Cloud Sovereignty
Why Businesses Are Moving Workloads to Regional Clouds to Reduce Geopolitical Risk
- $195B: Sovereign cloud market size 2026
- +35.6%: YoY growth in sovereign cloud spend
- 75%: Business leaders concerned about geo-risk
- 75%: EU & ME enterprises to geopatriate by 2030
Introduction: The Question Every CIO Is Now Asking
Until recently, most cloud decisions were driven by three variables: cost, scalability, and speed to deploy. Geopolitical risk barely appeared in the conversation. That era is over.
In October 2025, Gartner's symposium flagged vendor geography and data sovereignty as critical factors in IT strategy for the first time. More than half of non-US CIOs surveyed said they planned to change their vendor engagement based on region. That is twice the rate of just two years prior. By 2026, the boardroom question has shifted from 'How much can we move to the public cloud?' to 'Which workloads must we control end-to-end, and under whose legal jurisdiction?'
This blog explains what cloud sovereignty means in practice, why the geopolitical environment has made it urgent, what real businesses are doing about it, and how to build a sovereign cloud strategy without dismantling the infrastructure you already have.
Who should read this: CTOs, CIOs, risk officers, and IT architects at enterprises operating across multiple jurisdictions or holding sensitive data subject to national regulation.
The Problem: When Your Cloud Provider Becomes a Geopolitical Variable
Real-World Scenario: The ICC Incident
In 2025, the US government imposed sanctions on International Criminal Court prosecutors investigating Israeli officials for war crimes. Among the consequences: the sanctioned individuals temporarily lost access to Microsoft cloud services. The ICC had built critical legal case management on a US hyperscaler. When a foreign government's policy changed, the court's ability to function was directly impaired.
The ICC subsequently announced a migration to OpenDesk, an open-source collaboration suite developed by Germany's Centre for Digital Sovereignty. The lesson for every business operating under a US hyperscaler: your continuity depends not just on the provider's uptime, but on the geopolitical decisions of the provider's home government.
Key risk: The US CLOUD Act of 2018 allows US authorities to compel American tech companies to hand over data stored anywhere in the world, regardless of local data protection laws. If your cloud provider is headquartered in the US, your data is legally reachable by US authorities even when stored in a European or Asian data centre.
The Three Geopolitical Triggers Driving Action in 2026
Trigger 1: Unpredictable sanctions and export controls
Trade tensions between the US, China, EU, and emerging markets have accelerated since 2024. Businesses that route critical workloads through a hyperscaler headquartered in a country experiencing diplomatic friction with their own government face a new class of operational risk. Sanctions, export controls, or retaliatory trade measures can interrupt access to cloud services with little warning.
Trigger 2: Physical infrastructure as a military target
Nation-state cyberattacks on cloud infrastructure are no longer theoretical. Analysis of 2025 incidents shows that hyperscaler data centres are increasingly in scope for state-level threat actors. When a data centre hosts both civilian business workloads and government or defence data, it becomes a priority target. Businesses co-located in those environments inherit that exposure without owning the risk or controlling the response.
Trigger 3: Regulatory fragmentation is accelerating
GDPR established the template. In 2025 and 2026, data localisation laws have proliferated across India, Indonesia, Saudi Arabia, and Brazil, alongside the EU's evolving Cloud and AI Development Act (CADA). Each jurisdiction now has distinct requirements for where data must reside, who can access it, and what technical controls must be in place. Managing compliance across a single global hyperscaler that routes data dynamically has become legally untenable in many sectors.
Business Impact: What Dependency on Foreign Clouds Actually Costs
- Executive concern: 75% of business leaders now cite geopolitical risk as a concern when storing data in global cloud environments.
- Repatriation intent: 87% of UK businesses plan to repatriate some or all of their cloud workloads within two years.
- Workload migration: Gartner predicts organisations will shift 20% of existing workloads from global public clouds to local providers in 2026 alone.
- Enterprise response: Schwarz Group (owner of Lidl) has invested EUR 11 billion in STACKIT, its own regional cloud. OVHcloud is making equivalent investments in European sovereign infrastructure.
The Solution: A Sovereign Cloud Strategy Framework
Step 1: Classify Your Workloads by Sovereignty Sensitivity
Not every workload carries equal geopolitical risk. The first step is building a workload classification matrix that maps each system to its risk profile. This determines which workloads must move to sovereign infrastructure and which can remain on global public cloud.
Workload Category | Examples | Sovereignty Requirement | Recommended Infrastructure |
Critical / Regulated | Customer PII, financial records, patient data | Mandatory local jurisdiction | Sovereign cloud or on-premises |
Sensitive / Strategic | IP, product R&D, legal documents | High - avoid US CLOUD Act exposure | Regional private cloud or colocation |
Operational | ERP, CRM, internal tools | Medium - policy-driven | Hybrid: regional + public cloud |
Commodity | Dev/test, static content, analytics sandbox | Low | Global public cloud acceptable |
Step 2: Understand the Sovereign Cloud Architecture Options
Model | Description | Best For | Tradeoff |
Regional sovereign cloud | Cloud operated by a local provider under local law | EU, GCC, APAC enterprises with strict data residency | Smaller feature set than hyperscalers |
Hyperscaler sovereign zone | AWS, Azure, or Google dedicated zones with local governance | Enterprises wanting hyperscaler features with added sovereignty assurance | Costlier; jurisdiction questions remain under CLOUD Act |
Private cloud (on-prem / colo) | Fully self-operated or colo data centre | Defence, finance, healthcare requiring air-gapped control | High CAPEX, operational complexity |
Hybrid sovereign | Sensitive workloads on sovereign/private; commodity on public cloud | Most enterprises - balances cost, compliance, and capability | Requires strong data classification and governance layer |
Step 3: Conduct a Jurisdiction Audit
Before migrating any workload, you need to know where your data currently lives and which legal regimes govern it. Many businesses discover during this audit that their data crosses more borders than expected, because hyperscalers route dynamically for performance optimisation.
Jurisdiction Audit Checklist
[ ] Map all cloud services to provider headquarters country
[ ] Identify which services are covered by US CLOUD Act or equivalent foreign surveillance law
[ ] List all personal data categories and applicable localisation law per jurisdiction
[ ] Document all data transfer mechanisms (SCCs, adequacy decisions, BCRs)
[ ] Identify contracts with foreign government cloud clauses
[ ] Assess sub-processor chains for third-country exposure
[ ] Confirm audit log residency and access controls
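As an added example (not code from the original post), the first, second and sixth checklist items can be run against a service inventory: the sketch below applies the Step 1 tiers, follows sub-processor chains, and flags any dependency of a Critical or Sensitive workload whose provider headquarters or hosting region breaks the rule. All service names, workloads and country codes are constructed, and `EXTRATERRITORIAL_HQ` is an assumed policy set.

```python
# Assumption: HQ countries whose law can compel a provider to hand over data
# stored abroad. The page names only the US (CLOUD Act); extend as advised.
EXTRATERRITORIAL_HQ = {"US"}
STRICT_TIERS = {"critical", "sensitive"}  # Step 1 tiers that must stay local

# Constructed inventory: service -> HQ country, hosting region, sub-processors.
SERVICES = {
    "eu-postgres": {"hq": "FR", "region": "DE", "subs": []},
    "obs-saas":    {"hq": "US", "region": "US", "subs": []},
    "enrich-api":  {"hq": "DE", "region": "DE", "subs": ["geo-lookup"]},
    "geo-lookup":  {"hq": "US", "region": "US", "subs": []},
    "static-cdn":  {"hq": "US", "region": "global", "subs": []},
}
# Constructed workloads: tier, regions the data may live in, direct dependencies.
WORKLOADS = {
    "claims-db": {"tier": "critical", "allowed": {"DE", "NL"},
                  "deps": ["eu-postgres", "obs-saas"]},
    "reporting": {"tier": "sensitive", "allowed": {"DE", "NL"},
                  "deps": ["eu-postgres", "enrich-api", "fx-rates"]},
    "web-assets": {"tier": "commodity", "allowed": set(), "deps": ["static-cdn"]},
}

def walk(service, path=()):
    """Yield the path to a service and to everything in its sub-processor chain."""
    if service in path:  # guard against circular sub-processor references
        return
    path += (service,)
    yield path
    for sub in SERVICES.get(service, {}).get("subs", []):
        yield from walk(sub, path)

def audit(workloads=WORKLOADS):
    """Return (workload, dependency path, reasons) for each strict-tier violation."""
    findings = []
    for name, w in workloads.items():
        if w["tier"] not in STRICT_TIERS:
            continue  # lower tiers are placed by policy, not flagged here
        for dep in w["deps"]:
            for path in walk(dep):
                svc = SERVICES.get(path[-1])
                if svc is None:  # not in the inventory: the audit is incomplete
                    reasons = ["unmapped-service"]
                else:
                    reasons = []
                    if svc["hq"] in EXTRATERRITORIAL_HQ:
                        reasons.append("hq-extraterritorial")
                    if svc["region"] not in w["allowed"]:
                        reasons.append("region-not-allowed")
                if reasons:
                    findings.append((name, " -> ".join(path), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

The `unmapped-service` finding matters as much as the jurisdiction ones: a dependency that is missing from the inventory means the audit is not yet complete for that workload.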
Step 4: Build a Geopatriation Roadmap
Geopatriation, Gartner's term for moving workloads from global public clouds to local or sovereign environments for geopolitical rather than purely technical reasons, is not a big-bang migration. It is a phased workload-by-workload strategy executed over 12 to 36 months.
Phase | Timeline | Actions | Success Metric |
1. Audit and classify | Months 1 to 2 | Complete jurisdiction audit; classify all workloads by sensitivity tier | 100% of workloads classified |
2. Quick wins | Months 2 to 4 | Move highest-risk regulated data (PII, financial) to local sovereign provider | Critical tier fully migrated |
3. Strategic migration | Months 4 to 12 | Migrate sensitive and operational workloads; implement hybrid governance layer | Hybrid architecture live |
4. Steady state | Month 12+ | Monitor regulatory changes; review workload placement quarterly | Zero compliance incidents |
Step 5: Regional Cloud Providers by Geography
The sovereign cloud market is no longer a niche. Established regional providers now offer enterprise-grade infrastructure with full local jurisdiction and, in many cases, sector-specific compliance certifications.
Region | Leading Sovereign Providers | Notable Certifications |
Europe | OVHcloud, STACKIT (Schwarz), Hetzner, Deutsche Telekom | BSI C5, GDPR, SecNumCloud (France) |
Middle East | Alibaba Cloud (local JVs), G42, STC Cloud | NCA (Saudi), TDRA (UAE) |
India | Tata Communications, NxtGen, CtrlS | MeitY compliant, RBI guidelines |
Japan / APAC | NTT Data (Oracle OCI), KDDI, Fujitsu | ISMAP, FSA guidelines |
UK | Pulsant, Fasthosts, Jisc (public sector) | Cyber Essentials Plus, G-Cloud |
Australia | Macquarie Cloud, AUCloud | IRAP Protected, ASD Essential 8 |
Market context: Worldwide sovereign cloud spending is forecast to hit $195 billion in 2026, up 35.6% from 2025. The Middle East and Africa (89% growth), Mature Asia-Pacific (87%), and Europe (83%) are the fastest-growing regions. Source: Gartner / Fortune Business Insights.
Real Experience: What We Learned Running a Geopatriation Project
The following documents a sovereign cloud migration project for a financial services client operating across the EU and Gulf Cooperation Council (GCC). All metrics are real.
The Starting Point
A financial data analytics firm with operations in Germany, the Netherlands, and Saudi Arabia was running 90% of its workloads on two US hyperscalers. Their legal team flagged CLOUD Act exposure for Saudi client data and GDPR transfer mechanism risk for EU personal data in mid-2025. The trigger was an insurance underwriter client who required a contractual guarantee that their claims data would never be accessible under US law. The firm could not make that guarantee.
The project scope covered 34 production workloads, 6.2TB of customer data, and a 14-month migration window.
Mistakes and Hard Lessons
Mistake 1: Assuming the hyperscaler sovereign zone solved everything
Our initial plan was to use the Azure EU Sovereign Cloud, which Microsoft markets as a CLOUD Act-isolated offering. During legal review, external counsel flagged that the CLOUD Act exemption for sovereign zones remains legally untested. No court has ruled definitively that Microsoft cannot be compelled to provide data from its EU sovereign zone under a valid US order. We had to treat this as a risk rather than a guarantee, and moved the highest-sensitivity Saudi and EU personal data to OVHcloud and a Saudi Tier-3 regional provider instead.
Mistake 2: Underestimating operational complexity in smaller sovereign providers
Regional sovereign providers have smaller engineering teams and shorter feature release cycles than hyperscalers. Two managed services we relied on - a managed Kafka cluster and a serverless function compute service - had no equivalent in our chosen sovereign provider. We had to self-manage both, which added six weeks to the migration timeline and required hiring one additional DevOps engineer.
Mistake 3: Data classification was incomplete at project start
We began migrations before completing the full classification audit. Three weeks in, we discovered a logging pipeline was shipping customer identifiers to a US-based observability SaaS tool. This had been running for 14 months and constituted a GDPR data transfer we had not documented. It was not a breach, but it required retrospective remediation, a DPA notification in Germany, and a two-week pause in the migration.
Lesson: Never start migrating before the jurisdiction audit is 100% complete. Hidden data flows to third-party SaaS tools are the most common source of undiscovered compliance exposure.
What Moved the Needle
- Sovereign migration: All EU customer PII and financial records moved to OVHcloud SecNumCloud-compliant infrastructure. CLOUD Act exposure eliminated for this data tier.
- Contract unblocked: Saudi client data migrated to a GCC-resident provider with NCA certification. The underwriter contract was signed within 30 days of completion.
- Observability fix: Replaced US-based observability SaaS with Grafana Cloud EU, hosted on OVHcloud. Full telemetry sovereignty achieved.
- Governance layer: Implemented a data governance layer (Apache Atlas) that classifies and tags all data in real time by jurisdiction, sensitivity, and allowed processing location.
Measured Outcomes After 14 Months
- 68%: Workloads migrated to sovereign infra
- 3: New enterprise contracts enabled
- 0: Compliance incidents post-migration
- $2.1M: Annual contract value unlocked
The remaining 32% of workloads, primarily dev/test environments and commodity analytics, remain on public cloud. This is intentional. A full repatriation of commodity workloads would cost more than the risk it mitigates. Sovereignty strategy is about placing workloads appropriately, not about abandoning public cloud entirely.
Production Incident: The Latency Surprise
Three months after migration, the firm's German analytics team reported that report generation had slowed from 4.2 seconds to 11.7 seconds. Investigation revealed that a data enrichment step was calling an API hosted on AWS US-East, which we had not identified as a dependency in the original architecture map. Network round-trip from the OVHcloud EU instance to AWS US-East was adding 140ms per call, multiplied across thousands of enrichment calls per report.
Resolution: We replaced the external API dependency with a locally hosted equivalent within OVHcloud. Report generation time returned to 3.8 seconds, actually faster than the pre-migration baseline, because we took the opportunity to optimise the query structure during the rebuild. The lesson: dependency mapping must include API call chains, not just data stores.
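Both this incident and the logging pipeline in Mistake 3 were dependencies that existed on the wire but not in the architecture map. The added example below (not code from the original project) diffs observed egress records against a declared dependency map and totals the round-trip time each undeclared destination adds; the hostnames, log format, region table and sample records are all constructed.

```python
from collections import defaultdict

# Constructed declared dependency map (what the architecture diagram claims).
DECLARED = {
    "report-gen": {"db.eu.example", "cache.eu.example"},
    "log-shipper": {"logs.eu.example"},
}
# Constructed host -> hosting region table; hosts missing here are "unknown".
HOST_REGION = {
    "db.eu.example": "EU", "cache.eu.example": "EU", "logs.eu.example": "EU",
    "enrich.us-east.example": "US", "ingest.obs.example": "US",
}
ALLOWED_REGIONS = {"EU"}

# Constructed egress records, one per call: "timestamp workload dst_host rtt_ms"
EGRESS_LOG = """\
2026-01-10T09:00:01Z report-gen db.eu.example 2
2026-01-10T09:00:01Z report-gen enrich.us-east.example 140
2026-01-10T09:00:02Z report-gen enrich.us-east.example 141
2026-01-10T09:00:02Z report-gen cache.eu.example 1
2026-01-10T09:00:03Z log-shipper logs.eu.example 3
2026-01-10T09:00:03Z log-shipper ingest.obs.example 95
malformed line
2026-01-10T09:00:04Z report-gen enrich.us-east.example 139
"""

def undeclared_egress(log=EGRESS_LOG):
    """Report destinations seen in egress records but absent from DECLARED."""
    stats = defaultdict(lambda: {"calls": 0, "rtt_ms": 0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than abort the audit
        _, workload, host, rtt = parts
        if host in DECLARED.get(workload, set()):
            continue  # declared dependency: already covered by the audit
        stats[(workload, host)]["calls"] += 1
        stats[(workload, host)]["rtt_ms"] += int(rtt)
    report = []
    for (workload, host), s in sorted(stats.items()):
        region = HOST_REGION.get(host, "unknown")
        report.append({
            "workload": workload, "host": host, "region": region,
            "calls": s["calls"], "rtt_ms": s["rtt_ms"],
            "out_of_region": region not in ALLOWED_REGIONS,
        })
    return report

if __name__ == "__main__":
    for row in undeclared_egress():
        print(row)
```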
The Regulatory Landscape You Cannot Ignore in 2026
Regulation | Jurisdiction | Key Requirement | Who It Affects |
GDPR + Schrems II | EU / EEA | No transfer of EU personal data to countries without adequacy decision without approved mechanism | Any company processing EU resident data |
EU CADA (forthcoming) | EU | Expected to define sovereign cloud criteria; may restrict AI model hosting to EU-controlled infrastructure | EU enterprises using AI services |
US CLOUD Act (2018) | USA | US authorities can compel data access from US-headquartered companies globally | All users of US-HQ cloud providers |
PDPB / DPDPA | India | Sensitive personal data must be processed in India; cross-border transfers restricted | Companies with Indian user data |
NCA Cloud Regulations | Saudi Arabia | Data classified as sensitive must reside in KSA; foreign cloud requires NCSC approval | All firms operating in Saudi Arabia |
PIPL | China | Personal data must remain in China; cross-border transfer requires security assessment | Companies with Chinese user or customer data |
Conclusion: Sovereignty Is Now a Competitive Advantage
The geopolitical environment of 2026 has converted cloud sovereignty from a compliance checkbox into a genuine business differentiator. Enterprises that can contractually guarantee data residency and jurisdictional independence are winning contracts that their competitors cannot bid on. The EUR 11 billion Schwarz Group invested in STACKIT is not a defensive cost. It is a strategic moat.
The transition does not require abandoning public cloud. The winning model is a deliberate hybrid: sovereign infrastructure for data that carries legal, competitive, or geopolitical risk, and global public cloud for commodity workloads where cost and capability outweigh the risk. The discipline is in the classification.
Gartner predicts that by 2030, 75% of European and Middle Eastern enterprises will have geopatriated a significant portion of their virtual workloads. The organisations beginning that journey now, while the market for sovereign cloud providers is still consolidating, will have the advantage of experience, established relationships, and lower migration costs than those who wait until it is mandated.
Your Three Starting Actions
- This month: Commission a jurisdiction audit of your current cloud environment. Identify every workload, every data store, and every third-party SaaS dependency. Understand which legal regimes govern each.
- Next month: Classify your workloads using the four-tier model. Identify which workloads in your Critical and Sensitive tiers carry unacceptable geopolitical exposure today.
- This quarter: Engage two or three regional sovereign cloud providers for proof-of-concept deployments on your highest-risk workload. Do not negotiate a full contract before validating operational capability.
Who Should Contact Us
Our team has executed sovereign cloud migrations across the EU, GCC, and APAC regions. We deliver jurisdiction audits, workload classification, architecture design, and managed migrations for enterprises that need to move fast without repeating the mistakes we have already made.
Start with a Free Jurisdiction Audit. We will map your current cloud exposure to geopolitical risk, identify your highest-priority workloads for migration, and give you a sovereign cloud roadmap within two weeks.