Upgrade to High-Speed Internet for only ₱1499/month!
Enjoy up to 100 Mbps fiber broadband, perfect for browsing, streaming, and gaming.
Visit Suniway.ph to learn
Executive Order No. 119 places new rules on how government agencies classify, secure, and store official data as more public services move online and into the cloud
MANILA, Philippines – President Ferdinand Marcos Jr. signed Executive Order (EO) No. 119 s. 2026, Monday, July 13, updating the Philippine government’s rules for classifying and storing official digital data with a framework that’s responsive to the era of cloud computing, cybersecurity, and artificial intelligence.
The order amends the rules on how government agencies classify information based on security risks and establishes new rules on where different types of government data may be stored.
At its core, EO 119 seeks to answer three questions: What information does the government have? How sensitive is it? And where is it allowed to “live”?
For most Filipinos, the order won’t change how private companies handle their personal data. Instead, it changes how government agencies manage their own information — from military secrets and confidential records to public documents — as more government services move online.
Classifying government data
Instead of locking everything in the same vault, government agencies are asked to determine how damaging it would be if a piece of information were leaked, altered, or destroyed, with specific regard to the nature of digital data and where that data is physically stored. The greater the risk, the higher the level of protection it receives.
Government information will be grouped into two broad categories: Restricted Access Data and Open Access Data.
Restricted data is divided into 4 classifications summarized here:
- Top Secret – Information whose disclosure could cause exceptionally grave damage to national security or national interests.
- Secret – Information whose disclosure could seriously harm national interests or benefit a foreign state.
- Confidential – Information whose unauthorized disclosure could prejudice government operations, national interests, or public trust.
- Restricted – Information that requires protection but does not meet the thresholds of the higher classifications.
Everything else falls under Open Access Data, which may generally be disclosed to the public unless otherwise restricted by law.
The order also discourages agencies from unnecessarily over-classifying information — a practice that may limit transparency by keeping records hidden even when they pose little or no security risk.
Where is your data?
One of EO 119’s biggest changes is the creation of a “Data Residency Framework,” which determines where government information may physically be stored.
For the government’s most sensitive information, the rules are strict. Data classified as Top Secret or Secret must absolutely remain within Philippine territory or in facilities under Philippine sovereign control, such as embassies and diplomatic missions abroad.
Confidential data is limited in the same way as the first two but, “By way of exception, such data may be stored or processed outside Philippine territories, provided that the responsible agency obtains” the approval of the also newly proposed Joint Oversight Committee for Data Classification (JOC-DC), with safeguards for government control.
Less sensitive information under the Restricted classification, “shall be permitted to be stored on a secured cloud computing platform subject to encryption, risk mitigation, and other
cybersecurity requirements.”
Open Access Data are treated the same as Restricted but specifically mentions that they can be stored in computers “irrespective of the physical location of the platform or the ownership.”
The framework gives agencies clearer rules for adopting cloud technologies while attempting to ensure the country’s most sensitive information remains under a high level of protection.
Data residency vs. data sovereignty
Two terms you’ll likely hear more often are data residency and data sovereignty. While they sound similar, they address different aspects of data governance.
Data residency answers a physical question: Where is the data stored?
Under EO 119, the government’s most sensitive information must remain within Philippine territory, while less sensitive data may be stored elsewhere under defined security conditions.
Data sovereignty, meanwhile, answers a legal question: Who has authority over the data?
Even when government information is stored on cloud infrastructure outside the country under approved arrangements, Philippine agencies remain responsible for ensuring the data is managed, accessed, and protected in accordance with Philippine laws and national security requirements.
Who is watching the data?
To oversee the new framework, EO 119 creates the Joint Oversight Committee for Data Classification (JOC-DC), co-chaired by the Department of Information and Communications Technology (DICT) and the National Security Council.
The committee will issue implementing guidelines, establish classification standards, monitor compliance, and help ensure agencies do not improperly classify information that should remain accessible to the public.
The transition will take place over three years. Agencies must first inventory and classify their data before gradually complying with the new storage and security requirements, with the highest classifications prioritized during implementation.
Why it matters
Government agencies are increasingly relying on cloud services, artificial intelligence, and digital platforms to deliver public services. But as more government information moves online, protecting sensitive data becomes more complex.
EO 119 lays the groundwork for that transition by replacing a paper-era classification system with one built for the digital age. It aims to keep national secrets under tighter control while allowing less sensitive data to benefit from modern cloud technologies.
Following a call from the DICT to build its own data centers for the sake of data sovereignty in September 2025, the new EO is policy-side move hoping to strengthen cybersecurity, improve digital governance, and strike a balance between national security, transparency, and the growing demand for faster, technology-driven public services. – Rappler.com

1 hour ago
6


