Public cloud remains central to enterprise IT. Analyst coverage indicates that end-user spending will reach roughly $723 billion in 2025, keeping the cloud at the heart of most portfolios. At the same time, many CIOs are reassessing workload placement because cost profiles drift, performance is uneven by region and tier and regulatory expectations have tightened. Contract terms and reversibility expectations have also sharpened. The practical question is which workloads belong where, and for how long.

Cloud repatriation means relocating selected workloads from hyperscale public cloud to private infrastructure or managed colocation when economics, performance, jurisdiction or exit constraints make that the better placement. It is not a retreat from the cloud. Analysis by IDC in 2024 indicates most enterprises expect some repatriation rather than wholesale reversals and industry coverage reports the same signal. These dynamics explain why repatriation is rising now and how regional conditions change the answer.

The shape of the trend

Repatriation is better understood as selective optimization within a wider workload placement discipline. It sits alongside modernization, rightsizing and retirement. The portfolio outcome is a mix of public cloud, private platforms and managed colocation with explicit movement paths between them. The signal is not that cloud has failed, but that workload shape, data gravity and regulatory scope drive periodic rebalancing.

Two data points help frame the discussion. First, cloud spend continues to grow at pace, which confirms that cloud remains a primary delivery model. Second, independent surveys show many organizations expect some level of repatriation in the next planning window. The task for CIOs is to move from sentiment to evidence by testing each workload against cost, performance and jurisdiction.

What’s driving the timing

The timing is explained by three forces that are visible across CIO portfolios.

• Spend control has become a board expectation after several years of migration and expansion. Many firms report overspend against budgets and a persistent gap between what they buy and what they use. Independent surveys show that managing cloud spend tops the list of challenges for a large majority of organizations.
• Data-intensive services now dominate many products, which increases sensitivity to egress patterns, cross-zone traffic and storage classes. The recent 451 Alliance research notes that more organizations are impacted by egress charges and that such charges can shape architecture and provider choice.
• Regulatory programmes are now in application, so due diligence and evidence become time-bound rather than optional. DORA is now live for financial entities in the EU, and UK regulators expect documented impact tolerances and rehearsed exit for material outsourcing.

Cost and finops discipline

Cost pressure often stems from workload shape. Steady, always-on services do not benefit from pay-as-you-go pricing. Rightsizing, reservations and architecture optimization will often close the gap, yet some services still carry a higher unit cost when they remain in public cloud. A placement change then becomes a sensible option.

Three observations support a measurement-first approach. Many organizations report that managing cloud spend is their top challenge; egress fees and associated patterns affect a growing share of firms, and the finops community places unit economics and allocation at the centre of cost accountability.

A practical assessment over a 12 to 36 month horizon classifies workload elasticity, models total cost of ownership with sensitivity to egress, cross-zone traffic, managed service premiums, software, facilities, people and exit effort, and then compares unit economics before and after commitments. Where a steady workload remains structurally more expensive in public cloud under realistic assumptions, a change of placement is typically warranted and should be paired with an exit rehearsal.

Regulation and sovereignty pressures

Regional law and supervisory practice shape placement. In Europe, the General Data Protection Regulation (GDPR) sets a high bar for personal data processing, and the Digital Operational Resilience Act (DORA) for financial entities entered into application in January 2025.

Several national schemes influence cloud service choice. Germany’s C5 catalogue acts as a recognised control baseline; France’s SecNumCloud sets qualification requirements for providers; andGAIA-X seeks to promote data portability and sovereignty through federated services.

Public cloud remains viable for many regulated workloads, assisted by sovereign configurations. Examples include theAWS European Sovereign Cloud (scheduled to be released at the end of 2025), the Microsoft EU Data Boundary and Google’s sovereign controls and partner offerings. These options have scope limits that should be assessed during design.

Public cloud remains viable for many regulated workloads when sovereign configurations meet requirements. Microsoft EU Data Boundary and Google’s sovereign controls are available;AWS European Sovereign Cloud is planned to launch by the end of 2025. All options have a defined scope that should be evaluated during design

Optionality by design

CIOs can protect choice by standardising on open formats and portable service interfaces. Useful anchors include OpenAPI for HTTP APIs, Apache Parquet and Avro for data exchange, the OCI image specification for container images, Kubernetes for orchestration, Kafka for event streaming and interoperable object storage APIs.

Reversibility improves when data products use portable formats with clear lineage, and when infrastructure as code and delivery pipelines remain as environment-agnostic as practicable. These conditions shorten movement paths and reduce rebuild risk.

When repatriation is the wrong answer

Repatriation tends to underperform where workloads are inherently elastic or seasonal, where high-value managed services would need to be replicated at significant opportunity cost, where the organization lacks the run maturity for private platforms, or where the cost issues relate primarily to tagging, idle resources or discount coverage that a FinOps reset can address.

Signals that repatriation should be considered

Indicators that often support a move include steady run profiles with persistent headroom, material egress exposure driven by data gravity, locality or latency constraints near plants, branches or exchanges, heightened expectations for evidence of administrative control, and the absence of a proven exit path in either contracts or rehearsal artefacts.

Regional patterns in practice

Regional signals vary across law, regulatory focus and market structure. The notes below summarise the drivers, the default posture and the action for the CIO**.**

Europe

Data protection obligations and sector rules drive evidence-led placement. DORA now applies to financial entities and brings a sharper focus to third-party ICT risk. Public cloud remains viable for many services where sovereign controls and operational autonomy can be evidenced, but legal jurisdiction remains a separate question that must be addressed through contract and encryption design. Providers have announced data boundary and sovereign offers. Microsoft has completed a staged EU Data Boundary. AWS has set out the governance and trust model for its European sovereign offer. Google documents configuration limits for sovereign controls.

Default posture: Keep elastic and global services on public cloud where suitable sovereign controls exist, use private platforms or managed colocation for steady or highly constrained workloads.

*Board focus:*Assurance that exit drills are scheduled and that evidence packs remain current for supervisory authorities.

United Kingdom

Regulators expect explicit impact tolerances for important services and credible exit plans for material outsourcing. Operational resilience policy and outsourcing guidance have lifted the bar for exit and third-party oversight. The Bank of England has reminded payment firms to strengthen disruption planning as part of a wider resilience push.

Default posture: Organizations typically define clear exit criteria, pre-agreed data extraction paths and regular drills.

*Board focus:*Visibility of impact tolerances, currency of board assurance and the cadence of exit rehearsals for material outsourcing.

United States

Sector laws shape placement choices. HIPAA governs health data privacy and security; the FTC Safeguards Rule under GLBA governs customer information in financial services; andFERPA protects student records. These rules do not dictate a single hosting model, but they do shape the evidence that must be kept ready and the security controls that must be in place.

Default posture: Use public cloud for elastic and managed services, with private platforms for steady, data-intensive services where unit cost and residency simplify risk.

*Board focus:*Alignment of contractual terms with data sensitivity, including breach reporting, audit access and exit provisions.

Middle East

Data residency and audit access expectations are explicit and rising. Saudi Arabia’s NationalCybersecurity Authority Cloud Cybersecurity Controls were updated in 2024 and the SAMA Cyber Security Framework continues to set baseline controls for financial entities. Residency and administrative control often need to be explicit in contracts and design.

Default posture: Plan for strict locality, private links and clear evidence of administrative control.

*Board focus:*Demonstrable locality, private connectivity where required and clear evidence of key custody and administrative roles.

China

The Cybersecurity Law, Data Security Law and Personal Information Protection Law together create a strong localization and cross-border transfer regime. Parallel environments and split data flows are common for multinational groups. Compliance starts with a clear reading of these laws and their implementing measures. Movement across borders needs formal assessment and documented controls.

*Default posture:*Treat China as a distinct operating environment with dedicated controls and hosting.

*Board focus:*Design separation for local handling and narrowly scoped, policy-controlled integrations to global platforms.

Governance, rehearsal and reversibility

Repatriation is easier when reversibility is a first-class objective. That means contracts with clear data portability terms, technical standards that allow movement and regular drills. Exit rehearsals and data extraction tests convert policy into practice. This aligns with UK PRA expectations on outsourcing exit and with DORA’s focus on ICT third-party resilience for financial entities.

Evidence maintained for regulators

Effective reversibility depends on auditable artefacts that demonstrate control, data portability and the feasibility of exit. Typical evidence includes access and administrative role reviews for both operators and providers, key-management lineage with customer-held keys where applicable, security event and administrative activity logs with stated retention, documented results from exit rehearsals that prove data extraction and rebuild, and contractual reversibility clauses with an agreed annual drill schedule.

Assumptions to test

Repatriation debates often rest on assumptions that do not hold in practice. These points surface the common ones, so placement choices can be made on evidence rather than narrative.

• Repatriation implies abandoning cloud. Portfolios remain hybrid. Elastic, global and managed services often stay in public cloud, while steady or tightly governed workloads may fit better on private or colocated platforms.
• **Costs always fall when services move back.**Savings depend on workload shape and design. Poorly scoped moves or immature operations can increase cost or risk.
• Sovereign offerings settle jurisdictional questions. They improve residency and operational autonomy. Legal reach is a separate matter managed through contract and customer-held keys.
• Everything must move together. Selective moves are common. Stateful cores or data layers may shift while elastic components remain in place.

From argument to action

An effective operating model treats placement as a periodic, evidence-based review that weighs unit economics over a 12 to 36 month horizon, performance and latency expectations, data gravity and regional legal obligations. Portability is engineered through open interfaces and data formats so that movement, when justified, is executable rather than rhetorical. Reversibility is treated as a property of the system and evidenced through rehearsal, data extraction tests and curated audit artefacts. Status is reported with spend, reliability and risk so that placement is governed as part of the portfolio, not as an exception.

Repatriation as selective optimization

Repatriation is selective optimization within a wider placement discipline, not a retreat from cloud. Public cloud remains central for elastic scale, global reach and rich managed capabilities. A move for a subset of workloads becomes attractive when economics, performance, jurisdiction or exit feasibility point to a better fit elsewhere. The organizing principle is straightforward: Place each workload where cost, control and service quality align, and preserve the option to move again as signals change.

Decisions rest on evidence rather than sentiment. Unit economics, sensitivity to egress and cross-zone traffic, latency and data gravity, and the regulatory posture of the service together define the right answer for each workload. Portability and reversibility are designed in, then proven in practice. Treated this way, repatriation is one option within disciplined portfolio management. It protects value, strengthens control and leaves strategy free to adapt.

This article is published as part of the Foundry Expert Contributor Network.Want to join?