
Dutch Data Sovereignty Push Exposes Companies to APAC Localisation Crunch

As the Netherlands blocks US cloud acquisitions and backs European infrastructure, Dutch firms with APAC operations face overlapping data localisation mandates from India, Vietnam, and China.

[Infographic: APAC Data Localisation at a Glance (People of Internet Research · Netherlands). RMB 10M: China max data penalty. 60 days: Vietnam CTIA deadline. May 2027: India DPDPA compliance.]


On May 25, 2026, the Dutch government exercised its investment screening powers under the Wet toetsing investeringen, fusies en overnames (TIMO) to block US IT services giant Kyndryl from acquiring Solvinity, a Dutch cloud services provider. The stated grounds: concerns that US CLOUD Act authority could expose sensitive government data to American federal demands. A month earlier, The Hague had signed a framework agreement with STACKIT — the cloud platform of Germany's Schwarz Group — to migrate ministerial workloads away from US hyperscalers. The message from the Netherlands was unambiguous: European digital sovereignty is policy, not aspiration.

But Dutch companies with Asia-Pacific operations are discovering that data sovereignty cuts both ways. While the Netherlands works to insulate Dutch government data from extraterritorial foreign access, a growing cluster of APAC jurisdictions have enacted their own data localisation mandates, requiring that data about their citizens be stored on domestic soil. Dutch firms caught between EU compliance requirements and APAC market entry demands now face a genuine trilemma: satisfy GDPR's standards for cross-border transfers, meet Europe's evolving digital sovereignty expectations, and comply with what are often conflicting APAC localisation regimes — all simultaneously.

The APAC Patchwork

India is the most consequential jurisdiction for Dutch companies with South Asian operations. Under Rule 15 of the Digital Personal Data Protection Rules, notified on November 13, 2025, the Central Government may designate countries to which personal data transfers are prohibited — a "negative list" model that inverts the EU's adequacy approach. Rather than proactively certifying safe destinations, India will publish a blocklist of restricted ones. Industry groups expect the list to arrive by mid-2026, with full compliance required by May 2027. Until the list appears, companies are structuring data infrastructure around an unknown variable.

Vietnam's Personal Data Protection Law, which moved toward full implementation in 2026, goes further. Transfers of "core" or "important" personal data outside Vietnam require prior government approval, and companies must file a Cross-Border Transfer Impact Assessment within 60 days of initiating any cross-border data transfer. The definitions of "core" and "important" data remain legally ambiguous under current drafting, creating compliance uncertainty for foreign operators who cannot know in advance whether their datasets fall into a restricted category.

China's framework is the most mature and the strictest. The Cybersecurity Law — reinforced by January 2026 amendments that raised maximum penalties to RMB 10 million — requires Critical Information Infrastructure Operators in telecoms, finance, and energy to store personal and "important" data domestically, with mandatory security assessments before any cross-border transfer.

The Compliance Gap

The standard EU mechanism for lawful data transfers to non-adequate countries — Standard Contractual Clauses (SCCs) under GDPR Article 46 — provides a legal basis for EU-to-third-country data flows. Among major APAC jurisdictions, only Japan and South Korea hold full EU adequacy decisions. For India, Vietnam, and China, SCCs remain technically available but are structurally insufficient when the destination jurisdiction simultaneously mandates local storage.

The tension is not merely procedural — it is architectural. A Dutch company cannot fully comply with a Chinese mandate to keep data within China's borders and simultaneously maintain EU-level data protection standards if that data must be accessed, audited, or otherwise processed from Amsterdam. SCCs were designed to bridge divergent legal systems; they were not designed to reconcile contradictory localisation mandates.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has identified digital resilience and cloud dependencies as strategic enforcement priorities for 2026–2028, signalling that Dutch companies' cross-border data practices will face closer scrutiny from the home front as well. For businesses operating in APAC markets, both ends of the data pipeline are now under active regulatory watch.

The Case for Localisation — and Why It Fails the Proportionality Test

The case for data localisation is not frivolous. Governments across Asia and the Global South have legitimate concerns: foreign state surveillance, the asymmetric market power of US and European hyperscalers, and the practical difficulty of enforcing local consumer-protection law against companies whose infrastructure sits in another hemisphere. India's negative-list model is a deliberate attempt at calibration — restricting identified high-risk destinations rather than blocking all outbound flows. Vietnam's impact assessment requirement directly mirrors the Transfer Impact Assessment that EU companies themselves must complete when sending data to non-adequate countries under GDPR. Regulators in Jakarta and Hanoi are not inventing new concepts; they are adapting European ones.

When every jurisdiction insists on local storage, the outcome is not a network of protected data — it is a fragmented internet where only the largest multinationals can afford to operate globally.

The problem is proportionality and cumulative burden. Each localisation mandate requires companies to maintain in-country data infrastructure — dedicated servers, local legal entities, independent security audits — in each market separately. These costs fall disproportionately on Dutch and European SMEs that lack the capital to replicate infrastructure across a dozen APAC jurisdictions. In practice, data localisation functions as a market-concentration mechanism that benefits incumbent hyperscalers capable of absorbing compliance costs at scale, while pricing out the smaller firms that might otherwise offer competitive alternatives.

The Proportionate Alternative

The EU has a demonstrated and effective alternative: mutual adequacy. The adequacy decisions with Japan (2019) and South Korea (2021) show that rigorous bilateral negotiations — examining surveillance law, judicial redress mechanisms, and sector-specific protections — can produce frameworks that protect consumers without mandating local data silos. The EU-Brazil mutual adequacy arrangement formalised in January 2026 extends the model to a major emerging market, establishing a template applicable across the Global South.

As an EU member state with a substantial tech sector, deep APAC trade relationships, and demonstrated willingness to exercise digital sovereignty instruments, the Netherlands is well-positioned to advocate within EU institutions for accelerating adequacy negotiations with India and ASEAN partners. The Solvinity decision showed the Netherlands understands the value of keeping data within trusted jurisdictions. The next test is whether it can champion bilateral frameworks that extend that trust across the Pacific — rather than allowing an accelerating race toward incompatible sovereign data walls to determine the architecture of global digital trade.
