Why CIOs need to respond to digital sovereignty now

The digital sovereignty movement is gaining momentum. Around the world, governments are introducing regional laws requiring local data residency or processing. Take Europe’s Gaia-X sovereign cloud initiative, or the string of increasingly common hyper-local data laws like the EU’s GDPR, India’s DPDP Act, Canadian provincial rules, California’s CCPA, and many others.

While data sovereignty has been brewing for years, its importance has surged recently, demanding attention across all digital environments and clouds. “I’ve observed a marked increase in the urgency surrounding digital sovereignty, and it’s impossible to ignore,” says Doug Gilbert, CIO and CDO at Sutherland Global, a digital transformation services company.

The combination of rising geopolitical issues and a post-globalization, pro-governance mood is prompting many CIOs to explore geographic-agnostic, portable architectures, and to reexamine on-prem, colocation, or in-country private clouds. It’s also pushing hyperscalers and enterprise platforms to introduce new offerings and complex configurations to comply with regional laws.

Despite growing awareness, many CIOs are still working to assess the landscape and respond. “There’s not a lot of guidance,” says Tim Crawford, a CIO strategic advisor and industry analyst. “But don’t take a passive approach. Be aware, be diligent, and move forward.”

So the time for action is now. For global CIOs, the response is to assess how digital sovereignty impacts your organization today, and then chart a course to future-proof your strategy against further fragmentation.

Global tensions drive sovereignty responses

Smit Shanker, global CIO at Xebia, an IT services and consulting company, points to geopolitical tensions, global instability, and trade issues that fuel the increasing concern of digital sovereignty. “It’s certainly become an extremely important topic that needs to be thought about and solved for.”

Although AI continues to dominate the spotlight, Shanker warns that it shouldn’t leapfrog core digital strategies. “Being ready for AI and using it to differentiate also means being in control of your digital assets, and that’s where sovereignty becomes extremely important,” he adds.

For other CIOs, the growing focus on digital sovereignty is driven by rising expectations for control and transparency, and treating data as a strategic asset. “Organizations want to know where their data lives, who can access it, and how it’s protected,” says Mike Blandina, CIO of cloud-based data storage company Snowflake. “As CIOs, our role is to help companies navigate these shifts without sacrificing innovation,” he says.

Fines are also another concern as the cost of non-compliance is growing, says Rich Murr, chief customer and information officer of ERP software provider Epicor. “Region-specific data laws and regulations have been in place for several years, but more jurisdictions are establishing their own standards,” he says. For Murr, increasing complexity heightens the urgency to act.

Sutherland Global’s Gilbert also sees significant penalties for non-compliance as a motivator, but ranks other factors just as high. “Geopolitical dynamics, such as US-China technology tensions, are pushing nations to assert greater control over their data ecosystems,” he says.

Growing public concern over privacy and relentless cyberattacks also strengthen the case for resilience. “It’s become clear why we needed to prioritize our digital sovereignty response to safeguard their data and reputations,” Gilbert adds.

Digital sovereignty starts to reshape operations

Countless sovereign data laws continue to put pressure on global enterprise operations. “China is of particular concern as it requires the ability to inspect and assess infrastructure,” says Scott Wheeler, partner at Asperitas Consulting. These laws expose organizations to hefty fines, often requiring duplicate in-country infrastructure and additional audits of personal data.

Eamonn O’Neill, CTO of Lemongrass, which helps enterprises run SAP in the cloud, has also noticed an uptick in interest in alternative clouds. And it’s not just about regulatory compliance — enterprises are also drawn to the enhanced resilience and security that sovereign clouds offer compared to traditional hyperscalers.

To counter, hyperscalers are introducing their own sovereign clouds. “They’re actively tracking the localized control frameworks being released from different regions, geographies, and jurisdictions to ensure they can meet them,” says O’Neill. “This is clearly a customer demand-led cycle of innovation, and we see it growing rapidly.” For O’Neill, automation is the linchpin for enabling this in a flexible, adaptive manner.

Better to plan now than react later

In response to this whirlwind of factors, many organizations are taking action. “We’ve decisively moved beyond a wait-and-see mindset and are actively reshaping our strategies,” says Gilbert. “The turning point was twofold: imminent regulatory deadlines and the imperative to preserve stakeholder trust.” For Gilbert’s team, this has meant auditing data flows, aligning with regional mandates, and investing in new infrastructure strategies.

Those organizations that acted early are now reaping dividends. “We started investing early, long before recent policy shifts,” says Blandina, and for Snowflake, this included investing in localized infrastructure and partnering with cloud providers to meet regional data residency, privacy, and compliance requirements. “Planning for change, rather than reacting to it, is the only way to be equipped to navigate disruption.”

Others agree that a proactive approach is key to future-proofing the organization and reducing risk. “As a global company that falls under the jurisdiction of many governing bodies, compliance and risk avoidance is something we must address proactively,” says Epicor’s Murr. “In most cases, wait and see isn’t a viable option.”

Still, some CIOs are evaluating the landscape and gathering information to guide practical decisions. “We’re at the stage of active evaluations and assessments,” says Xebia’s Shanker. “The requirements that drive such implementations aren’t completely defined yet, which means we need to go back to basics to ensure our solutions are modular, scalable, secure, and local as determined by market and regional regulations.”

How CIOs are leading adaptations

The rise of digital sovereignty and regional data laws is already reshaping cloud, data, and operational strategies across global enterprises. To respond, global CIOs are spearheading various efforts, including repatriating workloads, deploying sovereign or regional cloud zones, implementing edge data centers, and doubling down on data control and auditing.

“These regulations have fundamentally altered our operational landscape,” says Gilbert. “Countries like the UAE, with strict data residency laws, have forced us to reevaluate where we store sensitive information.” Sutherland Global has responded by using localized data centers from major cloud providers, also known as sovereign clouds. Plus, they’ve strengthened access control to comply with cross-border transfer restrictions, all of which comes at a cost, albeit a necessary one.

Xebia, meanwhile, is exploring a deeper overhaul through self-architected, region-agnostic data infrastructure. “We realized that developing these capabilities positions us better than scrambling later when requirements become non-negotiable mandates,” says Shanker. “Operationally, we’re investing in team education around data residency, encryption key management, and sovereign-compliant DevOps practices.”

Another future-proofing strategy is building systems that work across jurisdictions. “Often, US companies that operate internationally will adopt GDPR-style practices globally,” says Asperitas’ Wheeler. While this approach is often cheaper than managing different operations in every country, it still increases overall costs, he adds.

Platform-provider CIOs arguably face the greatest operational burden. Blandina explains that digital sovereignty has led Snowflake to support new cloud regions, regional boundary controls, and in-region deployments in sovereign markets. “The key is building secure data architectures that are flexible enough to meet local requirements but still enable global scale,” he says. “Sovereignty doesn’t have to be a roadblock; it can be a catalyst for building stronger, future-ready data strategies.”

Compliance is (mostly) on the platform’s shoulders

Who bears the burden of digital sovereignty compliance — cloud platforms or the enterprises that use them? While some brave outliers may develop their own region-agnostic or self-hosted solutions, most enterprises expect cloud providers to implement region-specific controls to meet compliance demands. For instance, data localization-as-a-service is an emerging cloud service solution.

“We’ve leveraged SaaS solutions for many years and look to these same vendors to ensure we’re compliant with digital sovereignty requirements across the globe,” says Murr. “Like many technology evolutions, I think this eventually becomes an X-as-a-service offering that’s fairly easy to leverage.”

Offloading the compliance burden to platforms also affords more of a best-of-breed approach. “They have the infrastructure and expertise required to deliver digital sovereignty solutions, and an enormous opportunity to monetize this offering,” he adds.

But end users can’t keep up, says Crawford, as it’s too much to become an expert in all requirements. Instead, they’ll rely on vendors to embed compliance into tooling. The companies closest to business data are in the best position to do this, he adds. Given its dominance in global commerce, it makes sense for SAP, for instance, to oversee transactional data. Similarly, IBM could manage large enterprise systems, Salesforce customer data, and ServiceNow or Workday employee data.

Xebia’s Shanker agrees the onus lies with platform providers such as CRM and ERP vendors to build in sovereign-compliant services and options. However, he believes enterprises remain responsible for architectural decisions, and data and operational governance.

Others also view the role as somewhat split. “I believe compliance works best when it’s a shared responsibility,” says Blandina. While platform providers must take the lead in building secure, compliant-by-design infrastructure and abstracting complexity, end users must actively govern how the tools are implemented. “The result is a stronger, more resilient compliance posture,” he adds.

Guidance for CIOs navigating digital sovereignty

Global CIOs, particularly those at US-based enterprises, are grappling with an increasingly fragmented global regulatory environment. This reality could reshape the technology supplier ecosystem, opening space for innovation and new frontrunners to emerge, predicts Shanker. “It’s worthwhile to look beyond traditional partnerships and alliances,” he says.

In this volatile landscape, enterprises must be proactive, not reactive, to prepare for further regulatory shifts. This means meeting customers where they are within their specific jurisdictions and regulatory needs, and choosing platforms that provide these capabilities by default.

“Leverage SaaS providers that have incorporated digital sovereignty solutions into their platforms,” advises Murr, and Blandina adds that global enterprises should prioritize investing in platforms and partnerships that offer configuration, transparency, and compliance by design. To him, that means designing for optionality using modular, compliance-ready architectures. “Regulatory environments will continue to evolve, and digital sovereignty requirements will only become more nuanced,” Blandina says.

Organizations also need monitoring in place to know when a compliance breach occurs. “There are legal requirements that if you have a breach, the clock starts the minute it occurs, and you must notify those affected,” says Crawford. “The problem is if you don’t have governance, you may not even know.”

The cloud is no longer borderless

In the US, 20 states have already enacted comprehensive data privacy laws. And with country-specific data regulations on the rise, we’re heading toward an increasingly de-globalized, compartmentalized world. This trend reflects national and geopolitical uncertainty, heightened privacy concerns, and the intrinsic importance of digital data to society at large.

“Digital sovereignty will only grow in importance as data becomes more central to economic policy, national security, and innovation,” says Blandina. “I believe we’ve just started to see the needs of sovereignty play out, and the companies and platforms that are innovating in this space will be best positioned to support the future.”

While the past two decades saw unfettered cloud computing replace on-premises systems, the pendulum is now swinging back toward governance. “The future likely holds stricter data localization requirements, more regulatory fragmentation, and expectation of enhanced control over digital assets,” says Shanker. “Enterprise IT, therefore, must evolve from efficiency-focused to sovereignty-resilient, prioritizing optionality without losing the standardization and efficiency benefits. This will be the new challenge.”

For most global CIOs, the risks of non-compliance are now too great to not prioritize. Beyond fines, market exclusion and reputational harm can carry severe consequences for the business. Sovereignty will take different forms across regions, requiring a meticulous response. With these factors combined, it means it’s time to act.

“You have to get far more granular and sophisticated with your application architectures and data governance models,” says Crawford. While gen AI might eventually offer some support, the specificity and constantly evolving nature of territorial data laws make non-deterministic AI a risky bet. So stay agile and be ready to accommodate more sovereign laws as they emerge. As Crawford puts it: “Get in, buckle up, and hold on.”