DICT Cloud Shutdown Exposes Sovereignty Risk

What It Means

• The DICT cloud shutdown disabled 12 of 28 government digital systems because the agency could not afford additional cloud server capacity, forcing eGovPH offline twice in mid-April.
• DICT runs about 3,000 servers on a single cloud subscription, with 95 percent of that capacity hosting platforms owned by other agencies, meaning the agency pays the bill for systems it does not own.
• Around 90 percent of Philippine government data sits abroad, mostly in Singapore, with the country spending roughly ₱12 billion a year on foreign cloud services.
• BSP-licensed banks and e-wallets that integrated National ID e-Verify into their KYC pipelines now carry silent operational risk every time the eGovPH backend buckles.
• The next outage is not a question of if, but when. The 2026 budget cycle does not resolve this, and private institutions need their own contingency for government-hosted identity infrastructure.

DICT Undersecretary David Almirol Jr. told the Senate PROTECT Committee on April 29 that the agency had to disable 12 government digital systems because it could not afford to subscribe to a higher tier of cloud server capacity. The DICT cloud shutdown followed two eGovPH outages in mid-April. The first lasted close to five hours. The second ran six hours the following day. Both happened after the digital National ID e-Verify platform integrated with banks, GCash, Maya, and the DSWD.

DICT released a statement the next day calling it an “unexpected surge in user activity.” That framing does not survive contact with the facts.

The DICT Cloud Shutdown Was Not a Surprise. It Was a Stress Test the System Failed

A national platform should not treat high usage as an anomaly. High usage is the baseline. eGovPH was built to be the front door to government services. Forty million Filipinos have already downloaded it. Ninety million are registered on the National ID e-Verify platform. If a usage surge can take a system like this offline, the problem is not the surge. The problem is capacity planning that was either inadequate or ignored.

The DICT cloud shutdown also conflates two different root causes into one explanation. One is a capacity planning failure. The other is a funding and governance failure. The agency is treating them as the same story because separating them would expose decisions that should not have been made. They are not the same story.

The capacity planning failure is straightforward. eGovPH onboarded e-wallet integrators and government agencies on a single shared cloud subscription. Almirol himself acknowledged this in Filipino during the hearing: when banks, GCash, Maya, and DSWD activated the National ID verification simultaneously, the system got overwhelmed. That is not a usage anomaly. That is what happens when integration runs ahead of infrastructure.

The funding and governance failure is more uncomfortable. ₱500 million was allocated for the digital National ID under the 2025 General Appropriations Act. The Department of Budget and Management did not release the funds because DICT failed to meet its budget utilization rate. A 2024 Congressional Policy and Budget Research Department analysis found the agency left ₱5.84 billion of its 2023 budget unspent. So the agency that ran out of cloud capacity is also the agency that could not spend the money it had been given for adjacent projects. Both things are true at the same time.

This is a governance gap, not a budget shortage. A platform of this scale should not operate in a state where funding uncertainty affects reliability. That is a structural failure, not a temporary issue.

A Single Cloud Subscription, 28 Platforms, 1,000 LGUs

The architecture itself is the bigger story. DICT manages 28 platforms on its eGov cloud, including the eGovPH app, the digital national ID, e-Verify, eLGU platforms used by roughly 1,000 local government units, the eGov AI assistant, and beneficiary verification systems used by DSWD. About 3,000 servers run on this infrastructure. Almirol told senators that 95 percent of those servers host systems owned by other agencies. DICT, in his words, is paying the subscription for everyone else.

There is no isolation between public-service load and private-sector verification load. When GCash, Maya, GoTyme, UnionDigital, and the DSWD 4Ps program all hit the same backend at the same time, the LGU running its citizen permit system on the same cloud goes down with them. So does the BIR Digital TIN ID. So does the eGovAI assistant. The architecture treats all of them as equal traffic on a shared rail.

This is single-point-of-failure design at national scale. It saves money on the procurement line. It accumulates risk on the operational line.

The Sovereignty Exposure Behind the Outage

Around 90 percent of Philippine government data sits in foreign cloud infrastructure, mostly in Singapore data centers. The country spends roughly ₱12 billion a year on these services. This was disclosed during the House budget deliberations on September 30, 2025, when DICT and lawmakers both flagged it as a national security risk.

The numbers around domestic capacity are equally telling. DICT submitted a ₱2.3 billion request in 2024 for data center management. DBM approved ₱750 million. Almirol said publicly that the ideal allocation would be ₱15 billion. The agency requested ₱10.43 billion in the 2025 National Expenditure Program for the National Government Portal and the e-Government System Development program. None of this has produced a single domestic government data center. DICT itself confirmed that not one facility has been built.

So the digital identity records of more than 91 million Filipinos sit on infrastructure governed by a foreign jurisdiction. The platform that verifies those identities runs on a shared cloud the host agency cannot afford to scale. And the proposed solution, building domestic data centers at roughly ₱2.5 billion a year over three years, has been requested for years and consistently underfunded.

This is what cloud sovereignty risk looks like in operational terms. It is not a future problem. The DICT cloud shutdown made it current.

Private Banks and Fintechs Are Now Silently Exposed

The actor class most affected by this is one that does not show up in the news coverage: BSP-licensed financial institutions that integrated National ID e-Verify into their KYC pipelines.

Almirol said 91 million Filipinos are registered on the e-Verify platform, and that banks, GCash, Maya, and DSWD all activated the integration around the same time. That integration is not optional in a regulatory sense. BSP encourages National ID use. AMLC is tightening identity verification standards. The SIM Registration Act pulled telcos and digital platforms into the same identity infrastructure. The push toward National ID verification is structural across the entire BFSI sector.

When the eGovPH backend buckles, every institution running KYC against it absorbs the cost. A digital bank processing 50,000 verifications a day cannot tolerate a six-hour outage without revenue impact, customer service load, and BSP exposure on KYC completion timelines. Those institutions did not price this risk into their compliance models. They built integration assuming reliability. They got a single cloud subscription that the host agency cannot afford to scale.

There is no service-level agreement on this. There is no audit pathway. There is no compensation mechanism when DICT goes down. Private institutions have been pulled into a forced dependency on government-hosted infrastructure they cannot influence.

What Operators Should Watch

The 2026 budget cycle will determine whether DICT gets a discretionary capacity increase or continues operating under the same constraints into 2027. DBM Undersecretary Mary Anne dela Vega told senators that 95 percent of the 2026 DICT budget had already been released, but Senator Bam Aquino clarified that the issue at hand was the unreleased 2025 allocation. Those two things together describe a coordination problem between DICT and DBM that has not been resolved at the operational level.

For private institutions, the practical signal is straightforward. If your KYC pipeline depends on National ID e-Verify, you carry undisclosed operational risk every time the eGovPH cloud is under load. Internal contingency planning should assume periodic unavailability. BSP examiners will eventually ask about it. Customers will notice it sooner.

DICT closed its April 30 statement with a line about commitment to “secure, reliable, and accessible” digital public services. Reliability is not declared. It is demonstrated under stress. The system was stress tested twice in mid-April and failed both times. Until that is acknowledged plainly, every future enhancement will sound like a patch, not a solution.

More developments that reshape the operating environment in National Signal section of Hemos PH.