Someone is always watching. From Sydney to Singapore, Frankfurt to Fukuoka, the question of who controls data—where it sits, who can touch it, and under whose laws—is fast becoming one of the defining contests of the digital age.
For two decades, globalisation’s digital cousin promised frictionless innovation. Data could flow freely, the cloud was borderless, and the internet’s geography was irrelevant. Those illusions are evaporating. As one financial services chief told researchers from the University of Technology Sydney, “The real opportunity of data is solving global challenges… But that requires collaboration, and multilateral cooperation is under strain.”
The comments can contained in “Data Sovereignty: A New Era Navigating Risk in a Dynamic World” a report written by UTS researchers in a report commissioned by Pure Storage, a storage technology vendor.
Data sovereignty—the idea that data must obey the laws of the nation in which it is stored—has gone from the fine print of compliance manuals to the top of board agendas. Its rise reflects not just the anxieties of policymakers but the new reality that geopolitics now lives inside the datacentre. The cloud has borders after all.
The shifting ground beneath the cloud
For governments, sovereignty has always meant control. For businesses, it increasingly means survival. As cyber conflicts flare and trade alliances fracture, the location of a byte can now determine the fate of a balance sheet.
Pure Storage’s latest research, informed by UTS and based on interviews across nine countries, paints a picture of rising unease. Companies are realising that sovereignty risk is no longer theoretical. It’s operational. “Once data is created and stored, ensuring that it’s only ever in one place and only ever within a geographic boundary is actually quite a tricky issue,” said one Australian data governance expert.
The urgency has intensified with the advent of generative and agentic AI systems, which feed on vast, often ungoverned data reservoirs. The compulsion to accelerate AI adoption has outpaced the guardrails meant to constrain it. The result is a patchwork of exposure points—jurisdictional loopholes, conflicting laws, and blind spots—that could turn tomorrow’s innovation into today’s liability.
Risk One: When the Cloud Goes Dark
It starts with a login screen that no longer loads. A customer-facing service goes down. Panic follows. It looks like a cyberattack—but what if it isn’t? What if the outage comes from a foreign regulator’s court order, a sanctions ruling, or a geopolitical dispute that severs access to servers you don’t own?
This is no longer a thought experiment. The Pure Storage report recounts cases where foreign entities have turned off critical services. U.S. cloud providers, acutely aware of the risk, have begun writing “keep alive” clauses into contracts—insurance against their own governments.
The EU’s new Digital Operational Resilience Act (DORA) has raised the stakes. It mandates that organisations recover quickly from digital disruptions. Losing access to cloud infrastructure hosted in another jurisdiction may not only cripple operations but breach compliance obligations. As one New Zealand governance manager put it, “If you don’t control the whole stack, how can you say you have data sovereignty?… Should you lose access to that software or format, how can you assert sovereignty?”
What was once about efficiency is now about existential resilience.
Risk Two: Foreign Eyes and the Surveillance State
Of all the risks in the new data order, few unsettle executives more than foreign access. Roughly one in three experts interviewed for the report cited government surveillance as their top concern. The distinction between legitimate and illegitimate access—between subpoenas and snooping—is increasingly blurred.
“Increasingly it’s going to be difficult to put data in one of the big players,” warned an Australian AI expert, “especially with overseas companies.” The affinity for global platforms that once underpinned digital growth is eroding under the weight of mistrust. The Snowden era introduced the idea of state surveillance. The generative AI era has turned it into an everyday business calculation.
Boards, the study found, remain largely unprepared to manage the fallout of an access scandal. When the whistle blows, it won’t just be about fines. It will be about trust—the intangible currency of digital capitalism.
Risk Three: Regulation Rising
The good news, if you can call it that, is that regulators are finally awake. GDPR set the benchmark. Japan’s Act on the Protection of Personal Information and Singapore’s PDPA followed suit. Europe’s forthcoming Data Union Strategy aims to tighten the net further.
What’s notable is how many executives now view regulation not as a drag but as a discipline. “Regulation is not necessarily a barrier to innovation,” said another AI expert. “Quite the opposite, it’s actually a net positive.” Rules, when predictable, provide a framework for trust. In the long run, they can help industries move faster, not slower.
The echo of this sentiment is being heard from Silicon Valley to Seoul: sovereignty compliance is becoming the licence to operate. Those who treat it as bureaucracy miss the point—it’s a competitive advantage.
The Perfect Storm: Trust and the Cost of Inaction
Combine service disruption, foreign interference, and regulatory exposure, and you get a perfect storm. Ninety-two per cent of respondents in Pure’s study said ignoring sovereignty risks would damage reputation; 85 per cent said it would erode customer trust.
Trust, once lost, is almost impossible to regain. And in an age where customers choose brands based on values as much as value, sovereignty is morphing into a brand issue. Boards are learning—slowly—that the integrity of their data infrastructure is inseparable from the integrity of their reputation.
Yet the path to safety isn’t simple. A rigid “sovereign-first” stance risks isolating firms from innovation. The challenge is balance—protecting national interests without suffocating global collaboration. As the report warns, sovereignty zealotry can become its own vulnerability, cutting companies off from the very tools that fuel growth.
This tension—between openness and control—is not new. But in the digital economy, it is being replayed with unprecedented intensity.
The Energy Cost of Independence
The sovereignty agenda doesn’t stop at compliance. It reshapes how and where the world builds infrastructure. The datacentre has become the new oil refinery: strategic, expensive, and politically charged.
Geopolitics now dictates technology supply chains. Taiwan’s chip factories rely on Dutch lithography and German optics, which depend in turn on raw materials sourced from Australian deserts. The fantasy of self-sufficiency dissolves under the microscope of global interdependence.
“AI is fast becoming a geopolitical force, and data centres are the chess pieces on the board,” said one governance leader in Asia. Their proliferation carries consequences. Local sovereignty demands local infrastructure—but that infrastructure guzzles power and water at rates that alarm environmental agencies. By 2030, global datacentre energy demand is expected to more than double.
The sustainability trade-off is acute. As one New Zealand data manager observed, “Building local data centres is central to sovereignty—but it comes with trade-offs. While they create jobs, they also put pressure on cities, accelerate urban migration, and risk deepening regional inequities.”
Here lies the paradox: the quest for sovereignty risks undermining another global imperative—climate responsibility.
Three Roads to Sovereignty
According to Pure Storage, organisations face three strategic choices.
The first, and recommended, is intentional risk assessment. Identify which data is mission-critical, which workloads are sensitive, and which can safely reside in public clouds. Build governance frameworks that align with these risk tiers. This approach demands foresight, but it also builds resilience.
The second is detachment. Some firms are cutting ties with non-domestic providers altogether, building sovereign-only stacks. It is a defensive reflex born of fear, not strategy. It often backfires, reducing access to global innovation ecosystems and raising costs.
The third is denial. Pretend the risks don’t exist. Hope the regulators don’t notice. And when the servers go dark, pray.
The first path—hybrid, pragmatic, data-aware—is gaining traction. It allows organisations to keep sensitive workloads under sovereign control while exploiting global cloud capabilities for agility. It’s the digital equivalent of portfolio diversification.
Best Practices and the New Playbook
The playbook emerging from the report is refreshingly concrete. Start with a granular risk assessment: not every workload carries the same exposure. A conference-room booking system can live safely in the public cloud; payroll data should not.
Second, explore hybrid architectures that mix sovereign hosting for critical services with public cloud for flexibility.
Third, choose sovereign service providers carefully. Regional players such as AUCloud in Australia, Deutsche Telekom and Ionos in Germany, and Beyond.pl in Poland are building infrastructure that blends local control with international technology. Evaluate them on three criteria:
- Jurisdictional independence: Can they resist foreign legal overreach?
- Operational resilience: Can they guarantee uptime without cost blowouts?
- Compliance and exit planning: Do their contracts prevent lock-in?
Finally, prepare for regulatory evolution. Europe is investing €200 billion in AI infrastructure; India, Japan, and Singapore are following suit with their own data protection laws. Those who anticipate these frameworks now will gain not just compliance, but competitive speed.
As one Australian expert told researchers, “AI is certainly redefining the boundaries that we need to think about [in relation to] protecting data and what data sovereignty actually means.”
The Whisperer of Sovereignty
Pure Storage, for its part, has become something of a sovereignty whisperer—advising clients not just on storage but on strategy. Its argument is simple: sovereignty is no longer a checkbox; it’s a condition of doing business. Organisations must evolve from passive data custodians into active stewards of digital trust.
There’s a growing affinity among executives for hybrid models that promise the best of both worlds—control without paralysis, flexibility without fragility. Seventy-eight per cent of firms surveyed are already moving toward multi-provider setups that include sovereign data centres and governance baked into contracts.
The echo across industries is clear: sovereignty is the new resilience. In the same way cybersecurity became mainstream a decade ago, sovereignty is now crossing from the compliance department to the boardroom.
Control, Trust, and the Future of the Cloud
What began as a technical debate about data storage has become a moral one about power. Sovereignty touches everything: who governs AI models, how nations secure infrastructure, and how citizens maintain autonomy in a world of algorithmic oversight.
“Somebody is always watching” is no longer paranoia—it’s policy. The question is whether that watcher is your regulator, your vendor, or a foreign state.
The compulsion to digitise everything—to store, share, and simulate—has outpaced society’s ability to control its by-products. The next phase of digital maturity will require something rarer than processing power: humility.
As the Pure Storage report concludes, the battleground of the next decade will not be over cloud capacity or compute speed but over control. The winners will be those who manage to balance innovation with sovereignty, speed with scrutiny, and openness with trust.
Without that balance, the future of data looks less like liberation—and more like occupation.