Introduction
Africa is often cited as a leader in mobile financial innovation, where mobile banking services have bypassed traditional banking models. However, a parallel regulatory transformation is underway: the formalization of data sovereignty.
For years, African financial markets were a "grey zone" for cloud adoption: legally ambiguous and practically open. That era is over. Across the continent, central banks and data protection authorities are enforcing strict "Data Sovereignty" policies, driven by the need to ensure economic control, national security, and operational resilience.
The question facing CTOs and COOs of pan-African financial institutions is no longer just about connectivity; it is about jurisdiction.
This article explores the regulatory landscape in Africa, where the tension between rapid fintech growth and state control is reshaping financial infrastructure.
The regulatory spectrum: three different models
Unlike the unified GDPR bloc in Europe, Africa presents a fragmented reality. We categorize the key markets into three distinct operational models:
Model 1: the strict localization model
These nations view data as a strategic national asset. Regulations here are explicit: critical financial and government data must physically reside within national borders to ensure regulatory oversight and economic retention.
Model 2: the "control & accountability" framework
The "mature market" approach. Regulators allow cross-border data flows but impose heavy compliance burdens. You can use global cloud providers, but you bear 100% of the liability and must prove the "adequacy" of the foreign jurisdiction.
Model 3: the "prior authorization" model
This applies to economic blocs (like WAEMU) or nations with strict outsourcing controls. Cloud is theoretically legal, but the requirement for "prior assessment" or specific authorization creates a significant operational barrier.
Key markets analysis: a tour of the regulatory landscape
Here is how key African nations fit into this spectrum.
🇳🇬 Nigeria
Model: strict localization (Sector Specific)
The Central Bank of Nigeria (CBN) and NITDA maintain a strict stance on domestic processing to ensure the resilience of the national payment system.
- Mandate: The CBN’s Guidelines on Point of Sale (PoS) Card Acceptance Services mandate that domestic transaction data must be switched and processed locally. Routing domestic payments through an offshore switch is a compliance violation.
- Sovereign data: The NITDA guidelines require that "sovereign data" (government and citizen data) be hosted locally within Nigeria.
- Implication: For payment processors and banks, local infrastructure for switching and core processing is effectively a license condition.
🇰🇪 Kenya
Model: control & accountability (active enforcement)
- Data mandate: The Office of the Data Protection Commissioner (ODPC) is highly active. Payment companies must register as "Data Processors." Unlike passive jurisdictions, the ODPC actively audits compliance and issues significant fines for consent violations or unapproved transfers. There is increasing pressure to mirror "strategic" data locally.
- Critical Infrastructure (CII): Recent designations of financial systems as "Critical Information Infrastructure" have raised the bar. This designation effectively forces core payment rails to reside locally to guarantee availability and national security.
- Real-time pressure (ISO 20022): In late 2024, the Central Bank of Kenya migrated the high-value payment system (KEPSS) to ISO 20022. This standard demands that "richer data" (e.g., purpose codes, legal entity identifiers) travel with every payment.
- Implication: You are caught in a pincer movement. You must process more data per transaction (ISO 20022) to satisfy the Central Bank, but you must handle that data with extreme caution to satisfy the ODPC. A data leak here is not just a security failure; it is a guaranteed regulatory fine.
"BCEAO" Zone (WAEMU Region)
Covering: Ivory Coast, Senegal, Benin, Burkina Faso, Mali, Niger, Togo, Guinea-Bissau
Model: prior authorization (bureaucratic control)
The Central Bank of West African States (BCEAO) governs banking for these 8 Francophone countries.
- Mandate: Under the Circular on Risk Management (Circulaire n°04-2017/CB/C), any material outsourcing arrangement must be submitted for prior assessment (appréciation préalable) by the General Secretariat of the Banking Commission.
- Constraint: This authorization process can be lengthy. The regulator generally prefers data to remain within the community or be protected by strong local data protection laws (such as Senegal's CDP).
- Implication: A standard global cloud strategy often faces delays here. The path of least resistance is often a local or regional datacenter partner within the WAEMU zone to satisfy regulatory comfort levels.
🇲🇦 Morocco
Model: prior authorization
Morocco aligns closely with European standards but imposes a strict bureaucratic layer for financial institutions, treating cloud adoption as a material outsourcing risk.
- Mandate: The Bank Al-Maghrib (central bank) Directive on Cloud Computing requires credit institutions to obtain explicit prior authorization before outsourcing any "material activities" to the cloud, particularly if the data leaves Moroccan territory.
- Dual approval: Beyond the central bank, the data protection authority (CNDP) requires a separate authorization for any cross-border transfer of personal data. The "Transfer Request" must prove that the destination country offers protection equivalent to Moroccan law.
- Implication: Compliance is a two-step administrative hurdle. You cannot deploy a global stack without first securing approvals from both the financial regulator (BAM) and the privacy regulator (CNDP), a process that often necessitates local data residency to expedite approval.
🇪🇬 Egypt
Model: strict localization
Egypt views data through a lens of national security and rigid licensing. The regulatory environment effectively forces a "local-first" architecture for payment companies.
- Mandate: The Data Protection Law (No. 151 of 2020) explicitly prohibits the transfer of personal data to recipients outside Egypt without a specific license from the Data Protection Center. Violations carry heavy financial penalties and potential criminal liability.
- CBE control: The Central Bank of Egypt (CBE) maintains strict cybersecurity frameworks that mandate local hosting for core banking and payment processing systems. The regulator views offshore hosting of transactional data as a sovereignty risk.
- Implication: Global cloud strategies are effectively blocked for core payments. Payment processors and fintechs must deploy physical infrastructure within Egypt or utilize certified local cloud providers to obtain and retain their operating licenses.
🇹🇿 Tanzania
Model: strict localization (mission critical)
Tanzania has established itself as a strict jurisdiction for cloud usage in banking.
- Mandate: The Cloud Computing Guidelines for Financial Service Providers (Bank of Tanzania) set a clear standard. They explicitly prohibit financial institutions from hosting "Mission Critical Systems" (such as core banking ledgers and customer databases) outside the country.
- Transition: Institutions with existing offshore setups are required to repatriate critical workloads.
- Implication: A hybrid model is mandatory. Non-critical applications may reside on public cloud, but the core ledger must physically reside in Tanzania.
🇿🇦 South Africa
Model: control & accountability (risk-based)
South Africa’s Protection of Personal Information Act (POPIA) aligns closely with GDPR, but recent policy shifts emphasize national security.
- Mandate: Section 72 of POPIA permits cross-border transfers to countries with "adequate" laws. However, the National Policy on Data and Cloud (May 2024) introduces requirements for data deemed critical to "national security" to be stored within South Africa.
- Liability: The Information Regulator places the burden on the responsible party (the bank) to ensure the operator (the cloud provider) is compliant.
- Implication: While the private sector cloud market is open, banks are increasingly adopting local "Regions" (e.g., AWS/Azure Cape Town/Johannesburg) to mitigate cross-border legal risk and latency.
🇬🇭 Ghana
Model: control & accountability (audit-centric)
The Bank of Ghana (BoG) treats cyber resilience and auditability as top priorities.
- Mandate: The Cyber and Information Security Directive requires financial institutions to ensure that the BoG has "unrestricted right of access" and audit capabilities over any outsourced infrastructure.
- Friction: The regulator requires proof that the offshore host guarantees security levels equivalent to a local center, and that the BoG can conduct inspections if necessary.
- Implication: Operational autonomy is limited by the ability to guarantee regulator access. If the BoG cannot audit a vendor easily, deployment may be blocked.
🇷🇼 Rwanda
Model: strategic hybrid (residency focus)
Rwanda is a technology hub but maintains strict control over data residency.
- Mandate: The Data Protection and Privacy Law (2021) emphasizes the rights of the data subject and gives the regulator broad powers to mandate data residency for specific categories of sensitive data.
- Sovereignty: There is a strong regulatory preference for utilizing the national data center infrastructure (AOS) for critical government and financial data.
- Implication: Institutions often employ a "Mirror" strategy: processing in the cloud but maintaining a live, synchronized copy locally to satisfy residency requirements.
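The residency rules summarized in the market tour above can be encoded as a policy-as-code check that flags workloads hosted outside their jurisdiction's constraints. This is an added illustration, not code from the article; the rule table, country codes and inventory are constructed, simplified readings of the text and are not legal guidance.

```python
from dataclasses import dataclass

# Constructed rule table, simplified from the article: not legal text.
WAEMU = {"CI", "SN", "BJ", "BF", "ML", "NE", "TG", "GW"}
LOCAL_ONLY = {                               # data classes that must stay in-country
    "NG": {"switching", "core"},             # CBN switching/processing mandate
    "EG": {"personal", "switching", "core"}, # Law 151/2020 + CBE hosting rules
    "TZ": {"core", "customer_db"},           # BoT mission-critical systems
}
PRIOR_AUTH = WAEMU | {"MA"}                  # offshore hosting needs an approval record
MIRROR_OK = {"RW": {"core", "personal"}}     # offshore allowed with a live local copy

@dataclass
class Workload:
    name: str
    jurisdiction: str        # market the workload serves
    data_class: str
    host_country: str
    approval_ref: str = ""   # regulator approval reference, if one was obtained
    local_mirror: bool = False

def is_local(w: Workload) -> bool:
    """WAEMU counts as one zone; elsewhere, local means the same country."""
    if w.jurisdiction in WAEMU:
        return w.host_country in WAEMU
    return w.host_country == w.jurisdiction

def check(w: Workload) -> list[str]:
    """Return residency findings for one workload (empty list = no issue)."""
    if is_local(w):
        return []
    findings = []
    if w.data_class in LOCAL_ONLY.get(w.jurisdiction, ()):
        findings.append(f"{w.name}: '{w.data_class}' data for {w.jurisdiction} "
                        f"must be hosted in-country, found {w.host_country}")
    if w.jurisdiction in PRIOR_AUTH and not w.approval_ref:
        findings.append(f"{w.name}: offshore hosting for {w.jurisdiction} "
                        "requires a prior-authorization reference")
    if w.data_class in MIRROR_OK.get(w.jurisdiction, ()) and not w.local_mirror:
        findings.append(f"{w.name}: {w.jurisdiction} residency needs a synchronized local copy")
    return findings

def evaluate(inventory: list[Workload]) -> dict[str, list[str]]:
    """Map each non-compliant workload name to its findings."""
    return {w.name: f for w in inventory if (f := check(w))}

INVENTORY = [  # constructed sample inventory
    Workload("tz-ledger", "TZ", "core", "IE"),
    Workload("ng-switch", "NG", "switching", "NG"),
    Workload("ci-core", "CI", "core", "SN"),          # regional hub inside WAEMU
    Workload("ma-analytics", "MA", "personal", "FR"), # no approval reference
    Workload("rw-core", "RW", "core", "KE", local_mirror=True),
]
```

Running `evaluate(INVENTORY)` flags only the Tanzanian ledger hosted in Ireland and the Moroccan workload lacking an approval reference; the WAEMU regional hub and the mirrored Rwandan workload pass.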
Strategic implications for the Financial Industry
This shift towards data sovereignty dictates three key requirements for infrastructure strategy:
- Latency as a performance requirement
In markets like Nigeria and Kenya, where mobile money transactions must settle in seconds, the latency introduced by routing data to Europe can be a performance bottleneck. Local deployment is not just a compliance requirement; it is a technical necessity for instant payments.
- The "community" strategy
For Francophone Africa, the WAEMU bloc functions as a single regulatory zone. A "WAEMU Strategy" often involves selecting a regional hub (like Abidjan or Dakar) to host the core stack, thereby satisfying the BCEAO's preference for regional retention and simplifying the authorization process.
- Infrastructure as a board-level risk
Infrastructure decisions have moved from the IT department to the Boardroom. In jurisdictions like Tanzania and Nigeria, non-compliance with localization rules threatens the banking license itself, making data sovereignty a critical governance issue.
Conclusion
The era of the "borderless cloud" in Africa is evolving into a federated model. Successful expansion requires an infrastructure strategy that respects these digital borders, prioritizing local resilience and regulatory compliance alongside technical scalability.
