President Ferdinand R. Marcos Jr. has signed Executive Order (EO) No. 119, overhauling the country’s decades-old data classification rules to reinforce national data sovereignty, boost cybersecurity, and accelerate the secure digital transformation of the public sector.
Signed on July 13, EO 119 replaces the outdated guidelines set under Memorandum Circular (MC) No. 78 (s. 1964) and MC No. 196 (s. 1968). The new directive establishes a unified, risk-based framework governing data residency, cross-border transfers, and security controls across all government digital records.
“This Order shall cover all government data in digital or hybrid form, owned, processed, or controlled by national government agencies and instrumentalities, including government-owned or -controlled corporations, and state universities and colleges, insofar as it is consistent with existing laws, rules, and regulations,” President Marcos stated in the order.
“The Legislature, Judiciary, Constitutional Commissions, Office of the Ombudsman, and local government units are hereby encouraged to adopt the provisions of this Order.”
Under EO 119, government information is structured into two broad categories: Restricted Access Data (official matters requiring protection in the interest of national security) and Open Access Data (public information outside restricted tiers).
Within this framework, data will be categorized into four distinct security levels:
-
Top Secret: Critical national security data requiring the highest degree of protection.
-
Secret: Sensitive information where unauthorized disclosure would cause serious damage to national interests.
-
Confidential: Administrative or operational data requiring restricted access to prevent localized harm.
-
Restricted: Standard internal government operational files not intended for public distribution.
| Category | Coverage Status |
| Covered Entities | National Government Agencies (NGAs), Government-Owned or -Controlled Corporations (GOCCs), and State Universities and Colleges (SUCs). |
| Private Vendors & Contractors | Private entities processing or storing government data on behalf of agencies—including Public-Private Partnerships (PPPs), public utilities, critical infrastructure, and strategic projects—must comply. |
| Excluded Data | Commercial and private sector data owned strictly by private entities. |
| Optional Adoption | Local Government Units (LGUs), the Legislature, Judiciary, Constitutional Commissions, and the Office of the Ombudsman. |
To ensure accountability, the Executive Order establishes the Joint Oversight Committee for Data Classification (JOC-DC).
-
Annual Reporting: All covered agencies must submit an annual compliance report to the JOC-DC, which will consolidate and submit a comprehensive report directly to the President.
-
Phased Rollout: Covered entities have a three-year transition period from the order’s effectivity to achieve full compliance with the new standards.



