Nobody calls a meeting about backups. They are the least glamorous line in any technology budget — right up until the one day they become the only thing that matters, at which point a deeply unfashionable question suddenly outranks everything else: the system’s crashed, so where’s the backup? For most of Sub-Saharan Africa, the answer exposes a contradiction that no localisation law has yet solved.

Here is the killer fact:

Across the forty-eight countries of Sub-Saharan Africa, only one — South Africa — can host a government-wide system and keep a properly separated, resilient backup of that data entirely within its own borders on a major cloud platform. Every other country must, in practice, send its backup copy abroad. And even South Africa’s apparent self-sufficiency turns out to be fragile: the moment a US-based provider is involved, a foreign government can reach the data no matter where it physically sits.

This is the trap at the heart of the data-sovereignty debate. The same body of security best practice that the sovereignty movement implicitly relies on — keep your data safe, keep it backed up — requires that a second copy be placed far away. Hard data localisation requires that nothing leave the country. In most of Sub-Saharan Africa, those two demands cannot both be met. You can be resilient, or you can be local, but you cannot be both.

The basic principle: a backup must sit somewhere else

Before localisation enters the picture, it is worth establishing one thing plainly: keeping a backup in a separate place is not an optional nicety. Across the standards and laws that regulated organisations actually have to follow, it ranges from firm good practice to outright legal obligation. And the reason given is always the same — a backup is only useful if a single disaster cannot destroy it along with the original. That means putting it somewhere else.

The European Union’s Digital Operational Resilience Act (DORA), which has applied to banks, insurers and other financial firms since 17 January 2025, is unusually explicit. For the most critical financial infrastructure — central securities depositories — it requires that the secondary processing site be “located at a geographical distance from the primary processing site to ensure that it bears a distinct risk profile and to prevent it from being affected by the event which has affected the primary site” (DORA, Article 12(5)). In plain language: your backup site must be far enough away to be hit by different problems than your main site. This is the geographic-separation rule stated, almost word for word, as binding law.

The EU’s other major cybersecurity law, the Network and Information Security Directive (known as NIS2), points the same way. It obliges “essential and important entities” — which expressly includes cloud-computing and data-centre operators — to put in place “business continuity, such as backup management and disaster recovery” (NIS2 Directive, Article 21). And the EU’s General Data Protection Regulation (GDPR), the benchmark that much of Africa’s own data-protection law is modelled on, requires every organisation handling personal data to ensure “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (GDPR, Article 32) — which in practice means a tested, separate backup.

The widely used information-security standard ISO/IEC 27001:2022 asks that backups be held “in an appropriate location that is environmentally protected, physically separate from the source data, and securely accessible” (ISMS.online on ISO 27001). The payment-card industry’s mandatory security standard (PCI DSS) goes further for card data, advising firms to “store media in an off-site facility, such as an alternate or backup site or commercial storage facility” (PCI DSS v4.0.1). The most familiar version of all is the industry rule of thumb known as “3-2-1”: keep three copies of your data, on two kinds of storage, with one of them off-site, for “geographic and network separation” (Veeam).

Whether the language is “should” (the standards) or “must” (DORA, NIS2, the payment-card rules), every authority justifies the off-site backup on the same ground: geographic separation. Those two words are where the collision with data localisation begins. A localisation law says the data must not leave the country; the backup rulebook says a copy must sit far enough away to survive a local disaster. In a large country with several data centres, both can be true at once. In most of Africa, as the next sections show, they cannot.

The big global clouds: one country, mostly one location

The three dominant cloud providers — Amazon Web Services (AWS), Microsoft Azure and Google Cloud, collectively known as the “hyperscalers” because of the vast scale of their data centres — concentrate their entire Sub-Saharan presence in a single nation. In cloud terms, a “region” is a cluster of data centres in one geographic location. The hyperscalers’ own managed backup services keep all copies inside one of their own regions. Having two regions in different places is what makes an in-country backup possible.

  • AWS has one African region: Cape Town (af-south-1), which opened in 2020 (AWS region list; launch date per AWS announcement).
  • Microsoft Azure has two African regions, but both are in South Africa: South Africa North (Johannesburg) and South Africa West (Cape Town) (Azure geographies).
  • Google Cloud has one African region, in Johannesburg — its first and still its only one on the continent (Google Cloud).

Everywhere else — Kenya, Nigeria, Ghana, Senegal, Ethiopia, Tanzania, Angola and the rest — there is no full cloud region at all. What exists are smaller outposts: network connection points and limited compute extensions (for example, AWS’s “Local Zones” in Nairobi, tethered back to the Cape Town parent region), none of which can independently hold a real backup (AWS).

This produces a three-tier reality:

Tier 1 — South Africa. The only country where both the main copy and a separated backup can sit on a big global cloud inside national borders. Even here there is a catch: only Microsoft Azure offers genuine in-country separation, Johannesburg to Cape Town (roughly 1,300 km apart by road) — exactly what the backup rules demand. The Cape Town option is now a restricted region, “reserved for South Africa North customers requiring in-country disaster recovery” (Azure Speed). AWS and Google have only one region each in South Africa. A single region does spread across several availability zones (AWS says these sit up to ~100 km apart), so it survives a single data-centre failure — but every copy still shares one metro and one regional risk profile, so a backup with a genuinely distinct risk profile must still go abroad.

Tier 2 — the pending exception. Microsoft and the Emirati firm G42 announced a $1 billion “East Africa Cloud Region” at a geothermal-powered site in Olkaria, Kenya, billed as a “trusted data zone” and promised to be running within two years of its May 2024 launch (Microsoft). As of 2026 it is delayed amid disputes over energy and capacity-payment guarantees with the Kenyan government, and reportedly “requires further structuring” (Ubergizmo). Even if it is built, it would be a single Kenyan region with no in-country partner — repeating the one-region problem rather than solving it.

Tier 3 — everyone else. No region at all, so on any of the three big clouds the data and every backup necessarily leave the country, landing in South Africa or Europe. For these countries, a strict “every copy stays inside our borders” rule simply cannot be met on a global cloud.

The local-operator option — which mostly isn’t there

If the big global clouds cannot keep African data at home, perhaps the growing number of African and independent data-centre operators can. The honest answer: for a joined-up, government-wide system or a large regulated enterprise, only two countries can do this well, and a third can do it adequately. The rest cannot.

The test is strict, and it follows directly from the guidelines discussed above: an in-country backup that genuinely meets best practice needs (a) at least two separate, enterprise- or government-grade (Tier III) data centres, and (b) enough distance between them that a single disaster cannot knock out both. Many countries now have one such data centre. Almost none have two suitably separated, properly certified ones.

South Africa — capable, comfortably. It has data centres in several cities (Johannesburg, Cape Town, Durban) and is by far the continent’s deepest market, holding roughly 41% of all of Africa’s data-centre capacity, led by (US-controlled) operators such as Teraco and Digital Realty (Mordor Intelligence). Distance, scale and proper certification all come together here.

Nigeria — capable, and notably so for government. The federal government’s own provider, Galaxy Backbone, runs data centres in Abuja and Kano (roughly 350 km apart). The Kano site became the first in Nigeria to earn the highest “Tier IV” resilience certification, built expressly to provide “cloud, disaster recovery and business continuity services” to public and private bodies (Huawei Digital Power; Uptime Institute). On the commercial side, Africa Data Centres has announced sites in Lagos, Abuja and Port Harcourt, including an explicit “backup centre in Lagos” (Estate Intel).

Kenya — capable in principle, but a weaker second site. There is real depth in Nairobi (operators including Africa Data Centres, iXAfrica, PAIX and Wingu) plus two facilities run by Digital Realty in Mombasa, roughly 440 km from Nairobi by road (Africa Data Centres; Digital Realty). On paper the Nairobi-to-Mombasa gap provides separation, but almost all of the high-grade certified capacity is clustered in Nairobi.

Everywhere else — effectively not. The usual pattern is a single data centre per country, typically one operator in the capital. Raxio, the leading operator working across several countries, runs essentially one facility each in Uganda, Ethiopia, Mozambique, the Democratic Republic of Congo, Côte d’Ivoire, Angola and (soon) Tanzania (Raxio Group). National data centres in Ghana, Rwanda, Togo, Benin and Ethiopia are typically single government facilities, not separated pairs (Africa Data Centre Association). The industry’s own continental body puts it bluntly: across Africa, “disaster and redundancy backup systems are often hosted overseas due to limited domestic infrastructure” (Africa Data Centre Association, Data Centres in Africa 2026).

The count. Of the roughly 48 Sub-Saharan countries, just 2 can meet the test well (South Africa and Nigeria), 1 can do so adequately (Kenya), and roughly 45 cannot keep a properly separated, enterprise- or government-grade backup within their own borders today. Two fair caveats: the market is moving fast (around 100 megawatts of new East African capacity is expected by 2030 — D4D Hub, East Africa Data Center Markets Brief), and “a facility exists” is not the same as “it is affordable, available and certified for the particular job in hand.”

The CLOUD Act: why even in-country data may not be sovereign

Suppose a country clears every hurdle above — it has two separated, certified data centres, and it keeps both the main copy and the backup inside its borders. Is its data now sovereign? Not necessarily — because control follows the provider, not the server.

The United States’ Clarifying Lawful Overseas Use of Data Act of 2018 (the CLOUD Act) requires providers subject to U.S. jurisdiction to “disclose all data in their possession, custody, or control… regardless of the location of the data” (Belfer Center). It applies to any provider that operates or has a legal presence in the United States, and US courts “can require parent companies to provide data held by their subsidiaries” (CLOUD Act summary). In other words, where the data physically sits does not shield it.

European regulators have made the same point repeatedly: “even if data is hosted in Frankfurt or Paris, if it’s managed by a U.S.-based provider, it can legally be accessed by U.S. authorities, without involving the user” (Wire). Put simply, as Exoscale frames it, the CLOUD Act “shifts jurisdiction from where the data sits to who controls it” — jurisdiction follows the provider, not the server (Exoscale).

This is the decisive twist for African data sovereignty. A Kenyan or Nigerian agency that dutifully keeps all its data in-country, but does so on one of the big American clouds, has achieved physical localisation without legal sovereignty — its data is still reachable by a foreign government because the provider is American. The Belfer Center at Harvard puts the implication directly: local data storage “does not remove the risk of foreign government access requests,” and localisation is “proving ineffective” at improving security (Belfer Center).

African governments are more exposed here than European ones. The CLOUD Act allows the United States to sign reciprocal access agreements with trusted partners, but the only two ratified so far are with the United Kingdom (in force 2022) and Australia (in force 2024) (BSA TechPost). No African state has one. So African governments have neither a deep enough pool of local providers to avoid the American clouds, nor a treaty to govern foreign access when they do use them.

In fairness, the providers push back. Amazon Web Services reports “zero disclosures of AWS enterprise or government customer content stored outside the U.S. to the U.S. government” since it began publishing the figure in 2020, and notes that the Act lets providers challenge conflicting orders in court (AWS). That is a genuine operational reassurance — but it describes how the companies have chosen to behave, not a legal power they have given up. The legal reach is still there.

The “sovereign cloud” offer — and who really controls “control”

The big providers have an answer to all of this, and it is needs consideration. Their “sovereign cloud” products make a simple-sounding promise: store your data in our cloud — wherever the storage happens to sit, which need not be inside your country — but keep unfettered control over it. You hold the encryption keys; no cloud operator can read or move your data without you; and, they argue, you can verify that non-access technically rather than simply trusting it (Microsoft). It is a genuinely attractive pitch, and the market believes in it: worldwide spending on sovereign-cloud services is forecast to jump about 35% to roughly $80 billion in 2026, with the Middle East and Africa among the fastest-growing buyers (ChannelDive).

The contradiction is in that one word, control. Sovereignty has three layers, and they are not the same thing:

  • Data sovereignty — control over who can technically read the data (encryption keys, access logs).
  • Operational sovereignty — control over who runs and maintains the systems day to day.
  • Legal-jurisdictional sovereignty — which government’s courts can ultimately compel disclosure.

The hyperscalers’ sovereign-cloud offerings can deliver the first two layers. They cannot deliver the third. The reason is the CLOUD Act, as discussed above: as long as the provider is ultimately a US company, a US court can reach the data, and the encryption-key controls do not override that. Amazon’s new European Sovereign Cloud, for instance, is operated by a German company that is nonetheless wholly owned by Amazon.com Inc — which keeps it within reach of US law, unlike Amazon’s China regions, which are operated by independent local partners (Sinnet and NWCD) rather than by AWS itself (AWS China regions; InfoQ).

The providers say so themselves when pressed. Under oath before a French Senate committee in June 2025, Microsoft France’s legal director Anton Carniaux was asked whether he could guarantee that French customer data would never be handed to US authorities. His answer: “No, I cannot guarantee that” (Convotis; The Register). Representatives of all three big providers have similarly confirmed they would comply with a valid US court order (Nextcloud). Critics have a blunt name for selling the first two layers while implying the third: “sovereignty washing” (VSHN).

So the question “who defines, determines and polices control?” has an awkward answer. The provider defines control (it writes the terms and designs the key system), the provider determines it operationally — and a foreign court, not the customer, ultimately polices it. There is a tier that does close the gap: in Europe, providers such as Microsoft now offer their technology through government-approved local partners independent from the US parent (Bleu — a Capgemini/Orange venture — in France, and Delos in Germany), which operate the service locally (Forrester); Google offers a comparable model in France via S3NS (S3NS). Sub-Saharan Africa has no equivalent hyperscaler-technology-via-local-operator tier — though African-owned providers such as Cassava are beginning to build an indigenous sovereign-cloud alternative. And residency-focused laws — South Africa’s POPIA (Protection of Personal Information Act) and its 2024 National Policy on Data and Cloud, for example — address where the data sits, not which government can ultimately reach it (SA National Policy on Data and Cloud, Government Gazette 2024). The sovereign-cloud offer is real and useful, but for an African government it solves the residency and access-control problems while side-stepping the jurisdiction problem.

Conclusion: resilient, local, sovereign — pick at most two

The off-site backup requirement is not a footnote to the localisation debate; it is the fault line running through it. Stack the findings:

  1. Off-site backup is effectively mandatory, and its entire rationale is geographic separation (DORA, NIS2 and the GDPR in European law, echoed by ISO/IEC 27001 and the payment-card rules).
  2. On the hyperscalers, only South Africa can keep both primary and separated backup in-country — and even then only via Azure’s restricted Cape Town region.
  3. The hyperscalers’ own “sovereign cloud” products tighten data-residency and operational controls but cannot deliver legal sovereignty while the provider remains US-controlled — by their own admission under oath.
  4. Beyond the hyperscalers, only South Africa and Nigeria (and, marginally, Kenya) have two separated, certified facilities to make in-country resilience real. For ~45 countries the second site simply doesn’t exist, so the backup goes abroad.
  5. Even where data is kept in-country, using a US-headquartered provider leaves it legally reachable under the CLOUD Act — physical localisation without sovereignty.

The result is a genuine trilemma for African governments and large enterprises. Resilient, local, sovereign — you can generally have at most two. Choose hyperscaler resilience, and your backup (and your jurisdiction) leaves the country. Choose strict localisation on local infrastructure, and in most countries you forfeit the geographic separation that resilience demands. Choose in-country hyperscaler hosting where it exists, and the CLOUD Act means you have localised your data without making it sovereign.

This is why data-localisation laws, written to keep national data at home and beyond foreign reach, so often produce the opposite of their intent: they push African data either offshore (to satisfy resilience) or onto US-controlled platforms (to satisfy availability), and in both cases out of true national control. The escape route is not legislation but infrastructure — a second, separated, certified, non-US-controlled facility in-country. Today, almost nowhere in Sub-Saharan Africa has one.

The way out: localise to the region, not the nation

Everything above treats the nation as the unit of localisation — and that is precisely what traps most of Sub-Saharan Africa. The geographic-separation requirement at the heart of off-site backup does not actually care about borders; it cares about distance and independent risk. A backup in Dar es Salaam is just as safe from a Nairobi flood as one in Mombasa — arguably safer. The problem is only that crossing the border is currently treated as a sovereignty failure. Change the unit of localisation from the country to a trusted regional bloc, and the arithmetic transforms.

The logic is straightforward. Under hard national localisation, a country needs two separated, certified facilities of its own — a test only South Africa and Nigeria clearly pass. Under regional localisation, the bloc as a whole needs two separated, certified facilities somewhere among its members, with data permitted to flow freely between them. The second site no longer has to be in the same country — only in the same trusted zone. Suddenly a single national data centre, useless on its own for resilience, becomes a valid backup partner for a neighbour’s.

Africa already has the political vehicles for this. A number of the regional economic communities (REC) have begun explicitly contemplating regional data hosting:

  • The East African Community (EAC) has gone furthest. Its E-Commerce Strategy recommends regional investment in cloud and data-hosting capacity specifically “to minimise the transfer of data outside the EAC,” and warns that national localisation rules “derail the free flow of data within the EAC” (CIPIT, Strathmore University).
  • The West African Economic and Monetary Union (WAEMU/UEMOA) shares a single currency and a deep tradition of pooled institutions, making a pooled data zone a natural extension.
  • The broader ECOWAS and the sixteen-member SADC both contain at least one heavyweight data-centre nation plus several supporting markets.

Overlaying each bloc on the verified facility footprint — using the principle that a bloc qualifies if it contains at least two separated, enterprise/government-grade facilities in different member states, between which data may flow freely — the situation looks (theoretically) less desperate:

Regional bloc Members Anchor + partner facilities (different countries) Qualifies? Countries newly able to comply
SADC 16 South Africa (~64 facilities, ~41% of African capacity), plus Tanzania, Angola, Mauritius, Mozambique, Zimbabwe, Botswana, Zambia (Mordor Intelligence; Data Center Map) Yes, strongly All 16
ECOWAS 15 members (12 active; 3 suspended 2023–24) Nigeria (~28 facilities; Galaxy Backbone Tier IV at Kano), plus Ghana, Senegal, Côte d’Ivoire (Uptime Institute; Data Center Map) Yes, strongly All 12
EAC 8 Kenya (Nairobi: Africa Data Centres, iXAfrica, PAIX, Wingu), plus Tanzania (Raxio Dar es Salaam), Uganda, Rwanda, DRC (Africa Data Centres; Raxio Group) Yes All 8
WAEMU/UEMOA 8 Côte d’Ivoire (Raxio Grand Bassam) and Senegal as a separated pair, plus Togo, Benin (Raxio Group; Data Center Map) Yes All 8
ECCAS (Central Africa) 11 Weaker: Angola (~10) and DRC (~4) anchor, but most members single-facility (Data Center Map) Marginally Most, via Angola/DRC

The headline result reverses the gloomy national count. Under national localisation, 2 countries comply comfortably and roughly 45 cannot. Under regional localisation pooled at the level of the four well-resourced blocs above — EAC, WAEMU, ECOWAS and SADC — every one of their member states would gain access to a geographically-separated, certified backup site inside a trusted zone. Allowing for overlapping memberships, that is on the order of 35–40 Sub-Saharan countries moved from “cannot comply” to “can comply” — without a single new data centre being built. The infrastructure already standing simply has to be allowed to serve its neighbours.

Three conditions are required to make this real rather than rhetorical:

  1. A legal free-flow zone. Member states must agree that data moving to another bloc member is not an export for localisation purposes — the EAC’s own strategy language already points this way (CIPIT). The continental scaffolding exists in the AU’s Malabo Convention (in force since June 2023, though still only around fifteen ratifications — AU treaty status) and the emerging AfCFTA Protocol on Digital Trade, both of which call for harmonised, interoperable data regimes rather than fortress-by-fortress rules (CIPIT, Strathmore University).
  2. Mutual adequacy. Each member must recognise the others’ data-protection standards as adequate — exactly the harmonisation Malabo was written to produce — so that a Kenyan agency backing up in Tanzania is not breaching its own privacy law.
  3. Non-US-controlled operators. The CLOUD Act problem is solved. A pan-regional operator such as Raxio, Africa Data Centres or a national champion — incorporated and controlled within the bloc, with no US legal nexus — delivers the separated second site and keeps it outside foreign jurisdiction. Regional pooling is therefore the one configuration that can satisfy all three corners of the trilemma at once: resilient (separated backup), local (inside the trusted zone) and sovereign (no US-controlled provider).

None of this would be working against the grain of African policy — if anything, it supplies the missing piece the continent’s own instruments have been circling for years. The African Union’s Data Policy Framework, endorsed by the Executive Council in 2022, already treats hard national localisation as a weakness rather than a virtue: it lists “localisation rules that limit the cross-border flow of information necessary for local value creation” among the continent’s structural weaknesses, and warns that such rules “may inadvertently retard or counteract the objects of more far-reaching regional policy frameworks” (AU Data Policy Framework, 2022). Most tellingly, it concedes the very trap described here — that “policies such as data localisation will not be plausible without the necessary structural and institutional requirements for their effective evolution and implementation, in particular with reference to digital capabilities.” In other words, the Union itself recognises that a localisation law without the data-centre base to honour it is a hollow instrument. Its remedy is precisely the regional one: a continental “Digital Single Market” in which “data can flow across borders as freely as possible,” underpinned by harmonised rules, because “standardised rules on cross-border flows are a prerequisite for the anticipated benefits of [the African Continental Free Trade Area].”

That direction of travel is visible across the AU’s other recent instruments. The Continental Artificial Intelligence Strategy calls explicitly for Member States to “promote national and regional data pools” and to enable cross-border data sharing among AU Member States, grounded in the Malabo Convention and AU Data Policy Framework (AU Continental AI Strategy, 2024) — almost exactly the legal free-flow vehicle this paper argues for. There is even a discernible shift in continental thinking: the earlier Digital Transformation Strategy for Africa (2020–2030) urged Member States to “adopt a law on the localization of data with respect for the privacy of African citizens and residents” (AU Digital Transformation Strategy, 2020), yet only two years later the Data Policy Framework had pivoted toward harmonised cross-border flow and away from fortress-by-fortress rules. The continental position, in short, has already begun moving from the national instinct toward the regional one.

What the AU instruments do not yet do is connect this free-flow vision to the unglamorous mechanics of resilience. They speak of trade, value creation and a single market; none of them addresses the off-site backup requirement, the geographic-separation rule, or the CLOUD Act exposure that together make regional pooling not merely desirable but technically necessary. That is the gap this paper fills: the political vehicles, the harmonisation tools and the continental will already exist — what has been missing is the recognition that the same regional architecture is also the only configuration in which most African states can keep a resilient, sovereign backup at all.

This is the optimistic reading of an otherwise discouraging map. The national-localisation instinct is understandable but self-defeating: it locks each country inside borders too small to hold a resilient, sovereign system. Regional localisation keeps the data African, keeps it backed up, and keeps it beyond the reach of foreign subpoenas — turning forty-odd individually-stranded markets into four or five viable digital sovereignty zones. The hardware is largely already in the ground. What is missing is the agreement to let Nairobi’s backup live in Dar es Salaam, and Abidjan’s in Dakar.