Cloud Migration in Australia: Navigating IRAP and Sovereign Cloud Requirements
Australian enterprises face unique cloud migration challenges shaped by IRAP assessments, sovereign data mandates, and sector-specific compliance. Learn how to build a cloud strategy that satisfies regulators while unlocking scalability across mining, banking, and government.

Australia's cloud computing market is projected to exceed AUD 20 billion by 2027, driven by digital transformation mandates across government, financial services, and resources sectors. Yet migrating to the cloud in Australia is not simply a lift-and-shift exercise. Organisations must contend with the Information Security Registered Assessors Program (IRAP), the Hosting Certification Framework, and evolving sovereign data requirements that dictate where and how sensitive workloads can run. For enterprises operating in regulated industries, the path to cloud demands careful planning, deep compliance knowledge, and architecture decisions that balance agility with sovereignty.
Understanding IRAP and the Hosting Certification Framework
IRAP is the Australian Signals Directorate's (ASD) mechanism for independently assessing the security posture of cloud service providers. Any organisation handling government data classified at PROTECTED or above must use cloud services that have been assessed by an IRAP assessor against the Information Security Manual (ISM). AWS, Microsoft Azure, and Google Cloud all maintain IRAP-assessed regions in Sydney and Melbourne, but the scope of assessed services varies significantly between providers. Understanding exactly which services carry IRAP assessment coverage, and which do not, is critical before architecting workloads. A common mistake is assuming that an entire cloud platform is IRAP-assessed when only a subset of services within specific regions holds that status.
The Hosting Certification Framework, introduced by the Digital Transformation Agency (DTA), adds another layer. It classifies hosting providers into tiers based on their ability to handle different data classifications. Certified Strategic providers can host data up to PROTECTED, while Certified Assured providers handle up to OFFICIAL: Sensitive. Enterprises pursuing government contracts or handling citizen data must map their workloads to the appropriate certification tier, ensuring their chosen cloud provider and region meet the required standard.
Sovereign Cloud: What It Really Means in Australia
Sovereign cloud has become a buzzword, but in the Australian context it carries specific legal and operational weight. True sovereign cloud means data residency within Australian borders, operational control by Australian-cleared personnel, and immunity from foreign jurisdiction orders such as the US CLOUD Act. AUCloud, Vault Cloud, and Macquarie Government have built dedicated sovereign cloud platforms targeting defence and federal agencies. Meanwhile, the hyperscalers have responded with dedicated sovereign regions. Azure's Australian regions offer data residency guarantees, and AWS has established a dedicated Sydney region with IRAP-assessed services. The key question for enterprises is whether their workloads genuinely require sovereign infrastructure or whether IRAP-assessed hyperscaler regions provide sufficient assurance. Over-specifying sovereignty requirements can inflate costs by 30 to 50 percent without delivering proportionate risk reduction.
Cloud Migration Patterns for Australian Mining and Resources
The mining and resources sector, concentrated in Perth and across Western Australia, presents unique cloud migration challenges. Remote mine sites with limited connectivity demand hybrid architectures that combine edge computing at the pit face with centralised cloud analytics in Perth or Sydney. Companies like BHP, Rio Tinto, and Fortescue have adopted multi-cloud strategies, running operational technology workloads on private infrastructure while pushing analytics, machine learning, and corporate systems to the public cloud. Latency-sensitive applications such as autonomous haulage systems and real-time ore grade analysis require edge nodes with local processing, synchronising data to the cloud during connectivity windows. AWS Outposts and Azure Stack HCI have gained traction in this space, offering cloud-consistent infrastructure that can operate in disconnected or intermittently connected environments.
Financial Services Cloud: APRA CPS 234 and Beyond
Australian banks and insurers operate under the Australian Prudential Regulation Authority's CPS 234, which mandates specific information security capabilities for entities handling financial data. Cloud migrations in banking must address CPS 234's requirements for asset classification, access controls, incident management, and third-party risk management. The Big Four banks, Commonwealth Bank, Westpac, NAB, and ANZ, have all committed to significant cloud adoption, but each has taken a different path. CBA's partnership with AWS and Microsoft, and NAB's multi-cloud strategy, reflect the sector's recognition that cloud is no longer optional. For mid-tier banks and fintechs operating out of Sydney and Melbourne, cloud-native architectures offer competitive advantages in time-to-market and scalability, provided they can demonstrate APRA compliance throughout the migration lifecycle.
- Map every workload against IRAP assessment scope and Hosting Certification Framework tiers before selecting cloud services
- Evaluate whether sovereign cloud is a genuine regulatory requirement or an assumed preference, and right-size your sovereignty posture accordingly
- Design hybrid architectures for remote and edge use cases, particularly in mining and resources where connectivity is intermittent
- Address APRA CPS 234 requirements early in financial services migrations, embedding compliance controls into CI/CD pipelines
- Establish data residency controls using cloud-native policy engines to prevent accidental data egress from Australian regions
- Plan for multi-region resilience within Australia, leveraging Sydney and Melbourne availability zones for disaster recovery
- Engage IRAP assessors early in the migration program to avoid costly rearchitecture after assessment findings
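
A pre-deployment gate of the kind the checklist above calls for, as an added example that is not part of the original article: it checks each workload's classification against its hosting tier, its region against an Australian allowlist, and its services against an assessed-service scope. The `Workload` and `gate` names, the scope table and the inventory are hypothetical and constructed; the real scope must come from the provider's current IRAP assessment report.

```python
from dataclasses import dataclass

# Classification ladder, lowest to highest (only the markings the article names).
LEVELS = ["OFFICIAL", "OFFICIAL: Sensitive", "PROTECTED"]
# Highest classification each Hosting Certification Framework tier may host, as stated in the article.
TIER_CEILING = {"Certified Assured": "OFFICIAL: Sensitive", "Certified Strategic": "PROTECTED"}
# AWS region identifiers for Sydney and Melbourne.
AU_REGIONS = {"ap-southeast-2", "ap-southeast-4"}
# PLACEHOLDER scope (constructed): replace with the service list from the current IRAP report.
ASSESSED_SERVICES = {"ap-southeast-2": {"s3", "ec2", "rds"}, "ap-southeast-4": {"s3", "ec2"}}

@dataclass
class Workload:
    name: str
    classification: str
    hosting_tier: str
    region: str
    services: tuple

def findings(w):
    """Return a list of human-readable compliance findings for one workload."""
    if w.classification not in LEVELS:
        return [f"{w.name}: unknown classification {w.classification!r}"]
    out = []
    ceiling = TIER_CEILING.get(w.hosting_tier)
    if ceiling is None:
        out.append(f"{w.name}: hosting tier {w.hosting_tier!r} is not certified")
    elif LEVELS.index(w.classification) > LEVELS.index(ceiling):
        out.append(f"{w.name}: {w.classification} exceeds {w.hosting_tier} ceiling ({ceiling})")
    if w.region not in AU_REGIONS:
        out.append(f"{w.name}: region {w.region} is outside the Australian allowlist")
    elif w.classification == "PROTECTED":
        # The article requires IRAP-assessed services for PROTECTED data.
        gap = sorted(set(w.services) - ASSESSED_SERVICES.get(w.region, set()))
        if gap:
            out.append(f"{w.name}: services outside assessed scope in {w.region}: {gap}")
    return out

def gate(inventory):
    """Map workload name to findings; an empty dict means the plan may proceed."""
    report = {w.name: findings(w) for w in inventory}
    return {name: items for name, items in report.items() if items}

# Constructed inventory for illustration only.
INVENTORY = [
    Workload("payroll-db", "PROTECTED", "Certified Strategic", "ap-southeast-2", ("rds", "s3")),
    Workload("citizen-portal", "PROTECTED", "Certified Assured", "ap-southeast-4", ("ec2", "rds")),
    Workload("analytics", "OFFICIAL", "Certified Assured", "us-east-1", ("s3",)),
]
```

Run in a CI/CD stage, a non-empty result from `gate(INVENTORY)` fails the build before any resource is provisioned.
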
Government Cloud Adoption: The Canberra Perspective
Federal government agencies based in Canberra have accelerated cloud adoption under the Digital Transformation Agency's cloud-first policy. However, government cloud migration is layered with additional requirements including security clearance mandates for operations staff, data sovereignty guarantees, and integration with legacy systems that may have been running for decades. The Protected Utility Program has driven standardised desktop and productivity workloads to cloud, while mission-critical systems require bespoke migration approaches. State governments in New South Wales, Victoria, and Queensland have launched their own cloud strategies, creating a fragmented but maturing public sector cloud landscape that demands nuanced navigation.
Building a Migration Roadmap That Works
Successful cloud migration in Australia requires a phased roadmap that sequences workloads by complexity, compliance requirements, and business value. Start with non-sensitive workloads to build organisational capability and cloud maturity, then progress to regulated workloads once governance frameworks are proven. Invest in cloud centre-of-excellence teams that understand both the technical and regulatory landscape. Train architects in ISM controls, IRAP processes, and sector-specific regulations. Most importantly, treat cloud migration not as a technology project but as a business transformation that reshapes how your organisation operates, innovates, and competes in the Australian market.



