In the CSIR's sprawling campus in Pretoria, tucked behind a security gate that looks like it was designed in 1987 and has not been significantly updated since, there is a server room that the organisation's chief information officer will not allow to be photographed. It is not classified in any formal sense. The equipment inside is not unusual. The reason for the restriction is simpler: it is the demonstration node for a national cloud infrastructure project that, if it reaches full deployment, will change where the South African government, its banks, and its intelligence services store their data. Currently, the answer to that question — where does South Africa's most sensitive information live — is mostly abroad.
The project is called SANCLOUD, and it was formally announced in October 2025 by a consortium that includes the CSIR, Nedbank, Standard Bank, MTN, Vodacom, and three mid-sized local technology companies. Its stated goal is to provision sovereign, locally operated cloud infrastructure capable of hosting national-critical data by the end of 2027. The impetus is a confluence of pressures building since at least 2021: the Protection of Personal Information Act's data-residency provisions, increasingly awkward conversations between SARS and foreign cloud providers around audit access, and a growing diplomatic discomfort with the fact that significant volumes of state communications pass through data centres in jurisdictions with their own active intelligence interests.
Dr Lungelo Mthembu, SANCLOUD's project director and a former senior technologist at Amazon Web Services' Cape Town office, describes the challenge with the flat frankness of someone who has spent time on both sides of the equation. "We are not building South Africa's answer to AWS," he says from his Pretoria office, a whiteboard dense with architecture diagrams behind him. "We are building a floor — a minimum viable sovereign infrastructure that ensures the most sensitive categories of data cannot leave the country by default. If you want to run your recommendations algorithm on US servers, fine. If you're running the SAPS biometric database, it should be in Pretoria or Cape Town. Not Dublin."
If you're running the SAPS biometric database, it should be in Pretoria or Cape Town. Not Dublin.
The technical and financial challenge is formidable. Building hyperscale-grade cloud infrastructure from scratch requires capital expenditure in the range of R15 to R20 billion over the project's first phase, according to a feasibility document reviewed by Kopje. The consortium is structured to distribute that outlay: the state contributes through the CSIR and the Department of Communications and Digital Technologies, while private sector partners contribute both capital and operational expertise. The foreign direct investment component remains unresolved, with disagreements over how much of the project's ownership can be ceded to foreign capital while retaining the sovereign designation.
The geopolitical context sharpens the urgency. The American CLOUD Act grants US law enforcement access to data held by US-headquartered cloud companies regardless of where those servers physically sit — a provision South African legal experts have long flagged as incompatible with POPIA's intent, if not its technical letter. The EU's move toward its own sovereign cloud frameworks under GAIA-X has provided both a template and diplomatic cover for South Africa's approach. Within the African context, Rwanda and Kenya are both further advanced in their own data-residency infrastructure programmes — a fact that several members of the SANCLOUD consortium mention, with varying degrees of urgency, when discussing timelines.
The CSIR server room, for all its unglamorous hardware and its 1987 security gate, is doing something more consequential than it looks. It is asking, in technical terms, a question South Africa has avoided in political terms for the better part of a decade: on whose terms does a post-colonial state manage its own data infrastructure? The answer the SANCLOUD consortium is proposing is imperfect, commercially complicated, and at least two years from full realisation. It is also, in the current geopolitical climate — where data has become one of the primary instruments of statecraft — arguably the most important infrastructure project in the country. The servers are modest. The stakes are not.
