As of March 2026, at least 42 countries have enacted laws requiring some category of data to be stored within their national borders. That number was 35 in 2023. The acceleration is not a coincidence. It is the legislative expression of a geopolitical reality: data is power, and nations have decided that allowing their citizens’ data to reside in foreign jurisdictions – subject to foreign surveillance laws, foreign corporate governance, and foreign geopolitical interests – is an unacceptable sovereignty concession.

This map is a reference document. It catalogues the current state of data residency and data sovereignty requirements across the jurisdictions that matter most for technology companies, cloud infrastructure providers, and any organization processing personal data across borders. It is not legal advice. It is an intelligence assessment of the regulatory terrain, designed to inform architectural decisions about where data can go, where it cannot, and why the answer to that question is increasingly: nowhere outside the user’s own device.

Defining the Terms

Data sovereignty and data residency are related but distinct concepts, and the conflation of the two causes persistent confusion.

Data residency refers to requirements that data be stored in a specific geographic location. A data residency law might mandate that personal data of citizens be stored on servers physically located within the country. The data can potentially be accessed from elsewhere, but its storage location is fixed.

Data sovereignty is broader. It refers to the principle that data is subject to the laws and governance structures of the jurisdiction where it resides. Data sovereignty encompasses residency requirements but also extends to who can access the data, under what legal authority, and through what processes.

Data localization is the strictest variant: an absolute requirement that data not leave the country’s borders, sometimes prohibiting even temporary processing in foreign jurisdictions.

The distinction matters architecturally. A data residency requirement can be satisfied by running infrastructure in the required jurisdiction while maintaining centralized control from elsewhere. A data sovereignty requirement may demand that the infrastructure operator itself be subject to local law. A data localization requirement may prohibit cross-border data flows entirely, even for processing.

Europe: GDPR and Beyond

European Union

The GDPR does not mandate data localization within the EU. It restricts transfers of personal data to countries outside the European Economic Area unless an “adequacy decision” exists for the receiving country or an approved transfer mechanism (Standard Contractual Clauses, Binding Corporate Rules) is in place. As of 2026, the European Commission has issued adequacy decisions for 15 jurisdictions, including the United States (under the EU-U.S. Data Privacy Framework, adopted July 2023).

However, the practical landscape is more restrictive than the GDPR text suggests. The Schrems II decision invalidated the Privacy Shield framework in 2020, and while the Data Privacy Framework replaced it, legal challenges are ongoing. The Austrian NGO noyb filed a challenge to the DPF in September 2023, and the case is expected to reach the Court of Justice of the European Union by mid-2026. If the CJEU invalidates the DPF – as it invalidated Safe Harbor and Privacy Shield before it – transatlantic data transfers will once again lack a legal basis, effectively creating a de facto localization requirement for EU personal data.

The EU Data Act, which entered full application in September 2025, added a new layer by requiring cloud service providers to enable customers to switch providers and port data without excessive barriers. While not a sovereignty requirement per se, it reinforces the principle that EU organizations should be able to move data to EU-sovereign infrastructure on demand.

Multiple EU member states have imposed additional requirements beyond the GDPR baseline. Germany’s Federal Data Protection Act (BDSG) imposes stricter conditions on data processing by public sector entities, effectively requiring domestic processing for government data. France’s SecNumCloud certification, administered by ANSSI, has become a de facto requirement for government and critical infrastructure cloud contracts, and only providers with infrastructure and legal entities entirely within EU jurisdiction qualify. By January 2026, 14 providers had received SecNumCloud certification – none of them American.

Switzerland

Switzerland occupies a unique position. It is not an EU member state and is not subject to the GDPR directly, but its revised Federal Act on Data Protection (nFADP), effective September 2023, aligns closely with GDPR principles while reflecting Swiss constitutional privacy protections that predate the GDPR by decades.

Switzerland has an EU adequacy decision, meaning personal data can flow freely between the EU and Switzerland. But Swiss data protection law includes provisions that exceed GDPR requirements in certain areas, particularly regarding government surveillance. The Swiss Federal Intelligence Service (NDB) operates under significantly more restrictive legal constraints than the NSA (US), GCHQ (UK), or BND (Germany), and Swiss courts have consistently interpreted constitutional privacy protections broadly.

The combination of GDPR adequacy, constitutional privacy protections, strict surveillance limitations, and political neutrality has made Switzerland the jurisdiction of choice for privacy-sensitive infrastructure. Proton AG, Tresorit, Threema, and an increasing number of privacy-first companies are domiciled in Switzerland specifically because of this legal environment.

United Kingdom

Post-Brexit, the UK operates under its own Data Protection Act 2018 and the UK GDPR. The EU granted the UK an adequacy decision in June 2021, valid for four years and extended in 2025 for a further two years. However, the UK’s Investigatory Powers Act 2016 (the “Snooper’s Charter”) grants UK intelligence agencies broad data access powers that privacy advocates argue are incompatible with EU adequacy requirements.

The UK has not imposed data localization requirements for the private sector, but the National Cyber Security Centre (NCSC) has issued guidance recommending that UK government data be processed only in UK-based data centers operated by UK-headquartered providers. This soft requirement has hardened into procurement practice, effectively creating a public sector localization mandate.

Asia-Pacific: The Strictest Regimes

China

China’s data sovereignty framework is the most comprehensive and restrictive of any major economy. Three overlapping laws govern the space:

The Cybersecurity Law (2017) requires “critical information infrastructure operators” (CIIOs) to store personal data and “important data” collected within China on domestic servers. Cross-border transfers require a security assessment by the Cyberspace Administration of China (CAC).

The Data Security Law (2021) classifies data into tiers (core, important, general) and restricts cross-border transfers based on classification. “Core data” – defined as data affecting national security, economic lifelines, or public welfare – cannot leave China under any circumstances.

The Personal Information Protection Law (PIPL, 2021) imposes GDPR-like consent requirements plus a localization mandate for organizations processing personal information of more than one million Chinese residents. Cross-border transfers require either a CAC security assessment, a Personal Information Protection Certification, or Standard Contractual Clauses (modeled on but more restrictive than the EU’s SCCs).

In practice, the regulatory environment has tightened further since these laws were enacted. In March 2024, the CAC published updated rules requiring security assessments for any cross-border transfer of “important data” regardless of volume. The definition of “important data” remains deliberately broad, creating regulatory uncertainty that functions as a de facto localization incentive.

India

India’s Digital Personal Data Protection Act (DPDPA), enacted August 2023, does not impose blanket data localization but grants the central government power to restrict transfers of personal data to specified countries through executive notification. As of early 2026, no countries have been blacklisted, but the Reserve Bank of India (RBI) has mandated since 2018 that all payment data from transactions originating in India be stored exclusively on servers within India. This RBI mandate forced Visa, Mastercard, and numerous fintech companies to build Indian data center infrastructure.

The DPDPA’s transfer restriction framework – where the government can unilaterally add countries to a restricted list – creates ongoing uncertainty for organizations processing Indian personal data. The architectural response has been to default to Indian data residency even where not strictly required, because the cost of architecting for a potential future restriction is lower than the cost of emergency migration if a restriction is imposed.

Australia

Australia’s Privacy Act 1988, amended most recently in 2024, does not impose data localization but requires organizations to take “reasonable steps” to protect personal information transferred overseas. The Australian Prudential Regulation Authority (APRA) requires regulated financial entities to inform APRA before offshoring material data and to maintain the ability to repatriate data to Australian infrastructure within a defined timeframe.

The Australian government’s Hosting Certification Framework, introduced in 2023, requires that data classified as PROTECTED or above be stored in Australian data centers operated by certified providers. This effectively bars US hyperscalers from hosting the most sensitive government data unless they establish certified sovereign cloud operations.

Indonesia, Vietnam, and Southeast Asia

Indonesia’s Government Regulation No. 71 of 2019 requires “strategic electronic systems” to maintain local data centers and disaster recovery infrastructure within Indonesia. The scope of “strategic electronic systems” has expanded through subsequent regulations to include most public sector systems and significant private sector platforms.

Vietnam’s Decree 13/2023 requires local storage of personal data for any company providing services to Vietnamese users if Vietnamese authorities request data localization during an investigation. The trigger mechanism means companies must maintain local storage infrastructure on a contingency basis, even if not actively required.

Thailand’s Personal Data Protection Act (PDPA), fully enforced since June 2022, follows a consent-based transfer model similar to GDPR but includes provisions allowing the Thai government to designate countries as inadequate for data transfers – a power that has not yet been exercised but that creates latent localization risk.

The Americas: Federal Gaps and Sector Rules

United States

The United States has no comprehensive federal data privacy law and no general data localization requirement. This makes the US unusual among major economies and creates an asymmetric dynamic: the US demands and receives data flow access from other countries while imposing minimal restrictions on its own.

However, sector-specific requirements create patchwork localization effects. HIPAA does not mandate data localization for health data, but its security requirements and the liability framework create a strong incentive to keep health data within US-based, HIPAA-certified infrastructure. ITAR (International Traffic in Arms Regulations) strictly prohibits certain defense-related data from leaving US borders or being accessed by non-US persons. FedRAMP certification for government cloud services requires US-based infrastructure and US-person access controls.

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) further complicates the picture by asserting US government authority to compel US-headquartered companies to produce data regardless of where that data is physically stored. This extraterritorial reach is the primary reason European governments distrust US cloud providers with sovereign data, and it is the legal mechanism that the sovereign cloud movement is designed to circumvent.

Brazil

Brazil’s Lei Geral de Protecao de Dados (LGPD) follows the GDPR model, permitting cross-border transfers to countries with “adequate” data protection or under approved transfer mechanisms. Brazil’s data protection authority (ANPD) issued its first adequacy decisions in 2025, recognizing the EU, UK, and Switzerland. No blanket localization requirement exists, but Brazil’s Central Bank (BCB) requires that payment system data be accessible from Brazilian infrastructure with guaranteed availability.

Canada

Canada’s PIPEDA (and its provincial equivalents) does not mandate data localization, but British Columbia and Nova Scotia restrict public sector personal information to Canadian storage unless certain conditions are met. The proposed Consumer Privacy Protection Act (CPPA) would strengthen cross-border transfer requirements if enacted.

Middle East and Africa

Saudi Arabia

Saudi Arabia’s Personal Data Protection Law (PDPL), effective September 2023, requires that personal data be processed and stored within Saudi Arabia unless the Saudi Data and AI Authority (SDAIA) approves a cross-border transfer. Approval requires demonstrating that the receiving jurisdiction provides “adequate” data protection. As of early 2026, SDAIA has not published a formal adequacy list, creating de facto localization for organizations that cannot navigate the approval process.

UAE

The UAE’s federal data protection law (Federal Decree-Law No. 45 of 2021) permits cross-border transfers under adequacy or contractual safeguards, but the Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC) operate independent data protection regimes with their own transfer rules. The fragmentation across emirates and free zones means that data localization requirements in the UAE are effectively determined by the specific jurisdiction within the UAE where the data subject or processor is located.

South Africa

South Africa’s Protection of Personal Information Act (POPIA), fully enforced since July 2021, restricts cross-border transfers to jurisdictions with “adequate” data protection or under binding agreements. The Information Regulator has not issued formal adequacy determinations, creating practical uncertainty that encourages local processing.

Nigeria

Nigeria’s Data Protection Act 2023 requires critical data (undefined in specific terms) to be stored in Nigeria and restricts cross-border transfers without adequacy determinations or contractual safeguards. The Nigeria Data Protection Commission is still establishing enforcement infrastructure, but the legal framework is in place.

The Architectural Implications

The data sovereignty map reveals a world that is rapidly fragmenting along jurisdictional lines. The number of countries with some form of data localization requirement has grown from 35 to 42 in three years. No country has repealed a data localization law during this period. The direction of travel is unambiguous.

For organizations operating globally, the compliance landscape creates three architectural options:

Option 1: Jurisdictional Replication. Deploy separate infrastructure in every jurisdiction with localization requirements. This is the approach the hyperscalers are pursuing – AWS has 33 regions, Azure has 60+ regions, Google Cloud has 40 regions. The cost is enormous, the operational complexity is significant, and each new jurisdiction adds incremental expense. Only the largest organizations can afford this approach.

Option 2: Data Routing and Classification. Implement data classification systems that route different categories of data to different jurisdictions based on the applicable legal requirements. This is cheaper than full replication but requires sophisticated data governance infrastructure and creates a persistent risk of misclassification. A single misrouted data element can trigger regulatory liability.

Option 3: Eliminate the Data. If data does not persist, it does not have a residency. If the infrastructure retains nothing after processing, there is nothing to localize. Zero-persistence architecture does not solve the data sovereignty problem by distributing data to the right jurisdictions. It solves it by ensuring there is no data to distribute.

This third option is architecturally radical but legally elegant. A zero-knowledge proxy layer that processes encrypted data in RAM, returns results to the client, and retains nothing does not trigger data residency requirements because there is no data “at rest” to which residency requirements could apply. The data exists only in transit and only in encrypted form at the infrastructure layer. The plaintext exists only on the client’s device, which is inherently local.
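Option 2 above stands or falls on how the routing layer behaves when classification is wrong or a jurisdiction has no encoded rule. The following is an added example written for this page, not code from the original article or from Stealth Cloud: a small placement-policy check that encodes a handful of the rules described above (the RBI payment-data mandate, the Data Security Law's core-data prohibition, the GDPR adequacy model with the US, Switzerland and the UK on the adequacy list) and fails closed, so that an unlabelled record or an origin with no encoded rule is only permitted to stay in its own country. The country sets, rule encodings, and sample records are constructed and deliberately simplified; the real legal scope of each regime is broader than these few lines.

```python
"""Jurisdiction-aware data placement check (added example, not the page's or Stealth Cloud's code).

Rule encodings are simplified readings of the regimes the article describes;
country sets are partial and constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Category(Enum):
    PERSONAL = "personal"   # personal data of a natural person
    PAYMENT = "payment"     # payment/transaction data (RBI scope)
    CORE = "core"           # China Data Security Law "core data"
    PUBLIC = "public"       # no residency constraint


# Constructed, partial country sets; a real deployment loads these from a maintained source.
EEA = {"DE", "FR", "IE", "NL", "IT", "ES", "SE", "NO", "IS", "LI"}
# EU adequacy decisions described in the article: US (DPF), Switzerland, UK, among others.
EU_ADEQUACY = EEA | {"US", "CH", "GB"}
# DPDPA restricted-country list: empty as of early 2026 per the article, changeable by notification.
IN_RESTRICTED: set = set()


@dataclass(frozen=True)
class Record:
    record_id: str
    origin: str                   # country where the data subject / transaction originates
    category: Optional[Category]  # None = the classifier could not label this record
    destination: str              # country of the region where the record would be stored at rest


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


Rule = Callable[[Record], Decision]


def rule_eu(rec: Record) -> Decision:
    if rec.destination in EU_ADEQUACY:
        return Decision(True, "GDPR: destination is in the EEA or holds an adequacy decision")
    return Decision(False, "GDPR: no adequacy decision; SCCs/BCRs must be evidenced before routing")


def rule_in(rec: Record) -> Decision:
    if rec.category is Category.PAYMENT:
        return Decision(rec.destination == "IN", "RBI mandate: payment data stored only in India")
    if rec.destination in IN_RESTRICTED:
        return Decision(False, "DPDPA: destination is on the government's restricted list")
    return Decision(True, "DPDPA: no restriction currently notified for destination")


def rule_cn(rec: Record) -> Decision:
    if rec.category is Category.CORE:
        return Decision(rec.destination == "CN", "DSL: core data may not leave China")
    # Personal/important data needs a CAC mechanism; with none recorded, keep it in-country.
    return Decision(rec.destination == "CN", "PIPL/CSL: no CAC transfer mechanism on file; localize")


RULES: Dict[str, Rule] = {"IN": rule_in, "CN": rule_cn}
RULES.update({cc: rule_eu for cc in EEA})


def evaluate(rec: Record) -> Decision:
    """Decide whether storing rec at rec.destination is permitted. Fails closed."""
    if rec.category is None:
        # Misclassification is the failure mode Option 2 warns about: unlabelled data stays home.
        return Decision(rec.destination == rec.origin,
                        "unclassified record: in-origin storage only (fail closed)")
    if rec.category is Category.PUBLIC:
        return Decision(True, "public data: no residency constraint")
    rule = RULES.get(rec.origin)
    if rule is None:
        # No rule encoded for this origin: do not assume the transfer is lawful.
        return Decision(rec.destination == rec.origin,
                        "no rule encoded for origin: in-origin storage only (fail closed)")
    return rule(rec)


def audit(records: List[Record]) -> List[Tuple[str, str]]:
    """Return (record_id, reason) for every record whose planned placement is not allowed."""
    return [(rec.record_id, d.reason) for rec in records
            if not (d := evaluate(rec)).allowed]


# Constructed sample placements, as a routing layer might propose them.
SAMPLE = [
    Record("r1", "IN", Category.PAYMENT, "US"),   # RBI violation
    Record("r2", "IN", Category.PERSONAL, "US"),  # permitted today
    Record("r3", "DE", Category.PERSONAL, "US"),  # permitted under DPF adequacy
    Record("r4", "DE", Category.PERSONAL, "IN"),  # no adequacy decision
    Record("r5", "CN", Category.CORE, "CN"),      # in-country, permitted
    Record("r6", "FR", None, "US"),               # unclassified and leaving origin: blocked
    Record("r7", "BR", Category.PERSONAL, "US"),  # no rule encoded: blocked
]

if __name__ == "__main__":
    for rid, why in audit(SAMPLE):
        print(f"{rid}: {why}")
```

The design choice worth noting is the default: a routing layer that returns "allowed" for anything it cannot match converts every classifier gap into a cross-border transfer, which is exactly the misrouted-element liability the text describes. Failing closed trades availability for a bounded blast radius, and the audit output is the list a compliance owner reviews before a region rollout.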

The Stealth Cloud Perspective

The data sovereignty map is a document of political fragmentation and regulatory complexity. It describes a world where data has become a geopolitical asset, and nations are building legal walls to keep it within their borders. The compliance cost of navigating this landscape is substantial and growing. Every new localization requirement adds cost, complexity, and risk for any organization that processes data across borders.

Stealth Cloud’s architecture offers a different path through this landscape. Our zero-persistence, zero-knowledge design means that we do not store personal data in any jurisdiction. Encrypted data transits through edge nodes for processing and is not retained. The plaintext never leaves the client. There is nothing to localize because there is nothing at rest.

This is not a compliance workaround. It is an architectural position that addresses the underlying concern driving data sovereignty legislation: the fear that foreign infrastructure operators will access, retain, or misuse data that belongs to another nation’s citizens. When the infrastructure cannot access the data – when it processes encrypted inputs and returns encrypted outputs without ever possessing the decryption keys – the sovereignty concern is resolved not by jurisdictional compliance but by mathematical certainty. The architecture does not comply with data sovereignty laws. It transcends them.