Data sovereignty: at the heart of Europe’s business future

Management15 May 2025

Where an organisation’s data is stored and the related compliance issues make a flexible data sovereignty strategy more important than ever, argues Terry Storrar at Leaseweb UK

Once perceived as a corporate issue, the fact that organisations of every size now use cloud infrastructure, and are responsible for the data that is stored there, means that recent geopolitical developments are directly impacting the planning decisions made by any business that operates across borders.

In the UK and Europe, both large and smaller companies face the question of where to store their data and the laws that govern this. If that data is stored in the American cloud, on servers owned by US giants, this will be governed by US laws. This is raising concerns about the potential risks attached to having ‘eggs all in one basket’, particularly given the current unpredictability in the Oval Office.

Instead, many companies are starting to evaluate alternatives for storing data in the European region – a European cloud provides a viable option, offering stringent governance and increased oversight now and into the future.

Beyond the corporates

There is a common misconception that data sovereignty is really only a concern for Multinational Enterprises (MNEs) – large corporates with global reach; however, the truth is that SMBs also face certain challenges. And these smaller businesses rarely enjoy the dedicated legal and compliance teams larger companies can call on.

This is because smaller companies often rely on third-party cloud providers and often lack the internal expertise to manage all the legislation when it comes to cross-border data hosting. Ask yourself where your customer data is being stored and who has jurisdiction over it. If the answer isn’t clear, then it is time to pay more attention and perhaps look closer to home.

A sovereign European Cloud

The EU’s Important Projects of Common European Interest on Cloud Infrastructure and Services (IPCEI-CIS) might sound like a mouthful but it is a significant advance in creating a sovereign European cloud campus – designed to protect sensitive data, comply with EU regulations and ensure that Europe’s digital infrastructure is no longer dependent on US providers.

This project not only ensures regulatory compliance with EU laws such as GDPR, but it also reduces dependency on foreign providers, improving security and resilience while fostering technological growth. In the face of multiple policy shifts and incoming tariffs, a local option is looking increasingly attractive to major players, including AWS and Azure, as well as specialist European providers already invested in this option.

More than an IT concern

There is another common misconception that data sovereignty is primarily a matter for the IT department; the truth is that it has far-reaching implications for legal, compliance, finance, operations, and strategic decision-making. For example, regulations such as GDPR and DORA require strict control over where data is stored and processed, and non-compliance can lead to hefty fines and reputational damage.

At the same time, consumers and partners increasingly demand transparent data governance, making sovereignty a key factor in maintaining trust and competitive advantage. And the seemingly endless global economic instability and volatility has pushed sovereignty up the agenda as organisations look to eliminate uncertainty.

Repatriating data

Cloud repatriation – the process of moving data from public cloud environments back to on-premises or private cloud infrastructure – is increasingly linked to confidence in cloud data sovereignty. Organisations are repatriating data to regain control over where and how their data is stored, ensuring compliance with local regulations and reducing reliance on foreign cloud providers.

Some enterprises find that repatriating workloads improves performance and reduces cloud costs, particularly when dealing with large-scale data processing. Moreover, moving data back to private or hybrid cloud environments improves security by reducing exposure to third-party risks and foreign government access. Therefore, this is a natural next step in ensuring data sovereignty. The question is: who can best help with these daunting tasks?

Choosing the right partner

Once you have decided to bring your data back from foreign shores, you may need an advisor to help you restructure your operations locally. Begin by looking for consultants who have relevant certifications, such as ISO-IEC 27001, and who have demonstrated the requisite experience.

You will want a partner who can provide you with straightforward answers when it comes to data processing. If you need to know where your data is processed, vague assertions of ‘following best practice’ are not good enough. Instead, you need to know where your new provider has data centres so you can be sure that you are complying with regulations like GDPR and DORA.

A strong partner should also offer end-to-end encryption, zero-trust architecture, and sovereign security controls to protect data from external threats. These, combined with operational autonomy and geopolitical stability, will make for the best cloud partner.

It is clear that, in an ever-changing global market, having control over data will be a priority. So, now is the time to begin asking the tough questions, finding out where your data really lives and figuring out how best to bring it home.

Terry Storrar is the managing director of Leaseweb UK

Main image courtesy of istockPhoto.com and DKosig