The South African (SA) government is committed to socio-economic transformation by reducing poverty and inequality, developing an inclusive economy and building capabilities1 in a manner which gives effect to the rights enshrined in SA's Constitution.2 The government recognizes that technology can play a key role in achieving these objectives.3 At Microsoft, we agree. We believe that hyper-scale cloud services, in particular, can play a pivotal role in helping SA unlock its key socio-economic objectives while ensuring a safer, more secure and more effective environment, which adheres to accepted international technical standards.4

Microsoft is proud to confirm that it meets regulatory and compliance requirements for use of the cloud in some of the most highly regulated industries across the globe and can help you to achieve compliance with the regulatory, and compliance requirements applicable in your sector.


Microsoft has led the cloud technology revolution in SA and provides its customers with state of the art cloud services. Its solutions such as Microsoft Azure, Office 365, and Microsoft Dynamics 365 power many different customers across the MEA region, including SMEs, large global corporates, public sector and non-profit organisations.

Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth, and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure, and legally compliant manner.

  • Cloud adoption in SA has, as in many other countries, been accompanied by potential concerns about regulatory compliance. These concerns generally relate to the ability of cloud service providers to ensure security and privacy compliance. This is changing as organisations can now move to the cloud in a way that meets and often exceeds their security and privacy requirements. Cloud solutions from leading providers such as Microsoft are now being recognised for their ability to offer these or higher levels of security and privacy compliance.

    At Microsoft, we welcome these positive developments and are pleased to have participated in a large number of compliance conversations with customers and regulators across sectors. As a result, we have developed a range of materials to help our customers in SA move to the cloud in a way that meets their regulatory requirements.

  • The laws governing the adoption of cloud computing in SA fall into two categories – general laws and regulations that apply to all organizations; and laws and regulations that only apply to organisations within specific sectors. There is presently no uniform regulation for cloud services in South Africa.

    • Currently in SA, data privacy laws are governed by SA's Constitution5 and the common law. The right to privacy is recognized as a fundamental right. The Protection of Personal Information Act 4 of 2013 ("POPIA") will soon come into force. POPIA will specifically regulate the collection, use and processing of personal data. It will impose obligations on organizations concerning matters such as notice, consent and purpose, disclosures, international transfers, security, data retention, data subjects' rights of access and correction, and subcontracting.

      POPIA will require responsible parties (data controllers) to have a written agreement with their cloud service providers and ensure that appropriate, reasonable technical and organisational measures are taken to protect personal information from loss, damage, unauthorised destruction, unlawful access, and processing.

      The Information Regulator, appointed under POPIA, is a new regulator that will have extensive powers to investigate and fine responsible parties. The Information Regulator will provide guidelines for compliance with POPIA. Microsoft intends to continue working closely with the Information Regulator.

    • King IV6 does not carry the force of law for most organizations7 but is widely recognised as setting the ‘Gold Standard’ for governance in SA. For technology and information, it calls for the implementation of policies and processes to achieve certain outcomes,8 which can be delivered by a move to the Microsoft cloud. These include aspects such as:

      • Business resilience;
      • Monitoring and appropriate responses to developments in technology;
      • Proactive intelligence monitoring to identify and respond to incidents such as cyber-attacks;
      • Managing performance and risks of third party and outsourced service providers;
      • An information architecture to support confidentiality, integrity and availability; protection of privacy of personal information; and
      • Compliance with relevant laws.
    • The use of encryption technology, which forms a key part of Microsoft's cloud service offerings, is also regulated.9 To this end, Microsoft has obtained registrations required by law.10

    • The Cybercrimes and Cybersecurity Bill is likely to impact on the requirements of our customers. Microsoft is closely monitoring this development and has made submissions to Parliament on this important Bill.

  • This checklist provides a detailed look into the legal obligations that may affect your usage of Microsoft Cloud Services.

    Click here to download the checklist.

  • 1South African National Development Plan
    2Constitution of the Republic of South Africa Act 108 of 1996
    3National Integrated ICT Policy White Paper
    4Electronic Communications and Transactions Act 25 of 2005
    5Constitution of the Republic of South Africa Act 108 of 1996
    6King IV Report on Corporate Governance for South Africa 2016
    7Listed groups will be bound in terms of the listing requirements of the Johannesburg Stock Exchange
    8See Principle 12 of King IV
    9Under the Electronic Communications and Transactions Act 25 of 2002, and also the Regulation and Interception of Communications and Provision of Communication-related Information Act 70 of 2002
    10Under Chapter V of the Electronic Communications and Transactions Act 25 of 2002



We build our services from the ground up to help safeguard your data


Our policies and processes help keep your data private and in your control


We provide industry-verified conformity with global standards


We make our policies and practices clear and accessible to everyone


*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.