19.11.2025

Cloud Sovereignty: A Critical Pillar for Modern Multinational Enterprises (Part 3)

In the first part of this series, we defined IT sovereignty as the ability to control your digital assets under jurisdictions and protections you choose. The second part took the discussion down to the foundations: infrastructure—data centers, servers, and operational processes that may look like commoditized utilities, yet play a central role in the sovereignty debate. This third part turns to one of the most strategically significant layers of all: the cloud.

For many years, cloud adoption has been synonymous with agility, scale, and innovation. Yet as digital ecosystems become deeply intertwined with geopolitics and regulation, one question has risen from the background to the boardroom: How sovereign is your cloud?

Cloud sovereignty is no longer a theoretical concept reserved for the public sector. It has become a strategic imperative for multinational enterprises that operate in complex jurisdictions, manage sensitive data, and depend heavily on global cloud providers. At stake is nothing less than operational continuity, legal compliance, and long-term freedom of choice.

So, what does cloud sovereignty really mean—and why does it matter now?

Cloud Sovereignty Defined

Cloud sovereignty refers to an organization’s ability to store, process, and manage data under the legal, operational, and security conditions of its choosing, without unwanted foreign access or influence. It ensures that:

• Data location is controlled and transparent
  
• Administrative access is restricted to trusted, locally governed personnel
  
• Data is protected with strong encryption and customer-managed keys
  
• Cloud operations comply with applicable local and regional regulations
  
• Critical workloads remain resilient even under geopolitical pressure
  
• In short: enterprises want to harness modern cloud technologies without relinquishing control over their most valuable digital assets.

The Rise of Cloud Sovereignty as a Board-Level Issue

1. Geopolitical realities are reshaping digital risk

In Europe and many other regions, cloud infrastructure is dominated by non-domestic providers. U.S. hyperscalers hold an estimated 70-80% share of the European cloud market, a level of concentration that creates both strategic and jurisdictional exposure.

This matters because certain foreign laws—most notably the U.S. CLOUD Act—allow authorities to compel U.S.-based cloud providers to hand over data they control, even if the data is stored in another country. For multinational enterprises, this introduces a sovereign risk that cannot be ignored.

2. Compliance pressure is intensifying

Regulations such as GDPR, NIS2, sector-specific rules, and the upcoming EU AI Act impose strict requirements on how and where sensitive data must be processed. For many organizations, cloud sovereignty has shifted from a theoretical discussion to a regulatory necessity.

3. AI is amplifying dependency

AI workloads require substantial computing power—capacity largely provided today by a small number of global cloud operators. As AI becomes central to competitive differentiation, companies increasingly recognize the need to govern where training data resides, how models are hosted, and who can access derived insights.

The Risks of Non-Sovereign Cloud Models

Multinational enterprises face several risks when relying fully on foreign-operated cloud services:

Jurisdictional Exposure

If a cloud provider is headquartered in, or legally controlled from, another country, that country’s authorities may impose lawful access demands—even for data stored elsewhere.

Operational Dependency

An outage, policy shift, legal dispute, sanctions event, or security incident involving a foreign hyperscaler can impact business continuity across all regions simultaneously.

Data Confidentiality Concerns

Cloud operators typically maintain privileged administrative access for operations and maintenance. Without strong technical and contractual safeguards, this creates a vulnerability for sensitive workloads.

AI and Data Leakage Risks

Routing sensitive or proprietary data to foreign-hosted AI services can create compliance issues and risk unintended retention or exposure of training or inference data.

Strategies to Achieve Cloud Sovereignty

Modern cloud strategies allow organizations to balance innovation with sovereignty.

1. Sovereign or locally operated cloud environments

These environments ensure:

• Clear data residency within a chosen jurisdiction
  
• Local administrative and operational control
  
• Protection from non-trusted foreign legal influence
  
• They are often backed by national certification schemes (e.g., EU or country-specific sovereignty standards) that formally guarantee compliance and independence.

2. Hybrid and multi-cloud architectures

A pragmatic approach in which organizations combine:

• Sovereign clouds for sensitive and regulated workloads
  
• Global public clouds for scalable, less sensitive workloads
  
• This diversifies risk, prevents lock-in, and preserves access to global innovation where sovereignty is not a primary concern.

3. Strong encryption and customer-managed keys

Client-side encryption and external key management ensure:

• Providers only ever hold encrypted data
  
• Decryption keys remain exclusively under the customer’s jurisdictional control
  
• Legal orders to cloud providers cannot grant access to readable data
  
• This is one of the most effective and regulator-aligned technical measures for sovereignty.

4. Confidential computing

Trusted execution environments keep data protected while in use, reducing exposure when workloads run on infrastructure operated by external or foreign entities.

5. Federated and regionalized AI

Many multinational enterprises are adopting:

• Local AI training and inference for sensitive data
  
• Federated learning, which enables model training without moving raw data across borders
  
• Open-source or self-hosted AI models to ensure full control over data and model behavior
  
• These approaches reduce reliance on foreign-hosted AI platforms while preserving the benefits of advanced analytics.
  

When Is Cloud Sovereignty Critical—And When Is It Optional?

Cloud sovereignty is critical when:

• Processing regulated, proprietary, or highly sensitive data
  
• Supporting national infrastructure or essential services
  
• Managing strategic AI models or decision-making systems
  
• Business continuity must be ensured regardless of geopolitical events
  

Cloud sovereignty is optional or less stringent when:

• Operating public, low-risk, or anonymized workloads
  
• Handling high-volume compute tasks with no sensitive data
  
• Running development, test, or non-critical applications
  
• Leveraging globally distributed services where sovereignty risk is low
  
• The most effective enterprises take a workload classification approach, applying sovereignty controls proportionally to business and regulatory risk.
  

Acceptable Foreign Dependencies: A Pragmatic Balance

Enterprises do not need an entirely domestic technology stack to remain sovereign. In practice:

• Foreign hyperscalers remain valuable for non-sensitive workloads or elastic compute
  
• Sovereign clouds can be built on foreign hardware or software as long as operational control, keys, and governance remain local
  
• Open-source or pre-trained models developed abroad can be deployed under local governance with no sovereignty risk
  
• Multi-cloud strategies reduce lock-in and single-country dependency in a realistic, sustainable way
  
• Sovereignty is not about closing doors—it is about ensuring you have the freedom to choose without hidden constraints.
  

Conclusion: Cloud Sovereignty as a Catalyst for Trust and Innovation

The cloud remains the backbone of global digital transformation. Yet the conditions for operating internationally have changed: regulatory scrutiny, geopolitical complexity, and the rapid growth of AI require a new level of strategic control.

Cloud sovereignty enables enterprises to:

• Comply with regional and sector-specific regulations
  
• Protect their highest-value digital assets
  
• Reduce jurisdictional and vendor risk
  
• Innovate confidently with modern cloud and AI technologies
  
• Far from limiting what organizations can do, sovereignty provides the trust foundation that enables secure, responsible, and scalable digital innovation.
  

What comes next?

In the fourth part of this series, we will explore AI sovereignty — how organizations can harness advanced intelligence while retaining full control over their data, models and decision-making.