Tanzania’s New Cloud Computing Framework: A Paradigm Shift for Financial Services

The Bank of Tanzania (BoT) has implemented updates to the use of cloud computing services by financial institutions. The new Cloud Computing Guidelines for Financial Service Providers, issued in August 2025, fully replace the previous 2023 framework. Public participation is currently ongoing, with the deadline for submissions set at 31st December 2025. 

The most notable change is the shift in regulatory tone. The 2023 guidelines provided descriptive advice to financial service providers (FSPs), while the 2025 version adopts a more stringent approach with mandatory compliance requirements. This change indicates Tanzania’s intention to strengthen oversight of cloud adoption in the financial sector. The new framework also introduces clear sanctions that were previously absent. The Bank now has the authority to impose civil penalties on non-compliant institutions, suspend operations, revoke licences, or remove directors and officers. These enforcement powers grant the central bank significant influence over financial institutions.

The 2025 guidelines simplify how systems are classified. Mission-critical systems now include “core functions” rather than specific examples. The previous framework listed customer deposit management, trade finance, and HR as examples. This broader language could create interpretation challenges. Non-mission-critical systems are similarly defined in general terms as “auxiliary functions”. The 2023 guidelines provided specific examples, like marketing and sales tools. Without these examples, financial institutions may find it difficult to classify their systems accurately. This ambiguity might lead to over-classification of systems as mission-critical.

A new requirement affects FSPs already using cloud services. These institutions must obtain written approval from the BoT within 12 months, or they risk stopping cloud adoption entirely. Creating a pre-approved list of providers could help FSPs using recognised providers to go through a simpler approval process. Such a system might reduce compliance burdens while still maintaining regulatory oversight.

Risk management remains central to the framework’s approach. FSPs must demonstrate robust risk assessment capabilities before adoption. They must show adequate fallback arrangements and business continuity planning. The guidelines require comprehensive service level agreements and audit rights. Data protection provisions remain mandatory in cloud arrangements. FSPs must ensure their cloud contracts include appropriate data safeguards. Exit strategies are also emphasised as important to prevent vendor lock-in. Institutions are mandated to ensure their cloud solutions can facilitate clear pathways to migrate to other solutions.

The enhanced regulatory framework is likely to create short-term challenges for cloud adoption across Tanzania’s financial sector. Financial service providers face higher compliance costs and operational complexity as they manage the new requirements. In contrast, the 12-month retroactive compliance deadline adds immediate financial pressure for existing cloud users who must either secure approval or switch from current arrangements. The vague language around system classifications adds to these difficulties, as risk-averse FSPs may interpret the rules too conservatively, unnecessarily limiting cloud deployment scope. 

This regulatory transition marks a pivotal moment at which active industry involvement can significantly impact implementation outcomes. Cloud providers and financial institutions should see the current consultation period as a strategic opportunity. They can shape practical regulatory interpretations during the implementation process. The industry should propose workable compliance frameworks that satisfy supervisory requirements. Stakeholders must advocate for balanced policies that support rather than hinder innovation. Early and meaningful participation in this regulatory dialogue will determine whether the guidelines facilitate or obstruct Tanzania’s financial sector digitalisation.

Tanzania’s new cloud computing framework demonstrates increasing regulatory maturity in emerging markets. Financial institutions now face a more intricate compliance environment. The framework’s effectiveness will depend on the specifics of its implementation. Providing clear guidance on system classifications would assist FSPs in making well-informed choices. A list of pre-approved providers might promote adoption while ensuring oversight. The Bank of Tanzania’s enforcement approach will ultimately shape the framework’s influence on cloud adoption in the country’s financial sector.