Australian government cloud mandate sparks migration warnings
As Australia prepares to enforce its whole-of-government cloud policy, industry experts warn agencies against rushed migrations, vendor lock-in and treating AI readiness as an afterthought
Australia’s whole-of-government cloud policy comes into effect on 1 July 2026, establishing cloud as the default when modernising IT infrastructure. The policy document, prepared by the Digital Transformation Agency (DTA), sets out five broad requirements.
They include the need for government entities to prioritise cloud technologies when modernising IT infrastructure; tap cloud technologies to drive innovation, including artificial intelligence (AI); adopt cloud securely and responsibly; actively manage and optimise cloud computing costs; and nurture cloud skills across the Australian Public Service (APS).
The first specific requirement of the modernisation policy is for agencies to adopt cloud solutions for all new digital and ICT initiatives and upgrades unless an alternative is justified.
However, Gartner director-analyst Adrian Wong warned that a blanket mandate overlooks the reality that an application or workload component may simply be a poor fit for a cloud solution. Legacy applications, for example, often fail to fully utilise cloud computing capabilities. This makes them technically mismatched and sometimes unexpectedly more expensive to run in the cloud than in a local datacentre.
There is cause for concern. Wong pointed out that while the policy frames this as a transition away from ageing systems rather than a strict requirement to migrate every existing legacy app to the cloud, aggressive timelines can drive poor decision-making.
If organisations feel rushed, especially if they lack adequate cloud planning and architectural expertise, they are more likely to pursue poorly conceived lift-and-shift migrations. These hurried efforts frequently fail to meet expectations and form the basis for cloud project failures.
The reasons for such failures, according to a Gartner report on handling cloud project failures, include workloads being inappropriate for the cloud, poorly chosen providers, bad design or implementation, inaccurate cost estimates and integration issues.
Some factors make workloads inherently more suited to on-premise deployment, Wong noted. These include high sensitivity to latency; strict data residency, compliance or sovereignty mandates that cannot be satisfied with public cloud solutions; unique service-level agreements that cloud providers might not be able to meet; and environments requiring enterprise-controlled assets.
“Ultimately, avoiding cloud dissatisfaction requires agencies to have the time and flexibility to perform a detailed application portfolio analysis. While prioritising modern cloud solutions is a strong strategic aspiration, enforcing rigid decommissioning pressures risks forcing bad long-term fits just to satisfy policy requirements,” Wong warned.
Vinayak Sreedhar, country manager for Australia and New Zealand (ANZ) at ManageEngine, an IT management and monitoring provider that serves federal, state and local government customers, said agencies shouldn’t underestimate the complexity of what lies ahead and that migrating away from legacy systems while ensuring ongoing compliance is no easy feat.
“The agencies most at risk are those without a clear picture of what’s being retired, when, and what is dependent on it,” Sreedhar said. “Moving fast without that clarity is how outages occur.”
AI and interoperability
Cloud platforms are seen as a way of creating a more connected, responsive and data-driven public sector, in part through the adoption of artificial intelligence (AI).
While prioritising modern cloud solutions is a strong strategic aspiration, enforcing rigid decommissioning pressures risks forcing bad long-term fits just to satisfy policy requirements
Adrian Wong, Gartner
While government entities are required to design for interoperability and portability to minimise supplier lock-in, they are only encouraged to ensure cloud services support open standards and application programming interfaces (APIs), and allow for data portability.
SUSE ANZ general manager Ben Henshaw suggested the language in the policy gives the impression that the DTA wants to avoid another “mother of all lock-in” situation that repeats historical problems with mainframes. Once data is locked into a particular cloud, it becomes very hard and costly to extract it into a format that can be deployed elsewhere.
Public clouds are designed as a “land grab” to capture as many departmental workloads as possible, Henshaw warned. “They’re not making it easy to get out because why would they? It’s not in their commercial interest to be open, interoperable, more standard spaces.” For example, hyperscalers each have their own domain-specific languages for creating templates that specify operating systems and software for virtual machines.
The government cloud policy highlights the design and procurement principles of selecting architectures that are open, interoperable, contestable and portable – ideally without needing to hire a thousand consultants for a replatforming exercise – but that remains a challenge, he suggested.
Part of the problem for governments and businesses alike is that a vast amount of money is spent simply keeping the lights on and upgrading, rather than on innovation. Replatforming with low cost and effort is the “secret sauce” of open source, and of companies like SUSE, because they are agnostic, Henshaw said. This allows agencies to spend more time deploying new features rather than draining budgets on system upgrades.
While SUSE’s cloud provider partners offer utility, Henshaw admitted they also pose risks and add cost because they rely on proprietary technology stacks, creating complications for multicloud environments. Departments such as education, health, defence, home affairs and Services Australia are complex organisations with vast use cases, and cannot source all their capabilities from a single provider like Amazon Web Services, Google Cloud, Microsoft Azure, Oracle or SAP. This makes interoperability, portability and integration vital.
Agentic AI is also gaining attention as a way to automate workflows. Different systems within a process will use different large language models (LLMs) of varying sizes, meaning data processing needs will be highly varied. At one extreme, soldiers have disconnected, intermittent and limited (DIL) access to remote systems, meaning processing must be done locally. At the other extreme, the health department processes large volumes of records to determine benefits or treatments.
With many LLMs available, both open source and proprietary, Henshaw said it is incredibly important for governments to retain sovereign control over their data and models. Governments are looking to open source LLMs to access the code, ensure explainability and govern the models.
According to Sreedhar, the explicit push to embed AI readiness across cloud platforms is forward thinking and necessary, but it isn’t a switch organisations can simply flip post-migration.
“How is the data structured, governed and stored? How much compute is being provisioned? And how will models eventually be deployed? These questions require deliberate architectural decisions from day one,” Sreedhar said. “Those that treat AI as a future add-on rather than a current design requirement will be hit with expensive infrastructure rebuilds in a few years’ time. The time to get this right is during the transition, not after.”
Security considerations
Henshaw pointed out that federal government agencies will have to navigate the cloud transition whether it proves hard or easy, especially when it comes to security.
“No one wants to be on the front page of the newspaper. Nobody wants to be the person who accidentally put information out into a public AI system that caused a whole lot of sovereign angst,” he said. A modern, defensible architecture is an essential, non-negotiable requirement for hosting and running AI workloads safely and securely.
As a supplier, part of SUSE’s job is to help government departments apply a modern defensible architecture, adhering to Essential Eight principles, the Australian Signals Directorate’s information security manual and ISO 27001. This ensures a zero-trust architecture that is portable, composable and interoperable. Without this, Henshaw suggested, federal agencies will lag in their ability to tap the technical benefits of AI.
Sreedhar warned that the sheer scale of the transition creates a much larger attack surface. Recent cyber security legislative reforms have sharpened obligations for critical infrastructure operators to protect business-critical data, but agencies should treat those obligations as a mere baseline.
“The vulnerability we see most often in cloud transitions isn’t technical – it’s the gap between IT teams and security teams during the migration itself,” Sreedhar said. “Security architects need to be part of the transition from procurement through to go-live and beyond.”
Skills uplift
A policy framework is only as good as the people who put it into practice, Sreedhar observed. The DTA has been clear that agencies must build the skills, infrastructure and governance required to meet community expectations, yet workforce capability is almost always the most underfunded component of digital transformation.
Getting the technology right matters, but so does building a public service that understands and owns what it’s building
Vinayak Sreedhar, ManageEngine
Agencies should be evaluating their internal capability right now, well ahead of the 1 July deadline, and investing in genuine skills uplift where gaps exist.
“Getting the technology right matters, but so does building a public service that understands and owns what it’s building,” Sreedhar said. This is especially vital for the policy’s fifth requirement, which explicitly demands agencies nurture cloud skills across the APS.
“Agencies won’t be able to satisfy the policy simply by pointing to cloud deployments. That’s the easy part,” Sreedhar continued. “Agencies need genuine workforce development strategies and plans to close identified skills gaps. One of the ways we’re addressing this at ManageEngine is at the operational layer, helping staff build fluency with hands-on training and tools spanning infrastructure, security and FinOps – the disciplines the DTA has specifically and rightly called out.”
Reflecting on the skills mandate, Henshaw described this aspect of the policy as a strong starting point that offers good principles and guidelines. “It’s there not as a stick, but as a compass,” he said.
