Asian Business Law Institute

September 2025

This is the last deliverable under the ASEAN Framework on Cross-border Cloud Computing project (Project) ABLI was commissioned to undertake. The Project was proposed by Malaysia and approved by ASEAN. The implementing agency is Malaysia Digital Economy Corporation, a government agency under the purview of Malaysia’s Ministry of Digital.

All deliverables of the Project have been endorsed at the 6th ASEAN Digital Ministers Meeting held in Hanoi, Vietnam from 15 to 16 January 2026.

The ASEAN Framework on Cross-border Cloud Computing (ASEAN Cloud Computing Framework or Framework) targets two key pillars of legal and regulatory governance for cloud computing, i.e., cross-border data flow and protection of exported data. It begins with six General Principles that signal ASEAN-wide commitments to advancing cloud development and adoption in a trusted and secure manner.

To operationalize these high-level commitments, the Framework introduces a policy innovation called Trusted Data Corridor (TDC) where participating AMSs agree to adopt special rules within designated areas in place of their ordinary national regulations. In a TDC, data can flow freely between designated data centres as long as:

• the data protection standards of the participating AMSs are comparable to each other and in line with international standards; and
• the powers of the public authorities of the participating AMSs to access private sector entity data are aligned with international standards.

These features of a TDC are embodied in four Specific Principles, which are accompanied by step-by-step guidance on implementation, such as guidance on conducting a mapping exercise by AMSs to benchmark their applicable laws and regulations against neutral international and/or regional principles, standards and practices.

This tiering structure is an innovation by the Framework in recognition of the diverse national conditions of AMSs and is aimed at encouraging adoption by AMSs.

An accompanying Addendum explores how the Framework can be applied to finance and health, two critical regulated industries where requirements on data protection and storage are particularly stringent.