Data sovereignty has fast become one of the most important topics in tech, with public sector organizations including data regulators and world governments taking an ever greater interest in the security and residency of the data processed by businesses in their territory.
A mixture of geopolitical tensions, privacy legislation, and supply chain scares have forced organizations to question the resilience of their stack, particularly in Europe.
Recent research from Gartner predicts that 61% of Western European CIOs and IT leaders will rely more closely on local providers by 2030. It also forecasts that 75% of all enterprises based outside the US will have established a digital sovereignty strategy by this time.
In January, 51% of UK businesses surveyed by OVHcloud identified data sovereignty as core to their data management strategy. There was no consensus among respondents of how to classify the issue, however, with a three way split between compliance, data portability, and data access and storage.
Even as data sovereignty is becoming more of a focus and concern for businesses, there’s still confusion and disagreement about the easiest path to success.
Pure Storage commissioned the University of Technology Sydney to take pulse survey responses from experts across Australia, France, Germany, India, Japan, New Zealand, and the United Kingdom.
The results show that organizations across the world understand the risk of inaction when it comes to data sovereignty, which is now not a tickbox exercise but a business imperative.
The vast majority of respondents – 92% – said failure to deal with data sovereignty will lead to reputational damage down the line, while 85% said it would erode customer trust.
Respondents also acknowledged that data stored internationally could be restricted by a foreign entity, with 100% identifying the potential for service disruption as a catalyst for investigating their data residency.
To prevent this, as well as to shore up resilience and meet growing legislative demand for data sovereignty, businesses need to assess how much of their critical data can be stored and processed in sovereign environments.
AI sovereignty is a new can of worms
As AI hype has reached fever pitch, IT administrators and business leaders have been forced to contend with widespread workforce adoption, leading to concerns over risks such as shadow AI.
Few businesses have firm digital sovereignty strategies at present – Gartner estimates just 10% – and AI only complicates this picture further.
Research by the University of Oxford shows that the US, China, and Europe make up nearly four-fifths (78%) of all global spending on cloud infrastructure, highlighting the global divide when it comes to sovereign data center capacity.
Of a total 132 ‘compute hubs’ that can handle training and inference needs for AI models, 75 (55%) were found in these three-largest spending regions.
This means that as businesses in other countries become more reliant on AI in their day to day operations, they may be forced to send data outside of their borders to be processed, putting it at risk.
Many countries are attempting to insulate themselves from this risk by pouring up-front investments into sovereign infrastructure for processing their own data. The United Arab Emirates (UAE), for example, has spent $148 billion on AI since 2024, having announced major partnerships such as Stargate UAE with OpenAI.
Hard ceilings like energy generation are clashing with the immense energy demand of data centers, however, limiting the pace and scale of buildout and dampening efforts to establish sovereign options for data processing.
In the interim, firms need to establish clear strategies for AI use and consider which workloads can still be run in the public cloud.
Earlier this year Andy Ward, SVP International at Absolute Security, told ITPro that businesses should question the use of certain AI models for business purposes on the grounds of data sovereignty.
Every time a worker accesses a tool like DeepSeek, Ward said, “that data is effectively leaving your organization and going straight into mainland China, where compliance, governance, everything's gone out the window at that point”.
At present there are clear geographic boundaries for models that businesses might think twice about using. But over time, every organization will need to audit how and where their data is processed in all of the major AI providers’ models.
“Increasingly it's going to be difficult to put data in one of the big players because you won't want to be putting commercially sensitive or private information about customers into an uncertain world,” one Australian AI expert told the University of Technology Sydney researchers.
“I think we can increasingly see people concerned about the privacy of these models and the sensitivity of sharing information, especially with overseas companies.”
The majority (78%) of respondents to Pure Storage’s research said they are signing data governance agreements into their commercial agreements, as well as diversifying their service provider and sovereign data center reliance.
In the near future, businesses will begin to reckon with the shocks of poor data sovereignty strategies. It’s up to today’s leaders to build data resilience through a targeted sovereignty strategy, as well as to identify the key partners who can help them achieve their goals when it comes to international data management.
-
Anthropic says MCP will stay 'open, neutral, and community-driven' after donating project to Linux FoundationNews The AIFF aims to standardize agentic AI development and create an open ecosystem for developers
-
Developer accidentally spends company’s entire Cursor budget in one sittingNews A developer accidentally spent their company's entire Cursor budget in a matter of hours, and discovered a serious flaw that could allow attackers to max out spend limits.
