Licensing20 February 2026Public consultation

MPTC Publishes Draft Licensing Framework for Commercial Data Centres

A draft framework for commercial data centre operations addresses licensing categories, technical resilience, security, customer disclosure and cross-border interconnection.

Scope

The draft framework covers commercial data centre operators offering colocation, cloud hosting or managed services to third-party customers. Captive facilities used by a single operating group are treated separately.

The distinction between operator, service provider and cloud customer is important because obligations attach to different actors in the stack.

Technical resilience

Baseline resilience expectations include redundant power, redundant cooling, environmental monitoring and documented business continuity arrangements. Alignment with recognised international tier or design standards is encouraged.

Where a facility departs from standard practice, the framework encourages documented explanation rather than silent deviation.

Security

Physical and information security controls should be commensurate with the sensitivity of hosted workloads. Third-party assurance reports are recognised as evidence of the controls in place.

Customer disclosure

Operators are expected to provide customers with clear information on the location of workloads, cross-border data flows, incident notification procedures and exit assistance in case of contract termination.

Cross-border interconnection

Cross-border network connectivity from a data centre may involve international capacity arrangements that require notification. The framework encourages open connectivity ecosystems while respecting the underlying capacity authorisation rules.

Legal and regulatory framework

The data centre licensing framework sits within Cambodia's broader telecommunications legal framework, principally the Law on Telecommunications (2015), the sub-decrees on licensing and spectrum management, and successive Prakas issued by the Ministry of Posts and Telecommunications and the Telecommunication Regulator of Cambodia.

Where a specific instrument has not yet been formally adopted, operators should read announcements together with existing licence conditions, general regulatory duties and international commitments Cambodia has undertaken through the ITU and ASEAN.

Because ministerial and regulatory instruments in Cambodia are frequently updated, compliance teams should not rely on a single Prakas in isolation but should trace the underlying legal basis and any amending texts before assuming a rule applies.

Who is affected

Cambodia-licensed mobile network operators, fixed operators, internet service providers, tower and passive-infrastructure providers, satellite and VSAT operators, equipment importers and vendors, enterprise connectivity buyers and investors evaluating market entry should all monitor the data centre licensing.

Foreign companies providing cross-border digital services to Cambodian customers should also assess whether their commercial model creates a nexus that brings them within scope, even if they do not hold a Cambodian licence.

Group companies with a Cambodian subsidiary should ensure that head-office compliance policies are localised and do not simply mirror requirements from another jurisdiction, as Cambodian requirements often differ in detail even where the overall policy objective is similar.

Practical compliance considerations

Operators should map current internal practices against the direction of the data centre licensing framework and identify areas where documentation, disclosures, contracts, technical measures or governance need to be strengthened.

A written internal impact assessment — capturing which business lines are affected, which teams own each obligation, and what evidence would be produced in a regulator inspection — is a low-cost step that materially improves readiness.

Where obligations are not yet in force, boards and executive committees should be briefed on likely direction of travel so that budget cycles, procurement decisions and vendor contracts already reflect anticipated requirements rather than being retrofitted later at higher cost.

Interaction with other regimes

The data centre licensing framework does not operate in isolation. Companies should consider how it intersects with data protection expectations, cybersecurity obligations, consumer-protection rules, tax and foreign-exchange controls, and — where relevant — sectoral rules for banking, e-commerce or critical infrastructure.

Contracts with vendors, roaming partners, tower companies, cloud providers and interconnection counterparties should be reviewed to allocate responsibility and cost for any additional obligations that arise.

For groups operating in multiple ASEAN jurisdictions, alignment with regional peers can reduce friction, but Cambodia-specific carve-outs are usually required rather than a purely regional template.

Timing and monitoring

The regulatory calendar in Cambodia often compresses between announcement and effective date. Operators that wait for a formally adopted text before starting work frequently find themselves with only weeks to implement changes that require quarters of preparation.

Legal and compliance teams should establish a monitoring routine covering MPTC and TRC official channels, the Royal Gazette, and industry association updates, and should record the date each new document is reviewed together with a short internal note on its impact.

Where uncertainty remains, engaging early with the regulator through industry associations or bilateral technical meetings is usually more effective than waiting for enforcement action to clarify the intended interpretation.

How Lex Civora supports clients

Lex Civora advises Cambodia-licensed operators, foreign investors and vendors on the practical implications of the data centre licensing, including gap analyses against existing licence conditions, drafting of internal policies and customer-facing documentation, and structured engagement with MPTC and TRC.

For matters that touch adjacent regimes — data protection, cybersecurity, consumer protection, tax and foreign investment — we coordinate with specialist counsel so that the client receives a single integrated compliance view rather than fragmented advice.

Where a matter is time-sensitive, we can deliver a focused risk brief within a short timeframe to inform board or investment-committee decisions while the full compliance workstream is being scoped.

Last verified: 14 July 2026

This article is provided for general information only and does not constitute legal advice. Regulatory positions may change; readers should verify obligations against the current official publication or seek professional advice before acting.

Related insights