
US law applies to US companies regardless of where their servers are located. That means: anyone storing data with Amazon, Microsoft or Google – even in a European data centre – cannot say with absolute certainty that US authorities won't be able to access it under the CLOUD Act. Data residency and data sovereignty are two different things.
This isn't a niche concern for large corporations and legal departments. It's a question that affects every company processing data in the cloud, handling customer data or running AI applications. And it's a question that is becoming considerably more pressing in 2026, driven by new regulation: the EU AI Act, the Data Act and NIS2.
This article explains what data sovereignty actually means, how it differs from related concepts and which concrete questions businesses should be asking right now – particularly when it comes to the cloud.
Data sovereignty describes the ability of companies, individuals or states to exercise autonomous control over their own data. This covers the right to determine where data is stored, who has access to it, how it is processed and shared – and which legal rules apply in doing so.
The concept has several dimensions. In practice, three levels can be distinguished – and they are frequently conflated, when they should be kept clearly separate.
Data sovereignty refers to the legal and factual control over data: who is permitted to do what with this data, and under which legal framework?
Data stewardship is often used interchangeably, but relates more specifically to the organisational capacity to make independent decisions about data – free from dependence on external systems or vendors.
Digital sovereignty is the broader concept: the ability to use digital technologies, infrastructure and data in a self-determined way that aligns with one's own values – at the level of companies, institutions or entire states.
The distinction between data sovereignty and data residency is particularly important here: data residency simply describes the physical location where data is stored. The fact that data sits in a German or European data centre does not automatically mean it is processed under European law. The location of storage alone is no guarantee of sovereignty.
Cloud services have fundamentally changed how companies work with data. According to the PwC Cloud Business Survey 2025, 74 per cent of German companies now use cloud solutions – up 13 percentage points from 2023. But as cloud maturity grows, so does awareness of the sovereignty questions it raises.
The core problem: the majority of the world's widely-used cloud infrastructure comes from US hyperscalers: Amazon Web Services, Microsoft Azure, Google Cloud. These companies are subject to the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which obliges providers under US jurisdiction to comply with valid US legal process (a warrant, subpoena or court order) for data in their possession, custody or control, regardless of where that data is physically stored. The Act does not grant agencies free access, and a provider can challenge an order that would conflict with the law of a qualifying foreign government, but the decisive point stands: the server's location does not take the data out of reach of US process.
This creates a genuine conflict: European companies processing sensitive customer, financial or health data in US cloud services cannot say with absolute certainty that this data could not become accessible to US authorities – even if they comply fully with GDPR. Data residency and cloud data sovereignty are two different things.
On top of that come cloud-specific dependencies: when data is deeply embedded in proprietary cloud systems, switching to a different provider becomes technically and contractually difficult. This vendor lock-in situation practically limits control over a company's own data holdings – even if there are no immediate legal issues.
How mid-sized companies can approach data strategy and what foundations are needed is explored in our article Data analysis in SMEs: from raw data to better decisions.
The regulatory landscape around data sovereignty has changed substantially over the past two years. Companies now need to keep track of several overlapping frameworks.
The General Data Protection Regulation is the best-known framework. It governs the protection of personal data, sets requirements for its processing and storage and restricts transfers to third countries. GDPR is not a complete answer to data sovereignty – but it is the foundation on which all further thinking builds.
What many overlook: GDPR does not fundamentally prohibit the use of US cloud providers. It does, however, require appropriate safeguards and sets strict conditions for the legal basis of data processing. The responsibility lies with the data-processing company – not with the cloud provider.
The EU AI Act's core obligations, including most of those for high-risk AI systems, apply from 2 August 2026. For companies using or developing AI systems, this creates concrete documentation, transparency and human-oversight obligations. Particularly relevant for data sovereignty: high-risk systems must meet data-governance requirements for the training, validation and testing data they are built on, and providers and deployers must be able to document how that data is handled. A company that cannot say where its training and operational data sits, or under which law it is processed, will find those obligations hard to meet. This raises new questions for companies running AI applications on US cloud infrastructure.
The EU Data Act has applied since 12 September 2025 and creates binding rules for access to and use of data, in particular the non-personal data generated by connected products and related services. It strengthens data sovereignty by mandating data portability, ensuring fair access to data and imposing concrete obligations on cloud and other data-processing services offered in the EU: they must make switching to another provider feasible, and they must take measures to prevent third-country governmental access to, or transfer of, non-personal data held in the EU where such access would conflict with EU or member-state law.
From 12 September 2026, the obligations reach product design: connected products placed on the market from that date must be built so that users can access the data they generate in a straightforward way.
Germany's NIS2 Implementation Act came into force on 6 December 2025, with no transition period. It substantially expands the range of companies subject to mandatory cybersecurity requirements and makes company management responsible for approving and overseeing the required risk-management measures, with personal liability for breaches of that duty. Data security and data sovereignty are closely linked here: those who don't know where their data is or who can access it have no reliable foundation for security measures either.
How companies can structure data access and data sharing strategically without losing control is explored in our article Share data, create added value: when is data sharing worthwhile?
The EU AI Act, the Data Act and NIS2 interact with each other – and all three raise questions that can't be answered by the IT department alone. At d:u27 on 13 & 14 April 2027 in Münster, specialists from law, technology and business leadership discuss what the regulatory environment means for concrete company decisions – and which steps mid-sized businesses can take today.
Data sovereignty isn't a state that companies achieve once and then tick off. It's a continuous process of control, assessment and adaptation. The first step is asking the right questions.
Many companies have no complete overview of which of their data ends up in which cloud services. Through SaaS tools, AI applications and automated workflows, data flows spread across many systems. A current inventory – which cloud providers are in use, where their servers are located, which legal framework governs them – is the foundation for all further decisions.
The storage location alone is not enough. What matters is the legal order that a cloud provider is subject to. A US company with a data centre in Frankfurt is still a US company – with all the implications of the CLOUD Act. European cloud providers or sovereign cloud solutions that are exclusively subject to European law offer structurally greater control.
Not all data carries the same risk. Customer data, health data, financial data and strategic business information require different treatment from publicly accessible content. A classification by level of sensitivity helps set priorities – and determines which cloud strategy makes sense for which data.
Long-term contracts with individual cloud providers and no exit option create dependencies that practically constrain data sovereignty. Hybrid cloud approaches or multi-cloud strategies – keeping critical data on sovereign infrastructure while processing less sensitive data in large hyperscalers – represent a pragmatic middle ground for many companies.
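The four questions above (inventory, jurisdiction, classification, exit path) can be turned into a repeatable check rather than a one-off spreadsheet. The following is an added example written for this article, not code from the original page or from any vendor: it evaluates a small, constructed cloud inventory against an assumed policy and flags the two failure modes the text describes, sensitive data held under a non-EU jurisdiction even when the region is European, and confidential data with no documented exit format. The inventory entries, sensitivity tiers, jurisdiction codes and thresholds are all assumptions made for illustration.

```python
"""Sovereignty check over a constructed cloud inventory.

Added example for this article, not the article's or any provider's code.
Inventory entries, tier names, jurisdiction codes and policy thresholds are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sensitivity tiers ordered from least to most sensitive (assumed ordering).
TIERS = ["public", "internal", "confidential", "restricted"]


@dataclass
class Store:
    name: str
    provider: str
    region: str                  # data residency: where the bytes physically sit
    jurisdiction: str            # legal order the provider's controlling entity answers to
    datasets: Dict[str, str]     # dataset name -> sensitivity tier
    export_format: Optional[str] = None  # documented open exit format; None = lock-in risk


# Assumed policy: the most sensitive tier a store may hold, keyed by the
# provider's jurisdiction. "US" here stands for "reachable by CLOUD Act process",
# irrespective of region. Unknown jurisdictions fall back to "public".
MAX_TIER_BY_JURISDICTION = {"EU": "restricted", "US": "internal"}

# Assumed threshold above which a documented exit format is mandatory.
EXIT_REQUIRED_FROM = "confidential"


def tier_rank(tier: str) -> int:
    """Position of a tier in the ordered list; higher means more sensitive."""
    return TIERS.index(tier)


def assess(inventory: List[Store]) -> List[dict]:
    """Return one finding per policy violation in the inventory."""
    findings = []
    for store in inventory:
        # Naive region heuristic for the constructed data: "eu-*" regions count as EU.
        residency_eu = store.region.startswith("eu-")
        max_allowed = MAX_TIER_BY_JURISDICTION.get(store.jurisdiction, "public")
        for dataset, tier in store.datasets.items():
            if tier_rank(tier) > tier_rank(max_allowed):
                reason = f"{tier} data under jurisdiction {store.jurisdiction}"
                if residency_eu and store.jurisdiction != "EU":
                    reason += " despite EU region (residency is not sovereignty)"
                findings.append({"store": store.name, "dataset": dataset,
                                 "category": "jurisdiction", "reason": reason})
        needs_exit = any(tier_rank(t) >= tier_rank(EXIT_REQUIRED_FROM)
                         for t in store.datasets.values())
        if needs_exit and store.export_format is None:
            findings.append({"store": store.name, "dataset": "*",
                             "category": "exit",
                             "reason": "no documented export format for "
                                       f"{EXIT_REQUIRED_FROM}-or-higher data"})
    return findings


# Constructed inventory (not real providers or systems).
INVENTORY = [
    Store("crm-saas", "ExampleCRM Inc.", "eu-central-1", "US",
          {"customers": "confidential", "marketing_assets": "public"}, "csv"),
    Store("hr-lake", "Example Cloud AG", "eu-west-2", "EU",
          {"payroll": "restricted"}, None),
    Store("website-cdn", "ExampleEdge Inc.", "us-east-1", "US",
          {"public_pages": "public"}, "tar"),
    Store("ai-assistant", "ExampleAI Inc.", "eu-central-2", "US",
          {"support_tickets": "confidential", "prompt_logs": "internal"}, None),
]


def run_example() -> List[dict]:
    """Evaluate the constructed inventory and return the findings."""
    return assess(INVENTORY)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['category']}] {f['store']}/{f['dataset']}: {f['reason']}")
```

Run as written, the check reports the CRM store for holding confidential customer data under US jurisdiction in a Frankfurt-style region, the HR lake for having no exit format despite an otherwise clean EU setup, nothing for the public CDN, and both problems for the AI assistant. The point of keeping `region` and `jurisdiction` as separate fields is exactly the distinction the article draws: a residency filter alone would have passed three of the four stores.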
Which cloud strategies work in practice, how businesses handle vendor lock-in and what the EU AI Act specifically requires are all topics we explore at d:u27 on 13 & 14 April 2027 in Münster. Companies that have already made these decisions share their experience there – without sugarcoating it.
For many mid-sized businesses, the topic can feel abstract – until it becomes concrete: a data protection authority conducts an audit, a major client presents compliance requirements, or a regulated market suddenly demands proof of data sovereignty.
According to a EuroCloud survey, nearly 45 per cent of members see sovereignty as the number one trend for 2026 – ahead even of artificial intelligence. That's no coincidence: the combination of the EU AI Act, the Data Act and NIS2 makes data sovereignty an operational requirement, not just a political discussion point.
For the Mittelstand, this means in concrete terms: it's not about switching off all cloud services or moving exclusively to European providers. It's about developing a conscious approach to data – knowing where different data sits, what risks that entails and how those risks can be managed.
Companies with that overview are not only better protected against compliance risk. They also build trust – with customers, partners and regulators. Data sovereignty is increasingly becoming a quality signal, particularly in sectors such as healthcare, financial services and public administration.
How data-driven decision-making and a sovereign approach to data fit together is explored in our article Data-based decision-making in SMEs.
Data sovereignty means retaining control over your own data – not just on paper, but in everyday practice. The legal framework provided by GDPR, the EU AI Act, the Data Act and NIS2 makes one thing clear: those who don't exercise this control actively will gradually lose it.
The first step is not a major project. It's an inventory: where does which data sit? Who has access? Under which law? Based on those answers, priorities can be set – and a way of handling data developed that holds up over the long term.
Data sovereignty is not just a question for the IT department – it's a strategic matter for company leadership, legal teams and every function working with customer data. At d:u27 on 13 & 14 April 2027 in Münster, we bring together exactly the people who treat data sovereignty not as an abstract compliance topic but as the foundation for reliable data and AI work in practice. Save your ticket now.
