Expert Column: Cybersecurity — Why Sovereignty Matters Now More Than Ever

Since the early 2000s and the rise of cloud computing, the notion of digital sovereignty has sparked ongoing debate. Against the backdrop of current geopolitical tensions, European companies’ ability to maintain their independence and control in the digital realm, while protecting the data and interests of their employees and stakeholders, sits at the center of concern.

Digital sovereignty has moved beyond the traditional remit of legal services to become a strategic priority for leaders. In the face of data regulation, the need to know precisely where data resides and under which laws it falls has become a crucial element. CISOs find themselves at the heart of this evolution, charged with managing data sovereignty both as a security imperative and as a strategic lever for the business.

Digital sovereignty is not merely a compliance obligation.

The sheer volume of region-specific regulations, from the GDPR in Europe to similar frameworks in Asia and the United States, makes a universal approach impossible. Moreover, recent geopolitical tensions have forced organizations to reassess their reliance on foreign cloud infrastructures: today, 72% of the European cloud is owned by three American giants (1). Third-party risk, exposure to surveillance, and loss of legal control push leaders, from both the public and private sectors, to seek an infrastructure that is not only secure but also sovereign.

In fact, the way cybersecurity professionals perceive risk has shifted. The location where data is stored is now pivotal. Everyone deliberately seeks to limit risk. Yet if your data resides in a jurisdiction that permits access by foreign governments, as the U.S. CLOUD Act allows, you are exposed to a legal vulnerability that no encryption algorithm or firewall can mitigate, and whose consequences weigh directly on security teams.

A necessary convergence between compliance and cybersecurity.

Once siloed by design, these two functions are now compelled to collaborate. This evolution forces Security Operations Center (SOC) teams to understand the legal stakes, and legal leads to become familiar with IT realities. The change is not purely operational; it is cultural, pushing CISOs to assume a new role. They can no longer merely protect systems; they must also guide their organizations through a complex environment that mixes regulation, data localization, and technology.

To succeed in this transition, they are compelled to rethink how they evaluate security solutions. The question should no longer be “Is this secure?”, but rather “Where is the data hosted and processed, and under what jurisdiction?” Such reflection will gradually steer decision-makers toward security platforms that offer full transparency on the applicable jurisdiction, provide local data hosting, and support sovereign cloud deployments.

In this context, the management of encryption keys becomes a critical point as well: it is essential to know who controls them and where they are stored. If these elements do not align with national regulation or with your risk tolerance level, then the solution under consideration is not adequate.

Any ambiguity should be treated as a red flag.

The choice of “sovereign” partners is now decisive. Providers who cannot clearly explain data flows, cross-border transfers, or legal obligations are not viable long-term partners. The same goes for those who rely on shared-access management or whose services are governed by foreign legal frameworks with conflicting disclosure rules.

These decisions are important not only for operational resilience but also for establishing a level of trust. In a context where customers and regulators pay close attention to data practices, proving control over data location and access can become a real competitive advantage. It signals a strong commitment to privacy, transparency, and compliance with legal obligations.

This is an opportunity CISOs must seize to act with clarity and rigor. Data sovereignty is no longer a question reserved for specialists; it is now a strategic issue. This implies demanding more from suppliers, forging closer internal partnerships with legal and compliance teams, and embedding regulatory obligations into every facet of the cybersecurity strategy.

Those who succeed will not only proactively reduce their exposure to risk, but will also help redefine the notion of trust in the digital era.

* Xavier Duros is a cybersecurity expert at Trend Micro

(1) https://www.techradar.com/news/european-cloud-market-is-being-dominated-by-three-big-players

Dawn Liphardt


I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.