Data Sovereignty in the Age of Geopolitical Uncertainty

 

From the ongoing war in Ukraine, to instability in the Middle East, and rising tensions in the South China Sea, global conflicts are proving that digital systems are deeply exposed to geopolitical risks. Speaking at London Tech Week, UK Prime Minister Keir Starmer highlighted how warfare has evolved, noting that it “has changed profoundly,” and emphasizing that technology and AI are now “hard wired” into national defense. His remarks underscored a critical point—IT infrastructure and data management must be approached with security at the forefront.

But achieving this is no easy task. New research from Civo reveals that 83% of UK IT leaders believe geopolitical pressures threaten their ability to control data, while 61% identify sovereignty as a strategic priority. Yet, only 35% know exactly where their data is located. This isn’t just a compliance concern—it signals a disconnect between infrastructure, policy, and long-term strategy.

Once seen as a policy or legal issue, data sovereignty is now a live operational necessity. With regulatory fragmentation, mounting cyber threats, and increasingly complex data ecosystems, organizations must actively manage sovereignty. Whether it’s controlling access to AI training data or meeting residency rules in healthcare, sovereignty dictates what businesses can and cannot do.

Legislative frameworks such as the EU Data Act, the UK’s evolving stance post-Brexit, and stricter critical infrastructure policies are shaping enterprise resilience. As Lord Ricketts stated in the House of Lords, “the safe and effective exchange of data underpins our trade and economic links with the EU and co-operation between our law-enforcement bodies.” Building trust now depends on robust and enforceable data governance.

Public cloud adoption has given many businesses the illusion of flexibility, but moving quickly isn’t the same as moving securely. Data localization, jurisdictional controls, and aligned security policies must be central to enterprise strategy. This demands a shift: design IT systems for agility with control, or risk disruption when regulations inevitably change.

Sovereignty-aware infrastructure is not about isolation, but about visibility, governance, and adaptability. Organizations must know where data is stored, who can access it, how it travels, and which policies apply at each stage. A hybrid multicloud approach offers the flexibility to scale, while keeping sovereignty and governance intact. For instance, financial firms may need to keep sensitive transaction data within the UK but still run analytics in the cloud—an architecture that enables agility without sacrificing compliance.

Generative AI further complicates sovereignty. Training models with private datasets, deploying inference at the edge, or simply exchanging prompts across jurisdictions introduces new risks. Many businesses have embraced AI without aligning deployments with residency or compliance requirements. Sovereignty now extends beyond storage—it covers compute, access patterns, and third-party model interactions.

Building sovereignty into design requires collaboration between IT, legal, and compliance teams, as well as infrastructure that supports location-aware policies from day one. Research from Nutanix shows the urgency: 94% of public sector bodies are using generative AI tools, yet 92% admit their security isn’t sufficient, and 81% say their infrastructure falls short of sovereignty needs.

Customers and partners are increasingly demanding transparency—knowing where data resides, how it is used, and whether governance is enforced. Regulators are also raising expectations beyond “checkbox compliance.” In sectors like healthcare, education, finance, and government, sovereignty is now synonymous with trust and continuity.

The path forward starts with clarity. Organizations must know where their data lives, what laws apply, and whether their infrastructure can support hybrid deployment, location controls, and detailed audits. They must also plan for generative AI workloads with sovereignty in mind, ensuring scale does not come at the expense of compliance.

Ultimately, sovereignty should be treated not as a restriction, but as a design principle. Businesses that do this will not only remain compliant but will also build resilience, transparency, and long-term trust. In an environment where data moves faster than regulation, maintaining control is no longer optional—it is fundamental to good governance and sound business strategy.