The rise in data sovereignty requirements and risks mean that country, regional and global organizations need to aware that they they could face revenue loss, financial penalties, and reputationally damaging loss of trust if they break data sovereignty regulations.

Pure Storage has run a study with academics from the University of Technology Sydney (UTS) which found that geopolitical uncertainty and regulatory evolution mean data sovereignty has moved from being a compliance issue to one that can affect revenues, competitiveness, and customer trust.

Alex McMullan.

Alex McMullan, International CTO for Pure Storage, stated: “The potential consequences of not having a modern and realistic data sovereignty strategy are acute. Loss of trust, financial damage and competitive disadvantage are possible outcomes that cannot be ignored. We recommend a hybrid approach to data sovereignty: start with a risk assessment across workloads, keep critical workloads sovereign, and use the public cloud for the rest.”

Data sovereignty is about who has the legal authority to access and govern data, regardless of where it is actually stored. Data residency is about where the data is physically stored. For example, the EU’s General Data Protection Regulation (GDPR) enforces both data sovereignty and residency, requiring that EU Residents’ personal data is stored and processed within specific geographic locations or under adequate safeguards, regardless of whether it’s handled outside the EU. On top of that, there are 60 articles in the EU’s Digital Operational Resilience Act (DORA) regulations applying to financial sector operators in the EU territory. Article 12 requires secure, physically and logically separated backup storage.

US-based public clouds, like AWS, Azure and the Google Cloud, were built with a global reach and without any country or regional data sovereignty requirements in mind. Nowadays, such data sovereignty requirements can mandate that certain kinds of data must be physically stored within a geographic territory and not be moved outside.

There are US data sovereignty regulations. For example, US goverment Executive Order 14117 (2024) and DOJ Final Rule (Effective April 8, 2025) prohibits or restricts bulk transfers of”sensitive personal data” (e.g., genomic, biometric, health, financial, or precise geolocation data) and “government-related data” to “countries of concern” (China, Cuba, Iran, North Korea, Russia, Venezuela) or associated persons. Another example: the Health Insurance Portability and Accountability Act (HIPAA) requires protected health information (PHI) to be stored, accessed, and transmitted in ways that ensure US jurisdictional control, often implying domestic handling for compliance.

Data sovereignty concerns are rising in the current AI era because countries and regions want their own, local AI competency and not to be dependent on US-based providers subject to the somewhat capricious effects of Donald Trump’s presidency with, for example, tariff rises and data access requirements. Dan Middleton, VP UK and Ireland, Keepit, tells us that: “The US CLOUD Act allows authorities in that country to compel US organizations to hand over data, regardless of where that data is stored. This creates an unavoidable conflict between US law and European data protection laws, forcing US companies to choose between criminal liability in their home country or violating European data protection regulations.”

The Pure/University of Sydney study relied upon qualitative interviews with experts and practitioners from across industry and the research sector in nine countries between July and August 2025; Australia, France, Germany, India, Japan, New Zealand, Singapore, South Korea and the United Kingdom.

The study found that;

• 100 percent of respondees confirmed sovereignty risks, including potential service disruption, have forced organisations to reconsider where data is located
• 92 percent said geopolitical shifts are increasing sovereignty risks
• 92 percent warned inadequate sovereignty planning could lead to reputational damage
• 85 percent identified loss of customer trust as the ultimate consequence of inaction
• 78 percent are already embracing different data strategies, such as implementing multi service provider strategies; adopting sovereign data centers; and embedding enhanced governance requirements in commercial agreements Gordon Noble, Research Director at UTS’s Institute of Sustainable Futures, said: “These are wake-up call numbers. Every single leader we interviewed is rethinking data location. The message is clear: sovereignty is no longer optional, it is existential.”

The AI angle has increased interest in data sovereignty. On Asia-based AI governance, a respondent said: “AI is fast becoming a geopolitical force, and data centres are the chess pieces on the board. Decisions about where to build, how to power them, and their environmental impact are increasingly central to global negotiations.”

Pure suggests that organizations adopt a data sovereignty process that analyses the risk landscape to identify which services and data sets are most critical and sensitive, place these workloads in sovereign environments, while leveraging public cloud for less crucial functions. It says that this “enables organizations to maintain compliance and control without sacrificing the innovation and agility that organizations need in order to remain relevant in today’s fast-paced business environment.”

Archana Venkatraman, Senior Research Director, Cloud Data Management, IDC Europe, said: “We expect to see data sovereignty treated as a strategic priority in 2025 and beyond.”

Here at B&F, we expect an increase in territorial data residency requirements for sensitive data sets.

Read more in a McMullan blog. Download research report information here.