Why are enterprises shifting to sovereign clouds?
Gartner defines sovereign cloud as the “provision of cloud services within a jurisdiction meeting data residency requirements and operational autonomy.” According to the firm, this locally hosted infrastructure is intended to ensure that data, infrastructure, and operations are “free from control” and protected from the “influence and access” of external jurisdictions and foreign governments.
Increased geopolitical volatility, government-imposed restrictions, widely varying legislation, economic sanctions, and a broader risk identified by some as the “weaponization of IT” are pushing more organizations to seek sovereign alternatives to public and private cloud deployments, analysts note. Sovereign provides more control over enterprise data and technologies, as well as stricter requirements around data residency.
“Sovereign deployments boost infrastructure resilience to geopolitical instability and grant an enhanced level of continuity to enterprises whose business is more dependent on a well-functioning IT,” said Dario Maisto, Forrester senior analyst.
Sovereign-first is also an attractive option when enterprises have a regulatory obligation (or anticipate one), or when they rely on a third-party company for infrastructure or software that doesn’t align with their risk tolerance, said Jeremy Roberts, senior director for research and content at Info-Tech Research Group.
“Sovereignty means owning the important decisions around your software and infrastructure,” Roberts said.
Many enterprises are now finding themselves in situations where cloud services offered by major international companies are “no longer politically tenable,” he said. For instance, countries like France and Germany are moving away from big US tech companies as trade tensions ratchet up. Even though politics isn’t a direct concern, sovereign implementations can be appealing when companies like AWS and Microsoft have massive outages that impede the capability for their customers to do business.
“Sometimes enterprises can’t trust their providers to meet a service level for a critical system, or they think they could do it better,” said Roberts.
There’s also the question of data. “Many enterprises have large troves of valuable data, and third parties are a risk vector that might not be suitable for their tolerance,” he said.
The sovereign stack and 3 key pillars
Sovereignty isn’t just about where the server sits, however, but who has legal control over the data and silicon.
There are three widely accepted pillars of true digital sovereignty:
- Data sovereignty: Control over data location and access. Enterprises know where data resides and dictate who has access to it based on local privacy regulations and geographic boundaries. AI sovereignty is a natural extension of this as it becomes a mission-critical technology.
- Operational sovereignty: Visibility into and control over provider operations. Enterprises understand where data and mission-critical workloads are being processed. Technology management and operation are independent of interference and cannot be accessed by third parties or foreign governments.
- Technical sovereignty: Autonomy and continuity can avoid vendor lock-in. The tech stack (infrastructure, apps, AI models) operates independently, data is portable, and enterprises can operate their infrastructure even when cloud providers experience disruptions. Technical sovereignty now extends down to the chip level, as nations invest in local semiconductor pipelines to ensure the ‘silicon’ under the data isn’t subject to foreign supply chain sanctions.
However, there is “no ‘one-size-fits-all’ or ‘sovereign-by-design,’” according to Gartner. “Sovereignty is a spectrum that typically involves trade-offs in cost, scalability, data survivability and functional depth,” the firm notes.
“Particularly in a world of public clouds, every organization needs to be in control to be able to address their own risk management, compliance policies, culture, or business strategy and to address multiple regulatory requirements,” said Gartner analyst Rene Buest.
Challenges with cloud sovereignty
But like other cloud environments, sovereign cloud brings its own challenges, notably when it comes to cost, infrastructure complexities, lack of expertise, and a globally accepted definition of sovereignty.
“Globally connected cloud infrastructure is a major obstacle to data sovereignty as it is difficult to disentangle where data flows,” noted Gartner’s Buest.
Different types of data stored in the cloud have different requirements, she explained. Data incorporated into and used by AI models may also be governed under different data protection policies.
Additionally, public cloud providers are legally bound to their home country and must comply with its policies and laws, Buest said. For instance, the US Cloud Act, enacted in 2018, supports cross-border investigations and requires US-based tech companies to disclose electronic communications and data, regardless of where that is stored (in the US or elsewhere).
Buest pointed out that major cloud providers are making promises and pledges to ensure sovereignty, but some of those commitments have already been broken. For instance, Microsoft admitted to both Scottish police and the French Senate that it could not guarantee data would remain in their countries.
Encryption is often suggested as a way to address data sovereignty because the customer holds the key to protect data in motion, in use, and at rest. However, Buest noted, most regulators have not explicitly approved the use of encryption or other security measures or deemed them sufficient for compliance.
There may soon be a development here, however. In fall 2025, the European Commission released The Cloud Sovereignty Framework (CSF), a mandatory reference document for procuring cloud services in the EU. The goal is to ensure that cloud services used in the EU are under European control and shielded from other countries’ laws (such as the US Cloud Act). The Commission is defining a set of ‘sovereignty objectives’ to clearly define what sovereignty means, Buest said.
This framework has the potential to serve as an “official blueprint and guideline” for government bodies and decision-makers in enterprises beyond Europe, she noted.
Forrester’s Maisto agreed that, as of yet, there is no GDPR for sovereignty and “no legislation whatsoever in the world tells us what sovereignty is and isn’t.”
Overall, he described a “fundamental trade-off” between sovereignty and functionality: Where one increases, the other decreases, and vice-versa. For instance, sovereign private clouds and air-gapped solutions are “not vaguely on par” with their public cloud twin offerings.
For instance, a sovereign cloud might offer basic object storage and compute, but lack advanced serverless functions or proprietary AI-orchestration tools found in a global AWS or Azure region.
Further, enterprises often don’t take into account that the infrastructure layer is just one component of a digital sovereignty strategy, Maisto emphasized. SaaS tools represent a parallel risk, and organizations cannot just assume they will improve their digital sovereignty posture if they make non-sovereign SaaS run on sovereign clouds.
Enterprises will also likely face talent shortages when operations must be in-country but the skills may not be there, he noted.