Share
Why organizations need to treat sovereignty as a strategic design principle—not an afterthought.
Since the introduction of first-generation public cloud services in 2006, cloud adoption has grown rapidly, largely driven by a small group of U.S.-based hyperscalers. From the start, the ability to maintain control over data, infrastructure, and operations has been a persistent concern, particularly for governments and regulated sectors.
As regulatory frameworks evolve, geopolitical tensions increase, and the use of generative AI expands, digital sovereignty is becoming a strategic topic for many organizations
“Digital sovereignty means different things to different people. But at its core, it’s about control,” said Hans Bos, Security Assurance Lead for the EU Public Sector at AWS. “Where is my data? Who has access to it? How can I be sure of that?”
Webinar Digital Sovereignty
Watch this webinar with Hans Bos,Security Assurance EU Public Sector, AWS and Jeroen van der Leer, Cloud Strategy Consultant, Xebia to learn more about key regulatory frameworks and compliance considerations, a risk-based approach to evaluate and implement sovereignty, and sovereign-by-design solutions.
Understanding Sovereignty Through Client Concerns
Rather than forcing a rigid definition, sovereignty must be framed around the client's needs and context. This may include data protection regulations, industry-specific controls, or resilience strategies against political and legal uncertainty.
“The most important question we ask clients is: What are you concerned about?” said Jeroen van der Leer, Cloud Strategy Consultant at Xebia. “That conversation is the starting point for designing sovereignty—not technology.”
While regulators often operate under frameworks defined by national or supranational law (such as the GDPR), technical teams need practical implementation paths: encryption, access control, auditability, and architectural reversibility.
Moving Beyond the Privacy Debate
The discussion also addressed common misconceptions about international data transfer regulations. For instance, while the EU-U.S. Data Privacy Framework received an adequacy decision from the European Commission in 2023, enabling compliant data flows to U.S. service providers enrolled in the framework, some concerns remain about how long the framework will stand, especially under potential political changes in the U.S.
“A lot of legal uncertainty stems not from what’s written today, but from what could be reversed tomorrow,” noted Bos. “That’s why many public sector organizations are asking for more technical and operational safeguards on top of legal agreements.”
Resilience as a Design Goal
Beyond compliance, resilience can be seen as a critical driver of digital sovereignty. This includes the ability to migrate workloads, adapt to jurisdictional changes, and continue operating under adverse conditions.
“Resilience isn't just about failover or uptime,” said van der Leer. “It’s about the ability to retain operational control even if legal frameworks shift, or if you need to move to a different provider.”
This is especially important in sensitive sectors such as healthcare, finance, and government, where operational continuity and data assurance are non-negotiable.
A Structured Approach to Sovereignty
Instead of positioning sovereignty as a binary or static state, both Xebia and AWS recommend a risk-based, iterative process, tailored to the organization’s exposure and regulatory context.
“You don't have to solve everything at once,” said van der Leer. “But you do need a clear understanding of what you're solving for.”
That process typically includes:
- Classifying data and workloads by criticality and exposure
- Assessing technical, legal, and operational risks
- Implementing mitigating controls such as customer-managed keys or access isolation
- Designing for portability to reduce long-term dependency
- Reviewing regularly to adjust for changing circumstances
Conclusion: A Longstanding Concern That’s Not Going Away
Digital sovereignty is not a trend. It has always been a concern, particularly for those operating in sensitive or regulated environments. But the context has changed: with the rise of AI, increased regulatory complexity, and global dependencies, the stakes are higher.
“Sovereignty isn't about rejecting the cloud. It’s about using it on your own terms,” said Bos. “The capabilities are there. The question is: how do you use them responsibly?”
Organizations that adopt a structured, risk-informed approach to sovereignty will not only ensure compliance. Instead, they will gain the flexibility and control needed to navigate an ever-changing future.
Meet the Experts
|
|
|
|
Hans Bos |
Jeroen van der Leer Cloud Strategy Consultant @ Xebia |