Data sovereignty has rapidly ascended the priority list for businesses and governments over the last few years. As we approach 2026, it’s a matter that needs to sit at the top of any corporate agenda as the climate of geopolitical tension has added even more weight to where data is stored and which country’s legislation governs this.
In Europe, data sovereignty is hotly debated and for good reason. European leaders are only too aware that there is a risk that data held outside the region’s boundaries as well as some EU-based data, is in the grip of foreign jurisdiction. For example, the CLOUD Act ruled that US authorities had the right to request data from America’s cloud providers even if that data is located in Europe.
Local cloud providers offering local governance
Unsurprisingly this has ignited genuine concerns over data privacy, security and control. The reality is that if data is stored on servers owned by US based hyperscalers, this will ultimately will be governed by US law. So, many of Europe’s organisations are seeking an alternative; the obvious one is to use data storage options owned and located within the European region.
This trend is highlighted by a recent report from Gartner, finding that geopolitics will drive 61% of CIOs and IT leaders in western Europe to increase their reliance on local cloud providers. It is widely acknowledged that Europe’s cloud providers will enable true sovereignty in the region over the coming years, by offering clearer governance and more transparent oversight.
The role of the Gaia-X-Trust Framework
Recent events such as the Gaia-X-Summit in November strongly indicates that the urgency around Europe’s digital sovereignty is gaining pace. This forum, which is one for European digital and data sovereignty, announced the formal release of the Gaia-X-Trust Framework that specifies how data can be shared, stored and governed under European legislation.
This is a milestone in the quest for European data sovereignty, as it provides a formal, operational mechanism to organize and enforce sovereignty for Europe’s governments and digital businesses. In terms of action, this framework will spur any organisation with data held in different geographic locations to assess the compliance of this and ensure that its hosting arrangements are in line with these more formal measures.
Data sovereignty impacts even the smallest digital business
In reality, taking action on data sovereignty is not restricted to corporates. It is a complex issue that smaller businesses also need to address, and it’s a particularly tough challenge when these companies do not have the budgets or expertise on tap.
It is for this reason that smaller businesses might turn to third party cloud providers, which offer both the required geographic footprint and expertise to advise on data sovereignty strategy. Any trusted cloud provider should be transparent and exact about where an organisation’s data is stored, what the relevant governing laws are and be proficient in navigating things like cross-border data hosting legislation.
As a general rule, any business should expect an informed and accurate answer from their cloud provider about where data is actually held. If a provider falls short of this, then it warrants reviewing data arrangements and, if necessary, moving the location of data closer to home.
Certainty for Europe’s digital future
The European Union has already made significant steps towards its vision of a sovereign European cloud, with numerous organisations also heavily invested in this effort. One major project, the EU’s Important Projects of Common European Interest on Cloud Infrastructure and Services (IPCEI-CIS) represents a major step in building a sovereign European cloud campus.
This project focuses on the provision of cloud services that fall under Europe’s legal and regulatory guidelines, including GDPR. The vision is to ensure that Europe’s future digital economy is no longer dependent on US cloud providers and that sensitive data is fully protected from foreign law.
This is a venture that US hyperscalers are also involved in, conscious that European cloud options are offering the certainty, control and legal stance that they cannot guarantee. Many US headquartered providers have already made investment announcements into EU based infrastructure in an effort to ease valid concerns from regulators and business customers. The outcomes of these investments remain unclear.
Concurrently, specialist European cloud providers are poised to play a vital role in data sovereignty, as they can provide locally governed data centres, EU-compliant operations and support that protects data from cross-border exposure. As adoption of more localized cloud services increases, organisations need to be sure of a partner that can competently guide this process.
Not only should a partner demonstrate expertise, provide industry certifications such as ISO-IEC 27001, a cloud provider should be open and precise in answering questions about data residency and compliance. A vague answer about following best practices is simply not enough.
Gartner found that more than 75% of all enterprises outside of the US will have a digital sovereignty strategy by 2030, underpinned by a sovereign cloud strategy. For the majority of organisations, the choice of partner will make the difference in either success or failure to be sovereign ready. Europe’s leaders need to take the helm of this and ensure that their company’s data is suitably protected and aligned with the region’s goal of a sovereign digital ecosystem.
Terry Storer
Terry Storrar is Managing Director of Leaseweb UK. With over 25 years of experience in the technology sector, Terry is a proven leader, business founder, and turnaround specialist who drives growth and innovation at Leaseweb, a global provider of cloud hosting solutions. Terry leads the UK operations and oversees the strategic direction, customer engagement, and team development of the organisation.
