Principles of ASEAN Framework on Cross-border Cloud Computing

Principles of ASEAN Framework on Cross-border Cloud Computing

Asian Business Law Institute (September 2025)

Please contact abli_info@abli.asia for queries relating to these publications. 

This is the last deliverable under the ASEAN Framework on Cross-border Cloud Computing project (Project) ABLI was commissioned to undertake. The Project was proposed by Malaysia and approved by ASEAN. The implementing agency is Malaysia Digital Economy Corporation, a government agency under the purview of Malaysia’s Ministry of Digital.

All deliverables of the Project have been endorsed at the 6th ASEAN Digital Ministers Meeting held in Hanoi, Vietnam from 15 to 16 January 2026.

The ASEAN Framework on Cross-border Cloud Computing (ASEAN Cloud Computing Framework or Framework) targets two key pillars of legal and regulatory governance for cloud computing, i.e., cross-border data flow and protection of exported data. It begins with six General Principles that signal ASEAN-wide commitments to advancing cloud development and adoption in a trusted and secure manner.

To operationalize these high-level commitments, the Framework introduces a policy innovation called Trusted Data Corridor (TDC) where participating AMSs agree to adopt special rules within designated areas in place of their ordinary national regulations. In a TDC, data can flow freely between designated data centres as long as:

• the data protection standards of the participating AMSs are comparable to each other and in line with international standards; and
• the powers of the public authorities of the participating AMSs to access private sector entity data are aligned with international standards.

These features of a TDC are embodied in four Specific Principles, which are accompanied by step-by-step guidance on implementation, such as guidance on conducting a mapping exercise by AMSs to benchmark their applicable laws and regulations against neutral international and/or regional principles, standards and practices.

This tiering structure is an innovation by the Framework in recognition of the diverse national conditions of AMSs and is aimed at encouraging adoption by AMSs. An accompanying Addendum explores how the Framework can be applied to finance and health, two critical regulated industries where requirements on data protection and storage are particularly stringent.

Table of Content

Executive Summary 5

Acknowledgment 6

Summary of Principles of the Framework 7

Background and overview 10

Data, data centre and the digital economy 10

Cloud computing as a key enabler of the digital economy 10

ASEAN Framework on Cross-border Cloud Computing 12

Introduction 15

Two key pillars of legal and regulatory governance for cloud computing 15

Cross-border flow of data 15

Protection of exported data 16

Objectives of the ASEAN Cloud Computing Framework 17

Development of the ASEAN Cloud Computing Framework 18

Structure of the ASEAN Cloud Computing Framework 18

Scope of application of the ASEAN Cloud Computing Framework 19

General Principles 21

General Principle 1 23

General Principle 2 24

General Principle 3 24

General Principle 4 25

General Principle 5 27

General Principle 6 28

Trusted Data Corridor and Specific Principles 31

TDC overview 31

TDC archetypes 31

Specific Principles 32

Specific Principle 1 34

Specific Principle 2 35

Specific Principle 3 35

Specific Principle 4 37

TDC advantages 37

How to set up a TDC in ASEAN 39

Conclusion 42

References 43

Primary sources 43

Secondary sources 44

Annexure: Suggested key contents of an Agreement between AMS A and AMS B on the Establishment of a Trusted Data Corridor 46

Addendum: Application of the ASEAN Cloud Computing Framework to financial and health industries 51

Special circumstances of financial and health industries 51

Application of the ASEAN Cloud Computing Framework to financial and health industries 52

Location of computing facilities and data localisation 52

Public authority access to private sector entity data 53