Glossary · Strategic Concept Data Sovereignty
The principle that digital data is subject to the laws of the country where it is collected, stored, or processed.
## What data sovereignty actually means
Data sovereignty is the principle that digital data is subject to the laws of the country where it is collected, stored, or processed. The concept seems simple but has become operationally complex in a world of multinational cloud providers and cross-border data flows.
Data sovereignty operates on three levels:
**1. Where the data is physically stored** — the location of the servers, data centres, and backup infrastructure.
**2. Who controls access to the data** — the legal entity that operates the storage infrastructure and the laws that apply to that entity.
**3. Who can compel disclosure** — the legal mechanisms (warrants, subpoenas, intelligence orders) that can force disclosure of the data.
The naive understanding focuses only on level 1. The legally accurate understanding requires all three.
## Why physical location alone is insufficient
The example that makes this concrete: a European customer's data stored on Microsoft Azure servers in Ireland.
- **Level 1 (physical)**: data is in Ireland, an EU member state
- **Level 2 (control)**: data is controlled by Microsoft Ireland Limited, but Microsoft Corporation (US parent) has corporate control over the Irish subsidiary
- **Level 3 (compulsion)**: under the CLOUD Act, US authorities can compel Microsoft Corporation to produce the data, regardless of where it's physically stored
The data is in Ireland. EU data sovereignty is technically violated. US authorities can access it.
This is why "EU data residency" claims from US providers don't fully address data sovereignty concerns. Physical residency without legal residency creates the appearance of sovereignty without the substance.
## The three meaningful sovereignty conditions
For genuine data sovereignty, three conditions need to be met:
1. **Physical residency**: data stored on infrastructure in the target jurisdiction
2. **Legal control**: the entity operating the infrastructure is incorporated in the target jurisdiction (or in jurisdictions with equivalent legal protections)
3. **No external compulsion**: the operating entity cannot be compelled by external jurisdictions to disclose the data
EU-headquartered providers (Hetzner, Scaleway, OVHcloud, Infomaniak, etc.) meet all three conditions for EU data sovereignty. US providers with European subsidiaries meet condition 1 but not 2 and 3.
## Why this matters in 2026
Three trends make data sovereignty operationally relevant in 2026:
**1. EU regulatory enforcement is increasing.** GDPR enforcement has matured. The Schrems II ruling has made transatlantic transfers legally precarious. The EU AI Act, NIS2, and DORA all incorporate data sovereignty considerations.
**2. EU procurement requirements are tightening.** European public sector procurement increasingly requires EU-resident processing. Private sector procurement (especially in regulated industries) follows similar patterns.
**3. Geopolitical risk has materialized.** The 2020s have demonstrated that digital infrastructure is geopolitical infrastructure. Export controls, sanctions, and intelligence cooperation patterns affect what data can be processed where.
For European businesses, data sovereignty has shifted from "nice-to-have" to "operationally meaningful" status.
## Practical data sovereignty for businesses
Three practical approaches for European businesses:
### Approach 1: EU-resident processing for sensitive data only
Classify your data by sensitivity. Sensitive data (personal data, customer information, trade secrets) goes to EU-resident providers. Less sensitive data (general business operations, marketing analytics) can stay on US providers with documented controls.
This is the most common practical approach for European mid-market businesses.
### Approach 2: EU-resident processing for everything
For organizations with strong sovereignty preferences (regulated industries, public sector, privacy-focused brands), all data processing happens on EU-resident infrastructure.
This approach is operationally simpler (no data classification needed) but may sacrifice some technical capability (some specialized AI services, niche SaaS tools, etc.).
### Approach 3: Sovereign cloud for highest-stakes data
Some EU member states offer "sovereign cloud" frameworks (French Cloud de Confiance, German BSI C5 sovereign cloud, etc.) with explicit guarantees against external compulsion. For public sector and highly regulated industries, these are increasingly required.
Operationally complex and more expensive but provides the strongest sovereignty guarantees.
## Common confusions about data sovereignty
**"Data sovereignty means data localization."** Not exactly. Localization is the requirement to store data in a specific country. Sovereignty is broader — including who controls the data and who can compel disclosure. Localization can support sovereignty but doesn't automatically achieve it.
**"GDPR is the same as data sovereignty."** Related but distinct. GDPR primarily protects individual privacy rights. Data sovereignty is a broader concept including state-level concerns about jurisdiction and infrastructure control.
**"Encryption solves data sovereignty."** Partially true. Encryption with EU-controlled keys protects data confidentiality even on US infrastructure. But operational requirements (queries, indexing, analytics) often require unencrypted access, limiting how thoroughly encryption can solve sovereignty.
**"All EU data needs to stay in the EU."** Not legally required for most data. GDPR allows transfers with appropriate safeguards. Sovereignty considerations may favor EU-resident processing for some data, but it's a strategic choice, not a universal legal requirement.
## What to ask vendors about data sovereignty
For procurement reviewing data sovereignty claims:
1. **Where is the data physically stored?** (level 1)
2. **What legal entity controls access?** Where is it incorporated? (level 2)
3. **What legal mechanisms can compel disclosure?** What jurisdiction's laws apply? (level 3)
4. **What additional contractual or technical protections exist?** SCCs, encryption keys, access logs.
5. **What audit and reporting commitments exist?** Independent audits, transparency reports.
Vendors that can answer all five clearly are providing meaningful sovereignty. Vendors that focus only on physical location are providing partial sovereignty at best.
Was this helpful?
Thanks for your feedback!