Digital sovereignty describes an organization’s right to control its digital data. It also refers to country- or region-specific regulations that dictate that any data harvested or processed must be subject to its laws. According to Rahel Nasir, IDC Senior Research Director, it should be thought of in a broader context where, as well as data, “the focus is also on the infrastructure and the software that is created and relied upon to operate in the digital world.”
Data sovereignty is a subgroup of digital sovereignty. Here data is subject to the laws and governance structures within the country it is collected or applies to. Within on-premises infrastructure, data sovereignty is straightforward. It is the cloud that brings the complexity.
The digital and data sovereignty landscape defined
IDC defines digital sovereignty as “the capacity for digital self-determination by states, companies, or even individuals.” Put another way, Nasir says that “digital sovereignty gives digital organizations a license to operate.” Data sovereignty is a big part of this digital sovereignty picture.
Once you cut through the politics around digital sovereignty, what is essentially left are “issues of resilience, control, and management of IT infrastructure,” maintains Nasir, which has been on the IT agenda for some time, so it hardly pulls any surprises.
Given the increasing complexity of global infrastructures, however, organizations are increasingly concerned about staying compliant and ensuring digital and data sovereignty are carefully considered in organizational strategies, particularly when it comes to the cloud. So much so that IDC forecasts that by 2025, 70% of G2000 will prioritize the trusted infrastructure of sovereign clouds to ensure consistent security and regulatory compliance for specific sensitive workloads and data.
Cloud is causing concerns
As the uptake of multicloud accelerates, so do worries about data. Where is it? Who is safeguarding it? Digital sovereignty is still quite a new concept, which means that countries are evolving regulations as new scenarios arise. Applying digital sovereignty practices can be highly challenging in such a dynamic environment across multiple territories, especially when you add cloud infrastructure into the equation.
IDC estimates that in Europe alone, half of organizations will spend 10% of their IT budget over the next couple of years to comply with sovereignty rules adopted in the European Union. In IDC’s worldwide CEO survey conducted at the beginning of 2022, 80% of European organizations considered digital sovereignty their highest priority.
Such regulations present roadblocks to organizations in terms of growth and limit the flexibility of global digital platforms and public cloud services. It is little wonder that 98% of organizations in Europe and the U.S. have data sovereignty strategies in place or are currently working on policies that will impact their overarching organizational strategy, according to a Vanson Bourne study.
The emergence of cloud data sovereignty
When planning multicloud strategies, enterprises increasingly understand the importance of cloud data sovereignty in their plans. This determines the governmental jurisdiction in which cloud infrastructures are physically cited. As a result, IDC maintains that the following cloud organizations will consider adding a sovereign cloud to their multicloud strategy. A sovereign cloud is designed and constructed to provide data access in compliance with local laws and regulations. The Gaia-X initiative in Europe is an example of a sovereign cloud.
Enterprises are increasingly becoming aware that not all clouds are the same, and it is vital to identify the right cloud for the right workloads and applications. In some cases, this will be a sovereign cloud. Organizations that find this a challenge should engage a trusted partner to help guide them.
Organizations should look at sovereign clouds as supplementing their deployments on public or hyperscaler clouds. By integrating sovereign cloud into its multicloud strategy, organizations can benefit from increased flexibility and future-proof operations in terms of data, for example.
Staying ahead of rapidly changing regulations
According to Gartner, CIOs can no longer assume that all technologies within an organization’s operations will operate in all countries. The United Nations Conference on Trade and Development (UNCTAD) estimates that 80% of countries worldwide have enacted or drafted data privacy legislation.
The analyst firm thus recommends that organizations set up a geopolitical vendor and technology risk center of excellence to regularly assess the exposure of key suppliers to evolving government restrictions.
While an organization’s legal counsel stays informed on the changing regulatory vista, CIOs must proactively ensure its IT operating model and practices reflect current laws and procedures. To achieve this, Gartner recommends that CIOs establish a direct line of communication with their legal counsel to ensure everyone is up to date on legal issues and compliance.
Make digital and data sovereignty pivotal to organizational strategy
Digital and data sovereignty regulations will continue apace over the coming years as regulators and political leaders look to protect their borders. Business leaders and CIOs must include digital and data sovereignty in their overarching strategy to control risk, remain compliant and flourish in the digital economy.
Orange Business Services takes a solution-agnostic approach, providing our customers with the best cloud solution that best fits the regulatory landscape they are operating in. This includes the best technical mix to lower risk across regions. To find out more, click here.
Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.