Thailand’s Digital Government Development Agency (DGA) has released drafts of two pivotal documents to guide Thai government agencies in adopting cloud technology and classifying data for cloud usage. These draft guidelines, open for public hearing through August 12, 2025, are part of the national “Go Cloud First” policy, which aims to accelerate digital transformation, improve efficiency, and ensure robust data security across the public sector. The new standards will have significant implications for both government agencies and cloud service providers operating in Thailand. Highlights of the draft guidelines are presented below. Government Cloud Usage Guidelines Cloud-first transformation: All government agencies are directed to prioritize cloud solutions for new IT projects, in line with the cabinet’s “Go Cloud First” policy. Cloud model selection: Agencies must assess their needs and select the most appropriate cloud deployment model—public, private, hybrid, or community cloud—based on the sensitivity of the data and operational requirements. Service types: The guidelines provide criteria for choosing between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), emphasizing the importance of using standard, non-customized services where possible. Cost management: Agencies are required to plan and separate cloud-related expenses, ensuring transparency and efficient budget allocation. Cloud migration: The guidelines outline the steps for migrating to the cloud and highlight the role of cloud service providers in facilitating the process, including supporting innovation and enabling smooth exit strategies. Procurement compliance: All cloud procurement must comply with public sector procurement laws and regulations. Only providers meeting government-mandated standards can be selected. Security and shared responsibility: The guidelines clarify the division of security responsibilities between cloud providers and government agencies. While providers manage infrastructure security, agencies remain responsible for data, application, and access controls. Legal framework: Agencies must comply with the Digital Government Administration Act, Cybersecurity