Sovereign Cloud Is Growing 35.6% Per Year. Geopolitics Is Now an IT Architecture Decision.

When a court ruling in Luxembourg changes where a German hospital can store patient records, cloud architecture is no longer a purely technical decision.

2026-05-14 · 6 min read · IT Governance & Strategy · Trust & Security

Gartner released updated IT spending figures this spring showing that worldwide sovereign cloud IaaS will hit $80 billion in 2026, a 35.6 percent growth rate from 2025 (https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026). As an IS researcher sitting in May 2026, that number feels like a verdict more than a forecast. It tells me that the era of geography-agnostic cloud architecture is already over, even if many organizations have not caught up to that reality yet. The growth is not being driven by hyperscalers inventing new services. It is being driven by courts, parliaments, and regulatory agencies deciding that where data lives, and under whose legal jurisdiction, is a governance matter, not a procurement footnote.

The case I keep returning to is Schrems II. In July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield. The question was whether the United States offered equivalent data protection to the EU. The court said no, citing US surveillance law, specifically the legal framework that allows American intelligence agencies to access data held by US companies regardless of where that data is physically stored. Overnight, cloud contracts routing EU personal data through US infrastructure became legally uncertain. What had been an IT decision became a legal one, and then a political one. That is the origin point of the sovereign cloud growth story. The $80 billion figure is what that ruling, compounded by GDPR, the EU AI Act, and analogous laws in India, Brazil, and China, has produced in terms of capital commitment.

The IS theory that helps me make sense of this is the resource-based view of the firm, specifically Barney's (1991) argument that strategic resources are valuable, rare, inimitable, and non-substitutable. For a decade, cloud infrastructure was understood as a commodity: scalable, standardized, and interchangeable across providers and regions. Sovereignty changed the resource calculus. A German hospital that can demonstrate full data residency within German jurisdiction, with a provider not subject to foreign intelligence law, has something that a hospital running on a US hyperscaler in the Frankfurt region cannot fully claim. Data sovereignty, when it becomes a legal requirement and a market differentiator, transforms from a compliance checkbox into a strategic resource. Organizations are now making $80 billion worth of capital decisions based on that transformation.

The Melville, Kraemer, and Gurbaxani (2004) IT value model is also useful here. That model argues that IT capability and its value are shaped by the external environment, including the regulatory, competitive, and macroeconomic context. What we are seeing in sovereign cloud is the regulatory environment directly reshaping IT architecture decisions at scale. The external environment is not just influencing how organizations use their IT. It is determining what IT configurations are legally permissible. Cloud architecture is now an artifact of geopolitics in a way the Melville model would predict, but that few practitioners fully internalized before Schrems II.

The EU AI Act adds another layer to the same problem. High-risk AI requirements take full effect in August 2026 (https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai). Organizations using AI in hiring, credit scoring, healthcare, or critical infrastructure serving EU residents must demonstrate conformity before deployment. The AI system's architecture, including where training data is stored, where inference runs, and where logs are kept, becomes a compliance variable. An American AI vendor whose infrastructure is geographically and legally outside EU jurisdiction faces a harder conformity argument than one running inside EU-sovereign infrastructure. The EU AI Act has turned cloud architecture into a pre-condition for regulatory authorization, not just a performance or cost variable.

What I find most interesting, and somewhat underexplored in the IS literature, is what this does to the internal decision-making structure of organizations. IT governance scholarship, from Weill and Ross (2004) onward, has focused on internal stakeholders: who owns which decisions, how IT and business align, what accountability structures produce better IT outcomes. The Schrems II ruling put a court in Luxembourg into the IT governance picture. GDPR added data protection officers. The EU AI Act adds compliance teams with specialized AI knowledge requirements. The 35.6 percent growth rate in sovereign cloud is not just a market signal. It is evidence that the "who" in IT governance has expanded beyond the organization's walls, and some of those external actors have legal authority to override the organization's preference for efficiency.

This is also where DiMaggio and Powell's (1983) institutional isomorphism applies. Their concept of coercive isomorphism describes how organizations conform to external regulatory pressures not because conformance produces internal value, but because failure to conform carries legal or reputational consequences. Sovereign cloud adoption looks like coercive isomorphism at $80 billion scale. Organizations are not restructuring their cloud architecture because geo-local infrastructure is technically superior. Many are doing it because a data protection authority, a court ruling, or a government procurement requirement has made the alternative legally or politically untenable. Understanding this distinction matters for IS research because it changes what we should expect these investments to deliver. Coercively isomorphic adoption tends to produce compliance on paper with variable operational change underneath.

From where I sit as an IS researcher, what surprises me is how slowly the governance literature has responded to this shift. We have robust frameworks for analyzing how boards and CIOs share decision rights. We have much less work on how organizations make architecture decisions when one of the effective "decision-makers" is a court ruling in a foreign jurisdiction or a regulation with extraterritorial reach. The Schrems II ruling changed the decision rights for EU data architecture without anyone inside any affected organization casting a vote. That is a form of external governance that the standard IS governance models do not capture well, and I think it deserves its own research stream.

The worry I carry is about the organizations that are not in the $80 billion growth figure yet. The sovereign cloud market captures explicit, intentional capital investment. It does not capture the organizations still running on globally agnostic cloud architectures, operating under legal assumptions that a court has already invalidated, waiting for a data protection authority to make the consequences real. GDPR compliance, five years after it entered into force, remains uneven. The EU AI Act in August 2026 will likely follow the same pattern: a wave of early movers, a long tail of non-compliance, and a regulatory enforcement calendar that determines which organizations feel the consequences first. The data point I want to see is not how much is being spent on sovereign cloud, but how much sovereign cloud spending is actually producing compliant architectures versus compliant-looking documentation. My research instinct says those two numbers are not the same.


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
