Data Sovereignty in a Turbulent World: Protecting Your Digital Assets

Data Sovereignty in the Era of Geopolitical Tensions and Artificial Intelligence


Escalating Tensions and Their Impact on Digital Security

Amid escalating geopolitical tensions around the world, from the war in Ukraine and conflicts in the Middle East, including the Iran-Israel conflict, to rising competition in the South China Sea, governments and businesses face a clear reality: digital systems are not immune to these pressures. British Prime Minister Keir Starmer recently affirmed at London Tech Week that methods of warfare have "profoundly changed," noting that technology and artificial intelligence have become "embedded" in national defense. This necessitates a comprehensive reassessment of IT infrastructure management from a purely security perspective, requiring companies to review their data management technologies and practices to ensure their protection from increasing risks.

Significant Challenges: Putting this reassessment into practice is difficult, however. According to a recent study by Civo, 83% of IT leaders in the UK believe that geopolitical variables threaten their ability to control data, and 61% consider digital sovereignty a strategic priority. Nevertheless, only 35% of them accurately know where their data is stored. This gap is not just about regulatory compliance; it reflects a misalignment between infrastructure, policies, and adopted strategies.

Understanding Data Sovereignty: Definitions and Concepts

Data sovereignty is defined as a legal principle stating that data is subject to the laws and regulations of the country or region where it is created, stored, or processed. This concept ensures local control over data access, use, and storage, and is crucial for national security and the protection of citizens' personal data (Wikipedia, updated July 15, 2025). Data sovereignty differs from data residency, which refers to the actual geographical location where data is stored, and data localization, a requirement that data remains within the physical borders of a specific country, as some countries, such as Russia, may require their citizens' data to be stored entirely within local data centers (IBM, updated April 17, 2025).


A diagram illustrating a Wikidata knowledge graph linking women, their occupations, and schools, demonstrating the interconnectedness of information within the knowledge graph.
Image: Wikidata-knowledge-graph-awhi-women-occupations-schools-2021-0216.png. Source: Wikimedia Commons. License: CC BY-SA 4.0.

From Legal Challenge to Operational Priority

Data sovereignty is no longer merely an issue discussed by policy teams and legal departments. With increasing regulatory fragmentation, escalating cybersecurity risks, and the evolution of complex data ecosystems, organizations are compelled to consider sovereignty a vital operational concern. Whether it's determining who has access to your AI training data or ensuring healthcare providers meet national data residency requirements, data sovereignty today clearly defines the scope of what companies can and cannot do.

Legislation such as the EU General Data Protection Regulation (GDPR), which imposes fines of up to 20 million Euros or 4% of annual revenue for non-compliance (Oracle, updated August 26, 2024), along with the UK's evolving stance (no longer bound by EU data law but maintaining close alignment to ensure data flow), and increasingly stringent policies related to critical infrastructure, have begun to shape the concept of organizational resilience. As Lord Ricketts noted in the House of Lords last October, "the secure and efficient exchange of data underpins our trade and economic ties with the EU and cooperation between our law enforcement agencies." This trust is based on adopting a transparent and enforceable approach to data control.

Cloud Computing Challenges and the Necessity of Data Localization

Public cloud computing services have given many a false impression of agility. Speed of movement does not necessarily mean security. Data localization, jurisdictional control, and alignment of security policies have become pivotal elements in formulating long-term strategies, no longer mere impediments to short-term expansion. What does this mean for corporate IT? Simply put, it presents us with two choices: either design for resilience while maintaining full control, or prepare to face disruptions with every change in regulations and laws.

Infrastructure that considers sovereignty does not seek isolation but aims to provide complete clarity on data location, who has access to it, how it moves, and the policies governing it at every stage. This requires high transparency, auditability, and the ability to adapt continuously without having to completely rebuild systems with every new compliance rule.

A hybrid cloud and multi-cloud approach provides companies with great flexibility while keeping data governance at the core of operations. It's not about relying on a single cloud provider or building all infrastructure locally, but about applying policy-driven control across different environments and managing workloads in the context of data to ensure sovereignty.

For example, a financial services company may need to retain customer transaction data within UK borders while simultaneously wanting to run analytics via the cloud. With the right architecture, workloads can move freely, while sensitive data remains fully subject to governance controls. This represents the essence of data sovereignty in practice, not just a theoretical concept.



Generative Artificial Intelligence and Data Sovereignty

Generative AI adds a new layer of complexity to this landscape. Training models on private data, deploying inference on edge computing, or even simply sharing prompts across different geographical locations all increase pressure on existing governance models.

While many organizations have rushed to adopt or develop AI tools, only a few have aligned these efforts with data residency or regulatory compliance requirements. Sovereignty is no longer just about data storage; it now encompasses aspects of computing, access patterns, and understanding how third-party AI models interact with your sensitive data.

In this context, the capabilities of edge computing and sovereign cloud will be absolutely essential. But their success hinges on empowering infrastructure teams with the necessary authority and support to build with data sovereignty in mind from the outset. This requires effective, cross-departmental collaboration that brings together legal, compliance, and IT teams. It also means choosing platforms that support location-aware deployment and actively enforce policies from day one.


Screenshot of the Wikidata Knowledge Grapher tool, demonstrating the process of building a knowledge graph.
Image: Wikidata-knowledge-grapher-2021-06.png. Source: Wikimedia Commons. License: CC BY-SA 4.0.

Current Reality and Future Requirements

According to Nutanix's recent research on data sovereignty in the public sector, 94% of organizations in this sector are already using generative AI tools. However, 92% indicate that more can be done to secure these workloads, and 81% say their infrastructure needs improvement to support sovereignty requirements. These statistics highlight the significant challenges facing both public and private organizations, where complexities have reduced the effectiveness of governance and control.

Customers want to know where their data is, and partners want to understand how that data is used. With regulators increasingly expecting transparency that goes beyond mere formal compliance, sovereignty in this context becomes a key indicator of trust. This is especially critical in vital sectors such as healthcare, education, and government, but is not limited to them. Any business operating in regulated markets or across borders needs to demonstrate clear data control. This is not just a formality; it has become essential for business continuity and reputation.

Practical Steps for Implementing Data Sovereignty

  • Identify Data Location and Applicable Laws: First and foremost, clearly determine where your data is stored and the applicable laws and regulations in those regions. This identification is often complex and requires a precise understanding of different legal frameworks.
  • Review Technical Infrastructure: Next, conduct a comprehensive review of your infrastructure to determine if it supports location-aware controls, hybrid cloud deployments, and detailed data auditing.
  • Prepare for the Future of Generative AI: Consider future trends for Generative AI and the workloads it will generate. Is your organization prepared to scale these technologies without compromising data sovereignty requirements? And can your teams adapt quickly to changes in policies and regulations?

Data Sovereignty as a Business Strategy

Finally, digital sovereignty should be viewed not as a constraint, but as an integral part of business design strategy. Organizations that successfully implement this concept will not only be compliant with regulations but will also be more resilient, transparent, and prepared to face future challenges.

In a world where data moves faster than policies change, the ability to maintain control is not just good governance practice but a foundation for business success. And when geopolitics forces this issue, it may be the necessary impetus to implement data sovereignty correctly and effectively.
