Marcos OKs EO to strengthen government data security, support digital infrastructure growth
- Data Security, DICT, Digital Infrastructure, Order No. 119, President Ferdinand Marcos Jr., PSAC
-
Photo courtesy of PCO
President Ferdinand R. Marcos Jr. has signed Executive Order No. 119, updating the government’s data classification rules and establishing a framework for the storage and processing of government information.
Titled “Updating the Government Data Classification, Establishing a Data Residency Framework, and for Other Purposes,” EO 119 introduces a risk-based approach to protecting sensitive government data while providing clearer rules for cloud services, data centers, and other digital infrastructure providers.
“For decades, government data classification relied on Memorandum Circular No. 78 (s. 1964), a framework developed during the paper-based era. With the rapid growth of cloud computing, artificial intelligence (AI), and digital services, the Philippines needed an updated policy that protects sensitive government information while enabling secure innovation and technology investments,” DICT said.
“Issued ahead of the Private Sector Advisory Council (PSAC) on Digital Infrastructure, EO 119 addresses a key regulatory gap identified by industry stakeholders: the need for clear and internationally aligned rules on government data classification, storage, and protection,” it added.
The Department of Information and Communications Technology (DICT) developed the framework following consultations with more than 50 stakeholders, including national government agencies, security institutions, privacy regulators, foreign chambers, business groups, cloud service providers, telecommunications companies, and digital infrastructure operators.
The DICT also reviewed 18 formal position papers in developing the policy, which seeks to balance national security requirements with the need for predictable rules supporting cloud adoption and digital infrastructure investments.
Under EO 119, safeguards will be applied based on the sensitivity of government information instead of imposing a blanket data localization requirement.
Top Secret and Secret data must be stored within Philippine territory, including authorized facilities in Philippine embassies and consulates.
Confidential data must generally remain in the Philippines but may be stored or processed offshore with the required approval and appropriate security safeguards.
Restricted and Open Access data may be stored or processed through secure cloud platforms, subject to encryption, cybersecurity measures, and internationally recognized security standards.
EO 119 applies only to government data and does not regulate commercial or other data owned by private entities.
The risk-based framework is expected to provide technology companies, cloud providers, and data center operators with clearer guidance on the government’s data storage and security requirements.
“With a more predictable policy environment, the Philippines strengthens its competitiveness in attracting investments in data centers, cloud computing, and emerging technologies such as artificial intelligence,” DICT said.
EO 119 also establishes the Joint Oversight Committee for Data Classification, which will oversee the implementation of the new framework.
The committee will be co-chaired by the DICT and the National Security Council, with representatives from the Department of the Interior and Local Government, National Intelligence Coordinating Agency, Department of Foreign Affairs, National Privacy Commission, Philippine Statistics Authority, and National Archives of the Philippines.
The committee must issue the implementing guidelines within 120 days from the effectivity of the executive order.
Covered government agencies will be given a three-year transition period to comply with the new requirements.
During the first year, agencies must conduct data inventories, begin classifying their information, and carry out capacity-building activities.
Full compliance with the requirements for Top Secret and Secret data will be required during the second year.
By the third year, agencies must comply with the rules covering all remaining government data classifications.
“Data is the foundation of our digital future. We must protect critical government information while ensuring that the Philippines remains open to innovation, cloud technologies, and global digital partnerships,” DICT Secretary Henry R. Aguda said.
