The Australian Government’s cloud-first policy, formally articulated in 2013 and reinforced multiple times since, directs government agencies to consider cloud solutions before on-premise alternatives when procuring or developing ICT infrastructure.

The policy goal is sensible: reduce capital expenditure on data centres, improve agility, access better security through cloud providers’ expertise, and enable faster delivery of digital services.

More than a decade later, the reality is a patchwork. Some agencies have migrated extensively to cloud platforms. Others remain largely on-premise. The technical challenges of cloud migration have mostly been solved. The organizational, security, and cultural barriers remain substantial.

What the Policy Says

The Digital Transformation Agency’s cloud policy guidance directs agencies to use cloud services where it’s fit for purpose, secure, and cost-effective. The expectation is that cloud should be the default, with on-premise infrastructure requiring specific justification.

The policy encourages use of public cloud (AWS, Azure, Google Cloud) for unclassified workloads and certified cloud providers for PROTECTED workloads. Agencies are expected to assess cloud options early in procurement processes, not as an afterthought.

On paper, this is clear. In practice, implementation varies wildly across departments.

Who’s Moved to Cloud

Digital-native agencies like the Australian Taxation Office and Services Australia have substantial cloud footprints. ATO’s myTax platform runs on cloud infrastructure, handling millions of annual tax returns. Services Australia migrated myGov services to cloud hosting to handle load spikes during COVID-related payments.

These agencies had clear business cases: highly variable workloads that cloud autoscaling handles better than fixed on-premise capacity, and public-facing digital services where cloud providers’ global infrastructure improves performance and resilience.

Smaller agencies with limited ICT teams often moved to cloud earlier and more completely because they lacked the capability to run on-premise data centres competently. Using cloud managed services meant accessing enterprise-grade infrastructure without needing in-house expertise.

New digital initiatives across government — new websites, APIs, citizen-facing applications — are overwhelmingly cloud-hosted from launch. Building new services on cloud is straightforward. Migrating legacy systems is where progress stalls.

Who Hasn’t

Defence, intelligence, and national security agencies remain significantly on-premise for classified and sensitive workloads. This is partly policy (classified material has strict hosting requirements) and partly culture (deep institutional caution about external dependency).

Even for unclassified workloads, security and intelligence agencies move more slowly. The risk tolerance is lower, and the consequences of compromise are higher.

Agencies with large legacy systems — particularly those running decades-old ERP, HR, or financial management systems — face substantial migration complexity. These systems were designed for on-premise deployment, often tightly integrated with other on-premise infrastructure. Migrating them means replatforming or replacing entirely, which is expensive, risky, and politically difficult.

The case study of Queensland Health’s payroll system disaster remains in institutional memory. Large-scale system replacements can go catastrophically wrong, costing hundreds of millions and disrupting operations. Risk-averse agencies prefer the devil they know.

Agencies with highly customized infrastructure struggle with cloud migration. If your ICT environment involves specialized hardware, highly customized networking, or unusual security requirements, cloud’s standardized offerings may not fit cleanly.

The Barrier Isn’t Technical

The technology to migrate workloads to cloud is mature. Tools for assessing migration candidates, automating lift-and-shift migrations, and replatforming applications are widely available. AWS, Azure, and Google Cloud all have government-focused support teams.

The barriers are organizational and cultural.

Procurement complexity. Government procurement processes were designed for capital equipment purchases — buy a server, own it for five years, budget for replacement. Cloud is operational expenditure with variable costs. Adapting budgeting, procurement, and financial management processes to cloud’s consumption model requires policy changes at multiple levels.

Security certification burden. Agencies require evidence that cloud services meet government security requirements. The Information Security Registered Assessors Program (IRAP) assesses cloud services against the Information Security Manual, but the assessment process is time-consuming and expensive. Each major service within a cloud provider may need separate assessment. The certification lag means new cloud services take months or years to become available to government agencies.

Skills gaps. On-premise infrastructure teams have deep expertise in traditional IT operations. Cloud requires different skills — infrastructure-as-code, cloud-native architectures, DevOps practices. Retraining existing staff or hiring new talent with cloud skills is challenging within public sector salary constraints.

Vendor lock-in concerns. Once an agency commits to a cloud platform, migrating to another provider is expensive and complex. This creates long-term dependency on a single vendor, which conflicts with government procurement preferences for competition and flexibility. The concern is legitimate, though often used as an excuse for inaction.

Data sovereignty and control. Government data is politically sensitive. Hosting data in infrastructure owned and operated by US companies (even within Australian regions) creates genuine sovereignty concerns and perceived political risks. The government’s push for sovereign cloud providers (Australian-owned and operated) has had limited success because the commercial offerings lag behind AWS and Azure in capability and scale.

The Cost Reality

Cloud was supposed to save money. The reality is more complicated.

For agencies that migrate efficiently, optimize workloads for cloud, and decommission on-premise infrastructure, cost savings are real. The ATO has reported significant reductions in infrastructure costs through cloud migration.

For agencies that migrate poorly — running cloud instances inefficiently, maintaining on-premise infrastructure alongside cloud, or paying for unused cloud capacity — costs often increase. Cloud makes it easy to overprovision, and without active cost management, bills escalate.

The “lift and shift” approach — moving on-premise workloads to cloud with minimal changes — typically increases costs in the short term. The savings come from retiring on-premise infrastructure and optimizing applications for cloud-native architecture. That requires additional investment.

What Should Happen

Clear migration roadmaps at agency level. Cloud-first policy at a whole-of-government level is fine, but execution happens at the agency level. Each agency needs a multi-year migration plan, properly funded, with executive-level accountability.

Faster security assessment processes. IRAP assessments provide genuine value, but the timeline needs compression. Streamlined certification for commonly-used cloud services would reduce barriers without compromising security.

Skills investment. Agencies need dedicated funding for workforce upskilling in cloud technologies. This isn’t optional — the skills gap is one of the largest blockers to effective cloud adoption.

Better cost management tooling and expertise. Cloud cost optimization is a discipline in itself. Agencies moving to cloud need access to tools and expertise to manage consumption effectively. Technology strategy consultants increasingly work with government agencies on exactly this challenge — not just migrating to cloud, but ensuring the migration delivers value.

Sovereign cloud options that actually compete. If data sovereignty is a genuine policy requirement, government needs to invest in or procure Australian-owned cloud infrastructure that’s competitive with global providers. Current offerings aren’t compelling enough to drive uptake.

The 2026 Status

Government cloud adoption is higher than in 2013 but lower than policy intentions suggested. The easy migrations — new digital services, highly variable workloads, agencies without legacy constraints — have mostly happened.

What remains is harder: core operational systems, agencies with deep legacy infrastructure, workloads with complex compliance or security requirements, and politically sensitive data.

These won’t migrate quickly. Some may never migrate. The question isn’t whether cloud-first policy was right — it was. It’s whether government will invest the organizational effort, funding, and political capital required to follow through on the harder migrations.

Progress continues, but slowly. The gap between policy ambition and operational reality remains substantial.