Over the last decade, questions about where data is stored and which country’s laws govern it, better known as data sovereignty, have shifted from a niche compliance consideration to a major political and business priority.
From a European perspective, the introduction of GDPR in 2018 was a significant catalyst for change, placing strict legal requirements on where data is stored, who controls it and how it can be transferred outside the European Union. Just prior to that, the U.S. CLOUD Act heightened concerns by allowing U.S. authorities to request data from American cloud providers, even if that data is stored in Europe. This triggered widespread debate about foreign jurisdiction over EU-based data.
Fast forward to today, and a climate of geopolitical tension has brought more urgency to the issue. The pace of change is accelerating: November’s Gaia-X Summit, which serves as Europe’s forum for digital and data sovereignty, announced the formal release of the Gaia-X Trust Framework, which defines how data can be shared, stored, and governed in a sovereign, interoperable, and audit-ready way.
This is significant because, for the first time, Europe now has a concrete, operational mechanism to enforce digital and data sovereignty. As a result, any organization operating across borders should now reassess its data location and ensure its hosting arrangements align with these emerging sovereignty requirements.
In practical terms, however, who should be taking notice? A common misconception is that data sovereignty is only relevant to large multinational enterprises. In reality, SMBs also face significant challenges, even though they often lack the legal or compliance resources available to bigger organizations.
For instance, smaller businesses typically rely heavily on third-party cloud providers and may not have full visibility into where customer data is stored. Equally, many lack the internal expertise to navigate cross-border data-hosting legislation. This means that even basic questions, such as ‘where is our customer data actually held, and under whose jurisdiction?’ cannot be easily answered. Organizations in this position need to put their data sovereignty exposure under the microscope and, if necessary, move assets closer to home.
On a broader level, many European organizations are questioning the risks of storing data in the American cloud on servers owned by U.S. hyperscalers. The fundamental concern is that data stored with U.S. providers is governed by U.S. law, which, as far as the EU is concerned, is foreign jurisdiction.
The obvious alternative is to evaluate data storage options within the European region, which offers the basis for stronger governance and more predictable oversight now and in the future.
A sovereign European cloud takes shape
That process is already underway, with Europe now investing heavily in its own sovereign cloud capabilities. For instance, the EU’s Important Project of Common European Interest on Cloud Infrastructure and Services (IPCEI-CIS) represents a major step in building a sovereign European cloud campus.
The initiative is designed to protect sensitive data, support compliance with EU regulations and ensure Europe’s digital infrastructure is no longer dependent on U.S. cloud providers. Its focus is on creating cloud services that are governed entirely by Europe’s legal and regulatory frameworks, including GDPR.
Major multinational cloud providers such as AWS and Azure are paying close attention to this trend, as sovereign European cloud options become more attractive to organizations seeking certainty and control. This has led to a slew of investment announcements as U.S. hyperscalers look to establish EU-based infrastructure and ease concerns from regulators and customers alike. Whether this will fully address concerns about foreign jurisdiction, however, remains open to question.
At the same time, specialist European cloud providers already investing in regional sovereignty stand to play a significant role as adoption increases, particularly as they can offer locally governed data centers, GDPR-aligned operations and support models that avoid the cross-border data exposure associated with ‘follow-the-sun’ service teams.
But what are the practicalities of data repatriation? Clearly, once an organization decides to move data back under local governance, it needs a partner capable of guiding that process. That choice should be based on demonstrable expertise and recognized certifications, such as ISO/IEC 27001, which are essential for supporting restructuring and migration.
Providers must give clear, precise answers about data residency; vague claims such as “following best practice” are no longer sufficient. Instead, a credible provider should be able to confirm exactly which country, and ideally which data center, data is stored in. The best solutions will also offer end-to-end encryption, zero-trust architecture and sovereign security controls to minimize exposure to external threats.
Looking ahead, the direction of travel is increasingly clear. According to a recent report published by Gartner, “by 2030, more than 75% of all enterprises outside of the U.S. will have a digital sovereignty strategy”. As the report points out, CIOs and IT leaders must create and protect their organization’s digital sovereignty; no one else will do it for them.
By Terry Storrar, managing director UK, Leaseweb