My Globe and Mail op-ed last week argued that the U.S. is pursuing a two-pronged strategy on cross-border data: the CLOUD Act to assert legal access wherever data sits, and trade policy to pressure countries that try to move their data beyond that reach. This post provides the underlying data that the op-ed could not fit with a fuller picture of what the 2026 U.S. National Trade Estimate Report on Foreign Trade Barriers (NTE) actually says about cloud computing and data sovereignty across the globe.

The speed at which data sovereignty has moved onto the U.S. trade radar is truly remarkable. The 2025 NTE report contained 12 country-level data localization headings and a handful of cloud-specific sections covering China, South Korea, and the EU. There was no mention of Canada in connection with cloud computing or data sovereignty. The term “sovereign cloud” did not appear anywhere in the report.

One year later, references to cloud and data localization have increased by roughly 50 percent overall. Entirely new sections have appeared for Canada’s Sovereign Cloud Initiative, Japan’s sovereign AI cloud subsidies, Bolivia’s public cloud storage requirements, Colombia’s public cloud procurement framework, and South Korea’s restrictions on foreign cloud providers handling national core technologies. The term “sovereign cloud” appears for the first time, and Canada is named alongside it.

The report reveals several things about how the U.S. is approaching data sovereignty as a trade issue. First, the U.S. makes no distinction between legitimate security concerns and protectionism. For example, the report groups Canada’s sovereign cloud initiative, a direct response to the CLOUD Act’s extraterritorial reach, alongside Turkey’s blanket ban on public-sector cloud computing and China’s prohibition on foreign cloud providers. Countries with transparent, rule-of-law procurement processes are placed in the same category as countries with opaque regulatory regimes. In short, any measure that restricts cross-border data flows or disadvantages U.S. cloud providers is treated as a trade barrier.

Second, the report is strategically silent on the CLOUD Act. The report identifies more than 30 countries that restrict cross-border data access without once acknowledging the CLOUD Act as a driver of many of those responses.

Third, the El Salvador entry provides a preview of where things may be heading. The NTE cites its decision to permit cloud-based storage of credit history data, which came following U.S. engagement during trade negotiations, as a success story. This appears to be the template the U.S. wants to replicate with bilateral pressure leading to the rollback of data localization requirements.

What follows is a list of every country cited in the report on these issues, organized by the type of barrier the U.S. identified with data drawn directly from the report. The sheer breadth reflects a coordinated trade policy response to a global trend involving a structural shift in how governments relate to data.

i.Sovereign Cloud and Cloud Procurement Barriers

The report treats government cloud procurement restrictions as a distinct category of concern, presumably because they directly affect the market share of U.S. providers such as Amazon Web Services, Microsoft Azure, and Google Cloud in government contracts worldwide. Five countries are flagged for procurement-specific barriers in the 2026 report, all of which are new or substantially expanded compared with 2025.

Canada: The Shared Services Canada proposal to require that government purchases of cloud services process, transmit, and store all data exclusively in Canada, under the control of providers not subject to foreign laws permitting access without Canada’s prior written consent.

France: SecNumCloud requires that cloud providers handling sensitive government data be at least 61 percent EU-owned and immune from non-EU laws. The Prime Minister’s May 2023 circular defining “sensitive data” could further preclude foreign cloud suppliers from serving French public authorities.

Japan: A ¥72.5 billion (approximately C$628 million) subsidy program for domestic companies to purchase GPUs and build sovereign AI infrastructure, largely excluding foreign companies. Recipients include Sakura Internet, KDDI, and GMO Internet Group.

Bolivia: Supreme Decrees 5309 and 5468 require public-sector entities to store “non-public” government data within Bolivian territory by 2030, effectively barring U.S. cloud service providers from offering storage services to government institutions.

Colombia: Resolution 372 (June 2025) on public cloud procurement awarded additional points to suppliers with data centres in Colombia and included data sovereignty requirements restricting cross-border data flows.

ii.Cloud-Specific Regulation

A second tier of countries faces U.S. objections to regulatory frameworks that restrict how cloud services operate. These range from outright bans to certification schemes to registration requirements.

South Korea: The Cloud Security Assurance Program (CSAP) requires data localization of cloud systems, Korean-based operations personnel, and domestic encryption algorithms. No foreign cloud service provider has obtained mid-tier or higher certification. Separately, the Ministry of Science and ICT issued AI infrastructure procurement tenders accessible only to domestic bidders, and the Industrial Technology Protection Act bars foreign cloud providers from handling national core technology workloads.

EU: The proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) is expected to become mandatory for parts of the public sector. France has pushed for stricter sovereignty requirements within the EU framework. The Digital Markets Act has launched three cloud-services-related investigations. The Data Act imposes portability and switching requirements on cloud providers along with restrictions on international transfers of non-personal data.

Hungary: State and local government bodies may only process data in systems operated within Hungarian territory, though electronic information systems can be hosted in EU Member States for organizations providing critical services such as energy, transportation, agriculture, and health.

Turkey: Public institutions have been prohibited from using cloud computing services since July 2019. The Central Bank prohibits the use of cloud services for certain financial workloads. The Capital Markets Board and TUBITAK impose data localization requirements on the cryptocurrency and R&D sectors.

Saudi Arabia: The Cloud Computing Regulatory Framework grants the CITC broad powers to require cloud and ICT service providers to install and maintain government filtering software.

Mexico: Concerns about the length and uncertainty of the approval process for electronic payment institutions seeking to use U.S.-based cloud computing services, with questions about whether approvals are tacitly conditioned on using local computing facilities.

Russia: In 2023, rules were dramatically tightened to specifically target foreign hosting and cloud storage providers, requiring registration with the Federal Tax Service, local offices, local bank accounts, and client identification. This is in addition to the comprehensive data localization regime established in 2016.

Serbia: State authorities must keep all electronic registries and records in Serbia, limiting the scope of cloud services using servers outside Serbian territory.

Vietnam: The expanded definition of telecommunications services now covers data centres, cloud computing, and Internet-based services with communications capabilities, thereby imposing notification, privacy, and cybersecurity obligations on cross-border providers.

UAE: ADHICS 2.0 allows cloud data services for health data storage within the UAE but restricts cross-border flows of health data.

Kenya: The Computer Misuse and Cybercrime Regulations of 2024 impose data localization and reporting obligations on providers of “Critical Information Infrastructure,” which includes cloud service providers.

iii. Broad Data Localization

The largest category covers countries that impose general data storage or processing requirements that indirectly affect cloud services. These are not cloud-specific rules, but they shape the operating environment for cloud providers.

China: Foreign companies established in China are prohibited from directly providing cloud computing services and must instead establish contractual partnerships with Chinese firms. The Cybersecurity Law, Data Security Law, and Personal Information Protection Law impose broad data localization mandates and restrictions on cross-border data transfers.

Bangladesh: The Personal Data Protection Ordinance introduces data localization requirements for certain restricted data categories, which could compel foreign providers to establish local data centres.

Ecuador: Data localization for reserved and confidential data. Cloud services from offshore data centres must be contracted through the state-owned National Telecommunications Corporation.

Ghana: The draft 2025 Data Protection Act encourages localization for data critical to national defence, national identity systems, and biometric, health, and children’s data.

South Africa: The 2024 National Data and Cloud Policy requires that data related to national security and sovereignty be stored within South Africa.

Nigeria: NITDA Guidelines require local storage of government data. The draft 2025 National Cloud Policy would require foreign cloud providers to invest locally or partner with domestic firms.

Pakistan: The Cloud First Policy (2022) imposes data localization on “restricted,” “sensitive,” and “secret” data classes. Financial regulators bar offshore cloud for core banking workloads. Securities regulators prohibit digital lenders from using cloud infrastructure outside the country.

Panama: Government cloud services for sensitive data must be physically located within Panama. Non-security data requires government approval for cloud storage.

Peru: The digital governance framework contains vague provisions that may lead to data localization requirements.

Israel: Cross-border transfer restrictions similar to GDPR, with recognition of the EU-U.S. Data Privacy Framework.

Norway: GDPR-based restrictions on cross-border personal data transfers through the EEA Agreement.

Switzerland: Restricts personal data transfers outside Switzerland except to countries with adequate protection.

iv. Financial Sector Data Localization

A final category targets financial data specifically, which is often the most commercially significant form of data localization because it directly affects the operations of global banks, payment processors, and fintech companies.

India: The Reserve Bank of India requires all payment system data to be stored on servers in India. Separately, the 2025 Department of Telecommunications instructions impose broader data localization requirements on satellite communications providers.

Indonesia: OJK regulations impose strict data localization rules for financial transactions.

El Salvador: Previously mandated on-site storage of credit history data. Following U.S. trade engagement, the 2025 amendments now permit cloud-based storage, cited by the NTE as a model outcome of what the U.S. regards as successful trade diplomacy on data issues.

The obvious takeaway from this data is that Canada is not an outlier. Being listed alongside more than 30 countries confirms that data sovereignty is a global structural trend. In fact, the NTE flags only the federal Shared Services Canada proposal, but the trend in Canada is growing. For example, Alberta has issued its own Sovereign Compute Environment procurement with requirements that go even further than the federal initiative, including Canadian ownership thresholds and an explicit prohibition on providers subject to the CLOUD Act or equivalent foreign laws. With Canadian governments at multiple levels moving in the same direction, the U.S. response is something Canada will need to confront directly as it pursues digital sovereignty.