---
title: What Is Data Sovereignty? Definition and Three Dimensions
date: 2025-12-16T09:50:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/was-ist-datensouveränität-definition-und-drei-dimensionen"
section: "Entries: Articles"
---
### Definition: Data Sovereignty vs. Data Protection

**Data protection (GDPR and similar laws):**

- Protects the **privacy of individuals**
- Rules: how may personal data be used?
- Example: “May I store customer email addresses for marketing? Only with a lawful basis.”

**Data sovereignty:**

- Protects the **autonomy of the organisation over its data**
- Questions: “Am I dependent on a provider? Can I get my data back? Can a foreign government compel access?”
- Example: “My data is held by a US provider. US authorities can compel disclosure under the CLOUD Act. I cannot prevent that contractually.”

**In short:** Data protection is about personal data and individuals’ rights. Data sovereignty is about control over all of your data.

---

### The Three Dimensions of Data Sovereignty

#### 1. Legal Dimension

**The questions:**

- Under which legal system does your data sit?
- Can a foreign government access your data?
- Which law governs disputes with the provider?

**Risks with providers under non-EU jurisdiction:**

- **US CLOUD Act:** US authorities can compel US providers to produce data they control, regardless of server location
- **US surveillance law (Section 702 FISA, EO 12333):** Foreign intelligence collection on data held by US providers; this is what led the CJEU to invalidate Privacy Shield in the Schrems II ruling (2020)
- **Framework instability:** Safe Harbor fell in 2015, Privacy Shield in 2020. The current EU-US Data Privacy Framework is under judicial challenge. Transfer legality can change faster than infrastructure
- **Impact:** Trade secrets, patient data and financial records held by foreign providers carry an access and compliance risk you cannot fully control

**Full legal control looks like:**

- Data physically resides in the EU
- The operating entity and its parent are under EU jurisdiction
- Data residency and access limits are contractually fixed
- For the most critical data: infrastructure you own

#### 2. Technical Dimension

**The questions:**

- How easily can you **move your data**?
- Are you technically **dependent** on one provider?
- Are formats and interfaces **open or proprietary**?

**Risks (vendor lock-in):**

- **Proprietary formats and services:** S3-compatible object storage is portable; provider-specific databases and serverless platforms are not
- **API dependency:** Thousands of functions written against one provider’s services make migration a multi-year project
- **Egress costs:** Moving data out of a hyperscaler typically costs around USD 0.05 to 0.09 per GB at list prices. The EU Data Act bans switching charges from January 2027, but regular operational egress remains billable
- **Export limitations:** Some SaaS applications make complete, structured exports difficult

**Full technical control looks like:**

- Open standards (NFS, SMB, S3-compatible, SQL, JSON)
- Complete export possible at any time, at known cost
- Multi-vendor architecture: storage, backup software and platform independently replaceable
- On-premises operation possible, not cloud-only

#### 3. Operational Dimension

**The questions:**

- Who operates and administers the systems holding your data?
- Who decides maintenance windows, updates and feature deprecations?
- Can you delete, modify and restore data at any time, on your schedule?

**Risks with provider-operated infrastructure:**

- **Availability dependency:** A provider outage is not your fault, but it is your problem
- **Unilateral changes:** Providers change services, prices and terms; you adapt
- **Recovery dependency:** If your only backups are in one provider’s cloud and that account is compromised, your recovery depends on that provider’s processes
- **Compliance dependency:** You must demonstrate control to auditors over systems you do not control

**Full operational control looks like:**

- You operate the systems (or a contractor under your direction)
- You schedule maintenance and updates
- Backups exist on infrastructure independent of production credentials
- Recovery works without external dependencies

---

### Why Data Sovereignty Matters Now

#### 1. Geopolitical Uncertainty

Sanctions, export controls and political tensions can affect access to foreign-operated services at short notice. An architecture with exit options and local copies absorbs such shocks; a single-provider cloud architecture does not.

#### 2. Regulatory Requirements

- **NIS2:** Essential and important entities across the EU must manage supply-chain risk and ensure backup management and recovery capabilities. Demonstrating control is easier on infrastructure you govern
- **DORA:** Financial entities must manage ICT third-party risk and document concentration risk, which puts single-cloud dependencies under scrutiny
- **GDPR:** Third-country transfers require valid mechanisms; the legal basis for US transfers has been invalidated twice in a decade and the current framework is under appeal
- **Sector rules:** Member states add their own requirements, for example for public administration and healthcare; Germany’s BSI baseline protection is one example of a national hardening standard

#### 3. Cyber Resilience

Ransomware groups target backups first. Cloud backups authenticated with credentials reachable from production are deletable with those credentials. A physically isolated, on-premises copy (hardware air gap) is the layer that survives a full network compromise.

---

### Practical Examples

#### Example 1: Hospital

**Situation:** Patient records and imaging archives, retention periods of 10 to 30 years.

**Sovereignty risks:**

- Legal: patient data with a foreign provider carries access and transfer risk for the entire retention period
- Technical: migrating a petabyte-scale archive out of a cloud is slow and expensive
- Operational: recovery of clinical systems must not depend on internet bandwidth and provider support queues

**Approach:** Archive on hardware WORM systems on-premises; backups on local secondary storage with an air gap; cloud only for non-critical workloads.

#### Example 2: Manufacturing Company

**Situation:** CAD data and production records, a mix of trade secrets and operational data.

**Sovereignty risks:**

- Technical: proprietary platform services create multi-year migration projects
- Legal: design data is a target for industrial espionage; jurisdiction matters
- Operational: a provider outage stops engineering work

**Approach:** Classify data; keep trade secrets and backups on-premises; use cloud selectively with open formats and a tested exit path.

---

### Checklist: Assessing Your Data Sovereignty

**Legal**

- Where does the data physically reside, and under which jurisdiction does the operator (including its parent company) fall?
- Can a non-EU authority compel access?
- Are data residency and sub-processor changes contractually controlled?

**Technical**

- Can you export everything, in documented formats, at known cost?
- Are protocols and formats open (NFS, SMB, S3-compatible) or proprietary?
- Could you switch providers or move on-premises within a planned project?

**Operational**

- Do you control backup, recovery and maintenance schedules?
- Does at least one backup copy exist on infrastructure independent of production credentials?
- Can you restore critical systems without any external party?

---

### Frequently Asked Questions

**Does data sovereignty mean “no cloud”?** No. It means deliberate choices: on-premises first for critical and regulated data, cloud where it adds value, with open formats, EU jurisdiction where possible, and a tested exit. Hybrid architectures are the realistic model for most organisations.

**Is sovereign infrastructure more expensive than cloud?** It shifts cost structure: capital expenditure and maintenance instead of consumption pricing. Over multi-year horizons, especially with growing data and recovery events, on-premises secondary storage is frequently cheaper because egress and retrieval fees disappear. Model both over five years, not one.

**Do we need full sovereignty for all data?** No. Apply it where loss of control hurts: trade secrets, personal data at scale, regulated records, backups and archives. Public and test data can live anywhere.

---

### Further Resources

- [EU-US Data Privacy Framework: How Stable Is the New Framework?](/en/blog/eu-us-data-privacy-framework/)
- [US CLOUD Act Explained: Why Server Location Alone Is Not Enough](/en/blog/us-cloud-act-erklaert/)
- [Data Egress Fees: The Hidden Costs of Your Cloud Backup](/en/blog/egress-kosten-cloud/)
- [EU Data Act: What Changes for Cloud Users](/en/blog/eu-data-act-cloud-nutzer/)
- [Silent Brick System: On-Premises Secondary Storage with Air Gap Options](/en/produkte/silent-brick-system/)
- [Request a demo](/en/kontakt/demo/)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)
