Trust Services

Philippines Data Residency: What Executive Order 119 Means and How to Prepare

TL;DR — On 13 July 2026, the Philippines signed Executive Order No. 119, establishing a national data residency framework and a modern, risk-based data classification system for government data. Sensitive government data must now be stored within Philippine jurisdiction, cross-border transfers are controlled, and covered agencies have three years to comply. Though the order applies to the public sector today, the policy direction signals broader data sovereignty expectations ahead — making early preparation a strategic advantage.

The Philippines data residency landscape changed on 13 July 2026, when President Ferdinand R. Marcos Jr. signed Executive Order No. 119. For the first time, the country has a comprehensive framework that says clearly where government data must live, how it must be classified, and who is accountable for protecting it. For any organisation that stores or processes data on behalf of the Philippine government, the rules of engagement are now explicit.

Executive Order 119 updates a data classification structure that dates back to the 1960s and was built for a paper-based bureaucracy. In its place is a unified, risk-based model designed for cloud computing, cybersecurity threats and cross-border data flows. This guide breaks down what the order requires, who it covers, and the practical steps to prepare.

What Executive Order 119 Establishes

At its core, EO 119 does three things. It modernises the Government Data Classification Framework, it creates a mandatory data residency framework, and it sets up governance to oversee both. The order covers all government data in digital or hybrid form owned, processed or controlled by national government agencies, government-owned and -controlled corporations, and state universities and colleges. The Legislature, Judiciary, Constitutional Commissions and local government units are encouraged to adopt it.

A guiding principle runs through the entire order: all government data remains subject to the laws and jurisdiction of the Republic of the Philippines, regardless of where it is stored, processed or handled. Data sovereignty, in other words, follows the data.

The New Data Classification Framework

Under the updated framework, government data falls into two general classes, with classification driven by a risk-based assessment of the harm that unauthorised disclosure could cause.

Restricted Access Data

Data requiring protection in the interest of national security, split into four descending levels:

  • Top Secret — unauthorised disclosure would cause exceptionally grave damage to the nation.
  • Secret — disclosure would endanger national security or seriously injure national interest.
  • Confidential — disclosure would be prejudicial to national interest or cause administrative harm.
  • Restricted — information needing protection below the Confidential threshold.

Open Access Data

Information not involving national security, which may be designated Unclassified or Open, subject to applicable laws. To keep the system credible, EO 119 explicitly prohibits overclassification.

Data Residency Requirements by Classification Level

This is where the residency rules bite. Storage obligations scale with sensitivity:

  • Top Secret and Secret data must be stored within Philippine territory, or in territories over which the Philippines exercises sovereignty such as embassies and consulates.
  • Confidential data must, as a general rule, be stored within Philippine territory. Overseas storage is allowed only by exception, with prior approval from the Joint Oversight Committee for Data Classification (JOC-DC) and adequate safeguards.
  • Restricted data may sit on a secured cloud computing platform, subject to encryption, risk mitigation and cybersecurity requirements.
  • All other data, including Open Access data, may be stored on secure cloud platforms regardless of physical location or ownership, subject to the same safeguards.

Cross-Border Data Transfers and the Data Privacy Act

Cross-border transfers are permitted only in line with the classification framework and forthcoming implementing guidelines. Where government data contains Personal Information or Sensitive Personal Information, transfers must satisfy the Accountability principle under the Data Privacy Act of 2012 (RA 10173), meaning the Personal Information Controller must guarantee a comparable standard of protection abroad. EO 119 does not loosen existing privacy duties — it layers residency obligations on top of them.

Who Is Covered — and Why the Private Sector Should Pay Attention

EO 119 does not apply to private or commercial data owned by private entities. But it does reach private organisations that process or store government data on the government’s behalf — including firms in public-private partnerships, public utilities, critical infrastructure and strategic projects. Crucially, agencies that use cloud or third-party services remain responsible for compliance, and must build the right contractual and technical safeguards into their agreements.

The strategic signal matters as much as the letter of the order. Data residency requirements now anchored in the public sector tend to migrate outward. Regulated industries — banking and financial services first, given the Bangko Sentral ng Pilipinas’ existing technology risk expectations, then telecom, healthcare and beyond — should expect similar sovereignty thinking to shape their own obligations over time. Organisations that build residency-ready architectures now will adapt far more easily than those that wait.

The Three-Year Compliance Timeline

Covered agencies must achieve full compliance within three years, in phases:

  • Year 1 — capacity building, inventory of government data, and initial classification of datasets and workloads.
  • Year 2 — full compliance for Top Secret and Secret data.
  • Year 3 — full compliance for all remaining government data.

The DICT and NSC co-chair the JOC-DC, which must issue implementing guidelines and publish official training modules within 120 days of the order’s effectivity. In practice, the clock has already started.

How eMudhra Supports Philippines Data Residency Compliance

Meeting EO 119 is not only about where servers sit. It requires classifying data, controlling who can access it, proving integrity and authenticity, and demonstrating governance — all while keeping sensitive workloads inside Philippine jurisdiction. eMudhra’s digital trust portfolio is built for exactly this, and every solution supports flexible deployment: On-Premises, Private Cloud or SaaS, so data can remain in-country wherever residency demands it.

Sovereign trust infrastructure with CertiNext

CertiNext provides sovereign private PKI hierarchies, a certificate authority module and full certificate lifecycle management — issuance, renewal, revocation and discovery across the enterprise. Agencies can run their own in-country root and issuing CAs, keeping the roots of digital trust under national control rather than dependent on offshore authorities.

Identity and access control with SecurePass

SecurePass delivers IAM and multi-factor authentication — SSO, role-based access, federated identity and phishing-resistant MFA — so access to residency-controlled data is verified, least-privilege and fully auditable, supporting the information security officer role the order requires.

Trusted signing and workflows with emSigner

emSigner enables legally valid digital signatures and document workflows, backed by trusted certificates, so records handled under EO 119 carry verifiable authenticity and tamper-evidence — deployable within Philippine infrastructure.

As a globally recognised digital trust provider with WebTrust and ETSI-aligned practices, eMudhra helps organisations translate the requirements of EO 119 into a concrete, deployable architecture — from data classification through to sovereign infrastructure and audit-ready governance.

Frequently Asked Questions

When did Philippines Executive Order 119 take effect?

EO 119 was signed on 13 July 2026 and takes effect immediately upon publication in the Official Gazette or a newspaper of general circulation. Covered agencies have three years to reach full compliance.

Does EO 119 apply to private companies?

Not to their own commercial data. However, it applies to government data that private entities process or store on behalf of agencies — including public-private partnerships, utilities and critical infrastructure providers.

Which data must be stored inside the Philippines?

Top Secret and Secret data must be stored within Philippine territory or sovereign locations. Confidential data must generally stay in-country, with narrow exceptions. Restricted and open data may use secure cloud platforms with safeguards.

Are cross-border data transfers still allowed?

Yes, but only in line with the classification framework and implementing guidelines. Transfers of personal or sensitive personal information must meet the Accountability principle of the Data Privacy Act (RA 10173).

What should organisations do first?

Inventory the data you hold, classify it under the new framework, review where it is stored and who can access it, and identify residency gaps. eMudhra can support a readiness assessment and compliance roadmap.

Reference

This article is based on Executive Order No. 119 — “Updating the Government Data Classification, Establishing a Data Residency Framework, and For Other Purposes” — signed in Manila on 13 July 2026, which serves as the official reference document.

Prepare for Philippines Data Residency with eMudhra

eMudhra helps government agencies, banks and enterprises classify data, deploy sovereign digital trust infrastructure, and meet residency obligations on their terms — On-Premises, Private Cloud or SaaS. Talk to the eMudhra Philippines team for a readiness assessment and compliance roadmap.

Get in touch: Talk to eMudhra.

eMudhra Limited
About the Author

eMudhra Limited

eMudhra Editorial represents the collective voice of eMudhra, providing expert insights on the latest trends in digital security, cryptographic identities, and digital transformation. Our team of industry specialists curates and delivers thought-provoking content aimed at helping businesses navigate the evolving landscape of cybersecurity and trust services with confidence.

Ready to Try?

Talk to our team about how eMudhra can help secure your digital workflows with PKI, eSignatures and identity solutions.

Connect with sales