Data sovereignty in South Africa has crossed from compliance aspiration to active enforcement reality, and the gap between boards that understand that and those that don’t is no longer theoretical.
TrendAI country MD Gareth Redelinghuys has published a position paper on the subject that goes further than the company's recent infrastructure announcement in establishing what the regulatory basis for urgency actually is. The commercial interest is transparent: TrendAI sells locally governed data centre infrastructure, and the argument that organisations need South African soil under South African legal accountability is an argument for the product category it operates in. That doesn't make the argument wrong. The facts it rests on hold up independently of who is presenting them.
The enforcement gap that’s closing
POPIA has been fully enforceable since July 2021, but the Information Regulator spent the first years building institutional capacity. That phase appears to be over. The Regulator’s office is now processing an average of 198 breach notifications per month, a volume that signals functional enforcement infrastructure rather than a body still standing up its processes.
The more structurally significant development is the FSCA’s Joint Standard 2 of 2024. For financial institutions, this standard inserts board-level accountability into cybersecurity governance explicitly. The accountable party for cybersecurity failure isn’t the IT manager or the CISO. It’s the board. That’s a direct legal consequence, not a recommendation, and it applies now.
Together, these two frameworks have effectively closed a grace period that many South African organisations were still operating inside, a window in which POPIA existed on paper but enforcement remained light enough to treat as a future problem.
What physical residency doesn’t guarantee
The dimension that tends to get the least attention in local data sovereignty conversations is the US CLOUD Act. A cloud provider that is subject to US jurisdiction, which a US-headquartered company always is, can be compelled by a US warrant or subpoena to produce data in its possession, custody or control regardless of where the servers holding it physically sit. A Johannesburg data centre operated by a US-headquartered company therefore does not place that data under South African jurisdiction alone. Physical residency and legal jurisdiction are not the same thing, and most local cloud migration decisions have not been made with that distinction clearly drawn. The one practical limit is that such an order reaches what the provider can actually access: data encrypted under keys that the customer holds outside the provider's control is produced as ciphertext, which is why key custody belongs in any residency assessment alongside server location.
For POPIA compliance purposes, this matters in ways most organisations have not formally assessed. Whether personal information is protected under South African law is not settled by where it is stored but by which authorities can lawfully compel its disclosure, and a residency claim that ignores the provider's home jurisdiction answers the wrong question.
What the paper doesn’t address
TrendAI's position paper treats the regulatory "what" with precision. The "how" is where the gaps are. Cloud migration in South Africa has been deep and in many cases fast. For organisations already substantially dependent on hyperscalers headquartered outside the country, the path to meaningful data residency is not a procurement decision; it is a multi-year infrastructure realignment that carries its own cost, complexity, and continuity risk. Naming the problem is easier than solving it for organisations mid-migration.
SABRIC's figure of R2.2 billion in annual losses to cyberattacks on South African banks captures direct financial losses only. It excludes the reputational exposure of a publicly disclosed breach, the operational disruption of a ransomware event, and the regulatory consequence of a formal POPIA notification. The Postbank breach illustrated all three materialising simultaneously, and the lasting damage was not the breach itself but the governance failure that made it possible.
What’s actually changed
South African organisations in financial services can no longer treat cybersecurity governance as an IT function with board oversight; the FSCA Joint Standard makes it a board function with IT execution. POPIA enforcement has moved past the point where delay functions as a strategy.
Local infrastructure is one credible answer to the jurisdiction question. Whether it’s the right answer for any specific organisation depends on what a proper data residency audit reveals, and most South African organisations haven’t conducted one with the specificity the Regulator would now require.