How conversations around sovereignty are redrawing the digital map

By Nuzhat Sayani, Senior Vice President, Chief Privacy and Data Governance Officer and Fariba Wells, Senior Vice President, Global Government Affairs and Policy at Kyndryl

For years, data has flowed from place to place with relative ease, powering the world’s digital economy by keeping global commerce connected and efficient.

A bank in one country might send transaction data through computers in other countries to quickly check and approve a payment. When someone shops online from a store based in a different country, their payment and shipping information instantly moves across borders so the order can be processed.

But that era of effortless movement is starting to fade. As governments grow more protective of their digital borders, many countries are tightening the rules around where data can go and who can touch it. Nations that once embraced open digital exchange are now retreating into operational silos, driven by concerns over security, competition, and geopolitical tension. The result is a landscape with far less openness and far more scrutiny — one where the simple act of moving data across borders has become a strategic, legal and political challenge for global enterprises.

We know most business leaders are concerned about data sovereignty. Some 65% report they have made changes to their cloud strategies in response to geopolitical pressures, including data sovereignty regulations, according to the recently published Kyndryl Readiness Report. And 75% of those same leaders say they are concerned about geopolitical risk associated with storing and managing data in global cloud environments.

As concern around data sovereignty increases, it will become a defining constraint on business strategy, forcing enterprise leaders to rethink how they store data, architect applications, innovate and compete. For enterprises that built their technology estates during a more optimistic era of globalization, this shift introduces profound complexity. At the same time, it demands a thoughtful and nuanced response — one that balances compliance with ambition, protects data without limiting progress and recognizes that the future of innovation will depend as much on where information lives as on what companies do with it.

Data sovereignty rules are, in part, a response to concerns about US-based technology companies. Some enterprises overseeing critical infrastructure or personal data worry that when their sensitive data resides on infrastructure owned by US-headquartered companies, it could be subject to US jurisdiction — including the possibility of data access requests relating to criminal investigations under laws like the CLOUD Act.

For enterprises overseeing critical infrastructure or personal data, this isn’t an abstract concern but a structural vulnerability. In fact, government access requests to IT providers are rare, but they exist within a broader threat environment shaped by constant risk by threat actors. That is why partner selection must be rooted in capability and security discipline, not nationality. Sovereignty principles and procurement guidelines are emerging as ways for nations to assert control, reduce dependency on foreign providers and limit the possibility that their most sensitive information can be accessed by another government, no matter how trusted the relationship may seem.

Major US-based cloud providers have taken steps to ease those concerns — for example by launching “sovereign cloud” options. Unfortunately, there are no easy answers to the data sovereignty challenge.

We know from our Cloud Readiness Report that at least 41% of organizations have started repatriating at least some of their data from the cloud to on-premises or local environments. Repatriation may seem like the obvious response to sovereignty pressures, but the unavoidable drawbacks of this approach are substantial.

Moving data on-premises can satisfy local demands, but it reintroduces the limits that pushed many businesses to the cloud in the first place: restricted compute power, slower innovation, and rising infrastructure costs. Most importantly, on-premise systems cannot match the scale, GPU density, or advanced AI capabilities that hyperscalers provide. Enterprises must still operate globally, serve customers across borders, train AI systems on meaningful datasets, and maintain resilience against disruptions and cyber attacks.

What enterprises need is a thoughtful strategy for navigating this complexity. Strong data governance can help by distinguishing data that is only needed locally from data that must be available globally and by introducing appropriate safeguards such as masking or aggregation. The path forward is not to retreat from the cloud, but to design hybrid models that keep sensitive data local while still tapping into the scale and intelligence of hyperscaler infrastructure.

Managing sovereignty at scale requires consistency across data governance, observability, and policy enforcement of providers. Without that coherence, organizations face fragmentation, higher risk and systems that are tougher to manage and protect.

Navigating sovereignty goes beyond technology; it requires balancing legal rules, global politics, cloud choices and business goals. In this way, data governance is not just a safeguard — it is the operating system that allows enterprises to preserve sovereignty, maintain interoperability, and confidently scale innovation across complex, global environments. Moving forward with confidence demands fluency in global regulatory environments and deep expertise in hybrid and multi-cloud design. It requires integration capabilities, governance frameworks and operational discipline that most enterprises cannot build without help.

Some enterprises are understandably cautious about engaging US-based companies, but it is important to recognize that not all US-based technology firms pose the same sovereignty risk. The concerns that drive digital sovereignty policies are largely directed at the movement of personal data — not at infrastructure partners focused on operational systems, IT estates, and mission-critical workloads.

A trusted partner can design hybrid architectures that allow AI innovation without exposing sensitive data. They can establish policies that maintain continuity when regulatory conditions change — as they inevitably will — and they can advance local sovereignty interests without slowing innovation, all while acting as a catalyst for better design.

Sovereignty concerns are reshaping the digital landscape, but it does not diminish the value of the cloud. Instead, they demand a new level of intentionality, one where architecture, governance and trust converge. The organizations that succeed in this environment will be those that treat sovereignty not as a constraint but as a fundamental design principle, and that choose partners who understand that principle at every layer of the stack.

In a world defined by borders, data must move intelligently, decisively and securely. Sovereignty may set the rules, but strategy will determine who thrives within them.