Data sovereignty is the principle that digital information is subject to the laws and governance structures of the country where it is stored has emerged as the core concept for answering this question. It’s become both a legal compliance issue and a strategic concern influencing how enterprises design and manage their IT infrastructures.
Digital sovereignty, cyber sovereignty, technological sovereignty and data sovereignty refer to the ability to control the data, hardware and software that a business or organization builds and relies on, as defined by The World Economic Forum.
Getting handle on digital sovereignty is growing more critical and complicated, according to Jon Cosson, head of IT and chief information security officer at wealth management firm JM Finn.
“Data sovereignty is not a buzzword, it’s survival,” Cosson said in a January 2025 interview with Computer Weekly.
In recent years, the stakes have risen dramatically. Governments around the world are asserting control over data within their borders, enacting regulations that dictate where and how data must be stored and processed.
Data sovereignty in focus as Europe scrutinizes US cloud influence, wrote Chris Mellor in March 2025 article for The New Stack.
“The EU has GDPR, NIS2, and DORA regulations that apply to customer data stored in the bloc,” Mellor wrote. “However, US courts could compel companies under US jurisdiction to disclose data, potentially overriding EU privacy protections in practice.”
This has established industry powerhouse cloud providers scrambling a bit, taking fast steps to adjust to stricter standards – particularly in Europe – about where and how businesses can manage their data.
Evolving data sovereignty rules mean companies can no longer rely on homologous IT infrastructures. This even renders many legacy systems non-compliant. Relying on hybrid cloud systems that can scale to meet growing needs and adapt to changing regulations within jurisdictions across the different locations where they operate.
Uniform Infrastructures Too Limited Under New Standards
Legacy IT systems are struggling to meet new data sovereignty standards. Companies are rethinking how they handle data as centralized and one-size-fits-all IT models are not enough to comply with varied requirements across regions.
This has exposed the limitations of legacy systems and created a clear divide between organizations that have put forethought and planning into diversifying and modernizing their infrastructures and those that have to play catch-up to stay compliant.
The divide will grow clearer as certification requirements around data management emerge, mandating that companies are certified to operate in certain markets and regions and meet stringent requirements for data handling practices.
Pierre-Jean Beylier, president of inherent, a French IT and telecommunications service provider, explained the impact this has had on his own company.
“We're big in the health sector, so we have a special certification called HDS, which allows us to manage data for public and private hospitals,” he told The Forecast.
“It's a sizable market for us. So this certification in France that is called the second cloud is expected to be required by a number of public sector customers. So if you want to play in that market, you will need at some point of time to have that certification.”
Beylier refers to the French Health Data Hosting certification, which is required for any organization hosting health data in France. He predicts many more will soon follow.
“Now Europe is launching its own certification, and in a European country where you talk about sovereignty, it cannot be about the sovereignty of your country,” he said.
“It's European sovereignty because it's a unique market. It's an open market. So certainly, the European certification is going to be the primary driver, and the big debate is, is it going to go as far as the French one, or is it going to be more flexible, more open to US players, to hyperscalers?”
He said the point of debate is around ownership, jurisdictions of the companies that do the business.
“Are they European companies or not?,” he asked. “That's where there are debates. But I think beyond the certification, it will become a bit of a standard, and you will need to have your certification in order to have the credibility to provide services to large, private and public sector customers.”
Many now face a choice: Spend heavily to retrofit outdated infrastructures (and risk doing so again soon), or pivot to new and more flexible models. Both require a financial investment and a pressing sell for IT leaders who have to get boardroom buy-in for an initiative that doesn’t have much time to wait.
Europe Leads the Way on Sovereignty Laws
As Beylier’s insight indicates, Europe has been at the forefront of the global movement toward data sovereignty, driven largely by a desire to keep European data within European borders and under European control.
GAIA-X, launched in 2019 and still in its developmental phase, has been central to this effort, an initiative to create a federated, interoperable cloud ecosystem that upholds European standards of data privacy, security, and sovereignty. GAIA-X aims to connect cloud providers – both EU-based and international – under a unified infrastructure that prioritizes European regulatory requirements.
The GAIA-X launch aligns with the larger effort, coined Eurocloud, to reduce reliance on non-European cloud providers and create a more competitive (and yes, sovereign) cloud ecosystem where European data doesn’t end up under non-European jurisdiction.
The initiatives have been met with a fair share of support and skepticism. Supporters, especially in highly regulated sectors like finance and healthcare, see it as a critical step toward reducing reliance on foreign providers. Skeptics argue that Eurocloud and GAIA-X could struggle to scale and compete with the likes of AWS, Microsoft Azure, and Google Cloud in terms of expertise, cost-effectiveness, innovation, and performance.
As data sovereignty norms and regulations evolve, infrastructure to support EU-based data management is a positive development. But as the established industry giants respond to the EU’s elevated sovereignty standards, it will likely become a game of catch-up for newer providers who want to gain their own market share.
Lidl’s Bold Move: Building Its Own Cloud
One interesting and unexpected response to Europe’s data sovereignty push has come from Lidl, a German grocery discount retailer. Lidl has opted to bypass reliance on existing providers by developing a proprietary cloud platform called Schwarz Digits, after its founder. The move that underscores how seriously European companies are taking the sovereignty issue.
Lidl’s cloud is designed specifically to meet European data protection and sovereignty requirements. Lidle’s decision to build its own infrastructure sets a bold precedent, highlighting the lengths to which some companies are willing to go to ensure complete data control.
“The one-stop-shop approach [to cloud] has shown cracks,” wrote Dotan Horovits in his Medium post Lidl’s Cloud Gambit: Europe’s Shift to Sovereign Computing.
Horovits is Cloud Native Computing Foundation Ambassador, open source enthusiast and DevOps aficionado. He wrote that “Amazon, Google, Microsoft, Alibaba et al. won’t be able to cover all grounds, neither in tech domains, nor in geo’s. This push for a EuroCloud is why a grocery chain like Lidl can suddenly emerge as a cloud player, grabbing market share from AWS. Schwarz Digits generated €1.9 billion in sales last year and has signed on major clients like SAP and Bayern Munich. This is no fringe experiment.”
The big cloud players have responded. AWS is investing €7.8 billion into the AWS European Sovereign Cloud. Microsoft joined them soon after. They’ll likely build EU-based infrastructure that keeps them relevant even in sovereignty-strict European regulatory environments.
But Lidl’s move could signal the beginning of a larger trend among European companies, particularly those in sensitive or highly regulated industries, toward building their own sovereign cloud solutions.
As concerns about data privacy and compliance continue to grow, more companies may follow Lidl’s lead, developing in-house or highly localized cloud solutions offering greater control and security than external providers.
The future of IT infrastructure will built on key principles: flexibility, adaptability and resiliency. To succeed, companies will balance compliance with innovation, using data sovereignty as a catalyst for building robust, secure and globally distributed IT operations.
Ken Kaplan is Editor in Chief for The Forecast by Nutanix. Find him on X @kenekaplan and LinkedIn.
Michael Brenner contributed to this story.
© 2025 Nutanix, Inc. All rights reserved. For additional information and important legal disclaimers, please go here.
