Sri Lanka wants feedback on Sovereign Cloud Strategy

The Information and Communication Technology Agency of Sri Lanka (ICTA) has launched a public consultation on a Cloud Policy and Strategy for Sri Lanka. The draft documents outlining the strategy, which will boost Sri Lanka’s digital landscape by ensuring secure and innovative cloud computing practices that support national interests and stimulate inclusive growth, were released for stakeholder comments.

The government aims to generate a strong regulatory framework for sovereign cloud operations, focusing on data localization, classification, and security standards to confirm compliance with national laws, which will contain supervision for cloud provider certification, audits, and ongoing compliance monitoring.

The key aims of the Cloud Policy and Strategy are to protect national data through local storage and governance, construct a secure and robust cloud infrastructure, allowing global cloud providers to run under strict regulations, drawing investments to boost the digital economy, and nurturing innovation in public sector services.

Creating a regulatory framework for data security, assisting public-private partnerships, creating an interoperable cloud system, and launching Digital Sovereignty Zones for critical data, along with risk mitigation and the need for a governance framework to outline institutional roles, are included in the strategy.

Stakeholder comments are essential for honing the strategy, the ICTA said, noting that targeted areas of interest include the regulatory framework’s strength, the public-private partnership model’s practicality, and the strategy’s effect on local businesses. The document defines different sensitivity levels for data sovereignty, going from full sovereignty with strong localization to global hosting with local oversight, each with detailed prerequisites for data management and hosting.

The guidelines also say that cloud services must line up with data classification tiers, prioritize conformity with local laws, and foster competition and innovation. Digital Sovereignty Zones are underscored as secure environments for hosting sensitive data, certifying exclusive control by Sri Lankan authorities and compliance with rigid cybersecurity protocols. This framework aims to retain digital independence while efficiently managing detailed workloads.

Critical government data should stay within sovereign environments, while less sensitive workloads can be hosted on public or hybrid clouds with appropriate controls.

The governance framework for the sovereign cloud must distinctly define institutional roles, with the Ministry of Digital Economy leading policy direction, the Digital Economy Authority managing regulation, and the GovTech Agency managing technical execution. The Data Protection Authority will impose data protection laws, while the Telecommunications Regulatory Commission will regulate infrastructure.

Cloud service providers must submit themselves to certification and accreditation to operate within the sovereign cloud framework, with security audits and data residency checks. A national data classification policy will sort data into public, sensitive, and critical categories, making sure that appropriate controls and compliance requirements are applied.

The Digital Economy Ministry is prioritizing cloud and digital ID as high-priority projects. A Request for Proposals for a vendor to implement the Sri Lanka Unique Digital Identity (SL-UDI) system was issues at the end of June.

Article Topics

cloud computing  |  data protection  |  digital economy  |  digital identity  |  Sri Lanka