By Mark Dando on Information Age - Insight and Analysis for the CTO
It’s in the nature of the modern digital economy that most organisations use digital technologies they don’t produce themselves.
A new study indicates that more than 60 per cent of UK IT leaders consider the government’s dependence on US cloud services to be a significant threat to the country’s digital economy, its own industry, and data security. That concern also highlights a broader question: when it comes to digital infrastructure, how regionally anchored and operationally specific must a strategy be to truly serve its stakeholders, especially compared to platform-driven models that may appear scalable, but often fail to meet what most customers need?
This deep-rooted dependency on external providers for critical infrastructure, software, and digital services exists at a time when geopolitical tensions and supply chain uncertainties pose a risk to operational resilience and long-term digital autonomy. At the same time, regulatory pressure is increasing. The introduction of NIS2, DORA, the Cyber Resilience Act (CRA) and the EU AI Act is driving organisations, particularly in regulated sectors, to re-examine how they manage data, digital infrastructure and operational control.
In this context, data sovereignty, or the ability of an organisation to retain full control over its data, digital infrastructure and operational models, is a bigger priority than ever. What was once viewed as a compliance issue is now a core requirement for ensuring transparency, business continuity and the ability to act independently based on a resilient IT infrastructure.
Common misconceptions around data sovereignty
Although the concept of sovereignty is subject to greater regulatory control, its practical implications are often misunderstood or oversimplified, resulting in it being frequently reduced to questions of data location or legal jurisdiction. In reality, however, sovereignty extends across technical, operational and strategic domains.
In practice, these elements are difficult to separate. While policy discussions often centre on where data is stored and who can access it, true sovereignty goes further. For example, much of the current debate focuses on physical infrastructure and national data residency. While these are very important issues, they represent only one part of the overall picture. Sovereignty is not achieved simply by locating data in a particular jurisdiction or switching to a domestic provider, because without visibility into how systems are built, maintained and supported, location alone offers limited protection.
Another common assumption is that adopting cloud or third-party platforms means relinquishing sovereignty when, in reality, it is eminently possible to leverage external technologies while maintaining control, provided systems are designed with these requirements in mind. The underlying point is that sovereignty is not about rejecting external solutions; it is about being able to understand, manage, and, where necessary, replace them on an organisation’s own terms.
Regaining control of your data sovereignty
So, where does this leave the many thousands of organisations looking to change course and take more active control over their data sovereignty?
The first point to address is that achieving is not a binary state, but a process of reducing dependency and regaining control over critical decisions. It requires deliberate choices across architecture, operations and procurement guided by a clear understanding of what must remain within the organisation’s control and why.
Reaching this point often hinges on conducting a comprehensive assessment of existing dependencies. These may lie not only in the location of data, but in proprietary technologies, closed interfaces or reliance on external support models. Part of the ongoing challenge is that many of these dependencies are deeply embedded, making them difficult to identify without a structured approach.
Sovereignty also depends on the ability to make independent decisions as circumstances change. That might mean moving to a new provider, meeting updated regulatory demands or addressing unforeseen risks without disrupting operations.
On a practical level, organisations that succeed in achieving tend to work toward a few common goals. Crucially, this doesn’t mean abandoning commercial platforms. Still, it does require clear-eyed scrutiny of dependencies that could constrain future flexibility or expose organisations to external legal jurisdictions, even when infrastructure appears locally hosted.
A second consideration is how decisions are made and sustained over time. Sovereignty is rarely achieved through one-off procurement or compliance exercises. It requires continuous attention to how systems are governed, who has access and whether the organisation can still act independently if conditions change.
Building this level of assurance often requires new internal capabilities, including the ability to evaluate technologies on more than cost or convenience alone, and to ask hard questions about transparency, interoperability and long-term viability. These questions may be technical, but the implications are strategic.
What good looks like
Organisations that take it seriously tend to focus less on technical purity and more on practical control. That means understanding which systems are critical to ongoing operations, where decision-making authority sits and what options exist if a provider, platform or regulation changes.
Clearly, there is no single approach that suits every organisation, but these core principles help set direction. Systems built on open standards, that are regionally anchored and operationally specific, for example, are easier to adapt, in-house knowledge makes it easier to challenge assumptions and contracts that include clear exit terms or support localisation, which offer more room to manoeuvre if and when circumstances change. For organisations that reach this point, sovereignty becomes much less of a compliance headache and instead can help define key elements of long-term business strategy.
Key takeaways
- Data sovereignty is the ability for an organisation to retain full control over its data. Risk from external digital service/infrastructure providers and increasing regulation is causing organisations to reassess how they manage their data, digital infrastructure and operational control. The practical implications of sovereignty are often misunderstood or oversimplified, resulting in it being frequently reduced to questions of data location or legal jurisdiction. In reality, however, sovereignty extends across technical, operational and strategic domains.Achieving data sovereignty is not a binary state, but a process of reducing dependency and regaining control over critical decisions.Reaching this point may lie not only in the location of data, but in proprietary technologies, closed interfaces or reliance on external support models.It also depends on the ability to make independent decisions as circumstances change.Organisations that succeed in achieving tend to work toward a few common goals, but that doesn’t mean abandoning commercial platforms.Consider how decisions are made and sustained over time. Sovereignty is rarely achieved through one-off procurement or compliance exercises.
Mark Dando is GM for EMEA North at SUSE.
Read more
Ransomware payments to be banned – the unanswered questions – The government has announced a ban on ransomware payments from public sector organisations. We explore the loose ends to be tied
Driving business growth through effective productivity strategies – Productivity models are key to driving business growth and improving performance but the key is to be flexible and take a holistic view of the process
7 key strategies for MLops success – Here, we explain the main strategies for MLops (machine learning operations) success to help your organisation stay competitive
The post Making sense of data sovereignty and how to regain it appeared first on Information Age.
