© Forus

(c)Joshua Sortino

2026-03-03

The Legislative Surge and Its Limits

The pace of African data legislation is, by any measure, remarkable. As of early 2026, more than 40 countries across the continent have enacted data protection laws — representing approximately 80 percent of African Union member states. Thirty-eight have operational data protection authorities. The number of countries with dedicated legislation has grown from 36 in 2023–2024 to more than 40 in 2025, with further adoptions projected before the end of 2026.

The character of enforcement has also changed. Regulators across the continent have moved beyond awareness campaigns toward active adjudication — levying fines, securing convictions, and issuing binding orders. The grace period that characterised the first generation of African data protection is, by most accounts, over. Nigeria, Angola, and Morocco are racing to enact dedicated artificial intelligence legislation, shifting from voluntary ethical guidelines toward statutory compliance requirements.

For national NGOs (NNGOs) and civil society organisations (CSOs), however, the regulatory shift has created both opportunity and uncertainty. Anecdotal evidence suggests that many CSOs remain only partially aware of the operational impact of Nigeria’s Data Protection Regulation (NDPR) or the European Union’s GDPR on their work. In practice, nonprofits were not the primary targets of regulators such as NITDA or EU supervisory authorities during the early years of enforcement. It has taken time for the NDPR, issued in 2019, to establish the regulatory mechanisms necessary for consistent implementation.

As Oyebisi Oluseyi, Executive Director of the Nigeria Network of NGOs (NNNGO), observes:

“Aside from the private sector, which seems to be catching up fast around data protection regulation, the public and civil society sector is slow to adapt to the shifting regulatory conditions now in place. Across Africa, the EUDPR is shaping how nonprofits process and use data. While nonprofits are not the focus of many data protection regulations, some African countries like Ghana, Kenya, Rwanda, Nigeria and South Africa have clear regulatory clauses on the use of nonprofit data.”

The Nigerian Cybercrime (Prohibition, Prevention, etc.) Act 2015 remains another area of concern for NNGOs and CSOs. Sections 24 and 38 have been widely criticised by civil society actors. Section 24, relating to cyberstalking, has been repeatedly cited in cases involving journalists and government critics. Section 38, outlining service provider duties regarding data retention, contains provisions that critics argue are vague and potentially unconstitutional. Civil society groups have approached the Supreme Court seeking judicial review of these sections due to concerns about their constitutionality and impact on civic space.

These tensions illustrate a broader point: Africa’s digital sovereignty debate is not only about infrastructure or foreign cloud providers. It is also about civic oversight, constitutional safeguards, and the ability of domestic institutions — including NNGOs — to shape how digital power is exercised.

As Oluseyi further argues:

“As AI pushes further the need for data protection, civil society across Africa must actively engage the conversation from the lens of ease of regulatory compliance and protection of civic space. The focus of any data regulation for the nonprofit sector must be to cultivate public trust, inspire collaboration and not to overregulate.”

Yet the most consequential question about African data — where it physically resides — remains largely unchanged.

AI development requires vast computational resources, and Africa currently holds under 1 percent of global data centre capacity. Without access to large-scale infrastructure, researchers, startups, public institutions, and local civil society organisations face structural barriers to building, auditing, and deploying advanced AI systems at scale.

The issue is not only international but also regional. Microsoft’s South African cloud regions serve customers across Southern Africa, raising complex policy questions about whether neighbouring countries can permit their citizens’ data to be stored beyond their borders while still upholding domestic data protection laws.

The International Finance Corporation and GSMA estimate that the majority of data generated in Africa continues to be stored outside the continent, predominantly in European and North American data centres. The legal claim of sovereignty is therefore being asserted over data that physically exits that sovereignty at the point of storage.

In response, African governments have consistently urged global cloud providers such as Microsoft to invest in local data centres. By mid-2025, the continent hosted approximately 223 facilities across 38 countries — less than 0.02 percent of the global total of more than 11,800.

What 5.5 Megawatts Actually Means

To understand the infrastructure gap, it helps to understand the numbers.

Africa currently has an estimated 220–230 data centre facilities distributed across 38 countries. The market is projected to grow to $9.2 billion by 2029. Capacity, however, is concentrated in a handful of hubs: South Africa, Egypt, Kenya, and Nigeria. Most African countries rely entirely on offshore hosting.

Nigeria — the continent’s largest economy, with a fintech sector processing billions of dollars in daily transactions — has approximately 17 operational data centres. None currently exceeds 20 megawatts of capacity. Kasi Cloud’s Lekki facility, when complete, will be the first in the country to cross the hyperscale threshold. Its initial phase, expected in April 2026, will provide 5.5 megawatts.

For context, hyperscale AI campuses capable of training or serving large AI models typically target 50–100 megawatts or more of installed capacity. Dense GPU racks used for AI inference can draw between 50 and 150 kilowatts each. The power demands of current AI workloads are transformative — requiring infrastructure investment measured in hundreds of millions of dollars and years of construction.

Kasi Cloud’s facility represents genuine progress. It broke ground with $250 million in committed investment and targets 100 megawatts at full completion. It signals that private capital is beginning to take African digital infrastructure seriously. But between groundbreaking and a functioning hyperscale campus lies not only construction time, but the deeper challenge of reliable power supply. Nigeria’s national grid cannot currently support hyperscale operations at scale. Any facility targeting 100 megawatts will likely need to generate most of its own power.

Community Data Governance in an Infrastructure Vacuum

The civil society and NNGO models explored in the first article of this series — community data cooperatives, consent-at-scale mechanisms, benefit-sharing frameworks, and data trust models — represent innovative governance responses. They treat data as a collective resource requiring shared oversight rather than as a purely individual commodity.

Yet these models operate within physical constraints. A community data cooperative negotiating revenue sharing or accountability terms is often negotiating over data processed and stored in infrastructure that remains foreign-owned and foreign-located.

This does not invalidate community governance. Governance frameworks shift negotiating power and establish rights even when infrastructure is external. But both national and community data sovereignty remain provisional until physical infrastructure exists to support them.

For NNGOs, this reality has strategic implications. Advocacy around digital rights must increasingly include infrastructure literacy — understanding power generation, fibre routes, cloud architecture, and capital flows — not just legal reform.

This article is written as part of the Forus journalism fellowship programme.