IT Governance & Strategy

Sovereign Cloud at $80 Billion Is a Geopolitics Story, Not a Compliance Story

Sovereign cloud IaaS hits $80 billion in 2026 with 35.6% growth. What Gartner is forecasting is not a compliance checkbox trend. It is governments rewriting the rules of infrastructure.

2026-05-14 · 6 min read IT Governance & StrategyPlatforms & EcosystemsTrust & Security

I was reading a Gartner forecast from earlier this year and found a number I had not seen get the attention it deserves. Worldwide sovereign cloud IaaS spending will reach $80 billion in 2026, a 35.6% increase from 2025 (https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026). That is one of the fastest growth rates in any infrastructure segment right now. It is faster than overall cloud IaaS growth. It is faster than AI software. And most of the coverage I have read treats it as a compliance story, a dry accounting of regulatory requirements pushing organizations to keep data in-country. I think that framing misses what is actually happening.

Sovereign cloud is not primarily a compliance checkbox. It is a reflection of a political judgment that has been building in Europe, parts of Asia, and now in other regions: that critical national infrastructure should not depend on companies headquartered in foreign jurisdictions with different laws, different interests, and different security relationships. That judgment predates the current wave of US-China technology tensions, though those tensions have accelerated it. It was already visible in 2020 when the European Court of Justice issued the Schrems II ruling, invalidating the EU-US Privacy Shield framework on the grounds that US surveillance law gives American intelligence services access to data held by US companies regardless of where that data physically resides. The ruling did not just create a compliance problem. It formalized a sovereignty problem that European governments had been privately worried about for years.

The regulatory layer on top of this is extensive and still growing. GDPR gave European data protection authorities real enforcement power, and the record of fines since 2018 shows they are using it. The EU AI Act adds another dimension for organizations deploying AI systems. France's HDS certification scheme for health data requires that any organization hosting French health records use infrastructure that is subject to French law and meets specific security standards. Germany has equivalent frameworks for certain categories of government and healthcare data. What this creates is a patchwork of requirements that organizations operating across Europe must navigate, and the practical answer for many of them is that hyperscaler standard regions are not sufficient for certain data categories, full stop.

I want to be careful here about what I mean by "sovereign cloud," because it is a term that covers several different arrangements. One version is a domestic cloud provider that operates entirely within national borders under national law, companies like France's OVHcloud or Deutsche Telekom's Open Telekom Cloud in Germany. Another version is a hyperscaler operating a dedicated, isolated region specifically built to meet national sovereignty requirements, with contractual guarantees about data residency, staff security clearances, and structural separation from the provider's global network. A third version is a government-owned cloud, built and operated by a national entity to avoid dependence on commercial infrastructure entirely. These are meaningfully different approaches with different cost structures, different capability levels, and different political implications.

The fact that AWS, Azure, and Google Cloud have all invested heavily in the second version, dedicated sovereign regions with government-grade isolation, tells you something important about market dynamics. These providers are not building sovereign cloud offerings out of altruism or regulatory compliance. They are building them because large government and regulated-industry customers are increasingly requiring it as a condition of doing business, and the alternative is losing those contracts to domestic providers. The investment required to build and certify these offerings is substantial, which means the market has to be large enough to justify it. The $80 billion forecast suggests it is.

This is where I think institutional isomorphism (DiMaggio and Powell 1983) is genuinely illuminating, though maybe not in the way DiMaggio and Powell originally intended it. Their argument was that organizations adopt similar structures and practices not because those practices are demonstrably more efficient, but because conforming to institutional norms confers legitimacy. The organizations that were early adopters of cloud computing were partly motivated by efficiency, but partly by legitimacy pressure, the sense that modern digital organizations run on public cloud, and not being on public cloud was falling behind. Sovereign cloud is creating a parallel but opposite pressure. In European regulated industries, running sensitive data on standard hyperscaler infrastructure now carries a legitimacy problem, not adopting sovereign cloud is becoming the thing that looks like it is not taking governance seriously.

The geopolitical dimension deserves to be stated directly. Several of the same governments that are driving sovereign cloud adoption have also watched the US-China technology decoupling play out and drawn conclusions about what infrastructure dependency on foreign firms actually means. If your country's health data, financial systems, and government operations run on infrastructure controlled by companies subject to another country's laws, then your operational sovereignty depends partly on that other country's goodwill and legal restraint. That is a risk that governments, especially in Europe, have decided is no longer acceptable to carry implicitly. Sovereign cloud is one response to that risk calculation.

The IS research implications here are genuinely interesting to me, because most of our theoretical frameworks for technology adoption were developed in an environment where the dominant constraints on infrastructure choices were technical and economic. TAM (Davis 1989) asks about perceived usefulness and ease of use. RBV (Barney 1991) asks about resource characteristics that generate competitive advantage. Neither framework was designed to handle a situation where the relevant constraint is national sovereignty law. Sovereignty as an institutional constraint on infrastructure decisions is relatively undertheorized in our literature. Organizations do not adopt sovereign cloud because it is easier to use or because it generates a resource-based competitive advantage. They adopt it because the institutional environment in which they operate has changed in ways that make the alternative legally and politically untenable.

What worries me as a researcher is whether we will get good empirical data on what sovereign cloud actually costs organizations in capability terms. The premium pricing relative to standard hyperscaler regions is real. The reduced feature parity for newer services, since sovereign regions often lag the provider's main regions in available capabilities, is real. The complexity of managing data across environments where some workloads can go in standard regions and others cannot is real. These are costs that organizations are absorbing, and the $80 billion figure represents organizations deciding those costs are worth paying. But I have not yet seen systematic research on what sovereign cloud requirements are doing to the speed and quality of digital transformation in the organizations subject to them. That is a research gap that matters, because governments are making policy based on an assumption that sovereignty requirements and digital capability are compatible, and I am not confident that assumption is being tested rigorously.

---
claims_checked:
- "Sovereign cloud IaaS $80B in 2026, 35.6% growth (Gartner April 2026)": "https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026"
- "Schrems II 2020, EU Court of Justice, Privacy Shield invalidated": "widely documented legal history"
- "GDPR enforcement record, fines since 2018": "publicly available enforcement data from EU data protection authorities"
- "France HDS certification scheme": "publicly documented French regulatory requirement"
claims_unverified:
- "AWS, Azure, Google Cloud dedicated sovereign region investments: widely reported in technology press, not linked to specific announcements"
- "OVHcloud and Deutsche Telekom Open Telekom Cloud as sovereign examples: widely documented, no single URL cited"
- "Sovereign regions lagging main regions in feature availability: widely reported, not sourced to a specific comparison"
sources_used:
- "https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026"
word_count: 1080

About the author

A
Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.

in gs

Share

More notes

← Previous
Spatial Computing and the Enterprise AR Story Nobody Is Telling
Next →
Sovereign Cloud Is Growing 35.6% Per Year. Geopolitics Is Now an IT Architecture Decision.

Related notes

IS Theory
Data Governance Is Institutional Work, Not IT Administration
6 min read
Organizational Theory
Digital Colonialism Is an IS Theory Problem, Not Just Politics
8 min read
IS Theory
ERP Failure Is Not a Technology Problem. It Is a Structuration Problem.
7 min read