On May 13, 2026, Argentina's newly created Centro Nacional de Ciberseguridad (CNC) published Disposición 1/2026 in the Boletín Oficial, approving a technical regulation that forces every National Public Sector entity running a data center or IT infrastructure to build real disaster-recovery capability. The rule applies to all bodies named in Article 8 of Law 24.156 — ministries, decentralized agencies, state enterprises, social-security funds — and gives them 180 days to comply. It is, in most respects, a serious and overdue piece of operational-resilience policy. But folded inside it is a quieter mandate that deserves scrutiny: backup processing must live on Argentine soil.
What the regulation actually requires
The core of Disposición 1/2026 is unobjectionable. Covered entities must classify their systems by criticality, write contingency and disaster-recovery plans, stand up an Alternative Data Processing Center, and prove it works with failover testing. The regulation sets concrete recovery targets rather than vague aspirations. For high-criticality systems, the Recovery Time Objective (RTO) must be under four hours and the Recovery Point Objective (RPO) under one hour; medium-criticality systems get 24 hours and four hours respectively; low-criticality systems may take one to five days, with backups verified by sampling. Within the 180-day window, each agency must file a disaster-recovery report with the CNC detailing the backup site, its technical characteristics, switchover test results, and these RTO/RPO parameters.
The standards baseline is mainstream international practice. The text explicitly aligns with NIST SP 800-34 Rev. 1 and SP 800-184, ISO/IEC 27031 and ISO 22301, and ENISA guidance — the same frameworks a competent private bank or cloud provider already uses. Anyone who has watched a ransomware incident freeze a tax authority or a hospital registry understands why a government would want this. The honest case for the rule is strong: public registries hold citizens' irreplaceable records, and 'restore from a backup nobody ever tested' is how data losses become permanent. Setting measurable RTO/RPO floors and demanding real failover drills is exactly the kind of evidence-based, outcome-focused regulation we generally favor.
The localisation clause is the contestable part
The friction is not resilience — it is geography. The regulation requires the backup center to be located within Argentine territory, physically separated from the primary site so that a single cyberattack, blackout, or natural disaster cannot take down both at once. The CNC's rationale for separation is sound; resilience does demand that primary and recovery sites not share a single point of failure. But 'separate' and 'inside the national border' are different requirements, and the regulation conflates them.
Geographic separation is a resilience principle. A border is a sovereignty principle. A Buenos Aires agency could achieve far stronger resilience by replicating to a hardened facility in Chile, Brazil, or a hyperscaler region in another continent than by standing up a second room a few hundred kilometers down the road — yet the rule, as written, would not credit the cross-border option even though it is more robust against a national-scale grid failure. When a resilience mandate is satisfied only by domestic infrastructure, it has quietly become a data-localisation mandate.
Why proportionality should worry regulators here
Data localisation imposes real, well-documented costs. Forcing duplicate domestic infrastructure raises per-agency capital and operating expense, fragments procurement away from competitive global cloud markets, and — counterintuitively — can reduce security by pushing smaller agencies toward under-resourced local facilities instead of mature hyperscaler regions with deeper redundancy and threat-detection budgets. The European Commission and bodies like the OECD have repeatedly found that hard localisation rarely delivers the security or sovereignty gains promised, while reliably raising costs. An agency with a modest budget that could rent resilient capacity from a global provider may now have to fund a second building.
There is also a sequencing problem. The 180-day clock is aggressive for entities that today have no tested DR plan at all, and the legal analysis published by abogados.com.ar notes the CNC still has to issue complementary resolutions, Business Impact Analysis templates, and implementation guides. Agencies are being asked to commit capital to in-country backup sites before all the technical guidance exists — a recipe for rushed, box-ticking compliance rather than genuine resilience.
A more proportionate path
None of this argues against the regulation's spine. Argentina is right to demand classified systems, tested recovery, and measurable RTO/RPO targets; those are the parts that actually protect citizens' data. The fix is narrow: treat geographic and provider diversity as the requirement, and let agencies meet it with any combination of domestic and trusted foreign infrastructure that demonstrably survives a single failure. If certain registries hold genuinely sovereignty-sensitive data — national-ID, defense, fiscal — carve those out for stricter domestic handling rather than applying a blanket border rule to every agency's email server.
Resilience and localisation are separable goals, and Argentina has bundled them. Keeping the outcome-based resilience floor while loosening the territorial clause would give the public sector stronger continuity at lower cost — and would let the CNC's otherwise commendable rule be judged on the security it delivers, not the borders it draws.