Why sovereignty has become the new measure of cyber resilience

In 2026, national economies run on data. The health of data centers and other critical IT infrastructure now determines the resilience and competitiveness of entire countries, and we’ve seen global corporations and public services brought to their knees by a single breach.

At the end of last year, the Bank of England linked a slowdown in UK GDP to the Jaguar Land Rover cyberattack, showing how a severe incident can ripple across the whole economy.

For a decade, businesses have been racing to put their data into cloud storage in pursuit of greater efficiency and lower costs. It was the obvious choice for those looking to gain instant scalability without the capital burden of owning and operating data centers. But in chasing convenience, many unwittingly ceded control over their own data.

The problem lies in where and how organizations' data is stored. Much of the world’s critical data, from financial systems to healthcare records, now sits in data centers owned or operated by overseas entities, governed by foreign laws, and managed beyond domestic oversight. Few boards fully recognized that outsourcing their infrastructure meant surrendering visibility, and ultimately, control.

Today, as geopolitical tensions flare and cyber espionage actors adopt new AI tools, that trade-off is catching up with us. Governments and enterprises are waking up to the fact that you can’t secure what you don’t control.

Drivers of sovereignty: Why control matters more than ever

‘Data sovereignty’ means very different things to different people. For some, it’s simply about where data is stored - a matter of residency. But that’s a dangerously narrow view. True sovereignty is about control: your ability to retain full legal and operational authority over your data. That involves having control over who can access it, how it’s processed, and under which jurisdiction it’s governed.

The world is only now starting to come to terms with the limits on our control over our data. Years of outsourcing critical infrastructure to third parties abroad have created layers of operational dependency that governments are now recognizing as a critical risk.

Three key developments are pushing sovereignty to the top of the Critical National Infrastructure (CNI) and enterprise agenda:

1. The weaponization of digital infrastructure

From the sabotage of subsea cables to cyberattacks exploiting cloud supply chains, digital infrastructure has become the target of those looking to exert geopolitical influence or disrupt other sovereign nations.

Incidents targeting communication networks and service providers have revealed vulnerabilities in our systems; we have only to look at Russia’s repeated cyber attacks on Ukraine’s power and telecommunications systems to understand the weak position these put us in.

2. Tightening global regulation

The EU Cyber Resilience Act and NIS2 Directive have meant that company directors and those responsible for cybersecurity can no longer sweep digital sovereignty under the rug.

These regulations demand accountability throughout supply chains and impose penalties for opaque governance. Similar frameworks are emerging worldwide, redefining how trust is measured and enforced.

3. Eroding trust in overseas data protection

Last summer, Microsoft testified before the French Parliament, admitting it ‘cannot guarantee’ that data it holds is immune to US government data requests. The statement laid bare the uncomfortable truth behind so-called ‘local hosting’. Your data might sit in a European data center, but if the owner is headquartered in a foreign jurisdiction, it is not safe from extraterritorial access.

The reality is that cheap digital outsourcing, often to regions linked to adversarial states, has left the democratic world with limited leverage over the supply chains that underpin its economies – and facing a rising threat from well-resourced, state-backed cyber criminals. At the same time, with organizations embracing AI-led transformation, they are generating and processing more sensitive data than ever before; data that embodies their strategic advantage in-market and can be weaponized if exposed.

Sovereignty offers a path back to control. A sovereign environment allows organizations to act decisively, because when breaches occur, they have the legal recourse and operational visibility needed to make informed decisions within their domestic sphere.

So how can organizations move towards sovereignty?

Building resilience through real control

The bottom line is that organizations shouldn’t trust any provider that can’t clearly define and prove data sovereignty through contractual assurances. For too long, cloud providers have issued comforting but vague statements about customers’ data being hosted in domestic data centers. But they haven’t told the full story. Real sovereignty relies on the company in question knowing exactly who can access their data, how that access is governed, and under which laws.

The UK Government has been very clear about its ambition to make the country a global leader in secure, trusted digital services. Its AI Opportunities Action Plan offered a roadmap for safe, scalable digital transformation across the economy. But that goal won’t be achieved if organizations and their supply chains don’t have a clear line of sight over where data lives and who controls it. Procurement across Critical National Infrastructure and the public sector, in particular, will now prioritize providers that offer genuine legal and jurisdictional control.

Visibility: The cornerstone of sovereignty

Too often, procurement teams treat digital infrastructure as a race to the bottom on cost, without fully understanding the associated risks. When contracts go to the lowest bidder, and people sweep awkward questions about access and governance under the rug, you get a false economy: any savings you gain on paper vanish the moment a breach occurs or when an threat actor seizes control of your sensitive data.

Visibility must become a baseline expectation at every stage of engagement with a cloud provider. Decision-makers should demand end-to-end transparency from suppliers, including auditable oversight of data handling and identity verification. Providers must also be required to disclose, in writing, any legal obligations to foreign governments.

We’ve already seen the impact that cyberattacks can have on companies and entire economies. M&S has acknowledged that last year’s cyber attack on its systems will cost it roughly £136 million, and it certainly won’t be the last company to experience such a significant loss at the hands of cybercriminals. While you won’t eliminate every threat by branding a cloud solution as ‘sovereign’, strengthening sovereignty in your data operations will increase your visibility and control, and reduce uncertainty on the user’s behalf.

The path to strategic resilience

For years, businesses have prioritized convenience and cost-efficiency, but the trade-off between cheap and easy versus secure and sovereign has reached a natural inflection point.

For a government, investing in sovereign infrastructure and services is key step that organizations can take to help secure national GDP. Along with creating and maintaining domestic jobs it strengthens the governments ability to support and protect business revenues. It’s also a huge factor in continuity of essential services; keeping the lights on when the rest of the world flickers.

The real question for decision-makers now is simple: what is your organization's risk appetite?

How much uncertainty are your shareholders and customers willing to accept when the cost of dependency has become so clear?

Sovereignty will never be absolute in a world defined by interlocked digital infrastructure. However, the pursuit of practical sovereignty, rooted in transparency and domestic control, should be a key organizational and governmental priority: the only real way to ensure long-term resilience.

Sovereignty is also an incredibly complex journey that demands deep collaboration between policymakers, service providers, and – most of all – those to whom the data belongs. The destination may be one of greater individual control, but the journey demands collective action.

We've featured the best data migration tools.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit