On 13 July 2026, the President of the Philippines issued Executive Order No. 119 (“Order”), updating the government data classification framework and introducing a new data residency regime for government data. The Order took effect on 15 July 2026 immediately upon its publication in a newspaper of general circulation.

While the Order primarily governs government data, it expressly extends to private entities that process or store such data on behalf of government agencies. As a result, organizations providing cloud, outsourcing, or other data-related services to government clients must ensure that their operations comply with these new classification, security, and localization requirements.

Key takeaways

  • Government agencies must adopt a unified, risk-based classification framework and ensure that service providers handling government data comply with corresponding requirements.
  • Data residency obligations are linked to classification levels and may affect where government data can be stored or processed, including in outsourced or cloud environments.
  • Cross-border data transfers involving government data containing personal information require protections comparable to those under the Data Privacy Act of 2012.
  • Government agencies remain accountable for compliance but must implement safeguards that may flow down to private service providers.
  • A three-year phased implementation period provides time for affected organizations to review and align their infrastructure, contracts, and controls.

 

In more detail

Executive Order No. 119 introduces a comprehensive update to the Philippine government’s data classification system and establishes a structured data residency framework. While focused on government data, the Order is relevant to private sector organizations that provide data processing, storage, or cloud services to government agencies.

In particular, the Order creates classification-based obligations that government agencies must enforce, including through their engagements with private sector providers.

Scope of application

The Order applies to all government data in digital or hybrid form that is owned, processed, or controlled by national government agencies and related entities. While it does not apply directly to private sector data, it expressly covers government data that is processed or stored by private entities on behalf of government agencies, including in public-private partnerships, public services, and outsourced arrangements. Government agencies remain accountable for compliance and must implement appropriate safeguards when engaging service providers.

Updated data classification framework

The Order establishes a unified, risk-based classification system for government data, categorized into Restricted Access Data1 and Open Access Data2. Restricted Access Data is further divided into Top Secret, Secret, Confidential, and Restricted. Classification is based on potential harm from unauthorized disclosure, including national security, economic, or reputational risks.

For private sector providers, this framework determines the level of control, protection, and infrastructure requirements that may apply to data they handle.

Data residency requirements

The Order prescribes storage rules tied directly to classification levels. In summary:

  • Top Secret and Secret data must be stored within Philippine territory or areas under Philippine jurisdiction.
  • Confidential data must generally be stored within Philippine jurisdiction, although offshore storage or processing may be permitted on an exceptional basis subject to prior approval and safeguards.
  • Restricted data may be stored on secured cloud-computing platforms, subject to encryption and cybersecurity measures.
  • Open Access Data may be stored on secure cloud platforms regardless of physical location, subject to appropriate safeguards.

These classification-based requirements are likely to shape how private cloud and hosting providers structure their service offerings to government clients.

Cross-border data transfers

Cross-border transfers of government data are permitted but must align with the classification framework and forthcoming implementing guidelines. Where such data includes personal or sensitive personal information, the transferring entity must ensure a level of protection comparable to that required under the Data Privacy Act of 2012.

This framework may be relevant for organizations that provide offshore processing, regional service delivery, or global infrastructure supporting government operations.

Risk-based governance and security requirements

Government agencies are required to adopt a risk-based classification methodology, including data inventories, risk and impact assessments, and ongoing review processes. They must also maintain records in a central registry system and implement information security measures aligned with classification levels.

To the extent that data processing or storage functions are outsourced, private entities may be required to support these governance processes, including implementing appropriate controls, enabling auditability, and aligning with classification-driven safeguards.

Implementation timeline

The Order provides a three-year phased implementation period. The first year focuses on data inventory and initial classification, the second on compliance for higher-risk data (Top Secret and Secret), and the third on full compliance across all data categories.

During this period, agencies may continue using existing systems, but they must take steps toward alignment. This transition window may be critical for private sector providers to update contractual arrangements, infrastructure, and compliance frameworks.

How this affects your business

Private sector organizations that process, store, or otherwise handle government data in the Philippines, including cloud service providers, outsourcing partners, and contractors engaged in public sector projects, may be subject to downstream obligations under the Order. As government agencies are required to ensure compliance with data classification, residency, and security requirements, these obligations are likely to be reflected in contractual arrangements, technical standards, and operational controls imposed on service providers.

Businesses should therefore consider reviewing their data governance frameworks, infrastructure design, and cross-border data transfer practices to assess alignment with classification-based residency requirements and security expectations under the Order. Organizations supporting government clients may also need to evaluate whether existing cloud, hosting, and data processing arrangements can accommodate localization requirements for higher-risk data and support risk-based classification and audit processes.

Companies engaging with the public sector may further wish to revisit contractual terms, service delivery models, and internal compliance documentation to ensure that appropriate safeguards, reporting mechanisms, and accountability structures are in place.

For further information on how this development may affect your organization, please feel free to reach out to our team in Quisumbing Torres, and we will be pleased to assist.

 

Refers to official matters requiring protection in the interest of national security and is limited to four categories, in descending order of importance: (i) Top Secret, (ii) Secret, (iii) Confidential, and (iv) Restricted.

Refers to information or matters that do not fall within Restricted Access Data and do not involve national security, and may be designated as Unclassified or Open, subject to applicable laws, rules, and regulations.