Why data sovereignty is driving cloud hosting decisions

Data sovereignty is a top priority for many organisations. Where your data resides now determines how secure, private, and compliant your business is. Political uncertainty, enforcement of data protection regulations and concerns over data protection with the rise of AI technologies are just a few of the contributing factors.

Data sovereignty is the principle that data is subject to the laws of the country in which it resides. A recent survey of UK IT leaders reported that 61% of respondents said that data sovereignty is now a strategic priority for their organisation, with 45% exploring the possibility of repatriating workloads from the public cloud due to data protection concerns (IT Pro). 

In this insight, we will explore the evolving regulations and rulings impacting data governance, how this growing focus on data sovereignty is leading cloud hosting decisions, and how you can address data sovereignty through your own infrastructure. 

Evolving regulations and the impact on businesses

Several major developments in data regulations and law over recent years have had a significant impact on how organisations in the UK and EU must process data.

Brexit

Following the UK’s exit from the EU, known as Brexit, GDPR has been retained in UK law as the UK GDPR, but the UK does have the independence to keep the framework under review. While the key principles, rights, and obligations remain, there were implications for the rules on transfers of personal data between the UK and the EEA, which have needed addressing by UK and EU companies. As of June 2025 the Data Use and Access Act will be subject to a phased implementation period which will also introduce further changes to data protection law. 

Schrems II

A landmark judgement in 2020 from the Court of Justice of the European Union (CJEU), known as Schrems II, changed the data protection landscape. The ruling invalidated the EU-US Privacy Shield, a framework which allowed data transfer from the EU to the U.S., stating that U.S. laws did not offer protections equivalent to EU standards (GDPR summary). Following Schrems II, the EU-US Data Privacy Framework was launched in July 2023 to address the legal gaps identified, providing a compliant path for U.S.-based organisations to receive personal data from the EU. The European Commission also introduced the International Data Transfer Agreement (IDTA), replacing Standard Contractual Clauses (SCCs), offering clearer guidance for international transfers in the wake of Schrems II. 

GDPR 

While GDPR first came into force in 2018, major rulings over the last few years have emphasised its importance. 

In a groundbreaking GDPR ruling, the Irish Data Protection Commission imposed a historic €1.2 billion fine on Meta, for transferring personal data from European users to the U.S. without adequate data protection mechanisms (European Data Protection Board). This ruling served as a warning to other companies of the potential consequences of breaching GDPR requirements.

Developments in AI technology

As AI technology has advanced and become widely adopted, concerns have also grown around data protection when running and using these technologies. In response, the EU has passed the EU AI Act, a comprehensive AI regulation, with major implications for how data is processed, stored and governed in the cloud. The EU AI Act places significant emphasis on data governance, impacting cloud hosting decisions.

For UK businesses, it is important to note that, while the EU AI Act does not directly apply if you are solely operating in the UK, it does apply if you are selling AI tools to the EU, processing EU user data, or hosting AI workloads for EU customers. The UK government has developed its own response to AI, the AI White Paper, which takes a lighter-touch approach. The framework is non-statutory, instead giving existing regulators (such as the ICO, CMA, or FCA) responsibility for applying AI principles in their sectors. 

Data sovereignty considerations for cloud hosting

“Global by default” cloud models

Many public cloud platforms are offered by global providers, such as AWS, Microsoft Azure, or Google, with no clear borders between jurisdictions. These solutions are often not transparent about where your data is stored and processed, and may replicate and route data across borders. This creates significant compliance concerns, particularly for organisations handling sensitive personal data. 

“Data Gravity” concerns

The concept of data gravity refers to the idea that large volumes of data tend to attract other data, services, and applications towards where they are stored. 

While this is a common phenomenon, the more data you accumulate in one place, the harder it becomes to move that data somewhere else, creating infrastructure and operational dependencies. With some cloud providers, there are additional difficulties with migrating data, such as egress fees, proprietary services, and other vendor lock-in strategies. 

For organisations addressing data sovereignty concerns within their cloud infrastructure, this can make cloud repatriation and transferring data back into your jurisdiction additionally complex. 

Legal exposure

As many jurisdictions have their own data protection regulations, this leads to the potential for legal conflict between jurisdictions. This is a particular issue with public cloud infrastructure where it is unclear where your data is stored and transferred, as it is possible to run afoul of a jurisdiction’s regulations unknowingly. 

Industry-specific requirements

Many industries will have their own specific requirements around data protection, covering the location of data and any data migration across jurisdictions. One example of this is the National Data Guardian’s Data Security Standards which all organisations with access to NHS patient data and systems must use to confirm they are handling data correctly. When you are working in an industry with particularly strict compliance requirements, controlling where and how your data is stored and processed is vital. 

How to address data sovereignty in your cloud hosting strategy

Region-specific hosting

In order to best meet data sovereignty requirements, it is vital to have control over exactly where your data is hosted and processed. You should seek a provider who operates and hosts in the region(s) you require, and who can guarantee your data will not be transferred between jurisdictions without your knowledge. This transparency will allow you to meet the strictest compliance requirements, and maintain full control over your data. 

Global infrastructure with local legal accountability

Clear, legal separation between entities operating in different jurisdictions means a provider can provide legal compliance and region-specific support, while still offering the benefits of global reach. 

Working with an MSP

A managed service provider (MSP) with experience and expertise in data sovereignty can provide personalised guidance, and design your infrastructure to meet your compliance and data protection requirements. They can also provide ongoing management, advising you of any changes or developments to regulation which may impact you, and how you can adapt your infrastructure accordingly. 

Opt for a sovereign cloud solution

A specialised sovereign cloud solution with an expert provider means you can ensure your infrastructure is compliant with changing data privacy regulations. The VMware Sovereign Cloud Framework for example guarantees that partner providers comply with strict criteria, encompassing jurisdictional control and security measures. 

Cloud repatriation 

Cloud repatriation, the process of migrating workloads away from the public cloud and into a private or hybrid cloud environment, is a growing trend in response to data sovereignty concerns. In VMware by Broadcom’s Private Cloud Outlook 2025 report, they found that 69% of survey respondents were considering repatriating workloads from public cloud to private, with security and compliance stated as the leading driver for repatriation. Moving all or part of your infrastructure away from public cloud, and into a secure solution such as private cloud or virtual private cloud is an effective way to regain control over your data, and meet data sovereignty requirements. 

Our approach to data sovereignty

We have been supporting our customers with data sovereignty requirements over many years, providing solutions that comply with changing data privacy regulations in key strategic locations globally. Our team of compliance experts, cloud architects, technical engineers, and dedicated account managers are experienced in building and managing compliant solutions in all of our regions, and can provide guidance and support to you and your team. 

Our network of 35+ global data centre locations means you can choose where your data resides. In contrast to the public cloud model, our solutions, including Private Cloud and Hyve Virtual Private Cloud, give you tailored levels of control, offering logical and physical isolation as required. We operate entirely separate entities in the UK, Germany, and the U.S., with clear legal distinction, providing region-specific support and legal compliance. 

As a verified VMware Sovereign Cloud provider, we give you complete control over where your data is stored. Our solutions allow you to meet strict compliance requirements while keeping your environment secure across our global network of data centres.

If you have concerns around data sovereignty or questions around cloud repatriation, our experts can assess your needs, and provide guidance on your ideal, compliant and secure solution. Fill out our contact form and one of our cloud experts will get in touch. 

Originally published at: https://www.hyve.com/insights/why-data-sovereignty-is-driving-cloud-hosting-decisions