and cross-agency data hubs are making it possible for regulators to act on shared intelligence. Australia’s Secure Cloud Strategy envisions “shared platforms” and “federated identity for government” as central components of its regulatory digital future. In New Zealand, the government’s Marketplace is building a foundation for collaborative service procurement and delivery.
These arrangements are more than technical conveniences. They allow for integrated enforcement action, coordinated licensing, and sector-wide risk analysis. For regulated entities, it also means less duplication and clearer lines of communication.
Compliance in a distributed world
The shift to cloud has also forced a re-evaluation of compliance – that of both the regulator and the regulatee. Since data is no longer confined to physical servers, questions around jurisdiction, privacy, and sovereignty have become more pressing.
Regulators themselves are subject to evolving rules. In Australia, the Australian Prudential Regulation Authority (APRA) has replaced its earlier guidance on cloud outsourcing with a broader Operational Risk Management standard (CPS 230) that directly addresses digital dependencies. New Zealand’s Risk Discovery Tool for Public Cloud Services, meanwhile, walks agencies through more than 100 questions spanning sovereignty, privacy, and continuity.
These frameworks don’t eliminate risk, no. But they do help regulators move beyond vague anxieties and toward structured, scenario-based decision-making – a shift as philosophical as it is procedural.
International standards also shaping regulatory cloud adoption
Australia and New Zealand may be among the more proactive jurisdictions in promoting regulatory cloud transformation, but their activity is not happening in a vacuum. Around the world, regulators are drawing from shared frameworks that offer both reassurance and constraint as they modernise.
The Cloud Security Alliance (CSA) provides one of the most widely referenced matrices of cloud-specific controls, with its STAR certification now a key credential for many public sector contracts. The CSA Controls Matrix spans everything from identity management to supply chain risk, helping regulators assess provider transparency and security posture without needing to reinvent evaluation criteria.
NIST’s Cybersecurity Framework and companion publications such as SP 800-53 and SP 800-144 are also heavily relied upon by governments globally, including as foundational inputs to Australia’s and New Zealand’s secure cloud strategies. These documents offer scalable guidance on identity assurance, network configuration, incident response, and risk scoring, all critical areas for agencies overseeing public interest sectors.
ISO/IEC standards, especially 27001 (information security), 27017 (cloud-specific security), and 27018 (privacy for PII in public clouds), are often embedded in cloud procurement requirements across jurisdictions. These standards help harmonise expectations between domestic regulators and global providers.
Now, for those who don’t eat, sleep, and breathe IT frameworks and standards, all these numerical labels may seem abstract. But what these frameworks have in common is a shared emphasis on accountability, interoperability, and risk-informed decision-making. Together they give regulators a common language and a practical toolkit for managing trust, security, and complexity in a cloud-first world.
While international standards help align baseline expectations, regulatory cloud adoption also hinges on how jurisdictions manage data sovereignty, which is often the most contentious issue in cloud governance. Why? At its core, data sovereignty raises questions about who controls sensitive information, where it resides, and which laws apply. For regulators, this becomes especially fraught when using third-party cloud providers that store or process data across borders.
The General Data Protection Regulation (GDPR) in the EU, alongside frameworks like the EU-US Data Privacy Framework and APEC’s Cross-Border Privacy Rules (CBPR), offer models for how regulators can navigate jurisdictional friction without sacrificing accountability or collaboration. These are especially important for transnational regulators or those involved in information exchange with international counterparts.
Other emerging considerations include zero trust architecture (as advocated by NIST SP 800-207), AI governance frameworks like the OECD AI Principles, and sustainable cloud metrics like ISO/IEC 30134, all of which are shaping how regulatory agencies approach long-term cloud investment.
In sum, these frameworks are not just checklists. Like New Zealand and Australia’s cloud policies, they’re signalling mechanisms; they’re a way for regulators to communicate seriousness, readiness, and accountability as they navigate modernisation in a complex, globally interconnected environment.
The sticking points
Despite strong policy frameworks and growing momentum, barriers to cloud adoption persist. Procurement remains a sore spot.
Traditional capital expenditure models often simply don’t align with cloud’s pay-as-you-go structure, and that leads to budgeting complications. Head agreements for ICT services (standard government contracts that set fixed rules and prices for buying technology across multiple agencies) may not accommodate the nuance and flexibility required by cloud vendors, even at the infrastructure level.
Cloud services are fundamentally different. They’re dynamic, usage-based, and often require rapid scaling, tailored configurations, or even shared responsibilities between provider and agency. These nuances – think flexible provisioning, variable billing, real-time support, or integration with other services – may not be well accounted for in rigid, pre-negotiated agreements.
Then there’s the matter of skills.
Many regulatory agencies, particularly smaller ones, lack internal cloud expertise. No dedicated support means burdensome risk assessments, integration lags, and missed opportunities for innovation. Several reviews, including Australia’s 2025 Major Digital Projects Report and NZIER’s analysis of digital transformation in New Zealand, cite skills gaps as a key limiting factor.
Sometimes the necessary support for change, such as funding, legal clarity, and skilled people, simply isn’t in place yet.
The cloud-enabled regulator
So what does the next phase look like?
A fully cloud-enabled regulator would have much more than virtualised infrastructure. In adopting what is essentially a new operational paradigm, it would also gain new processes and capabilities.
To name a few:
- Workflow design that assume real-time data availability: As it stands, many regulatory workflows still rely on periodic data uploads or batch processing, and that delays insight and action. Real-time integration allows regulators to act on live data feeds, improving timeliness of interventions and responsiveness to emerging risks.
- Risk-based logic embedded into digital service delivery: Risk assessments are too often applied manually or at fixed review points, with limited personalisation of regulatory actions. In striking contrast, automated logic embedded in cloud-hosted systems enables continuous, dynamic tailoring of oversight based on real-time risk profiles.
- Platform flexibility to adapt regulation dynamically: Changes to regulatory frameworks generally require long development cycles and extensive IT reconfiguration. In the world of the cloud, platform-as-a-service models allow agencies to iterate on regulatory logic and deploy updates rapidly, aligning systems with evolving rules.
- Compliance monitoring and enforcement with advanced analytics and AI: Right now, compliance monitoring is largely retrospective, relying on audits or self-reports submitted after the fact. AI-powered analytics embedded in cloud environments allow for predictive monitoring and early identification of potential non-compliance.
- Collaborative platforms shared across agencies: Agencies typically manage their own siloed systems, making collaboration slow and coordination error-prone. With the cloud, shared infrastructure enables seamless data exchange and joint workflows, facilitating integrated oversight and coordinated enforcement.
- Trust that aligns with public expectations for transparency, privacy, and efficiency: Legacy systems often make it difficult for regulators to provide timely, clear information or demonstrate strong privacy controls. Conversely, modernised cloud platforms improve auditability, enhance user experience, and enable stronger safeguards for data protection, aligning public service delivery with public expectations.
Crucially, a cloud-enabled regulator retains its core mandate of public protection while becoming more responsive to the complex ecosystems it oversees.
Not just an upgrade
Cloud modernisation is reshaping the regulatory state not through flashy announcements, but through a series of deeply structural, often invisible shifts. These include revised procurement protocols, new policy guidelines, shared identity systems, and more nuanced interpretations of jurisdictional risk.
This is what makes regulatory cloud transformation fascinatingly distinct. While an observer would be tempted to think otherwise, it isn’t about digitising forms or moving files online. It’s about embedding a new operational model: one that rethinks time, risk, accountability, and infrastructure in regulatory work.
The shift is incremental, uneven, and at times it can get messy.
But it is real, and it is picking up speed. As cloud infrastructure becomes the spine of the modern state, regulators who delay the transition may risk not just inefficiency, but irrelevance.
How the cloud is becoming the nervous system of modern regulation
When the New Zealand government refreshed its “Cloud First” policy in 2023, it updated a tech mandate, yes, but it also sent a clear message.
The policy signalled a cultural shift: a move away from fortress-like data centres and toward agile, scalable platforms that mirror the speed and complexity of modern regulatory demands.
In neighbouring Australia, similar moves are underway. As digital transformation reshapes how governments deliver services, it’s also altering how regulators work, think, and collaborate.
Across both countries and around the world, regulatory agencies are leaning into cloud adoption not as a mere IT upgrade, but as a foundational change to how they safeguard public interest. As governments and agencies push forward with cross-agency data sharing, real-time compliance monitoring, and citizen-centred services, cloud infrastructure is becoming less of a choice and more of a prerequisite.
A shared mandate, divergent landscapes
Australia and New Zealand both maintain formal Cloud First policies. Though mandates differ by jurisdiction and agency, when they’re present they tend to be broad in scope and ambitious in intent.
In Australia, the Digital Transformation Agency’s Secure Cloud Strategy instructs agencies to favour public cloud by default, avoid unnecessary customisation, and design services for resilience and rapid deployment. Its counterpart in New Zealand similarly mandates that agencies “move away from on-premises systems”, adopt sustainability principles, and account for Māori data sovereignty under Te Tiriti o Waitangi.
Yet beneath the policy alignment lie divergent realities.
Australia’s federated system means cloud strategy is mediated across Commonwealth and state lines, often requiring delicate coordination. New Zealand, by contrast, operates with more centralised oversight – giving it cleaner levers for whole-of-government shifts.
Both, however, face the same core challenge: how to move highly specialised regulatory agencies – many with decades-old systems and tightly scoped mandates – into a future defined by adaptability, interoperability, and risk-informed service delivery.
What cloud makes possible
For regulators, the value of cloud isn’t confined to IT efficiencies. Instead, it lies in what the infrastructure enables: real-time monitoring, automated compliance assessment, streamlined audit trails, and more effective engagement with both regulated entities and the public. In short, cloud modernisation creates the platform for smarter, faster, and more risk-responsive regulation.
These capabilities were once the stuff of dreams. Now, thanks to the cloud, they are attainable realities.
Agencies are increasingly able to scale systems based on fluctuating workload, deploy updates without service interruption, and integrate datasets once locked away in siloed formats. In practical terms, this means compliance teams can monitor risk signals across sectors in near-real-time, case managers can securely access records across jurisdictions, and policy teams can adjust regulatory parameters without waiting on a six-month system overhaul.
This flexibility is no longer a luxury. As regulators contend with rapid innovation cycles in everything from fintech to food safety, the ability to respond to emerging risks quickly and collaboratively has become part of their mandate.
Case studies in transition
Audit New Zealand’s 2022 adoption of a cloud-based technology solution is one example of how regulators are rethinking their approach to infrastructure. The agency’s rationale for the move reflects a broader shift toward adaptability and long-term value: it wanted to adopt solutions that would remain viable over the long term, emphasising adaptability and accessibility over custom-built features. That is a reflection of the evolving priorities shaping procurement decisions in the regulatory sector.
More broadly, over 140 public sector agencies in Australia – many with regulatory functions – now operate at least partially in the cloud. Some state governments, such as New South Wales, have publicly committed to shifting a quarter of their digital workloads to public cloud environments. In New Zealand, digital.govt.nz maintains a structured assessment framework for public cloud services, with a centralised registry of risk tools and templates to help agencies navigate adoption.
Rarely are these moves splashy. But cumulatively, they reflect a regulatory sector retooling itself. In other words, it’s not about chasing technology for its own sake, but meeting evolving expectations for accountability, speed, and service equity.
Collaboration through infrastructure
Regulators do not operate in isolation. Whether it’s environmental oversight or labour licensing, few issues sit neatly within one agency’s remit. The cloud is increasingly the infrastructure through which collaboration happens.
Federated identity platforms, common service integration tools, and cross-agency data hubs are making it possible for regulators to act on shared intelligence. Australia’s Secure Cloud Strategy envisions “shared platforms” and “federated identity for government” as central components of its regulatory digital future. In New Zealand, the government’s Marketplace is building a foundation for collaborative service procurement and delivery.
These arrangements are more than technical conveniences. They allow for integrated enforcement action, coordinated licensing, and sector-wide risk analysis. For regulated entities, it also means less duplication and clearer lines of communication.
Compliance in a distributed world
The shift to cloud has also forced a re-evaluation of compliance – that of both the regulator and the regulatee. Since data is no longer confined to physical servers, questions around jurisdiction, privacy, and sovereignty have become more pressing.
Regulators themselves are subject to evolving rules. In Australia, the Australian Prudential Regulation Authority (APRA) has replaced its earlier guidance on cloud outsourcing with a broader Operational Risk Management standard (CPS 230) that directly addresses digital dependencies. New Zealand’s Risk Discovery Tool for Public Cloud Services, meanwhile, walks agencies through more than 100 questions spanning sovereignty, privacy, and continuity.
These frameworks don’t eliminate risk, no. But they do help regulators move beyond vague anxieties and toward structured, scenario-based decision-making – a shift as philosophical as it is procedural.
International standards also shaping regulatory cloud adoption
Australia and New Zealand may be among the more proactive jurisdictions in promoting regulatory cloud transformation, but their activity is not happening in a vacuum. Around the world, regulators are drawing from shared frameworks that offer both reassurance and constraint as they modernise.
The Cloud Security Alliance (CSA) provides one of the most widely referenced matrices of cloud-specific controls, with its STAR certification now a key credential for many public sector contracts. The CSA Controls Matrix spans everything from identity management to supply chain risk, helping regulators assess provider transparency and security posture without needing to reinvent evaluation criteria.
NIST’s Cybersecurity Framework and companion publications such as SP 800-53 and SP 800-144 are also heavily relied upon by governments globally, including as foundational inputs to Australia’s and New Zealand’s secure cloud strategies. These documents offer scalable guidance on identity assurance, network configuration, incident response, and risk scoring, all critical areas for agencies overseeing public interest sectors.
ISO/IEC standards, especially 27001 (information security), 27017 (cloud-specific security), and 27018 (privacy for PII in public clouds), are often embedded in cloud procurement requirements across jurisdictions. These standards help harmonise expectations between domestic regulators and global providers.
Now, for those who don’t eat, sleep, and breathe IT frameworks and standards, all these numerical labels may seem abstract. But what these frameworks have in common is a shared emphasis on accountability, interoperability, and risk-informed decision-making. Together they give regulators a common language and a practical toolkit for managing trust, security, and complexity in a cloud-first world.
While international standards help align baseline expectations, regulatory cloud adoption also hinges on how jurisdictions manage data sovereignty, which is often the most contentious issue in cloud governance. Why? At its core, data sovereignty raises questions about who controls sensitive information, where it resides, and which laws apply. For regulators, this becomes especially fraught when using third-party cloud providers that store or process data across borders.
The General Data Protection Regulation (GDPR) in the EU, alongside frameworks like the EU-US Data Privacy Framework and APEC’s Cross-Border Privacy Rules (CBPR), offer models for how regulators can navigate jurisdictional friction without sacrificing accountability or collaboration. These are especially important for transnational regulators or those involved in information exchange with international counterparts.
Other emerging considerations include zero trust architecture (as advocated by NIST SP 800-207), AI governance frameworks like the OECD AI Principles, and sustainable cloud metrics like ISO/IEC 30134, all of which are shaping how regulatory agencies approach long-term cloud investment.
In sum, these frameworks are not just checklists. Like New Zealand and Australia’s cloud policies, they’re signalling mechanisms; they’re a way for regulators to communicate seriousness, readiness, and accountability as they navigate modernisation in a complex, globally interconnected environment.
The sticking points
Despite strong policy frameworks and growing momentum, barriers to cloud adoption persist. Procurement remains a sore spot.
Traditional capital expenditure models often simply don’t align with cloud’s pay-as-you-go structure, and that leads to budgeting complications. Head agreements for ICT services (standard government contracts that set fixed rules and prices for buying technology across multiple agencies) may not accommodate the nuance and flexibility required by cloud vendors, even at the infrastructure level.
Cloud services are fundamentally different. They’re dynamic, usage-based, and often require rapid scaling, tailored configurations, or even shared responsibilities between provider and agency. These nuances – think flexible provisioning, variable billing, real-time support, or integration with other services – may not be well accounted for in rigid, pre-negotiated agreements.
Then there’s the matter of skills.
Many regulatory agencies, particularly smaller ones, lack internal cloud expertise. No dedicated support means burdensome risk assessments, integration lags, and missed opportunities for innovation. Several reviews, including Australia’s 2025 Major Digital Projects Report and NZIER’s analysis of digital transformation in New Zealand, cite skills gaps as a key limiting factor.
Sometimes the necessary support for change, such as funding, legal clarity, and skilled people, simply isn’t in place yet.
The cloud-enabled regulator
So what does the next phase look like?
A fully cloud-enabled regulator would have much more than virtualised infrastructure. In adopting what is essentially a new operational paradigm, it would also gain new processes and capabilities.
To name a few:
Crucially, a cloud-enabled regulator retains its core mandate of public protection while becoming more responsive to the complex ecosystems it oversees.
Not just an upgrade
Cloud modernisation is reshaping the regulatory state not through flashy announcements, but through a series of deeply structural, often invisible shifts. These include revised procurement protocols, new policy guidelines, shared identity systems, and more nuanced interpretations of jurisdictional risk.
This is what makes regulatory cloud transformation fascinatingly distinct. While an observer would be tempted to think otherwise, it isn’t about digitising forms or moving files online. It’s about embedding a new operational model: one that rethinks time, risk, accountability, and infrastructure in regulatory work.
The shift is incremental, uneven, and at times it can get messy.
But it is real, and it is picking up speed. As cloud infrastructure becomes the spine of the modern state, regulators who delay the transition may risk not just inefficiency, but irrelevance.
Paul Leavoy
RELATED POSTS
Australia’s regulatory crunch: what goes live
New Zealand’s online casino gamble: closing
April 2026 regulatory update: first evidence
POPULAR POSTS
Australia’s regulatory crunch: what goes live in 2026, and why it matters
New Zealand’s online casino gamble: closing a gap, or opening a new one?
April 2026 regulatory update: first evidence
Stay ahead of regulation
News, insight, and analysis weekly