Ignoring digital sovereignty? CIOs can't afford to
Geopolitical turmoil and shifting regulations are forcing CIOs to reassess their approach to data control. Digital sovereignty is now essential for protecting operations, compliance, and trust.
Executive summary
- Digital sovereignty empowers IT leaders to control data, operations and infrastructure, thereby reducing risks associated with compliance failures, downtime, and reputational damage.
- Achieving digital sovereignty requires strategic planning, situational awareness and clear risk profiling.
- IT leaders must enforce transparency and audit rights with cloud providers to maintain full control and ensure compliant systems.
Geopolitical tension, disruption and war have marked this decade, driving organizations to seek ways to thrive during intense uncertainty. For most companies and their chief information officers (CIOs), this requires building resilient operations under strict control and oversight. Achieving digital sovereignty is a major part of this effort.
In its 2025 Hype Cycle for Digital Sovereignty report, Gartner Inc. defined digital sovereignty as "autonomy over data, operations and technology, while enabling compliance with regulatory frameworks within specific geographic boundaries." The Stamford, Conn.-based advisory firm also noted that digital sovereignty comprises:
- Where data resides.
- How data is protected.
- Where data is located physically, including the infrastructure that processes it.
- How technology keeps businesses running.
Digitally sovereign companies, of course, decrease the chances of losing control over their data. But Gartner's conclusion goes even further: Digital sovereignty transcends shielding individual organizations from harm. "It is essential," the research notes, "for national security, economic resilience and operational continuity."
Risks of ignoring digital sovereignty
Disregarding digital sovereignty carries several risks, said David Linthicum, founder and lead researcher at Linthicum Research, a technology-focused firm based in Ashburn, Va. Among them are:
- Failure to comply with laws and regulations.
- Compromised business continuity.
- Reputational damage.
And geopolitics significantly influences how much control companies retain over their data, Linthicum noted.
For example, Company A stores its data on Cloud Provider B's servers, which are in a European Union (EU) country. Cloud Provider B discovers Company A is doing business with a rogue state — one under EU sanctions. Cloud Provider B kicks Company A off its platform, leaving the company scrambling to find an alternate option.
The result: Business continuity is interrupted. This downtime, combined with news of Company A's engagement with an unfriendly regime, leads to bad public relations (PR) and diminished trust among customers and investors.
Linthicum, who recently co-authored "Unlocking the Power of the Cloud: Governance, Artificial Intelligence, Risk Management, Value" with Meredith Stein, said organizations sometimes encounter conflicting laws governing the country in which their cloud provider is headquartered.
"A lot of European companies are very worried about dealing with American-based cloud companies because of the risk of U.S.-based law enforcement -- its ability to subpoena their data if it's stored on a U.S.-based server," he said.
These fears, Linthicum added, extend to situations where data is stored on servers in the EU but managed by an American cloud provider. Moreover, administrations change, and so do these laws, creating an even more volatile climate.
Benefits of digital sovereignty
Still, when companies achieve digital sovereignty, they reduce the risks associated with business continuity, compliance and reputation, Linthicum said. He further stated that it increases people's understanding of how their data is handled, which in turn fosters trust.
For example, if a German company attests that it is storing information pertaining to its German customers in a sovereign cloud located in Germany, those individuals feel reassured that their personal data isn't in a facility halfway around the world, where different laws may apply.
"That has value in terms of PR and customer relationships," Linthicum said.
Action plan for CIOs and business leaders
Achieving digital sovereignty requires companies to maintain a deep understanding of their present situation. Among the best practices to consider are the following:
Build situational awareness
Develop a team that's thoroughly familiar with the company's operations and any related and potentially harmful issues, said James Stewart, partner and chief technology officer at Public Digital, a London-based consulting firm.
Together, the team seeks clear insight into the geographical markets along the organization's entire supply chain. Additionally, the team monitors the company's operating markets for changes or developments that may affect the data stored there.
Stewart added that the assembled team is best when it includes representatives from all business disciplines. Top leadership, on the other hand, prioritizes data that the company must control absolutely.
"(This team needs to be) working together so that (the business) can have a holistic understanding of both how we work now, but also how we want to work," Stewart said.
Recognize that digital sovereignty extends beyond the data center
While an organization's information is often stored in the data center around the corner, ensuring digital sovereignty doesn't stop there. Stewart noted other parts of the necessary infrastructure typically reside elsewhere -- sometimes even outside the country the company calls home.
For example, what happens if a critical subsea cable is cut, the internet goes down, and the data center cannot access that offsite infrastructure?
When teams fail to scrutinize requirements for end-to-end digital sovereignty, they often lack the data control they thought they had, Stewart said.
Profile risk strategically
For Will Venters, associate professor of information systems in the Department of Management at the London School of Economics and Political Science, digital sovereignty is a balancing act between retaining control over an organization's data and assuming some risk to gain competitive advantage, streamline workflows or innovate.
"Locking your data inside your business may be the safest option from a security perspective," Venters said. "But it's not necessarily the safest option from a business perspective because you want to drive value and build business processes that allow you to capitalize on the ecosystem of other services."
Companies must avoid a blanket approach to profiling risk, Venters said. Instead, leaders must assign risk tolerance levels to specific data sets. This isn't an easy exercise, Venters acknowledged.
For example, a company rightly considers a zero-risk policy for customer data. However, what if data mining promises true business innovation? In this case, Venters suggests organizations seek technology that enables them to mine while remaining secure and digitally sovereign.
Demand transparency from cloud providers
Sometimes an organization's digital sovereignty is weak because its cloud provider does not offer adequate control over the organization's data. This is why Linthicum stresses the importance of mandating complete transparency in the service-level agreements (SLAs) companies sign with their cloud providers, including:
- Details on how the cloud provider's customer could audit the provider.
- How the cloud provider's client has access to its data.
- Which country's laws the cloud provider follows.
- Where data is physically stored.
Hammering out these specifics is crucial, Linthicum said, if companies are to maintain control over their data. Companies don't want their cloud provider to move data without telling them; this creates compliance risk -- especially if that information now resides in another country.
Instead, Linthicum said a strong SLA clearly states the cloud provider must give sufficient notice prior to moving data and collaborate with its customer on the migration process.
Stipulate the right to audit cloud providers
Cloud customers have the right to audit their providers' operations, and the SLA must state this, Linthicum said. He added that companies, at any time, should be able to:
- Visit the data center where their information is stored.
- Verify the server on which it is stored.
- Examine the backup and recovery systems to confirm that data is not sent to another country for backup and recovery operations.
"You should be able to see the servers where your data is going to be stored for these particular applications that are critical to your business," Linthicum said.
Linthicum acknowledged reluctance to grant this access; cloud providers often cite security concerns to prevent customer visits. However, if a provider refuses onsite audits, Linthicum urges companies simply to choose another provider.
"[If you] vote with your feet, even if it costs you more money, you're still going to make it up in terms of lowering risk," Linthicum said.
In the past, he added, only a few cloud providers dominated this space. Today, companies have far more transparent – that is, better – options.
Invest in planning for digital sovereignty
Ultimately, achieving digital sovereignty requires careful planning. Linthicum emphasized that this is a complex process that requires a diverse team of skilled individuals.
"It comes down to a larger strategic architectural framework where you're going to build, deploy and host your applications, and that needs to be well thought out," Linthicum said. "Understand that this is going to be a complex array of heterogeneous systems you're going to have to work with."
Carolyn Heinze is a Paris-based freelance writer. She covers several technology and business areas, including HR software and sustainability.