The Bank of Tanzania (BoT) has released new regulations governing the adoption and use of cloud computing solutions by financial service providers, marking a significant step in modernizing the country’s financial sector while strengthening safeguards against cyber risks and data sovereignty concerns.
The framework seeks to provide regulatory clarity for financial institutions while reinforcing consumer protection and financial stability.
The new framework, titled “Cloud Computing Guidelines for Financial Service Providers, 2025”, has been issued under Section 71 of the Banking and Financial Institutions Act, 2006, and Section 56(3) of the National Payment Systems Act, 2015.
The guidelines provide detailed requirements for financial institutions intending to adopt cloud-based solutions and set clear criteria for approval, monitoring, and compliance.
BoT governor Emmanuel Mpawe Tutuba, who signed the guidelines in Dodoma last week, said the measures are designed to “facilitate the safe adoption of modern technology in the financial sector while safeguarding the interests of depositors, maintaining market confidence, and preserving systemic stability.”
The guidelines are expected to shape the digital strategies of banks, mobile money operators, microfinance institutions, and other regulated financial entities in the coming years, reinforcing Tanzania’s efforts to modernize its financial ecosystem in line with global best practices.
According to the BoT, the guidelines aim to strike a balance between fostering technological innovation and ensuring the safety, stability, and integrity of Tanzania’s financial system.
The central bank defines cloud computing as the outsourcing of IT systems to a network of remote servers hosted by a third party, accessible through the internet, rather than relying on in-house hardware and software investments. These services may be hosted in public, private, or hybrid models.
While cloud solutions offer efficiency and cost savings, the BoT stressed that adoption will be strictly vetted based on data residency requirements, cybersecurity risks, and other regulatory parameters.
The guidelines make a clear distinction between mission-critical and non-mission-critical systems.
Mission-critical systems—such as core banking platforms, payments infrastructure, and databases essential for operations—cannot be hosted outside Tanzania. The central bank emphasized that these systems must remain within local primary data centers or cloud providers with infrastructure inside the country.
On the other hand, non-mission-critical systems, which support auxiliary functions but are not vital for a financial institution’s survival, may be considered for cloud hosting subject to prior written approval from the Bank.
“This classification ensures that while financial service providers can leverage cloud efficiency, the core systems that sustain financial stability remain under national jurisdiction,” the Bank said.
Financial service providers intending to migrate non-mission-critical systems to the cloud must seek prior approval and demonstrate compliance with detailed evaluation criteria.
Institutions will be required to present a five-year cost-benefit analysis comparing cloud adoption with on-premises arrangements, outline datasets involved in the migration, and provide a clear cost allocation methodology. They must also demonstrate how the arrangement may affect their tariff structures, earnings, solvency, liquidity, and overall risk profile.
Due diligence on prospective cloud providers will form a central part of the assessment. Providers must prove strong cybersecurity protections such as encryption, multi-factor authentication, vulnerability management, and strict access controls.
They must also demonstrate compliance with relevant regulations, guarantee high uptime, offer flexible scalability, provide transparent billing, and show the ability to integrate seamlessly with the financial institution’s existing systems.
Importantly, the guidelines prohibit vendor lock-in, ensuring that financial institutions retain the ability to migrate outsourced services back to in-house systems or to another provider if needed.
Financial service providers that had already adopted cloud computing before the issuance of these guidelines have been given twelve months to apply for written approval or discontinue such arrangements.
The BoT also requires all cloud computing contracts to be in writing and approved by the Bank prior to implementation. Contracts must include detailed service level agreements, monitoring provisions, audit rights, and access rights for the Bank.
Among the mandatory contractual clauses are clear termination procedures, contingency arrangements for business continuity, provisions for data privacy and confidentiality, and exit strategies in case of insolvency or winding up of the cloud provider.
Furthermore, financial institutions will be expected to conduct annual reviews of their cloud providers to ensure operational stability, security compliance, and continuity preparedness.
Each financial institution must formulate and submit to the Bank a comprehensive cloud computing policy before adoption. The policy must address monitoring mechanisms, supervisory roles, dispute management, data recovery, acquisition processes, contingency planning, and exit strategies.
The Bank emphasized that “no cloud computing service is risk-free,” and urged institutions to adopt policies that embed risk management into their digital transformation strategies.
The guidelines also provide for tough sanctions against institutions or officials who breach the provisions. Penalties range from civil money fines, suspension of lending and investment operations, restrictions on deposit-taking, and disqualification of defaulting officers, to the ultimate sanction of license revocation.
The Bank further disapplied the Cloud Computing Guidelines for Financial Service Providers, 2023, replacing them with the 2025 version, which provides more detailed criteria and stricter oversight measures.
The issuance of these guidelines comes at a time when the financial services industry in Tanzania is increasingly embracing digital transformation. Cloud computing offers opportunities for innovation, efficiency, and improved customer services, but also raises risks related to cybersecurity, data control, and operational resilience.
© 2025 IPPMEDIA.COM. ALL RIGHTS RESERVED