Comps & Reflections

Digital Sovereignty and the Politics of Where Your Data Lives

Where data is stored and processed has become a geopolitical question, not just a technical one. GDPR, Schrems II, and chip export controls explain why.

2026-05-14 · 6 min read · Comps & Reflections · IT Governance & Strategy · Trust & Security
Digital · Part 10 of 15

In 2020, the EU Court of Justice struck down the EU-US Privacy Shield agreement, the mechanism that had allowed personal data to flow from EU systems to US-based companies. The court's reasoning, in the case known as Schrems II, was essentially that US surveillance law is incompatible with EU privacy rights. An EU citizen's data processed on US soil could be accessed by US intelligence agencies under frameworks that EU law does not recognize as offering adequate protection. The shield was gone. Every company relying on it scrambled to find something else.

I keep coming back to that ruling because it illustrates something important. The Schrems II decision was not primarily a technology ruling. It was a political statement about which legal order has authority over a given dataset. The data did not change. The servers did not change. What changed was the legal determination of which jurisdiction's rules apply when two systems have incompatible assumptions about surveillance, privacy, and the rights of individuals against state access. That is digital sovereignty. Not as an abstract ideal, but as a concrete, operational question with real consequences for architecture decisions.

Digital sovereignty is broadly the idea that nations, organizations, and individuals should have meaningful control over their digital infrastructure, data, and software supply chains. The concept has been around in academic and policy circles for years, but it moved from policy discussion to enterprise IT priority relatively recently. I think three developments explain the shift, and they are worth looking at separately because they operate at different levels.

The first is regulatory. GDPR, which came into force in 2018, was partly a digital sovereignty assertion. The regulation says that EU citizens' personal data must be handled according to EU standards regardless of where the company processing that data is headquartered. A US company handling EU personal data cannot simply opt out of GDPR by pointing to its US headquarters. The law applies where the data subject is located, not where the data processor is incorporated. This was already a novel jurisdictional move, applying a legal framework across borders based on where the user sits rather than where the service provider operates. Schrems II pushed the logic further: not only must the rules apply, but the destination country must actually offer equivalent legal protection in practice. Post-Schrems II, US-EU data transfers entered a period of genuine legal uncertainty that took years to partially resolve through the EU-US Data Privacy Framework, itself still contested. I hedge "partially resolved" deliberately because the legal negotiations around this continue and the situation as of 2024-2025 is still evolving.

The second development is data localization requirements. Several countries, including China, Russia, and India, have enacted laws requiring certain categories of data to be stored domestically. The specific requirements vary, and I will not try to characterize each country's rules precisely because they change and my reading of them may be incomplete. The general pattern is: sensitive data, personal data, or data related to specific sectors must stay within national borders. For a multinational organization that wants a single global cloud instance with uniform tooling, this creates real friction. You cannot always just pick a cloud region and be done. You may have legal obligations that require separate infrastructure in multiple jurisdictions, and those obligations may not be compatible with each other.

Gartner has tracked digital sovereignty as a growing enterprise concern. A 2023 Gartner press release predicted that 30 percent of multinationals would be severely impacted by unmanaged digital sovereign risk by 2025, and a 2024 prediction found that 70 percent of enterprises adopting generative AI would cite digital sovereignty as a top criterion for selecting cloud AI services by 2027. Both of those figures come from the Gartner newsroom at gartner.com/en/newsroom and I hedge them as forecasts, not measured outcomes. But the direction they point is consistent with what I see in practitioner conversations: this is not a niche concern for heavily regulated industries anymore. It is becoming a default consideration in cloud strategy.

The third development is the hardware dimension, and this one surprised me when I first started paying attention to it. Digital sovereignty has usually been framed as a data and software question. But starting in 2022 and continuing into 2023, the United States enacted significant export controls restricting the sale of advanced semiconductors and semiconductor manufacturing equipment to certain countries, most visibly China. These restrictions are widely reported public record. What they mean for digital sovereignty is this: a country that cannot independently produce advanced chips is dependent on foreign suppliers for the hardware that runs its AI systems, its cloud infrastructure, and its critical communication networks. That is a sovereignty gap at the physical layer, and it is harder to close than a data residency requirement. You can build sovereign data centers in a few years. Building domestic semiconductor fabrication capacity capable of producing leading-edge chips takes decades and enormous capital.

I wrote about how institutional logics shape cloud strategy decisions and geopatriation specifically, and digital sovereignty is the macro-political frame that makes those organizational decisions legible. Organizations are not geopatriating workloads purely because of technical preference. They are responding to a political environment where the location of data and computation has become a signal of alignment, risk, and regulatory compliance. The market logic (optimize for cost and performance globally) is competing with the sovereignty logic (optimize for control and legal protection locally), and the sovereignty logic is gaining ground.

This creates real operational complexity. A company running a single global cloud instance must now think about which data is subject to which localization requirements, which data transfer mechanisms apply to cross-border flows, and whether its chosen cloud provider's infrastructure actually sits within the required jurisdiction rather than just nominally serving it. These are not simple questions, and they do not have stable answers because the regulatory environment is still developing. The EU's Gaia-X initiative represents one attempt at a normative framework for European digital sovereignty, defining standards for what a "sovereign" cloud service should look like, but Gaia-X has moved slowly and the practical implications for vendor selection remain contested.

My own read is that digital sovereignty is a real policy force, not hype, and organizations that treat it as a compliance checkbox will find themselves repeatedly surprised. The Schrems II ruling came without much warning for many organizations that had been relying on Privacy Shield as a stable legal basis. The semiconductor export controls accelerated faster than most analysts predicted. These are not predictable events that compliance calendars capture. They are political decisions made by governments responding to geopolitical pressure, and the data architecture decisions that follow them are downstream of political relationships that most enterprise IT teams are not equipped to monitor. That gap between where the decision actually originates and where the operational impact lands is, I think, the real challenge digital sovereignty creates for IS practitioners.


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
