Natalia - stock.adobe.com
Why Asia needs its own model of digital sovereignty
Framing digital sovereignty simply as a “US versus non-US cloud” debate is no longer fit for purpose. Asia must forge its own path through data jurisdiction, technical portability, and operational control
Digital sovereignty has become one of those phrases everyone repeats but few define. In Asia, it is often reduced to a simple “US versus non‑US cloud” debate or a box‑ticking exercise around data localisation – which makes for good talking points, but does not help a Singapore-based chief financial officer (CFO) decide where to run a core banking system or a regional chief information security officer (CISO) determine how to train an AI model on customer data without tripping over three different regimes at once.
Asia’s digital economy has also outgrown the habit of defining sovereignty purely in reaction to other markets: from Indonesia’s data protection law to Vietnam’s Decree 53, the region is building its own foundations for a data‑driven future, even as global cloud and artificial intelligence (AI) platforms are deeply woven into how businesses operate, from supply chains to customer engagement.
Framing sovereignty as “US versus non‑US” misses this nuance. It assumes the only choice that matters is whose flag flies over the datacentre, when most organisations in Asia will inevitably use a blend of local, regional and global providers. The real questions are far more practical and more uncomfortable: which laws can legitimately claim jurisdiction over data and systems; how easily critical workloads can be moved or re‑architected if risk changes; and who, in practice, can access the data at 2am during an incident.
These are the conversations we need to be having. Digital sovereignty in Asia only becomes useful when we stop treating it as a slogan and start treating it as a design discipline built on three pillars: data sovereignty, technical sovereignty and operational sovereignty.
Data sovereignty: Law before location
Data sovereignty is often mistaken for simply “where the data sits”, but location is only one part of the equation. What really matters is jurisdiction: which courts and regulators can reach your data, especially as AI rules emerge across different markets. As AI spreads into areas like credit, hiring, healthcare and public services, regulators are moving beyond soft guidance – South Korea’s new AI Basic Act is a clear signal that higher‑impact systems will face stricter expectations on risk, oversight and transparency. In this environment, losing control of data quickly becomes losing control over how businesses operate and innovate.
The real issue here is clarity and choice. Boards should be asking where data is stored and processed, which legal entities control the infrastructure, what commitments exist around using data for AI training and how government access requests are handled. In Asia, data sovereignty should be about mapping different classes of data – from public content to highly sensitive personal information – to environments where the legal and contractual frameworks match the level of risk.
Technical sovereignty: No more “stuck in one stack”
Technical sovereignty comes next: the ability to move, rebalance or redesign workloads when business, regulatory or geopolitical realities shift. The biggest sovereignty risk may not be a particular law but over‑dependence on a single cloud stack.
No single stack will satisfy every jurisdiction as AI and data rules evolve. Measures that are voluntary in one market today can become mandatory in another tomorrow. That is why data portability, clear workload segmentation and the ability to shift between public, private and more sovereign environments are becoming design requirements rather than nice‑to‑haves.
In a region as diverse and fast‑moving as Asia-Pacific, multi‑cloud and hybrid are not fashion statements. Done thoughtfully, they are tools of sovereignty, giving organisations room to manoeuvre when regulations tighten, AI policies evolve or geopolitical tensions spill over into the technology stack.
Operational sovereignty: Where cyber security and sovereignty meet
Operational sovereignty is often the missing piece in board conversations. Yet, it is where sovereignty becomes very real. Even with the right contracts and architectures, what matters day to day is who can access systems and data, from where and under what controls.
In a globalised services model, it is normal for support engineers, site reliability teams and security specialists to sit outside the customer’s home market. The issue is not geography per se, but governance. For example: are privileged accesses strictly logged, time‑bound and justified?; which jurisdictions do the provider’s support operations sit in and what obligations they are under?; can in‑region support models for certain workloads be insisted, especially in regulated sectors?
This is where cyber security and sovereignty converge. Identity and access management, observability, incident response and audit trails are not only security topics, they are operational proof of control. After an incident, regulators and customers in Asia are increasingly asking, not just “were you secured?” but “who else could see this data, under what rules and how does one know?”. For Asian leaders, operational sovereignty should be treated as part of their cyber resilience strategy, not a separate compliance concern.
Designing for freedom of choice
Ultimately, sovereignty should not be treated as a checkbox at the end of a cloud procurement process. It needs to be incorporated from the outset as a way to preserve freedom of choice over time by classifying data and workloads according to sensitivity demanding transparency from partners on jurisdictions, data flows and support models; building enough technical portability to respond if laws, risk or economics change; and treating operational controls around access and logging as part of the sovereignty posture, not just the security posture.
Organisations across Asia-Pacific that move the fastest are not those seeking the most rigid constraints, but those striving for trusted flexibility. They want a cloud they can trust, not one that traps them. They want a cloud that provides assurance, so they know their data is protected and have the freedom to innovate, grow and adapt as the regulatory and geopolitical landscape evolves.
It is worth remembering that sovereignty in Asia will not be won by copying someone else’s debate. It will be defined by the region’s ability to build cloud strategies that put Asian priorities at the centre: legal clarity, technical agility, operational trust and, ultimately, the freedom to chart our own digital future.
Terry Maiolo is vice-president and general manager for Asia-Pacific at OVHcloud
Read more on Regulatory compliance and standard requirements
-
![]()
Where MENA CIOs draw the line on AI sovereignty
-
![]()
Qatar advances sovereign cloud strategy to strengthen digital trust and national autonomy
By: Andrea Benito
-
![]()
e& drives AI-first workforce transformation with Oracle Cloud
By: Andrea Benito
-
![]()
How to navigate data sovereignty for AI compliance
By: Donald Farmer
