The Ministry of Information Technology and Telecommunications ('MOITT') introduced, on 18 February 2022, the Pakistan Cloud First Policy. In particular, the MOITT highlighted the policy's application as guidance to all public sector entities, regulated sectors, and private sector organisations. Furthermore, the MOITT outlined that the policy defines a Cloud Service Provider ('CSP') as a third-party company that offers components of cloud computing such as infrastructure, software, storage, and application.  

More specifically, the MOITT detailed that the policy provides for technical and administrative controls to protect personal data, both stored and in transit, with measures including but not limited to, adequate technical controls, such as end-to-end encryption or tokenisation, as well as data loss prevention tools. In addition, the MOITT provided that although the policy does not implement data residency requirements, whenever there are legitimate use-cases requiring cross-border data flows, then, relevant stakeholders may consult the cloud office to ensure appropriate security standards and controls are in place for data flows. Finally, the MOITT noted the requirements of the policy will be enforced by a newly created cloud office, whose role includes the establishment of a wider compliance framework for CSPs.

You can read the policy here.