Until recent years, if you asked a colleague where your data was, they’d likely give you a funny look. Colloquialisms like “in the cloud” or “on your computer” told the average worker all they needed to know.
This is changing. Geopolitical difficulties, the ever-growing power of technology giants, and the normalisation of AI have combined to bring the term ‘data sovereignty’ into public discourse. More than that, it has brought the topic to the board room.
Historically, the issue of sovereignty focused on mission-critical, highly sensitive data — things like health records, customer profiles, or financial transactions. It was a specialist issue in a small, focused part of the wider business.
Now, the need to retain control over your data is broadening that conversation to things as basic as email addresses, system logs, and even low-value metadata. Sovereignty is now a question of whether businesses are able to retain command and control over their data across borders, jurisdictions, and technologies.
We see this everywhere from core infrastructure to government policy. How did a failure in a data centre in Virginia bring down a quarter of the internet worldwide? Why is the French government replacing huge platforms like Microsoft Teams and Zoom with domestic alternative Visio? Why is the US government telling its diplomats to try and slow the EU’s development of data sovereignty rules?
In all cases, the answers relate back to sovereignty.
Businesses face new pressure over cross-border data
At Confluent, the last twelve months have seen a 300% leap in sovereignty-related enquiries. What would once have been buried within a huge compliance document is now the focus, with issues like cross-border access, operational control, and data residency all priority issues.
This tells us that sovereignty isn’t just a fad; board-level decisions are driving these conversations. Business leaders need to be absolutely sure that they control the data that moves across borders, and that it does so with the right safeguards and in the right circumstances.
Imagine a global helpdesk at an international company. You might be required to provide round-the-clock support to tens of different countries, all of which have their own rules for data regulation and privacy. Can your team handle all the data they need to without breaching those rules? If the data doesn’t move, does remote access count as a breach?
It’s these sort of practical complexities that are now driving corporate conversation. Vendors are coming under increasing scrutiny when it comes to answering these questions, and the penalties of failing to do so are ever-growing.
Outsourcing control does not outsource responsibility
This kind of example is further complicated by the introduction of frameworks like the Digital Operational Resilience Act (DORA). In fact, this kind of legislation is partially designed to ensure that compliance and regulation is raised at the start of any corporate relationship.
DORA makes it mandatory for financial organisations to meet certain thresholds for resilience against cyber threats. Crucially, this includes third-party tech providers that your organisation uses.
This is significant because most companies will have no control over the servers or data centres of a third-party provider. Nor will they be able to impact the personnel available to respond to incidents, or the quality of updates and patches that keep these systems safe. But their accountability for these things does not change — control has been outsourced, but responsibility has not.
If that partner does not meet your standards, it is still your company that will have to pay the price. Are your departments and teams aligned on that? How do technology, legal, and compliance teams resolve their differences?
Compliance becomes a commercial differentiator
The complexities of this situation have made compliance a selling point in and of itself, and a differentiator for tech platforms across the board. Customers and regulators are pushing for greater transparency and protection, and vendors are racing to meet that market need.
That means offering governance frameworks as part of any core value proposition. It means acquiring the certifications needed to offer certain levels of data protection and agency. It means conducting some of the most in-depth, impressive audit regimes in the corporate world to date.
All of these things are dependent upon one starting point: auditing your data. You need to know what you have, where it lives, and who can access it before anything else.
Technical and compliance teams need to be aligned on this state of affairs, and agree on the right approach to risk and accountability. That extends to third-party partners and providers, particularly with business-wide systems like cloud platforms, to make sure that everyone agrees how control is actually maintained in practice.
As AI adoption accelerates and regulatory pressure grows, these challenges will only become more pressing.
Data sovereignty starts with visibility
Businesses cannot afford to treat sovereignty as a technical footnote or a compliance afterthought. It needs to be built into the foundations of their data strategy, from infrastructure choices to vendor relationships and internal governance.
The organisations that get this right will not simply reduce risk. They will build greater trust with customers, regulators and partners. In a world where data is constantly in motion, sovereignty will increasingly depend on the ability to govern that movement with confidence. For business leaders, the message is clear: you cannot control what you cannot see, and you cannot protect what you do not understand.
