South Africa has quietly executed one of the most consequential digital-policy reversals on the continent. The revised National Policy on Data and Cloud, championed by Minister of Communications and Digital Technologies Solly Malatsi — a Democratic Alliance appointee in the Government of National Unity formed in July 2024 — strips out the hard data-localisation requirements that defined the 2021 draft. In their place: voluntary incentives, Special Economic Zone (SEZ) tax breaks, and an explicit pitch to hyperscalers already pouring concrete in Johannesburg, Cape Town, and Isando.
It is a striking rebuke of the original draft, gazetted under the previous administration in April 2021, which would have required so-called 'critical information infrastructure data' to be hosted on state-owned infrastructure inside South Africa, with the State Information Technology Agency (SITA) and a proposed High-Performance Computing and Data Processing Centre as default custodians. That blueprint treated data as a sovereign asset to be corralled. The Malatsi revision treats it as an input to growth — to be governed, not warehoused.
What actually changed
The earlier draft was unusual even by emerging-market standards. It blended classic localisation language with proposed state ownership of data infrastructure and an assertion of government rights over data 'generated' in South Africa. Industry submissions — including from BUSA, the American Chamber of Commerce in South Africa, and the Internet Service Providers' Association (ISPA) — flagged conflicts with the Protection of Personal Information Act (POPIA), the Electronic Communications and Transactions Act, and South Africa's commitments under the African Continental Free Trade Area's emerging digital trade protocol.
The revised policy keeps the strategic ambition — South Africa as Africa's cloud and AI hub — but discards the coercive scaffolding. Instead, it leans on:
- SEZ incentives for hyperscale and colocation operators, including the existing 15% corporate tax rate available in designated zones.
- Voluntary data classification, with sensitive categories (health, biometric, certain government data) governed under POPIA and sector regulation rather than blanket residency mandates.
- Energy and grid-access commitments, recognising that load-shedding and Eskom transmission constraints — not legal residency — are the binding constraint on AI-era buildout.
The buildout the policy is catching up to
The revision lands in the middle of an unmistakable hyperscaler surge. Microsoft opened its Azure regions in Johannesburg and Cape Town in 2019 and has continued to expand capacity, with a multi-billion-rand investment announced in 2024 directed at AI infrastructure and skills. Amazon Web Services has operated its Cape Town region since 2020 — its first on the continent. Google Cloud confirmed a Johannesburg region as part of its Africa expansion. Teraco, acquired by Digital Realty in 2022, runs what is widely described as Africa's largest carrier-neutral data centre cluster, with its Isando, Bredell and JB campuses driving most of the continent's interconnection traffic.
A localisation mandate, layered on top of that capacity, would have created a strange policy contradiction: requiring data to stay in-country at the precise moment the country is finally building enough in-country capacity that most of it would stay anyway, for latency and cost reasons. The market was already localising. The law no longer needs to compel it.
The sovereignty critique — and why it overshoots
Civil-society voices and elements of the ANC have argued the rollback cedes digital sovereignty to American cloud providers. That critique deserves engagement rather than dismissal. Concentration risk is real: a handful of foreign-owned platforms intermediating critical workloads creates exposure to outages, foreign legal process (notably the US CLOUD Act), and pricing power.
But the previous draft's answer to concentration risk was state monopolisation, which simply swaps private concentration for public concentration — with worse uptime track records and weaker capital pipelines. The more durable answers run through:
- Competition policy: the Competition Commission's market inquiries into online intermediation platforms have been an effective, evidence-based check on platform power and translate directly to cloud markets.
- Sector-specific data rules: POPIA already provides cross-border transfer guardrails under section 72, and the Information Regulator can sharpen them for sensitive categories without blanket residency.
- Procurement leverage: government can require sovereign-cloud configurations, encryption-key custody, and contractual exit rights for its own workloads — getting sovereignty for the cases where it actually matters, without burdening the rest of the economy.
The proportionate path
South Africa's revision is a textbook case of proportionate, evidence-led regulation replacing performative sovereignty. The 2021 draft would have imposed system-wide costs to address concentration concerns that are better handled with surgical instruments. The 2026 revision keeps the surgical instruments — POPIA, competition law, procurement — and adds the carrots the country actually needs: SEZ tax treatment, energy access, and a clear signal to capital.
For the rest of the continent, the message matters. Nigeria's NDPR transfer regime, Kenya's Data Protection Act regulations, and the AU's Malabo Convention have all wrestled with the same question: how to assert digital agency without scaring off the infrastructure that makes agency possible. South Africa has now answered: build the capacity, write the targeted rules, and let the data flow follow the fibre.
The harder work — grid reliability, skills pipelines, and a credible AI-compute strategy that doesn't trip over export controls — remains. But Malatsi's department has at least cleared the policy underbrush. That is, in the African data-centre context of 2026, no small thing.