South Africa's New National Cloud And Data Policy: A Strategic Shift



ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
The Department of Communications and Digital Technologies officially published the National Data and Cloud Policy (GG No. 50741) on 31 May 2024, in line with section 3(1) of the Electronic Communications...
South Africa Technology
To print this article, all you need is to be registered or login on

The Department of Communications and Digital Technologies officially published the National Data and Cloud Policy (GG No. 50741) on 31 May 2024, in line with section 3(1) of the Electronic Communications Act, 2005 (the "Policy").

What is the purpose of the policy?

The Policy recognises that data and cloud technologies have a pivotal role to play in socio-economic development, government service delivery, and digital economic growth in South Africa.

Key objectives include:

  • Enhanced data security

The Policy aims to protect private and sensitive information from cyberattacks through the establishment of data protection protocols as required by the Protection of Personal Information Act, 2013 ("POPIA")

  • Digital transformation

The Policy aims to promote the use of technology in different sectors to increase productivity and efficiency

  • Improved public service delivery

The Policy aims to promote the use of cloud-based solutions, to help government departments offer better services to citizens and businesses

  • Economic growth

The Policy will enable more businesses to leverage technology, which will lead to increased job creation and economic growth

  • Enhanced collaboration

The Policy aims to facilitate enhanced collaboration among government departments, private entities, and research institutions, fostering the exchange of knowledge, data, and expertise

To whom does the policy apply?

The Policy has broad application in that its scope extends to:

  • national and provincial government
  • organs of state/public enterprises
  • private sector
  • general public/individual citizens and
  • data controllers and data custodians.

In addition, the Policy outlines the responsibilities of data centres operating in South Africa specifically:

  • Data centres must be built and operated in adherence to environmental legislation and building by-laws.
  • Data centres must not be built in restricted areas such as heritage sites, national key points, or land designated for land reform.
  • Data centres must not be located in areas prone to natural disasters or social disturbances.
  • Data centres must display or be able to provide verifiable certification credentials to all potential customers.
  • Data centres used by the government should comply with a fault-tolerant design that provides a minimum uptime of 99.995%.
  • Priority should be given to the self-provision of electricity and water for the operations of data centres to ensure continuous operation and reduce dependency on the national grids.

The above must be considered by (1) organisations using data centres in South Africa to host their data and ensure that their contracts with such data centres are updated to align with the above, and (2) data centres that operate in South Africa should consider the impact of the Policy on their operations and customer engagements.

What does it say about decentralising cloud services?

The new policy framework aims to migrate all government IT services to the cloud, fostering interoperability between various government departments and enhancing digital services for citizens. By decentralising cloud service providers, the Policy acknowledges the expertise and resources available within the private sector, which can enhance efficiency and innovation in public services. This is a departure from the draft version which stated that all government sectors should rely on a single, government-owned data centre for their IT needs, which had been a concern raised by many sectors and key stakeholders.

One of the notable provisions in the Policy is the requirement that data centre infrastructure used by government entities must be located within the country.

Is the policy binding?

Since there are already existing policies and legislation like POPIA, the Cybersecurity Policy Framework, and the Cybercrimes Act that address data governance and security, the Policy is aimed at reinforcing these laws.

The Policy still needs to undergo implementation which will be done through government consultations with key stakeholders and implementing agents such as SITA, relevant government departments and where necessary, industry and sector stakeholders. Structures comprising different professionals will be established to advise on the development of frameworks necessary to support the Policy's implementation, including a data advisory council with representatives from the public and private sectors, academia, and a data and cloud technical implementation task team comprising various government entities' representatives.

The Policy represents a strategic shift towards a more flexible and practical approach to cloud computing in the public sector, which impacts organisations in multiple industries. ENS' TMT team can offer assistance in reviewing the impact of the Policy on companies, get in touch with the team members below:

Reviewed by Ridwaan Boda, an Executive in ENS' TMT practice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More