Desi data to get top secret & A-B sovereign cover under new cloud rules

New Delhi: Government databases and applications will now be categorised into three sets, with varying degrees of sovereign cloud cover - ensuring that all sensitive and critical data, such as Aadhaar, Voter ID, UPI and PAN, are completely kept off commercial public cloud providers and hosted only on fully sovereign, legally immune cloud systems.

In a March 20 office memorandum on 'Guidelines for Cloud Selection Framework', the Ministry of Electronics and Information Technology (MeitY) asked all ministries and departments to classify their applications and data as per the home ministry's National Information Security Policy & Guidelines before selecting any cloud service.Also Read: Data centre certification push to be tailored to make it AI ready

The order has pointed to essentially three categories - 'top secret', category A and category B. 'Top secret' and 'secret' data/information is strictly "not permitted to be hosted on cloud" platforms at all. All other applications and data are to be classified into category A and category B.

Category A, MeitY said, will include all data whose "unauthorised disclosure" can cause "damage to security of the organisation" and its functioning, and where any compromise can cause "serious harm to national security or national interests, disrupt government operations, business continuity, and result in financial losses". This would include Aadhaar, e-courts, PAN, passport, railways, tax systems, UPI and voter ID at the central level as well as land records, revenue courts, treasury, and jail records at the state level. These are now to be hosted either on government cloud services such as those provided by the National Informatics Centre or state cloud centres. The only other option will be sovereign cloud providers notified by MeitY as it will be backed by government vetting.


Category B will include applications and data meant primarily for official use that may not require strict protection against disclosure. This would include information that can be disclosed under the Right to Information Act, subject to the Digital Personal Data Protection Act. Data related to welfare schemes, websites, public grievances, feedback and events will fall under this category.

To ease cloud onboarding on MeitY-backed service providers, ministries will be allowed to take a faster "nomination" route instead of the time-consuming global tendering process.

The categorisation comes amid continued expansion of India's digital public infrastructure. Currently, much of this data is stored on off-the-shelf cloud systems, often of foreign origins, raising concerns over "backdoor access" to the database, officials in the know said. "The idea is to fully insulate confidential datasets and ensure there is no legal obligation to share that with any other entity. Sovereign capabilities have to be built domestically so that control and access are not in anyone else's hands," a senior official told ET.