European legal departments find themselves at a critical juncture. While they handle significantly more private data than their global counterparts – with 27% managing over 30% private data compared to just 14% globally according to Kiteworks’ “Data Security and Compliance Risk: 2025 AI Report” – they are falling behind in implementing comprehensive governance controls. This disconnect between responsibility and readiness reveals a troubling trend that could reshape how organisations approach data sovereignty in Europe’s stringent regulatory landscape.
Governance gap
Our report paints a picture of legal departments caught between old practices and new realities. While 52% of organisations globally have implemented comprehensive governance controls for data tracking, only 35% of legal departments can make the same claim. Even more concerning, 19% of legal departments have no plans to implement such controls at all, triple the global average of 6%.
This governance gap matters because European organisations operate under some of the world’s strictest data protection laws. The GDPR does not just require organisations to protect data; it demands they know where that data lives, how it moves, and who can access it. Therefore, data sovereignty, where data is subject to the laws of the country where it is stored and processed, has become a cornerstone of European regulatory thinking.
Reactive approach to AI security
When it comes to AI adoption, legal departments display a curious mix of caution and complacency. Over a third (35%) of legal teams rely on warnings about sharing private information with public AI tools but implement no formal monitoring or enforcement mechanisms. This approach, where employees are essentially being asked to self-police, stands in stark contrast to the 20% global average for such informal controls.
The irony is palpable. Legal departments, tasked with ensuring compliance and managing risk, are more likely than other departments to rely on trust rather than technology. Only 15% have technical controls that block access to public AI tools on company devices, compared to 20% globally. This hands-off approach becomes particularly problematic when considering that 31% of legal professionals cite private data leakage through AI model outputs as their top security concern.
European data sovereignty challenge
For European organisations, data sovereignty is not just a technical challenge; it is a fundamental business requirement. Over three-in-five (62%) legal departments have partially implemented data sovereignty measures, compared to 47% globally. However, full implementation lags significantly, with only 15% of legal departments achieving comprehensive data sovereignty compared to 34% globally.
This partial implementation approach reflects the complexity of maintaining data sovereignty in practice. European organisations must balance multiple competing demands: the need to innovate with AI, the requirement to comply with GDPR and emerging AI regulations, and the practical challenges of controlling data flows in an interconnected digital ecosystem.
The stakes are particularly high given the volume of private data legal departments handle. With legal teams managing client information, case files, contracts, and regulatory correspondence, a data breach or sovereignty violation could have cascading consequences across multiple jurisdictions.
Building effective data governance
The path forward requires legal departments to shift from reactive to proactive governance strategies. The survey indicates that 39% of legal departments favour a balanced approach using data minimisation and selective privacy-enhancing technologies for higher-risk AI applications. This measured approach makes sense, but implementation remains the challenge.
Effective data governance for maintaining sovereignty requires several key components. First, organisations need visibility into their data landscape. You cannot protect what you cannot see, and the current state where many legal departments lack comprehensive tracking capabilities creates blind spots that regulators will not ignore.
Second, technical controls must match policy ambitions. Issuing warnings about AI usage without implementing monitoring creates a false sense of security. European organisations need systems that can enforce data residency requirements, track cross-border data flows, and ensure AI systems process data in compliance with local laws.
Third, governance must evolve with technology. The traditional approach of periodic compliance audits, still favoured by 29% of legal departments, cannot keep pace with AI’s rapid deployment. Real-time monitoring and automated compliance checks using AI data gateways are becoming necessities rather than luxuries.
Training and culture challenge
An often-overlooked aspect of data sovereignty is the human element. The survey shows that only 19% of legal departments measure employee training completion rates as a key metric for data protection effectiveness. This suggests that many organisations underestimate the role of education in maintaining data sovereignty.
Creating a culture of data protection requires more than policies and technology. It demands ongoing education about why data sovereignty matters, how individual actions impact compliance, and what is at stake when controls fail. European employees need to understand that data sovereignty is not just about following rules. It is about preserving the digital autonomy that underpins European values.
Looking ahead
The convergence of AI adoption and data sovereignty requirements creates both challenges and opportunities for European legal departments. Those who successfully navigate this transition will need to embrace three key principles.
First, governance must be comprehensive and proactive. The days of reactive compliance are ending. European organisations need systems that anticipate regulatory requirements and adapt to changing data flows automatically.
Second, technology and policy must work in harmony. Having strong policies without technical enforcement is like having laws without police. Organisations need to invest in tools that make compliance automatic rather than aspirational.
Finally, data sovereignty must become embedded in organisational culture. Every employee who touches private data becomes a guardian of sovereignty. Training, awareness, and accountability must extend beyond the legal department to encompass the entire organisation.
The data suggests that European legal departments stand at a crossroads. They can continue with partial measures and reactive approaches, risking regulatory action and data breaches. Or they can seize this moment to build robust governance frameworks that protect data sovereignty while enabling innovation. The choice they make will determine not just their compliance status, but their ability to operate effectively in an AI-driven future where data protection and technological advancement must coexist.
As Europe continues to lead global conversations about digital rights and data protection, its legal departments must evolve from compliance enforcers to governance innovators. The question is not whether to implement comprehensive data governance; it is whether organisations will act before regulators force their hand.
Camilo Artiga-Purcell
Camilo Artiga-Purcell is General Counsel at Kiteworks, leading the company’s global legal operations. With over a decade of experience litigating cases from their inception through trial and appeal, Camilo also advises businesses on litigation risks, best practices, and drafting negotiated contracts.


