Data Sovereignty Moves from Compliance Issue to Core Infrastructure Challenge for Organizations


For much of the last decade, data sovereignty was largely treated as a legal or compliance concern. It was typically managed by legal teams while IT departments focused on building networks and deploying technology. If regulators asked where company data was stored, the responsibility generally fell outside the infrastructure team.

However, that traditional separation is quickly disappearing—and arguably should have done so earlier. Rapid cloud adoption, evolving geopolitical tensions, the rise of AI workloads requiring local processing and a surge in enforced data residency regulations have transformed data sovereignty into a fundamental infrastructure issue. For many organizations, it has now become a strategic priority rather than just a compliance box to tick.

What’s Driving the Shift

Regulations like the General Data Protection Regulation (GDPR) have applied since May 2018, and financial regulators across Europe, the United Kingdom and Asia-Pacific have long imposed rules governing cross-border data movement. While these frameworks are not new, enforcement has intensified significantly.

At the same time, newer measures are expanding the compliance landscape: the NIS2 directive, the Digital Operational Resilience Act (DORA) for the financial sector, and the national laws that supplement the GDPR in individual countries. Combined with geopolitical developments, these factors have introduced a layer of risk that organizations did not fully anticipate.

Previously, concerns were centered on companies outside China hesitating to work with Chinese vendors due to fears about government access to corporate data. That scrutiny is now being directed toward U.S.-based cloud providers as well, with governments and enterprises reassessing the implications of foreign jurisdiction over critical infrastructure.

This shift is pushing organizations—especially those operating in regulated sectors such as finance, defense, critical infrastructure and government—to ask deeper questions about what “in-country” data storage truly means. Even if information is stored within national borders, access to that data may still travel through infrastructure operated under a different jurisdiction.

A common oversight is assuming that storing data in a certified domestic data center automatically guarantees sovereignty. In many cases, the network path users take to reach the data passes through cloud security providers that do not meet the same sovereignty standards: the data at rest stays local, but the access infrastructure does not. Checking this means tracing the whole path rather than the storage location alone, including where DNS names resolve, where TLS is terminated, which point of presence the SSE or CDN layer uses, and which operator and jurisdiction each network hop belongs to.
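As an added illustration (not part of the original article), the following Python script models that check against a constructed traceroute capture: it attributes every hop to an operator and jurisdiction, and reports separately whether the data store itself is in scope and whether the whole access path is. The prefix table, the traceroute output, the operator names and the two-letter jurisdiction codes are all assumptions made up for the example; a real check would draw the operator and jurisdiction of each prefix from the asset inventory, contracts and RIR data rather than a literal table.

```python
"""Access-path sovereignty check over traceroute output.

Added example, not code from the article or from any vendor it mentions.
Everything below (prefix table, traceroute text, jurisdictions) is constructed.
"""
import ipaddress
import re

# Constructed lookup: (prefix, operator, jurisdiction). The 192.0.2.0/24 and
# 198.51.100.0/24 ranges are documentation prefixes standing in for a
# hypothetical SSE point of presence and a hypothetical domestic data center.
PREFIX_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "corporate LAN", "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "domestic data center", "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "SSE provider POP", "US"),
]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed traceroute capture from a client on the corporate LAN to the
# in-country data store; hop 3 transits an SSE POP, hop 4 did not answer.
SAMPLE_TRACEROUTE = """\
traceroute to data.example.internal (198.51.100.20), 30 hops max, 60 byte packets
 1  10.1.0.1 (10.1.0.1)  0.412 ms  0.380 ms  0.355 ms
 2  10.200.0.1 (10.200.0.1)  1.204 ms  1.150 ms  1.120 ms
 3  192.0.2.10 (192.0.2.10)  9.871 ms  9.800 ms  9.750 ms
 4  * * *
 5  198.51.100.20 (198.51.100.20)  12.330 ms  12.200 ms  12.100 ms
"""


def parse_traceroute(text):
    """Yield (hop_number, ip_or_None) for each hop line; header lines are skipped."""
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        ip_m = IPV4_RE.search(rest)
        yield hop, (ip_m.group(1) if ip_m else None)


def classify(ip):
    """Longest-prefix match against PREFIX_TABLE; unknown addresses give (None, None)."""
    if ip is None:
        return None, None
    addr = ipaddress.ip_address(ip)
    best = None
    for net, operator, jurisdiction in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, operator, jurisdiction)
    return (best[1], best[2]) if best else (None, None)


def evaluate_path(traceroute_text, allowed_jurisdictions):
    """Return whether the final hop (the store) and the full path stay in scope.

    Hops that cannot be attributed count as violations, so the check fails closed.
    """
    hops = list(parse_traceroute(traceroute_text))
    violations = []
    for hop, ip in hops:
        operator, jurisdiction = classify(ip)
        if jurisdiction not in allowed_jurisdictions:
            violations.append((hop, ip, operator or "unknown", jurisdiction or "unknown"))
    _, last_jurisdiction = classify(hops[-1][1]) if hops else (None, None)
    return {
        "storage_in_scope": last_jurisdiction in allowed_jurisdictions,
        "path_in_scope": not violations,
        "violations": violations,
    }


if __name__ == "__main__":
    result = evaluate_path(SAMPLE_TRACEROUTE, {"DE"})
    print("storage in scope:", result["storage_in_scope"])
    print("path in scope:   ", result["path_in_scope"])
    for hop, ip, operator, jurisdiction in result["violations"]:
        print(f"  hop {hop}: {ip or '*'} ({operator}, {jurisdiction})")
```

On the constructed capture the last hop is in scope, so a storage-only check would pass, but the path check fails: hop 3 sits in an SSE point of presence under a different jurisdiction, and hop 4 could not be attributed at all. Treating unattributed hops as violations is deliberate; a silent gap in the path is exactly where an out-of-scope intermediary hides.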

European regulators are already developing frameworks to close this gap, raising an important question for organizations: whether their architecture is prepared for these changes or lagging behind them.

The Overlooked Security Architecture Challenge

Another complicating factor is the way modern cloud security systems are designed. Many enterprises rely on Security Service Edge (SSE) architectures, which were originally optimized for outbound connections, such as employees accessing cloud applications.

Inbound traffic, however, often still depends on traditional on-premises firewalls built for older perimeter-based networks. As corporate environments become more distributed, this dual-architecture approach introduces operational complexity and potential security gaps.

In a sovereignty-focused environment, these gaps become more problematic. Running separate cloud and on-premises security models increases the likelihood that sensitive data will pass through infrastructure that fails to meet regulatory requirements.

Organizations that have faced sovereignty challenges for years—such as defense agencies, large banks and operators of critical infrastructure—have typically addressed the issue by building and operating their own security stacks. While effective, this approach requires substantial financial resources and specialized expertise, making it impractical for many businesses.

AI Workloads Add New Complexity

Much of the current enterprise discussion around AI security focuses on controlling employee access to AI tools to prevent sensitive data exposure. While important, experts argue that the bigger challenge lies elsewhere.

As AI systems move from centralized cloud inference to local or edge deployments, data sovereignty becomes even more critical. Retailers may run fraud detection models inside stores, banks may perform biometric verification in branches and manufacturers may deploy predictive maintenance systems on factory equipment.

These real-world scenarios involve sensitive operational data that organizations often prefer to keep within their own infrastructure.

The rise of agentic AI introduces additional complications. Traditional network architectures such as SASE (Secure Access Service Edge) and SSE were designed around predictable traffic flows: users accessing applications. Agent-based AI systems instead generate multidirectional communication: agents interacting with one another, connecting to external APIs, accessing local datasets and communicating with cloud services.

Applying consistent security policies to this dynamic traffic pattern is far more complex than what most enterprise security teams have managed previously.

A Vendor Approach to Sovereign Infrastructure

In response to these challenges, networking and security company Versa recently introduced what it calls Sovereign SASE-as-a-Service. The managed service is built on the company’s unified networking and security platform and aims to provide cloud-based operations without routing data through third-party cloud infrastructure.

Versa CEO Kelly Ahuja explained that sovereign deployments have long been a major part of the company’s customer base.

"I was doing this analysis, that of our top 100 accounts over, I think 85 to 90% of them are all sovereign," Ahuja told me. "Meaning, we give them software. They deploy their own environment, they operate it. We don’t even know what's going on."

The new service expands that model to organizations that lack the resources to operate sovereign infrastructure themselves. Versa delivers the offering primarily through partnerships with more than 150 global service providers and telecommunications companies that build managed services on top of its platform.

One example cited is Swiss telecommunications provider Swisscom, which offers secure connectivity as a standard service tier with built-in sovereignty protections. This allows smaller enterprises to access sovereign security capabilities without deploying their own enterprise-grade SASE systems.

Questions Organizations Should Be Asking

Compliance requirements such as GDPR, NIS2 and DORA provide a baseline for organizations evaluating their data governance strategies. However, meeting regulatory requirements does not necessarily reflect an organization’s true risk exposure.

Security leaders should consider several critical questions:
  • Does the security layer controlling access to sovereign data meet the same sovereignty requirements as the data storage itself?
  • How will data sovereignty be maintained as AI workloads expand across distributed infrastructure?
  • Can the organization maintain a consistent sovereignty posture across multiple jurisdictions with varying regulations?
Managing data sovereignty within a single country can already be complex. Scaling that architecture across multiple regions while supporting distributed workforces and AI-driven systems introduces an entirely new level of operational difficulty.

Organizations that start addressing these questions today are likely to be better prepared than those that wait for a regulatory deadline—or a security incident—to force the issue.

Managed service models offer one possible solution to the resource challenge, though they are not the only option. Ultimately, the right approach depends on an organization’s size, risk tolerance and regulatory obligations.

What is clear, however, is that the challenges surrounding data sovereignty are not disappearing. If anything, they are becoming more intricate as technology, regulations and geopolitics continue to evolve.