ARTICLE
15 July 2026

Data Embassies: A Strategic Tool for Preserving Sovereignty and Digital Continuity

I
CMS INDUSLAW

Contributor

CMS INDUSLAW is a top-tier full-service law firm and the 7th largest in India* with offices in Bengaluru, Chennai, Delhi, Gurugram, Hyderabad and Mumbai, which give it a pan-India presence. With more than 400 lawyers committed to client service, CMS INDUSLAW advises clients globally on Indian law. CMS INDUSLAW supports its clients’ transactional goals, business strategies and regulatory and dispute resolution needs. The CMS INDUSLAW team collaborates across practice areas, sectors and locations, navigating legal complexities and resolving legal issues efficiently for its clients.
Data embassies represent a groundbreaking evolution in digital sovereignty, allowing states to extend diplomatic protections to critical infrastructure and data hosted in foreign territories. As global geopolitics becomes increasingly volatile and cyber threats intensify, how are nations leveraging this innovative concept to ensure governmental continuity and protect their most sensitive information beyond their borders?
India Government, Public Sector
CMS INDUSLAW are most popular:
  • within Government, Public Sector, Strategy and Transport topic(s)

1. Introduction

In recent times, one of the buzzwords in global governance and digital sovereignty, has been ‘data embassies’. The concept represents an evolution in how states are now looking to safeguard their sovereignty in the digital age. Similar to traditional embassies, which enjoy inviolability and immunity under international law, data embassies allow states to extend these protections to critical digital infrastructure and data hosted in foreign territories. Data embassies also ensure that essential public records and governance systems remain intact and accessible, even during times of domestic infrastructure disruption by happenings such as war, cyber conflict, or natural disaster.

2. Genesis of data embassies

What is a data embassy?

As the name suggests, data embassies are akin to how embassies operate, wherein one state maintains its presence in a host state for diplomatic purposes, and such state has sovereignty over the premises of its embassy in the host state. Accordingly, simply put, data embassies are data centres of a state located in a host state’s territorial jurisdiction. It is established through intergovernmental agreements between two states, pursuant to which the host state permits the other state to maintain designated servers within its territory. The originating state stores critical data in such servers and has ownership and maintains sovereign control over such infrastructure. It is important to note that the host state cannot compel the other state to provide access to data or disclose or exercise control over the servers, by virtue of the servers being located in the host’s territory. Any actions in relation to the data embassy and the data hosted therein, would require the consent of the state whose data is hosted in such data embassy.

Origins of the concept of data embassy

The first data embassy emerged in response to series of cyberattacks in Estonia in 2007, which exposed the vulnerabilities in the highly digitised state of Estonia. Given its digital governance model and predominantly paperless public administration system, the potential loss of digital state records and sensitive data posed an existential threat to the administrative and operational continuity of government functions. Estonia initially contemplated storing critical records in its traditional embassies, however, it did not proceed with this option given that such premises of the embassies lacked the sophisticated infrastructure and technical capabilities required to host and store sensitive data in a secure manner. Ultimately, Estonia identified Luxembourg as a suitable partner and, in June, 2017, entered into an agreement establishing the world’s first data embassy. This clearly established that the primary purpose of a data embassy extends beyond simple data backup. Its central objective is to safeguard the continuity of state functions, by ensuring continued access to key governmental data and systems.

3. Global prevalence of data embassies

Existing data embassies

The concept of data embassies is nascent and hence they are fairly limited in practice. However, with fast-changing and volatile global geopolitics, the concept is gaining traction. As set out above, the arrangement between Estonia and Luxembourg, is the first operational inter-state data embassy framework and was formalised through a bilateral agreement signed in 2017, which was ratified by a ratification law passed by the Luxembourg parliament to approve this bilateral agreement. Some years later, in 2021, a similar construct was adopted by Monaco with Luxembourg, pursuant to which Monaco launched its ‘e-embassy’, with the goal of safeguarding sensitive state data and digital services. This was also done by way of a bilateral agreement which was eventually endorsed by the Luxembourg parliament forming another legislation to ratify a Luxembourg-based data embassy. 

It has recently been reported that the idea of establishing data embassies has started gaining traction in other jurisdictions, including Singapore and across parts of Asia, where institutions have begun examining the legal and technical contours of the data embassy model.

Relevance of a data embassy 

Recent global developments indicate that data embassies serve as a critical tool for digital sovereignty, which allows states to safeguard essential public databases, especially in times of war, cyberattacks, or natural disasters. The primary purpose of a data embassy is to safeguard critical data of a state. In the event a country’s domestic digital infrastructure is compromised or becomes unavailable, having a data embassy in a different state helps ensure public services and government functions can continue in an uninterrupted manner. Accordingly, the data typically stored in a data embassy includes information that is essential to the day-to-day functioning of the state, as well as other sensitive records. This could include critical public records and registries which are key for effective governance of the state.

Data embassy arrangements also demonstrate the trust and diplomatic alignment between two states. Equally important is that they are supported by formal agreements and domestic legal measures grounded in public international law that provide a stable framework for hosting sovereign digital infrastructure that can provide clear clarity and comfort regarding sovereignty, jurisdiction, immunity, and the protection of critical state data. This is because it is key for a state to ensure that the host state, where it decides to establish its data embassy, is a state it shares a stable relationship with, and a state that can guarantee it robust legal protection. Additionally, it is also critical that the host state also demonstrates the presence of resilient and strong technical infrastructure.

In fact, data embassies can be understood to be akin to a digital insurance policy for states. Similar to how insurance policies protect against unforeseeable risks, data embassies safeguard the legal and administrative fabric of a country. By ensuring critical data is hosted and stored in secured servers in a trusted state, states can ensure that the key elements of their administration and governance are not hindered by unforeseen circumstances. Data embassies thereby serve as a strategic instrument for demonstrating sovereignty, because it ensures that a state’s core functions can survive crises, without disrupting public life. As sovereignty is no longer tied to land, data embassies demonstrate that sovereignty can be portable, digital and distributed too. 

While currently the prevalent use-cases for data embassies are to safeguard government-owned or controlled data, this concept can also prove to be helpful to private sectors, subject to its own limitations. In India, many sectors are already subject to data localisation requirements due to which storing data overseas may not always satisfy regulatory requirements, thereby reducing its practical viability in certain scenarios. Further, private sectors will also need to navigate aspects pertaining to regulatory oversight, law enforcement access, and compliance with foreign data protection frameworks which can prove to be compliance-heavy, thereby requiring significant effort and resource.

4. Legal jurisprudence relevant for Data embassies

Existing guidance on data embassies

At present, no state has issued any comprehensive standalone law specifically governing data embassies. Instead, data embassy arrangements are typically established through bilateral treaties or agreements between states, which set out the legal status of the premises, operational responsibilities in relation to the data, security and technical standards that must be ensured, and the immunities and privileges that are necessary to safeguard the servers and the data hosted therein. For instance, in the case of Estonia and Luxembourg, the two states signed a bilateral agreement signed in 2017, which provides the legal framework for hosting Estonian data and information systems in a dedicated government-operated data centre in Betzdorf, Luxembourg. The agreement sets the ground for cooperation between the states in relation to protection of the hosted infrastructure, which was further ratified by way of a legislation. 

The agreements pursuant to which data embassies arrangements are entered into heavily borrow from principles laid out in the Vienna Convention on Diplomatic Relations and Vienna Convention on Consular Relation. Specifically, the key principle of inviolability of diplomatic premises, archives, and official communications, is the core operating principle on which data embassies are based. Based on this, states that set up their data embassy in a foreign host state, exercise their sovereign control over that data maintained in such host state. 

Proposed framework by Saudi Arabia

One of the states that has attempted to formalise the construct of data embassies by way of a regulatory framework, is Saudi Arabia. In April 2025, Saudi Arabia proposed a dedicated legal framework for sovereign data centres and artificial intelligence (“AI”) hubs. The draft framework seeks to provide the legal basis to develop and deploy such data and AI-related technologies with an intent to position Saudi Arabia as a global hub for data embassies. The intent is to cater to businesses and consumers on a global level, and streamline access to such advanced technologies, as well as enable sovereign data-centre arrangements which protect data sovereignty beyond borders. 

The draft framework recognises three categories of ‘AI Hub’, ranging from state-controlled digital infrastructure to commercially-operated solutions. The first is a private hub, operated pursuant to a bilateral agreement with Saudi Arabia. Here, the guest country (that is hosting its data in the private hub) would be able to exclusively use such hub in accordance with its laws. The second is an extended hub, in which the operation of the hub is handled by a third-party ‘operator’ (based in Saudi Arabia), having an agreement with the regulators in Saudi Arabia, as well as an agreement with a ‘guest country’. Based on such arrangements, the operator would operate the hub in conformity with the guest country’s laws and regulations. The third is a virtual hub, which would be operated by an approved Saudi Arabia-based third-party ‘service provider’ to offer digital infrastructure services to its customers (similar to cloud services), where the hub will be operated as per the laws of a ‘designated foreign state’ (i.e., a state approved by Saudi Arabia for this purpose). 

Each of these hubs could either entirely be a data centre, or could be a part of the data centre, with proper demarcation. Given that the nature of each of these hubs are distinct, the proposed framework intends to prescribe different sets of rules for each category. The framework is still in a draft stage, which once finalised and issued, will mark a crucial development globally, as being the first dedicated framework for regulating data embassies and sovereign data infrastructure.

5. India’s status quo

Policy Initiative in India 

India does not presently have a dedicated legal framework that governs establishment and operation, of data embassies. However, at a policy-level, there have been discussions exploring this construct in the Indian context. In the Union Budget for 2023–24, the Indian Finance Minister made reference to India’s intention to facilitate the setting up of data embassies in the Gujarat International Finance Tec-City (“GIFT City”) for states seeking digital continuity solutions. This was an important policy move, because it signifies India’s move towards expanding its presence globally, as a hub for foreign states to ensure digital continuity.

GIFT City, which is India’s flagship international financial services centre, has been set up with an intent of operating as a global financial and technological hub. Given this, GIFT City has appropriate and adequate digital and technical infrastructure for foreign states to set up data embassies to host their critical data. Such infrastructure is deemed to be appropriate for states to have a secure and regulated environment for hosting their critical state information. As regards the regulatory framework that would be applicable to such data embassies, it was noted by a GIFT City official that local laws in India or the GIFT City would not be applicable, and that separate laws which would provide data embassies immunity similar to traditional embassies would be formulated. 

Prospective arrangements with other jurisdictions

While there is no dedicated framework governing data embassies yet, there appears to be emerging interest from different jurisdictions to explore diplomatic arrangements for data embassies with India. In 2025, it was reported that Singapore was actively considering the possibility of setting up a data embassy in GIFT City. More recently, it has been reported that India has explored reciprocal data embassy arrangements with the United Arab Emirates, under which each state could host secure repositories of strategic information for the other, and act as safe havens for each other in relation to their critical data. Arrangements of this nature could potentially put India at the forefront of global developments in relation to data embassies, and position India as a trusted state for this purpose. 

The foregoing developments suggest that India is beginning to view data embassies as not just an opportunity to expand its digital infrastructure ecosystem but also deepen strategic cooperation with other nations. If current discussions progress into formal arrangements, they could serve as an important first step in shaping India's approach to digital continuity and sovereign data resilience.

Regulatory considerations: How India can approach Data Embassies

For data embassies to operate meaningfully, India would need suitable legal framework that would govern such arrangements. For formulation of a dedicated framework, it is critical that lawmakers take into consideration factors dealt with in the Estonia - Luxembourg bilateral agreement, which serves as the pioneer arrangement in this regard. It will be critical for India to clearly define the legal status of the premises in which foreign sovereign data would be hosted, and ensure that such premises are treated as inviolable spaces that are exempt from search, requisition, or interference by authorities in India, to make it meaningful. It will also be critical to explicitly recognise all data and archives of the state setting up its data embassy in India to be in the sole control and authority of such state. Local laws, especially those that permit interception and governmental access to data, should not be applicable to the data embassies and the data hosted and stored therein. This would inculcate trust globally and ensure that sovereign data is always accorded adequate protection. 

Further, given the nascency of data embassies, there is a lack of judicial interpretation on prevalent norms governing data embassy arrangements. That said, with the concept of a data embassy being more widely adopted, in case of conflicts, relevant judicial authorities will have to take into account bilateral agreements governing the data embassy arrangement, along with regional data protection laws specifically governing cross-border data transfers (where applicable), to opine on and meaningfully resolve conflicts. In this scenario, establishing a clear statutory framework for such new-age digital infrastructure will be essential, providing judicial authorities with the necessary guidance to make informed and consistent determinations.

In addition to legal protections, the framework will also need to lay down appropriate technical standards and safeguards that would be adopted in India, to ensure that such data is secure at all times. In this regard, the framework can prescribe the minimum technical and physical security standards applicable to such facilities, including requirements relating to cybersecurity, disaster recovery, business continuity, encryption, auditability, and incident response. It is also critical that a robust dispute resolution mechanism that can be followed by the relevant state and India in case of conflict, such as those pertaining to access or operational failures, is clearly laid out as well. While a dedicated framework would set the groundwork for data embassy arrangements for India, it may have to be supplemented by relevant bilateral agreements, which would address specific geopolitical requirements and concerns. 

Further, before pursuing overseas data embassies, India should also strengthen its domestic sovereign cloud infrastructure through geographically distributed, government-controlled data centres with real-time replication and failover capabilities. This would ensure that critical public databases and digital services, such as identity systems, land registries, tax infrastructure, and welfare platforms, remain operational even in the event of cyberattacks, natural disasters, power outages, or regional disruptions. The immediate priority for India should therefore be to build sufficient recovery capabilities, ensuring that critical public databases and digital services can withstand routine operational, cyber, and disaster-related risks. A data embassy can then serve as an additional layer of protection for the most critical sovereign datasets.

The increasing interest in data embassies reflects a broader market shift towards digital sovereignty. Government bodies and regulated sectors are looking for a higher degree of control over where data is stored, who it is accessible to, and which regulatory frameworks have applicability over it, while still benefiting from the innovation and efficiency offered by digital infrastructure. To address this growing demand, major technology and cloud providers such as Microsoft have developed sovereignty-focused solutions that seek to balance these objectives through solutions such as data residency controls, customer-managed and controlled encryption, and compliance guardrails. One of the prime examples of advanced technological innovation combined with cloud capabilities and jurisdictional control, is that of sovereign cloud initiatives in Europe designed to meet sovereignty requirements. While these developments indicate the increasing need of data embassy models which may require support from private players, the success of data embassies will ultimately depend on the availability of robust legal frameworks. The features that distinguish a data embassy from ordinary cloud infrastructure, such as sovereign control, inviolability of the hosted infrastructure and data, immunity from certain forms of interference or enforcement measures, and jurisdictional limitations, cannot be achieved through technology alone. They require an enabling legal framework. Therefore, while secure technological infrastructure is essential, the success of data embassies will also depend on clear and effective legal frameworks that support these arrangements. 

India's evolving data governance framework may further strengthen its position as a credible jurisdiction for hosting sovereign data. The enactment of the Digital Personal Data Protection Act, 2023, marks a significant step towards establishing a clearer and more structured regime for the handling of personal data. Alongside sector-specific cybersecurity requirements, growing regulatory oversight of digital infrastructure, signals India’s commitment to a safe digital infrastructure. A transparent framework governing data processing, security obligations, accountability mechanisms, and government oversight can help build confidence that sensitive data will be managed appropriately. Additionally, to account for data embassies under the present legal framework, carefully tailored exceptions to the application of certain provisions may be relevant, such as under Section 69 of the Information Technology Act, 2000, and under relevant provisions of the Digital Personal Data Protection Act, 2023, insofar as they would otherwise apply to data embassy infrastructure. Over time, these developments may eventually lead to India being perceived as a trusted jurisdiction for digital infrastructure needs of other nations.

6. Conclusion

For India, the proposed establishment of data embassies in GIFT City, is a promising initiative which has the ability to position India as a trusted hub for digital continuity. However, for this to gain traction and be successful, a robust regulatory framework, which is in alignment with international precedents and principles of international relation, and which also factors in India’s geopolitical and legal considerations, and balances India’s national security interests, must be formulated. At a global level, the long-term success of such initiatives will depend not only on secure technological infrastructure and domestic regulation, but also on the development of a coherent international framework governing data embassies. At present, data embassies are established through bilateral arrangements, resulting in fragmented legal and operational standards. As more states seek to safeguard critical digital infrastructure beyond their borders, there is a growing need for commonly accepted principles governing issues such as the status of data embassies, the rights and obligations of host and sending states, inviolability, jurisdiction, and state responsibility. Having such a framework in place that is rooted in principles of public international law, will facilitate wider adoption of data embassies while ensuring that sovereign interests, national security, and international cooperation remain appropriately balanced. Additionally, how diplomatic immunity under the Vienna Convention on Diplomatic Relations, 1961 is applied to these digital environments, will also need to be re-evaluated. These steps, coupled with a standardised sophisticated infrastructure in states meeting global digital standards, would provide states the confidence required for establishing data embassies in foreign host states. 

7. References

  1. Agreement between the Republic of Estonia and the Grand Duchy of Luxembourg on the Hosting of Data and Information Systems, available here.
  2. ‘How Estonia Might Pave the Way for Reducing Uncertainty in Cyberspace’, Willem Verdaasdonk, Leiden Security and Global Affairs Blog, November 25, 2019, available here.
  3. Data Embassy, E-Estonia, available here.
  4. ‘Establishing the First Data Embassy in the World’, Observatory of Public Sector Innovation, available here.
  5. ‘Estonia’s Digital Embassies and the Concept of Sovereignty’, Georgetown Security Studies Review, available here.
  6. ‘Data Embassies: Protecting Nations in the Cloud’, Viona Rashica, March 06, 2025, DiploFoundation, available here.
  7. ‘Data Embassies: An Innovative Approach to Strengthening Digital Resilience in the Caribbean’, Tira Greene, Demetris Herakleous, United Nations ECLAC, available here.
  8. ‘E-embassies in Luxembourg’, Luxembourg Lu, available here.
  9. Vienna Convention on Diplomatic Relations, available here.
  10. Vienna Convention on Consular Relations, available here.
  11. ‘Setting Up of Data Embassies In India’, Unstarred Question No. 561, Rajya Sabha, February 07, 2025, available here
  12. ‘India explores setting up data embassy in UAE: What is it, role it could play’, Divya A, January 20, 2026, The Indian Express, available here.
  13. ‘India to Set Up Data Embassies for Digital Continuity with World’, Investing.com, February 01, 2023, available here.
  14. ‘Singapore “actively looking” to Set Up Data Embassy in GIFT City': IFSCA official’, Avinash Nair, The Hindu Business Line, February 10, 2025, available here.
  15. ‘Understanding Digital Embassies: How India and UAE are Exploring Secure Data Hubs, AI Collaboration, and Global Digital Infrastructure’, TOI Tech Desk, Gadget Now by Times of India, January 21, 2026, available here.
  16. ‘How it Works: The India-UAE plan to Offshore Sovereign Data’, Enterprise AM, May 04, 2026, available here.
  17. ‘Saudi Arabia Eyes Data Embassies Amid Sovereign AI Push: Here’s What We Know So Far’, Tasmin Lockwood, CNBC, December 09, 2025, available here.
  18. ‘CST Publishes a Public Consultation for the Global AI Hub Law’, Communication, Space and Technology Commission, April 14, 2025, available here.
  19. ‘Saudi Arabia Advances 'Data Embassies' Concept to Attract AI Infrastructure Investments’, Digi Times Asia, Ollie Chang, December 19, 2025, available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More