Geopolitical fragmentation, the risk of sanctions, and extraterritorial regulation are reshaping regulatory policy and enterprise IT decisions. Sovereign cloud—a model that ensures data is stored, processed, and governed within a specific jurisdiction under local legal frameworks—has become a critical topic on the CIO and CEO agendas, particularly in Europe. What were once considered compliance concerns are now manifesting as real operational risks. In response, regulatory developments are accelerating a broader push toward localization and more deliberate workload placement.

Sovereignty doesn’t mean isolation from global cloud providers. The promises of public cloud—cost efficiency, fast scaling, rapid innovation—are at risk if enterprises cannot access the services of hyperscalers. To preserve those benefits, and to avoid overpaying for compute, storage, and other cloud services, technology teams need to identify where dependence is acceptable and where independence is essential.

In practice, this means continuous assessment of risk segmentation. Leading enterprises are reframing sovereignty as a spectrum, not a binary state. Done well, sovereignty is not a constraint but a source of freedom of action—the ability to operate uninterrupted, adapt rapidly, or shift workloads as regulatory, geopolitical, or market conditions change.

Reframing sovereignty as a spectrum

Sovereignty has expanded beyond legal frameworks to encompass two dimensions:

• jurisdictional control over data and
• control over critical technology platforms.

Both introduce strategic and operational risk into decisions that until recently were viewed as regulatory compliance matters.

European policymakers saw a vivid illustration of this risk in February 2025. In response to sanctions put in place by the US administration, a global cloud provider assisted in disabling the email account of a prosecutor at the International Criminal Court. Although the provider later clarified that it would not intervene in similar cases, the incident underscored a stark reality: Access to essential digital infrastructure can become a geopolitical lever. By October, the ICC announced it would transition from the proprietary software to openDesk, an open-source office and collaboration suite.

Despite these risks, it’s difficult for many organizations to imagine operating without access to global cloud platforms. For most, the question isn’t whether to depend on global providers, but where and how. For example, customer service applications may run on public cloud infrastructure. But critical citizen or consumer data should reside within locally controlled, sovereign environments.

Highly regulated sectors have long embedded this discipline into business continuity planning and critical service mapping. Global financial institutions, for example, design architectures that enable local or regional storage of customer data, even as enterprise-wide processes operate across global networks. The principle is clear: Segment workloads by business importance, not convenience.

Too often, organizations begin to move to sovereign or local cloud only after incidents or regulatory pressure. The French Health Data Hub, which facilitates access to health data across dozens of government agencies and other organizations, offers a case in point. In February 2026, it decided to migrate from a US-based cloud provider to a European service in order to address persistent concerns about data control.

Balancing global and local cloud

The most effective cloud sovereignty strategies avoid default choices and instead design hybrid and multicloud architectures grounded in risk exposure and value creation. Decisions follow capabilities and requirements, not legacy preferences.

• Local and sovereign providers offer stronger alignment with local laws, reduced jurisdictional exposure, and greater flexibility in governance design.
• Global cloud providers deliver scale, advanced platform capabilities, and faster innovation cycles.

STACKIT illustrates how these strengths can be combined. As a European sovereign provider partnering with a global cloud service, it offers a sovereign version of Google Workspace hosted exclusively in German and Austrian data centers. Governed under EU law and insulated from extraterritorial exposure, the platform is gaining traction among public-sector bodies and regulated enterprises processing sensitive workloads—particularly in AI, healthcare, and smart city initiatives—within Germany.

In another example, a global aerospace company operating commercial and defense businesses across several regions must confront a range of sovereignty requirements for its enterprise, customer, and classified workloads. To meet those needs, the company has put in place a tiered sovereign architecture with three layers:

• Shared, global commercial and government cloud environments provided by hyperscalers for enterprise and customer data, with strong segmentation and compliance controls.
• Country-specific sovereign deployments with dedicated landing zones and localized control planes. Landing zones are secure, preconfigured cloud environments that establish guardrails for identity, security, and compliance. Localized control planes govern how infrastructure and services are provisioned, managed, and monitored within national boundaries. Together, they meet stricter national residency, regulatory, and operational requirements.
• Fully isolated, air-gapped, and emulated environments for classified programs (for example, top-secret US defense workloads), incorporating in-country infrastructure, restricted personnel access, and high-side (fully isolated, classified) network separation.

This structured model helps the company balance global scale and innovation with differentiated sovereignty tiers aligned to regulatory intensity and mission sensitivity.

Planning a sovereign architecture

Successful migrations or repatriations follow a clear sequence: Leaders begin by identifying business processes that are critical for customers, safety, revenue, or regulatory standing. They then map the full dependency stack supporting these processes, including data, applications, platforms, vendors, and operational skills.

Sovereignty becomes durable only when institutionalized: embedded in recurring workload classification and architectural governance, and integrated into DevSecOps and sourcing decisions.

Finally, organizations use a structured decision matrix to place workloads across public cloud, sovereign cloud, hybrid, or on-premise environments based on importance and risk (see Figure 1).

Figure 1

Ready to get started?

Three decisions can help launch a sovereign cloud strategy.

• Which workloads matter most? Identify the processes that are critical to customer trust, regulatory standing, and revenue. Segment them by business impact, not technical convenience.
• Where is dependence acceptable, and where is independence essential? Determine which data and platforms can remain on global hyperscalers’ infrastructure and which require sovereign, localized, or fully isolated environments.
• How will sovereignty be embedded into operating discipline? Define how workload classification, architectural governance, and sourcing decisions will reinforce sovereignty over the long term.

Compliance and risk issues may be the forcing function for developing a sovereign cloud plan, but its strategic value runs deeper. Leading organizations treat it not as a box to check but as a continuous discipline that evolves with business priorities, technology shifts, and regulatory change. Acting deliberately today positions them for greater regulatory certainty, deeper customer loyalty, and the operational flexibility required in an increasingly fractured world.