
The sovereignty question most organizations ask too late

Erling Hesselberg
Head of Multi-Vendor - Enterprise Software

Three years ago, digital sovereignty was a compliance topic. Today it sits at the intersection of cloud strategy, regulatory obligation, procurement access, and board-level risk. The organizations that filed it under 'future problem' are discovering it has become a present one.

  • Gartner [i] forecasts that by 2027, three in four organizations will have restructured their cloud and data strategies specifically in response to sovereignty risk.
  • IDC's 2025 Worldwide Digital Sovereignty Survey found that 40% of European organizations are already using sovereign cloud solutions, up from 30% the year before, with a further 31% planning adoption. Protection against extra-territorial data requests is now the top driver.

But the numbers are not the real issue. The deeper problem is structural. Many of the cloud decisions organizations now depend on – where data resides, how much operational control is retained – were made over the past decade in a very different environment. Sovereignty was not a primary consideration. The environment has now changed, and many of those decisions are harder to defend than they were.

The question is no longer whether to act on sovereignty. It is how to act proportionately, without disrupting operations or trading one form of lock-in for another.

Four pressures that have converged

Sovereignty pressure does not arrive from a single direction. Four forces have converged over the past two to three years, and understanding which applies most directly is the starting point for any credible response.

  1. Regulatory enforcement is accelerating

    Data localization requirements are expanding in scope across jurisdictions. For example, NIS2 and the EU Data Act are reshaping obligations across Europe, Australia's Security of Critical Infrastructure Act imposes new standards on operators of essential services, and the US CLOUD Act creates extraterritorial reach over data held by US-headquartered providers. Obligations that existed in principle but were rarely tested are now being enforced. Organizations operating across multiple jurisdictions face a genuinely fragmented landscape: the posture that satisfies one market may conflict with another's requirements. Treating compliance as a retrospective exercise is becoming an expensive habit.

  2. Concentration risk is under-quantified

    Most enterprise cloud infrastructure sits within a very small number of vendor relationships. This creates exposure to outages, unilateral policy changes, pricing leverage, and the application of extra-territorial legal frameworks to data that organizations believe is locally compliant. Most organizations have not formally quantified this. When they do, the picture is often more acute than expected.

  3. Sovereign cloud credentials are now a procurement condition

    Boards, regulators, and procurement bodies are asking specific questions about data location, access controls, and operational jurisdiction, and they expect evidenced answers, not assertions. In public-sector and regulated-industry tenders, sovereign cloud credentials are increasingly a baseline qualification rather than a differentiator. Organizations that cannot demonstrate a credible posture are being excluded from processes they would previously have been well-placed to fulfil.

  4. Sovereignty is not one problem

    The instinct when pressure becomes acute is to identify a sovereign cloud provider, migrate the relevant data, and treat the problem as solved. That approach is likely to result in complex, disruptive, and prolonged programs that carry significant business risk. This is why many early sovereignty programs have delivered less than expected. A more effective starting point is to review the organization's current sovereignty posture across all relevant dimensions, assess the actual risk profile, and design a proportionate response from there.

Three core principles

Sovereignty can be understood through three core principles, each addressing a different source of risk and control in cloud and digital operating models:

  • Data sovereignty ensures that information is subject to the legal and regulatory rules of its originating jurisdiction, regardless of where it is physically stored or processed. Data residency is often treated as the primary control, but on its own it does not address exposure to extraterritorial access or legal compulsion.

  • Operational sovereignty reflects the degree to which an organization has transparency into and control over how its services are operated. This includes governance of access, administrative control, personnel, and the extent to which the provider’s operations can be influenced by foreign jurisdictions or parent entities.

  • Technological sovereignty is the ability to assure continuity and maintain enforceable rights to technological autonomy over time. This includes the practical ability to audit, substitute, or exit critical technologies if circumstances demand it, whether due to regulatory change, sanctions, or provider disruption. Software architecture, licensing models, portability, and control over higher-order capabilities such as AI models and training data increasingly sit within this dimension.

For organizations operating across multiple jurisdictions, these principles rarely align uniformly. Each country may impose materially different expectations across data, operations, and technology. Accurately mapping those differences before designing a sovereignty strategy is critical. Without that foundation, programs risk becoming either disproportionately costly relative to actual exposure, or misaligned with the obligations that truly matter.

What the programs that deliver have in common

Across the sovereignty initiatives with lasting impact, three characteristics consistently emerge.

  1. Design for adaptability, not for point-in-time compliance. With dependencies and regulations changing at speed, resilience now depends on the practical ability to exit, substitute, or replace components – rather than narrowly satisfying today’s requirements. A program with no room to evolve will need rebuilding within three to five years. Vendor lock-in is not only a commercial concern; it is a sovereignty risk in itself.
  2. Invest in the services layer as seriously as the infrastructure layer. Infrastructure decisions are visible and discrete. By contrast, assessment, migration, managed operations, security, and ongoing compliance are where most of the long-term value is created, but they are also where sovereignty programs most often break down when the services engagement is underinvested.
  3. Treat sovereign capability as a strategic asset, not only a compliance burden.
    A well-understood and well-articulated sovereign posture can be a meaningful competitive advantage. Organizations that can clearly demonstrate how they manage data residency, access control, and operational independence are better positioned wherever trust, transparency, and control matter to customers, partners, or regulators. In an environment where data governance increasingly influences decision-making, sovereignty is not just about reducing risk – it is about differentiation, confidence and reputation management.

AI sovereignty

AI governance requirements are evolving faster than most other areas of sovereignty regulation. As AI embeds into customer-facing processes and core infrastructure, the origin, control, and auditability of models are attracting serious regulatory attention.

Organizations that have not treated AI sovereignty as a distinct dimension of their cloud strategy are likely to find it forced onto the agenda within the next two to three years. Nor is it to be dealt with as a one-off exercise. Indeed, Gartner [i] recommends that: “Enterprises should treat sovereign AI initiatives as a recurring strategic input, rather than a disruptive, one-off event.”

Where to start

The most common reason organizations delay is the perception that the problem is too large to scope confidently. That perception is self-defeating. Delay accumulates exposure. The regulatory environment is not going to simplify.

The practical entry point is a Sovereignty Assessment: a structured engagement that maps obligations across operating jurisdictions, identifies workloads requiring sovereign treatment, evaluates compliance gaps, and produces a prioritized roadmap specific to the organization's footprint, not a generic framework.

[i] Gartner Sovereign AI Series: Define Enterprise Operating Model to Grasp the Sovereign AI Opportunity. Published 11 March 2026. By Priya Sundararaman, Lydia Clougherty Jones.

[ii] Ibid.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
