Data Sovereignty Challenge: CIOs Adapt in Real Time

CIOs certainly are not new to the challenges of data sovereignty.

How and where data is stored has been top-of-mind for CIOs, from the days of on-premises systems to the era of hyperscalers and SaaS applications, notes Shannon Bell, executive vice president, chief digital officer, and CIO of OpenText, an information management solutions company. “It’s always been important to know where your data is and how you’re protecting it,” she said.

But current factors make that job more complex than ever. AI is now in the mix. Geopolitical tensions are rising. And equally unnerving — the big tech companies are having to reconsider their data sovereignty promises.

Data Sovereignty Challenges in 2025

Figuring out a data sovereignty strategy is not a simple task, with CIOs having to factor in potential challenges from multiple sources.

Surveillance Laws vs. Privacy Regulations

The U.S. CLOUD Act gives the U.S. government authority over U.S. tech companies and could give it access to their customers’ data, regardless of where it is being held. The 2018 law allows U.S. companies to challenge a government order to produce data if the disclosure poses a material risk of violating foreign laws, but does not guarantee exemption.

When push comes to shove, it therefore seems that U.S. surveillance laws could win out over privacy regulations in other jurisdictions, like the EU. A Microsoft executive said as much when speaking to the French Senate this summer; Anton Carniaux, director of public and legal affairs with Microsoft France, said the company “cannot guarantee” that it would not hand over data on French citizens to the U.S. government if faced with an injunction, The Register reports.

The uncertainty is driving concern. “There’s been a lot more talk around, ‘Should we be managing sovereign cloud, should we be using on-premises more, should we be relying on our non-North American public contractors?’” said Tracy Woo, a principal analyst with research and advisory firm Forrester.

Ditching a major public cloud provider over sovereignty concerns, however, is not a practical option. These providers often underpin expansive global workloads, so migrating to a new architecture would be time-consuming, costly, and complex. There also isn’t a simple direct switch that companies can make if they’re looking to avoid public cloud; sourcing alternatives must be done thoughtfully, not just in reaction to one challenge.

“The bottom line is that it is too difficult to disintermediate yourself from the North American public cloud providers,” said Woo. “Like it or not, they are the backbone of your global infrastructure.”

Customer Data Protection

In addition to tensions between U.S. surveillance laws and EU privacy laws, CIOs of global organizations have to think about data protection requirements across all of their customers’ jurisdictions.

“Data protection for a customer in Germany is different than the requirements for data protection for a customer in the U.S. or in Singapore,” explained Bell.

CIOs have to decide whether to enforce different standards of regulation across their different jurisdictions, to comply with local law, or to apply a single gold standard across all their data, regardless of geography. This can quickly become complex to manage. “We have an entire compliance organization within my technology team that probably wouldn’t have existed 20 years ago,” said Bell.

With the intense proliferation of data, it can be easy to make mistakes. Data can wind up where it isn’t supposed to be.

“Getting transparency but also alignment and having that in a centralized repository is incredibly difficult,” said Woo.

Mignona Coté, CISO of enterprise software company Infor, agreed: “You can test, test, test, test, test but still you forgot one use case. And so there will be consequences. There will be things that you’ve got to fix.”

While mistakes can and do happen across company operations, mistakes in data regulation can be particularly costly, Woo pointed out. Sovereignty issues can lead to legal troubles with local governments, fines, and even global reputational damage.

In an effort to address these challenges and liabilities, public cloud providers have been grappling with sovereignty issues for years and developing specific sovereign solutions, including those designed for heavily regulated industries that struggled to adopt the public cloud, Woo said. But ChatGPT “turned everything on its head,” she said.

The Added Complications of AI

CIOs are expected to lead the charge on AI innovation – but in order for AI to achieve its hoped-for outcomes, CIOs need good information management. What data is being used to train models? Where is that data coming from? Is it safe? Are AI projects being deployed in a way that upholds privacy regulations across different jurisdictions?

“There’s a nervousness around deployment of AI, and I think that nervousness comes from — definitely in conversations with other CIOs — not knowing the data,” said Bell.

Although decoupling from the major cloud providers is impractical on many fronts, issues of sovereignty as well as cost could still push CIOs to embrace a more localized approach, Woo said.

“People are realizing that we don’t necessarily need all the bells and whistles of the public cloud providers, whether that’s for latency or performance reasons, or whether it’s for cost or whether that’s for sovereignty reasons,” explained Woo. “And so, there has been this push to create and move that AI to the local environment as well.”

Conversely, CIOs should understand how they can use AI to improve and automate data management. “AI could be used as an enabler to see if the data is going somewhere else,” said Coté.

The Pressure Is On

Meanwhile, the clock is ticking. Sovereignty has become a top board-level concern, amid the global proliferation of data privacy laws and the legal requirement to comply with them. Executive leaders want to know that data is safe and that regulatory compliance is being met — without hampering a company’s operations. Customers want to know that their data remains within their operational jurisdictions.

“The CIO is going to be looked at as the one who could solve the problem. There is a lot of pressure on him or her,” said Coté.

Bell described this responsibility as a balancing act for the IT organization, as they have to try to meet all regulatory requirements while still leaving teams with enough flexibility and agility for innovation. Managing these pressures requires a cultural change around the way IT teams operate and how they are viewed within an organization.

To be successful, Woo outlined a few goals that CIOs will want to achieve: to know where all data resides, to have control and transparency around said data, and to ensure total regulatory compliance. Crucially, they will want to make sure that sovereignty and regulations are employed on data at all stages, whether at rest, in transit, or under use.

Hybrid Model for Managing the Challenges and Uncertainty

How to proceed is a challenge. The current issues around hyperscalers, the sovereignty of data, U.S. surveillance rules, and the U.S. CLOUD Act are in flux. “I think those pieces of the puzzle are still unfolding,” said Bell.

CIOs can’t say exactly how the puzzle will look, Bell said, but they do need to guide their organizations forward as the pieces come together, building and deploying systems that both protect and capitalize on enterprise data.

Flexibility and portability of the solutions they deploy are key, as the regulations, standards, and expectations around data sovereignty evolve.

Bell anticipated that hybrid will be the model of choice going forward.

“Maybe five to 10 years ago, CIOs would tell you, ‘I’m going to have 100% of my workloads on the cloud.’ Now, CIOs very much understand that the hybrid ecosystem is where they will land,” said Bell. “It’s just a question of what percentage of your workloads sit where.”

