Veronika Kosareva, Product Manager at UzCloud
A few years ago, choosing a cloud provider for an Uzbek company was simple: Digital Ocean, Hetzner, AWS — cheap, fast, familiar. That choice is no longer straightforward. It's not about the quality of global services — it's a new reality: local legislation and strict regulatory requirements now dictate the terms. Cost and data transfer speed are no longer the only criteria. Today, legal security and strict compliance with government standards have come to the forefront.
Legal considerations
The starting point is Law No. 547 of the Republic of Uzbekistan "On Personal Data" (ZRU-547). It requires personal data operators to store and process data of Uzbekistan citizens on servers physically located within the country.
If your application collects names, phone numbers, addresses, or payment data of Uzbekistan citizens, that data must be stored on servers inside the country. Foreign servers — such as AWS European regions — do not meet this requirement. Violations carry administrative fines and suspension of systems by the regulator.
Alongside the core personal data law, sector-specific regulations are in effect. For the financial sector, there are three key documents:
- Law No. ZRU-964 (2024) establishes unified cybersecurity standards for banks, non-bank credit organizations, and payment system operators. Banks can now face sanctions not only for data breaches but also for any cyber incident.
- Central Bank Resolution No. 19/1 (2025) requires banks to host all databases and servers on the bank's premises, its branches, other banks, the Central Bank's cloud data centers, or government data centers. Global platforms like AWS or Azure are not adapted to these requirements.
- Central Bank Resolution No. 13/1 (2024) sets specific technical and organizational requirements for payment system operators and payment service providers.
Key infrastructure requirements:
- All primary and backup information systems must be physically deployed within the Republic of Uzbekistan
- For systemically significant payment organizations, the backup data center must be at least 50 km from the primary one; for other market participants — no closer than 5 km
- All information systems working with international payment systems must comply with the PCI DSS standard
The final regulatory layer — Law No. ZRU-764 "On Cybersecurity" (2022) and Presidential Decree No. PP-167 (2023) — firmly established the status of critical information infrastructure (CII) objects. For banks, telecom, the public sector, and energy, mandatory backup, incident monitoring, and strict access control have become baseline requirements for legitimate operation.
The established regulatory framework changes the logic of IT infrastructure selection. Today, using a foreign cloud requires complex compliance setup from local businesses. A sovereign cloud, on the other hand, addresses the issue of regulatory compatibility from the very start.
Access speed
For companies operating in the local market, the geographic distance of infrastructure directly translates into high network latency. For example, a server in Frankfurt or Moscow produces latency of 60 ms or higher to an end user in Uzbekistan, according to WonderNetwork. While these delays remain acceptable for most standard web resources, for fintech transactions, real-time APIs, and high-load government systems, this leads to a noticeable drop in performance and service quality.
A foreign provider wins if you serve an audience outside Uzbekistan — speed and availability for international users will be higher.
Payment for services
Invoices from foreign providers come in dollars or euros — and every payment automatically becomes a foreign currency transaction. Conversion costs, bank fees, and exchange rate fluctuations are added to the service cost, which can significantly inflate the final amount during volatile periods. A separate risk is the payment process itself: many companies use intermediaries or virtual card schemes, adding opacity and operational risks.
Working with a local provider completely eliminates currency risks. Direct settlements in the national currency without intermediaries or conversion make the IT budget transparent and expenses predictable even in the long term.
Support and time zone
Technical incidents don't follow a work schedule. The time zone difference with foreign providers often leads to delayed responses: when your service goes down at 3 AM Tashkent time, the foreign provider is just starting their workday — waiting for a response stretches into hours, and the language barrier slows down diagnostics.
A local engineering team operates in the same time zone, speaks Russian and Uzbek, and understands the specifics of Uzbekistan's regulatory context.
Key takeaways
When choosing a cloud provider, Uzbek businesses today must consider multiple factors simultaneously: legal requirements, operational costs, access speed, and support quality. Foreign providers offer wide server geography and global coverage — and for companies with an international audience, these remain strong arguments.
For companies working with data of Uzbekistan citizens, choosing a local cloud becomes a conscious step toward legal resilience. Compliance with ZRU-547 standards and regulatory requirements is the foundation, complemented by the absence of currency risks, simplified payments, and support that operates in your rhythm and in your language.
Ultimately, the optimal cloud infrastructure configuration is determined by two key vectors: the geography of a business's market presence and the specifics of the current regulatory landscape. Companies that build the right data architecture now will avoid painful and costly migrations in the future.