By 10 June 2026 | Categories: news

Many South African companies have no clear picture of where their data lives, which jurisdiction governs it or what happens if something goes wrong. And that uncertainty comes at a cost, says Richard Frost, Head of Technology Solutions and Consulting at Armata Cyber Security.

Three Amazon datacentres went offline in early March 2026, and hundreds of companies discovered that their platforms were hosted in an unexpected region, or that their cloud workloads were being routed through a region that was in a conflict zone. The cloud had abstracted the physical reality so completely that the question of location wasn’t a primary consideration. This is a growing data sovereignty problem, and companies need to become more aware of which country’s laws govern their data, what protections exist under those laws, and what recourse they have if something goes wrong.

When data is hosted in a jurisdiction with strong governance frameworks, like South Africa under the POPI Act or Germany under GDPR, accountability is clear. When it sits in a jurisdiction with fragmented or weak data governance, the answer to what happens next is less certain. And that uncertainty is a risk that sits at the centre of every company’s security.

The growing geopolitical conflict has drawn new battle lines, ones that have a ripple effect across the globe. This new kind of war treats datacentres and cloud regions as strategic targets and not neutral utilities, and it is having a significant impact on multiple areas of the business. The first is cost. Hyperscalers and enterprises are already operating in an environment of accelerating infrastructure spend. The five largest cloud providers, Amazon, Microsoft, Google, Meta and Oracle, are projected to spend between $660 and $690 on infrastructure in 2026 alone, nearly double 2025 levels. The majority of that combined spend is aimed at AI compute and datacentre capacity.

When geopolitical disruption forces providers to reroute and re-engineer regional infrastructure at speed, those costs do not sit within the hyperscaler. They translate into higher service costs, tighter SLAs and more complex procurement decisions for every business that depends on those platforms. And the enterprise is bearing the downstream pressure.

The second impact is operational. Gartner originally placed the average cost of IT downtime at $5,600 per minute back in 2014; today that figure is closer to $9,000-$14,000 per minute, depending on company size and sector. In South Africa, the IBM 2025 Cost of a Data Breach Report puts the average breach cost at R44.1 million, with detection and escalation alone accounting for R17.5 million of that figure. Breaches involving data spread across multiple environments cost significantly more: in 2024 these breaches averaged R59m and 263 days, and IBM’s 2025 update shows the same pattern with even higher cost and long lifecycles. These numbers are the measurable consequence of gaps in architecture and oversight that companies carry without realising it. And these gaps are, at their very core, data sovereignty failures: data copied into jurisdictions that you can’t govern, systems you can’t see or cloud regions you were never meant to rely on.

The third impact is legal, and this is where data sovereignty moves from being a compliance concern into a genuine business risk. If something happens to your data in another country, what’s your recourse? How do you sue them? How do you gain compensation for the impact? These are questions few companies are asking and the impact is significant. South Africa’s POPI Act places clear obligations on cross-border data transfers, requiring that personal data moved outside the country receives equivalent protection under the destination jurisdiction’s laws. The amended POPIA regulations that came into effect in April 2025 strengthened overall enforcement and data subject rights, raising the stakes on getting cross-border transfers right.

The problem beneath all of this is that most companies don’t know where their data lives. Vendors make their own infrastructure decisions, and SaaS platforms, cloud services and third-party tools default to the infrastructure that works best for their global operations. This is not necessarily the same infrastructure that works best for their customers’ legal obligations.

Data should reside in South Africa or Germany because both countries have strong rules around the security of their datacentres. Those datacentres are all Grade Five and beholden to rigorous laws. If a breach occurs in a jurisdiction without equivalent governance, the business has limited legal standing or remediation pathways, or may sit within a regulatory framework that has no protection at all. Hosting in South Africa or a GDPR-compliant jurisdiction is the minimum viable option for a company operating under POPIA.

If your business has a primary datacentre in South Africa, you should be looking at a replication datacentre in a different region for a worst-case scenario. Should the datacentres in South Africa fail, there should be a site with your data replicated to it in a region that subscribes to the same level of data security and data privacy laws. That principle will put your business on a more stable and trusted footing as instability and changing war tactics put datacentres and data security at risk.
