Cloud Sovereignty: Feature. Bug. Feature. Repeat!

It’s slow but it’s happening. Cloud roll-backs are now much more than cost saving-attempts or back-to-comfort-zone shuffles. We all heard – in some way- about Basecamp’s 37Signals pulling the plug on a big Cloud vendor in early 2023 hoping it will save $7 million in the next five years by going on premise. The figure started touching $10 million recently. But there’s more to a Cloud exit than simply eking out dollars these days.

GEICO moved over 600 apps to the cloud over a decade but ended up with 2.5 times higher costs. Now they’re moving back to private cloud. Dropbox pulled 90 per cent of customer data off AWS and built their own hybrid system, saving a lot of money. Adobe also shifted major parts of their infrastructure away from public cloud. There are many, many more examples of large enterprises doing the same – as told by Kunal Kushwaha, Field CTO, Civo in a recent interview with Dataquest.

The genie is out of the bottle. Or in more practical terms: Toothpaste can’t be squeezed into the tube again.

- Frank Karlitschek CEO and founder of Nextcloud

India’s own technology players like TCS are also seen dotting headlines like the NOW Telecom-partnered Sovereign Cloud in Philippines or the RailTel Sovereign Cloud (tagged as the India’s indigenous sovereign cloud platform). There is also buzz about Ola’s Krutrim’s AI Sovereign Cloud for India. In fact, as per some recent BCG estimates, by 2028, as many as 65 per cent of nations are expected to implement a digital sovereignty plan. Sovereign-cloud infrastructure as a service (IaaS) spending is also expected to take a jump from $37 billion in 2023 to $169 billion by 2028. The reason lies a lot in regulatory push- from the European Union’s General Data Protection Regulation, France’s SecNumCloud rules, to India’s Digital Personal Data Protection Act. It also has to do with concerns related to data privacy, data control, cloud control, resilience assurance, security worries and business continuity needs. Everything, as we can decipher now, is boiling down to that counter-intuitive-sounding term- Cloud Sovereignty.

My Cloud, My Data, My Way, My Country- Why?

When the concept of Cloud first emerged, the idea was both path-breaking and why-did-we-not-think-of-it-before’ face-palming in its impact. Just skip all the infrastructure headache and let a vendor pool everything up in some Cloud- from where enterprises can use all the IT they want- and on tap. No need to pin up any tent-bolts anywhere, all’s available, when needed, as needed, in a Cloud. Simple!

But this ethereal, and magical-sounding, feathery-wispy Cloud still has its behind-the-curtains iron somewhere. The data sits in some place. And that some place – in some circumstances- can confront issues related to actual control, lock-outs, security threats, geo-political arm-twisting and law enforcement by foreign authorities. Hence, the very advantage of a Cloud of being ‘up there’ became its biggest concern- if only recently. Now enterprises have started asking for, and vendors scrambling to assure them of, sovereign clouds. Yes, a paradox of sorts. But also- a real concern today.

Cloud sovereignty isn’t just a buzzword anymore, argues Kushwaha. “It’s a real concern for businesses across the world. The pattern is clear. The cloud isn’t a one-size-fits-all solution anymore. Companies are starting to realise that sometimes control, cost, and compliance matter more than convenience.”

Frank Karlitschek, CEO and founder of Nextcloud elucidates that digital sovereignty means that third parties such as technology providers or foreign governments are not able to control you in your digital decisions. “Customers regularly mention some areas as risks -Digital dependency and vulnerability to blackmailing, costs, vendor lock-in (making it hard to move to another provider) and data protection.”

“Companies such as Microsoft have recently increased subscription prices for some of its products by 40 per cent. The Cloud Act grants US authorises access to cloud data hosted by US companies. It does not matter if that data is located in the US, Europe, or anywhere else. Now there are fears of industrial espionage, for example if the DOGE team in the US potentially has access to confidential databases. In addition, customers don’t want their data to be used for training of AI models.” He explains.

Kushwaha seconds that pattern and echoes that this isn’t just a UK thing. “In Europe, we’re seeing a clear pushback against the dominance of big cloud providers through projects like EuroStack. Over in India, the momentum is strong too. New data protection laws and the RBI’s plan to launch its own sovereign cloud show how serious the country is about taking control of its data.”

A lot of people confuse data residency with data sovereignty, but they’re not the same thing.

- Kunal Kushwaha, Field CTO, Civo

He illustrates how the RBI’s announcement is a big deal. “Their upcoming sovereign cloud, set for 2025, will offer affordable cloud services to financial institutions and make sure all data stays within the country. On top of that, India’s Digital Personal Data Protection Act from 2023 has strict rules about where data can go. The draft rules released in early 2025 give the government a lot more power over cross-border data movement.”

Mitesh Jain, Regional VP of Akamai India notes that this rise of stringent data privacy regulations reflects a growing recognition that data is not just a technological asset but a matter of public trust and sovereignty. “As a result, major cloud vendors are now offering Sovereign Cloud solutions, designed to comply with local legal frameworks, keeping sensitive data within national borders.”

Vinay Chhabra, Co-Founder & Managing Director, AceCloud adds the AI context here. “In today’s AI-driven world, data is one of the most valuable resources for a nation. As India becomes one of the largest digital economies, the need for a secure and trusted environment to safeguard enormous volumes of proprietary data is critical especially amidst Indian organisations facing around 3291 cyberattacks per week.”

What’s Sovereign and What’s Pseudo-Sovereign?

A lot of people confuse data residency with data sovereignty, but they’re not the same thing, warns Kushwaha.

“Data residency is simply about where your data is stored. Data sovereignty is about who has legal control over it. Even if your data is physically in one country, if the cloud provider is subject to another country’s laws, your data can still be accessed from outside. That’s a major issue.”

In June 2025, Microsoft France told the French Senate that they couldn’t guarantee French citizen data wouldn’t be sent to the US, even without the French government agreeing to it. That says a lot, Kushwaha weighs in. “Laws like the US CLOUD Act and FISA 702 allow the US government to demand data from any US-based company, no matter where the data is kept. That means a US hyperscaler would need to give access to any data stored on their servers in India. So storing your data locally doesn’t protect you if your provider still answers to foreign laws.”

As Mayank Verma, Global Head, Data & AI, Xebia also reasons, Cloud sovereignty is no longer defined by where data sits. “It’s defined by who controls how systems behave. Across India, Southeast Asia we are working with enterprises that have already met localisation and residency mandates but are now asking the harder questions: who holds access to telemetry, who can escalate and intervene, who governs model observability, and where support workflows terminate. Most cloud-native defaults were built for scale and efficiency, not for jurisdiction-specific control. That’s not a flaw- it’s a design trade-off that needs to be surfaced and addressed.”

The BCG NPI index report’s sidenotes also point out at how the Clarifying Lawful Overseas Use of Data Act in the US allows US authorities to subpoena data from any US-based provider – and this can happen even if that data sits in Europe or Asia. That explains why and how a country can use a sovereign cloud to build a jurisdictional firewall.

That’s why people are calling out big cloud providers like Microsoft, AWS, and Google. They talk a lot about digital sovereignty, but they’re still US companies. US laws still apply, clarifies Kushwaha. And this brings us to the next big item in the IT laundry-list - Sovereignty Washing.

Public Clouds or Public Laundromats- Sovereignty-Washing

Here, it might be helpful to take a quick glance at how vendors, specially hyperscalers, are trying to address this new gap. They, as explained by an BCG analysis, can take two routes – a Hyperscaler Cloud with sovereignty features and another one- a Sovereign Cloud with hyperscaler software. The former is where the capex is borne by the hyperscaler and the latter is where the capex comes from the local/joint venture entity/ies. In the first case- a country’s data may still fall under a foreign jurisdiction if the cloud infrastructure is owned by the hyperscaler. In the second case- all national data is governed by the local law/ownership.

But as Kushwaha contends, real data sovereignty means full legal and operational control. It’s not just about storing data in a certain location. “You need jurisdictional separation and customer-controlled encryption keys. Without that, the sovereignty claims don’t mean much.”

Prof. Nityesh Bhatt, Director, Institute of Management and Professor of Information Management Area, Nirma University concurs. It is an incremental improvement in the positive direction, however, not completely immune from the risks in the current geopolitical environment. It is an attempt to safeguard the market share and business interests of the leading tech titans, largely from USA. Partly a marketing gimmick too.”

The need for cloud sovereignty is accelerating, particularly among clients in Europe and India.

- Goutham Parcha, VP, Application Development, Pegasystems India

Goutham Parcha, Vice President, Application Development, Pegasystems India also observes that Sovereignty must be embedded in architecture, proven through control, and maintained with accountability. “Yet, there is a significant gap between what many cloud providers market as sovereign infrastructure and what true sovereignty demands.”

Verma illustrates that most enterprises the company works with have already implemented data residency. “This ensures that customer or regulated data is stored within national borders, typically through in-region cloud zones. Some have also achieved localisation, which enforces legal control over whether that data can leave the country. But neither of those provides sovereignty. Sovereignty is not about location. It is about operational authority.”

Mehul Bavishi, Customer Technology Advisor – Financial Services, Kyndryl India assesses that Sovereignty-washing is when cloud providers exaggerate or mislead about their ability to ensure sovereignty. “They might overstate their compliance with local laws or the level of control they offer to a country or an enterprise. This usually occurs when any variant of their cloud services continues to fall under the laws of their country of origin meaning that data from India can still surreptitiously be accessed by foreign law enforcement and intelligence services, even if generated/processed outside of their political boundaries. That’s not sovereignty.”

While providers often highlight local data hosting, they frequently fall short on delivering legal autonomy, operational independence, and architectural control. Without these core elements, many so-called sovereign solutions amount to little more than ‘sovereignty-washing’ in practice, reckons Parcha. “This problem stems from a narrow view of sovereignty. Placing data in a local region is not sufficient. If enterprises lack clear authority over access policies, control over encryption keys, and the ability to enforce compliance frameworks, their sovereignty is compromised. Infrastructure that appears compliant on paper often fails to deliver real legal and operational assurance.”

Bavishi advises that enterprises must critically evaluate their options to ensure that the services they choose meet their sovereignty needs/regulations.

Who’s On the 180 now?

Cloud sovereignty has become a critical priority for enterprises operating in regulated environments or facing geopolitical uncertainty. The conversation now extends beyond cost and scale to focus on control, compliance, and trust, tells Parcha.

Right now, government and healthcare are leading the charge when it comes to sovereign cloud. And AI is making the whole thing even more urgent, explains Kushwaha.

“For government, it’s not just about tech anymore. It’s about national security, legal control, and who actually owns the data. These are sensitive systems, so trust really matters. Even Civo’s on the UK G-Cloud list now, which shows how seriously people are starting to take this.”

Healthcare’s moving fast too, adds Kushwaha. “Cloud adoption in that space is growing like crazy. With the NHS aiming to digitise all patient records by 2026, there’s real pressure to get this right. But with strict privacy laws like GDPR and HIPAA, they’ve got to be super cautious about how and where patient data is stored. Finance is another big one. About a quarter of the UK’s cloud market is in banking and financial services. And in India, the RBI has straight up said banks should use sovereign cloud. Their data and risk rules are tight, so local control really matters there.”

Is lifting-and-shifting that easy though? Ask Karlitschek and he points out that migration is not an insurmountable challenge – it’s a manageable process. “We offer migration support. Nextcloud is an integrated platform but has a modular design. Customers can start with Files to edit and share documents and then later use Groupware for managing emails, calendars and contacts, and then Nextcloud Office or Talk for chat and videoconferencing.”

Roll-back from a hyperscaler environment are simple lift-and-shift processes and straightforward if the architecture, design, build and operational needs were designed agnostic of the vendor, opines Bavishi. “However, it can also be very costly/complicated, especially if architecture or the contract has vendor lock-ins for e.g. a use of proprietary hyperscaler services and toolings, impractical contractual agreements, etc.”

Data sovereignty cannot be fully achieved through data residency or localisation alone.

- Mitesh Jain, Regional VP, Akamai India

But making the switch is still a mental-shift. “For a switch from Microsoft365 or Google, user acceptance is often the biggest challenge. For example when an app is in a different colour than what they are used to.” Karlitschek shares.

Cloud Sovereignty- A Chimera?

All things considered, one is tempted to wonder- Can true digital sovereignty ever be achieved? Is the idea not a tad counterintuitive to the very DNA of technology- is it not paradoxical in the globalised age-accelerated and facilitated by technology- that businesses and entrepreneurs have finally come to enjoy?

Kushwaha assures that true digital sovereignty is absolutely achievable. “But it demands moving beyond the false choice between global connectivity and local control. It also requires significant investment from both the private and public sectors in every country it is pursued.

The internet promised borderless freedom, yet 2025’s geopolitical realities are sanctions, tariffs, and extraterritorial laws. These demand that businesses prioritise sovereignty to protect their growth, data, and customers.”

Cloud sovereignty is increasingly critical due to the evolving geopolitical scenario, government and industry-specific regulations, and vendor lock-ins with heavy reliance on hyperscalers. The concept has gained momentum and will continue to do so because technology has become pervasive and critical for running a state/country and any misuse by foreign actors can cause major repercussions, the way Bavishi sees it.

Prof. Bhatt captures that true digital sovereignty is a distant dream and achieving this requires a robust ecosystem for decades (humongous investment in enabling technologies, progressive policy, education etc.)

This isn’t counterintuitive; it’s evolution, as Kushwaha epitomises. “The cloud’s original promise was one of freedom. Today, when it comes to the cloud, freedom means more control. Businesses investing heavily in digital futures can’t afford to ignore the fine print in hyperscaler contracts or the reach of foreign laws. Sovereignty is the foundation for building safely in a fragmented world.”

The cloud promised freedom. Today, that means control. Businesses shaping digital futures must watch hyperscaler contracts and foreign laws. Sovereignty is key to building safely in a fragmented world.

Organisations have recognised the risks of digital dependencies and are looking for better options. There is no turning back, Karlitschek underlines.

This may, indeed, be not counterintuitive; but evolution. Remember those times when some cultures considered the very act of bathing dangerous – because they thought toxins could inject human bodies through pores, thus, opened. How far have we come! Just like how public bath-houses (once popular in many ancient civilisations and even in modern times with Sento in Japan) realised that hygiene could matter more than the comfort of community or a social institutional ritual. As long as we don’t do a King Henry VIII mistake (who closed all public bath-houses fearing spread of sickness) and throw the baby with the bath-water this time, sovereignty could mean another big mark on IT’s own Darwin-curve. A curve that’s slow, but always happening.

pratimah@cybermedia.co.in