Must I store my data locally? The free flow of non-personal data
No, a government may in principle not require you to store your non-personal data in a specific member state. Regulation (EU) 2018/1807 prohibits unjustified data localisation requirements within the EU.
Short answer: No, in principle not. Regulation (EU) 2018/1807 prohibits governments within the EU from requiring you to store or process your non-personal data in a specific member state. You may therefore host your systems and data freely anywhere in the EU, except in exceptional cases of public security.
What the prohibition covers
The regulation governs the free flow of non-personal data within the EU. Data localisation requirements, meaning rules that prescribe that data must remain on the territory of a particular member state, are prohibited.
- Who is bound: the prohibition is directed at governments and public bodies of member states, not at private parties dealing with each other.
- The only exception: a localisation requirement is allowed only if it is justified on grounds of public security and is proportionate.
- Non-personal data: think of machine data, sensor data, anonymised data, freight information and business data that cannot be traced back to a natural person.
Free choice and cloud portability
Besides prohibiting localisation requirements, the regulation promotes the free choice of storage and processing location. It also encourages switching between providers through self-regulatory codes of conduct for data portability, so that you are not unnecessarily locked in to a single vendor.
Mixed datasets and the GDPR
In practice, datasets often contain both personal and non-personal data. In that case:
- Non-personal part: falls under Regulation 2018/1807 and the free flow rules.
- Personal part: remains fully subject to the GDPR. The requirements for transfer and protection of personal data do not change.
- If the two are inextricably linked, the GDPR applies to the whole dataset.
What this means for logistics
You may host your transport and logistics systems, planning data, track-and-trace and operational business data freely within the EU without being forced to use a Dutch or other national storage location. Note, however, that on top of this regulation the Data Act rules apply to switching between cloud services (cloud switching). Keep this in mind in contracts with your cloud provider.
Sources
- Regulation (EU) 2018/1807: free flow of non-personal data. https://eur-lex.europa.eu/eli/reg/2018/1807/oj