Getty Images

Why legal control beats location in data sovereignty

US law can access global data via providers, making local data residency insufficient. Businesses must prioritise true jurisdictional control over "sovereignty washing" marketing

When the US government suspended foreign access to Anthropic's most advanced AI models last month, overseas users lost access overnight. The lesson from this was not about one product. It was that access to technology can be switched off by a government decision at any moment – without any warning or negotiation.

The question it raised for every modern business was not just whether a service remains available, but who has legal power over the provider behind it. The US CLOUD Act is the clearest example. It requires US-based providers to disclose data in their "possession, custody, or control" – wherever in the world that data physically sits, including providers owned by a US parent company. 

A sovereign-branded cloud with a datacentre in London and a parent company in Virginia is still within reach of US law. Location provides almost no real protection.

Regulation is catching up with the problem

The EU is taking steps to keep pace by bringing in its Cloud and AI Development Act which proposes a single sovereignty framework with four levels of independence. This runs from basic data residency at Level 1 up to genuine independence from third-country interference at Level 4.

In other words, European regulation now says in law what the market has been slow to admit: that residency is the lowest rung of sovereignty, not the definition of it. This marks a definitive step towards European infrastructure autonomy. 

And within Europe, the cloud industry is moving the same way – CISPE's "Sovereign and Resilient Cloud Services Framework" gives customers a way of assessing providers on evidence of true sovereignty rather than marketing buzzwords.

The sovereignty gap

The risk for business sits in the gap between where data lives and who controls it. If an organisation cannot say who can access its data, and under which legal framework, it does not have the control it thinks it has.

This is complicated further by the rapid evolution of AI applications. As AI systems and critical workloads move into production, that sovereignty gap gets harder to defend – to regulators, to customers and to boards of directors.

Plenty of providers now use the language of sovereignty, but far fewer can evidence it. This is "sovereignty washing" – a local flag on the datacentre, a region selector on the sign-up page and a confident sales message, while ownership, legal reach and operational access remain conveniently vague.

Under the EU's framework, that gets you to Level 1, nothing more.

What organisations should ask for from infrastructure providers

Addressing sovereignty and control is now a matter of due diligence, not a branding exercise. Before signing, businesses need firm answers to several questions about who has legal control over the provider and its parent company, and under which jurisdiction.

They should know, for example, where support staff sit, what they can access, and where backups live, since they deserve the same scrutiny as production systems.

Exit routes need to be contractual and tested, too, because if you cannot move a workload without major disruption, you do not control it. Portability across the stack is another key aspect, so that critical dependencies like identity and core data layers are not locked into one ecosystem.

Although many sovereignty concerns are directed at hyperscale cloud, it still has a valid role in a hybrid architecture for specialist services such as burst capacity and rapid experimentation. A mature cloud strategy is about matching each workload to the jurisdiction, risk profile and level of control it requires.

Control is becoming the real test of cloud sovereignty

Businesses should not accept claims about access and control in the cloud at face value. A rigorous approach is required to avoid unexpected government intrusion and prepare for regulations such as the EU Cloud and AI Development Act. True sovereignty that protects businesses manifests itself in architecture, contracts and day-to-day service delivery. If the answers to the key questions are vague, the label is doing too much work. 

This shift is levelling the playing field. Jurisdictional clarity is starting to matter as much as a provider’s global scale, so I hope the providers who can open the books on ownership, access and exit are those winning the projects involving sensitive workloads. 

For local and regional sovereign cloud providers, this is a genuine opportunity. They are built to answer the main concerns about clear ownership, jurisdictional certainty and direct accountability – and for the first time the market is asking for what they have always offered. 

For UK and European businesses, that is not a constraint. It is the first time in years the control question has a real answer.

Jake Madders is director and co–founder of Hyve Managed Hosting

Read more about data sovereignty

Read more on Infrastructure-as-a-Service (IaaS)