Tiatra, LLC
Information Technology Solutions for Washington, DC Government Agencies

5 things CIOs must do as sovereignty becomes a design constraint

For years, enterprise IT strategy operated on three assumptions: infrastructure could be global, vendors could be consolidated, and location had little impact on risk or compliance. That model is breaking down. As geopolitical tensions rise, AI regulation accelerates, and supply chains become more fragile, CIOs are being forced to rethink not just where technology runs, but how it’s sourced, governed, and secured.

“Three years ago, sourcing decisions always started with total cost of ownership,” says Jochen Jaser, CIO of open-source software company SUSE. “But that’s not the dominant frame anymore. Now it starts more like a risk register.”

That shift is reshaping enterprise architecture decisions at multiple levels. CIOs are reassessing dependence on hyperscalers, evaluating sovereign cloud options, and paying closer attention to where data resides and how it moves across jurisdictions. According to Shannon Bell, EVP, CIO, and CDO at enterprise information management company OpenText, “geopolitical risk has become a core architecture and sourcing consideration.”

The result is a more fragmented and complex operating environment. Gartner analyst Luis Pinto says organizations increasingly view geography as an architectural constraint rather than a secondary deployment issue, while Ron Babin, IDC advisor and professor at Toronto Metropolitan University, says CIOs must now navigate a growing patchwork of regional regulatory requirements.

As AI becomes more deeply embedded in enterprise operations, the strategic importance of data itself is also changing. CIOs are paying closer attention not only to where data is stored, but how it’s accessed, moved, and protected across borders.

“The business transcends borders, but your data can’t always do the same,” says Matt Stern, CSO at Hypori, a secure mobile access provider.

Organizations aren’t abandoning global platforms, but they’re redesigning how they use them. As sovereignty becomes a permanent strategic constraint, here are five things CIOs must do in response.

1. Treat geography as a core architectural decision

The most fundamental change is conceptual: location is now a design variable rather than a deployment detail. For years, CIOs optimized for scale and efficiency, often centralizing workloads in a handful of hyperscale cloud environments. That approach assumed stable global access and predictable regulatory conditions. Today, those assumptions no longer hold.

“Where technology is located and who has operational control over it is now a major business risk,” Pinto says. Organizations are responding by paying closer attention to data residency and access rights.

Jaser adds that the shift is forcing organizations to rethink even basic infrastructure assumptions. “Usually you’d just go with AWS, Google, and on-prem,” he says. “But now as digital sovereignty requirements are coming into space, we need to look for sovereign cloud offerings.”

That doesn’t mean abandoning hyperscalers entirely. SUSE itself operates a hybrid infrastructure spanning commercial clouds and its own data centers. Instead, Jaser says organizations are becoming more selective about workload placement, evaluating which systems require stronger sovereignty protections, and which can remain in global environments.

The shift is also reshaping operating models. According to Bell, workload placement strategies are increasingly driven by sensitivity of data, regulatory exposure, and operational risk. “We’re moving from a cloud-first mindset to more of a fit-for-purpose approach,” she says.

2. Design for multi-jurisdiction resilience, not efficiency

As geography becomes a constraint, resilience is replacing efficiency as the primary design goal. Enterprises are rethinking their dependence on a small number of global providers, particularly hyperscalers. While companies such as AWS, Microsoft, and Google remain central to most IT strategies, CIOs are increasingly wary of concentration risk.

“Vendor concentration is now treated as systemic risk, not strategic leverage,” Pinto says. Rather than abandoning hyperscalers, organizations are intentionally fragmenting their portfolios. Global providers are retained for standardized, low-risk workloads, while regional or sovereign alternatives are introduced for more sensitive applications.

According to Jaser, many organizations are now discovering how deeply earlier cloud consolidation decisions constrained their flexibility. “A lot of companies optimized everything for a single cloud provider in terms of technology, skills, and planning,” he says. “Then they realized they had three- or five-year contracts with commitments, which limits the ability to choose something else.”

Babin points to emerging risks that go beyond compliance. In some regions, even data centers are becoming potential targets in geopolitical conflicts. “CIOs now have to think about where their AI models are running and what risks exist in those locations,” he says.

The result is a more resilient, albeit splintered, sourcing model — one designed to preserve optionality if geopolitical, regulatory, or vendor conditions change.

3. Classify workloads by sovereignty and risk profile

If resilience requires diversification, it also requires precision. Not every workload needs the same level of protection. That’s where a more granular approach to sovereignty is emerging. Rather than treating it as a binary choice — sovereign or not — CIOs are increasingly thinking in terms of a spectrum.

“It’s not a black-and-white conversation,” Jaser says. “It depends on the workload, its relevance, and the specific sovereignty requirements attached to it.”

In practice, that means classifying workloads based on risk, sensitivity, and business impact. Highly sensitive data such as HR, security, or proprietary AI models may need to remain in tightly controlled environments, whether in sovereign clouds or on-prem infrastructure. Less sensitive applications like marketing systems or public-facing services can continue to run in global cloud environments.

This workload-based approach allows CIOs to balance competing priorities of cost, performance, regulatory compliance, and UX. It also reflects a more mature understanding of sovereignty as a set of trade-offs rather than an absolute goal.

Jaser also argues that CIOs should avoid overcomplicating the process. “Don’t over-engineer it,” he says. “Just start classifying your workloads and move to relevant things.”

Bell argues that most enterprise data don’t require the same level of protection. “More than 90% of enterprise data can safely sit in the public domain,” she says. “There’s really a small percentage that represents the keys to the castle and needs to be protected.”

4. Build portability and exit into every layer of the stack

As organizations distribute workloads across multiple clouds, sovereign environments, and regional providers, the ability to move workloads becomes critical.

Designing for workload portability upfront is becoming increasingly important, Bell says, and that flexibility becomes a critical requirement, not just for optimization.

Technically, this is driving greater adoption of open standards, containerization, and orchestration platforms such as Kubernetes. These technologies make it easier to shift workloads between environments, whether across cloud providers or between cloud and on-prem systems.

Contractually, CIOs are pushing for stronger exit clauses, price protections, and flexibility. According to Pinto, organizations are increasingly embedding exit by design into their sourcing strategies: if contracts don’t allow for rapid disengagement, they may find themselves locked into environments that no longer meet regulatory or operational requirements.

The goal isn’t constant movement, but optionality. CIOs want the ability to adapt as conditions change. “The mistake some CIOs make is trying to have an extreme amount of portability, or not enough portability,” Bell says. “The magic is in the middle.”

5. Extend sovereignty thinking to the edge and endpoints

While much of the sovereignty discussion focuses on cloud infrastructure, risk doesn’t stop at the data center but extends to how data is accessed, particularly in a world of remote work and mobile devices. That’s where a less visible but increasingly important dimension of the problem is emerging.

“The business transcends borders, but your data can’t always do the same,” Stern says.

As employees travel and work remotely, sensitive data may be accessed across jurisdictions in ways that violate local regulations. Devices can also be inspected or seized at borders, creating additional exposure. As a result, some organizations are rethinking the model entirely, focusing less on securing devices and more on controlling access to data.

Stern argues that AI and distributed workforces are changing the nature of enterprise security itself. “Identity is now becoming the perimeter,” he says. “It’s not device-centric anymore but identity-centric.”

This shift reflects a broader reality: sovereignty is about who can access data, from where, and under what conditions, not just about where it’s stored.

From cost optimization to continuous risk management

Taken together, these changes point to a broader transformation in the CIO role. Technology strategy is about managing, over the long term, a dynamic set of risks that spans regulation, geopolitics, supply chains, and security, not just delivering capability at the lowest cost.

“This isn’t solely the responsibility of the CIO,” says Babin. “The executive team and the board need to understand the trade-offs.” In many cases, achieving greater control and adaptability requires additional costs, slower deployment, or reduced access to cutting-edge features.

As organizations adapt, CIOs are building strategies that are more complex but also more resilient. According to Pinto, the organizations best positioned for this shift will be those that treat geopolitics as a permanent design constraint, not a source of temporary disruption.

That requires a different mindset around operational readiness and risk management. “Being risk ready is about understanding, mitigating, and managing risk in real time,” says Bell.

For CIOs, sovereignty is no longer a niche compliance issue. It’s becoming a core design principle shaping how technology is sourced, deployed, governed, and secured.


Category: News
June 17, 2026