In a move that blends geopolitics with digital ambition, Iran’s Information Technology Organization (ITOI) has reopened its doors to cloud service providers. The government agency issued a public notice seeking qualified vendors to support national IT systems, aiming to form an approved panel of at least three cloud operators capable of delivering everything from infrastructure to software services.
What stands out isn’t just the request itself, but the criteria. Despite long-standing tensions with the United States, ITOI explicitly requires cloud companies to meet the NIST SP 800-145 definition of cloud computing—an American standard from the National Institute of Standards and Technology. Alongside that, the agency is asking for compliance with global security benchmarks like ISO 27017 and ISO 27018, which focus on cloud safety and the protection of personal data.
It’s a sharp turn for a country often isolated from the global tech ecosystem. ITOI is casting a wide net, welcoming firms that offer private, public, hybrid, or community cloud models. Specialized services such as cloud migration, monitoring, and security are also in demand. Those that pass the evaluation will receive a government-issued “cloud service rating certificate,” effectively granting them a license to serve Iran’s public sector.
The timing of this move speaks volumes. ITOI’s silence during Iran’s 12-day internet blackout—sparked by cyberattacks during its conflict with Israel and the U.S.—left its digital strategy unclear. Now that its public channels are active again, this outreach feels like more than routine procurement. It suggests a reset, likely driven by both internal vulnerabilities and external pressure to modernize.
Even so, it’s unclear if any international vendors will actually participate. There are still significant legal barriers, especially in Western countries—sanctions make collaboration genuinely risky. Still, Iran aligning its practices with standards from organizations like NIST signals a calculated attempt to position its cloud sector as legitimate. Ultimately, the real measure will be whether this technical credibility can overcome years of entrenched geopolitical issues.
