What Is Data Sovereignty? Definition and Three Dimensions

Definition: Data Sovereignty vs. Data Protection #

Data protection (GDPR and similar laws):

• Protects the privacy of individuals
• Rules: how may personal data be used?
• Example: ​“May I store customer email addresses for marketing? Only with a lawful basis.”

Data sovereignty:

• Protects the autonomy of the organisation over its data
• Questions: ​“Am I dependent on a provider? Can I get my data back? Can a foreign government compel access?”
• Example: ​“My data is held by a US provider. US authorities can compel disclosure under the CLOUD Act. I cannot prevent that contractually.”

In short: Data protection is about personal data and individuals’ rights. Data sovereignty is about control over all of your data.

---

The Three Dimensions of Data Sovereignty #

1. Legal Dimension #

The questions:

• Under which legal system does your data sit?
• Can a foreign government access your data?
• Which law governs disputes with the provider?

Risks with providers under non-EU jurisdiction:

• US CLOUD Act: US authorities can compel US providers to produce data they control, regardless of server location
• US surveillance law (Section 702 FISA, EO 12333): Foreign intelligence collection on data held by US providers; this is what led the CJEU to invalidate Privacy Shield in the Schrems II ruling (2020)
• Framework instability: Safe Harbor fell in 2015, Privacy Shield in 2020. The current EU-US Data Privacy Framework is under judicial challenge. Transfer legality can change faster than infrastructure
• Impact: Trade secrets, patient data and financial records held by foreign providers carry an access and compliance risk you cannot fully control

Full legal control looks like:

• Data physically resides in the EU
• The operating entity and its parent are under EU jurisdiction
• Data residency and access limits are contractually fixed
• For the most critical data: infrastructure you own

2. Technical Dimension #

The questions:

• How easily can you move your data?
• Are you technically dependent on one provider?
• Are formats and interfaces open or proprietary?

Risks (vendor lock-in):

• Proprietary formats and services: S3-compatible object storage is portable; provider-specific databases and serverless platforms are not
• API dependency: Thousands of functions written against one provider’s services make migration a multi-year project
• Egress costs: Moving data out of a hyperscaler typically costs around USD 0.05 to 0.09 per GB at list prices. The EU Data Act bans switching charges from January 2027, but regular operational egress remains billable
• Export limitations: Some SaaS applications make complete, structured exports difficult

Full technical control looks like:

• Open standards (NFS, SMB, S3-compatible, SQL, JSON)
• Complete export possible at any time, at known cost
• Multi-vendor architecture: storage, backup software and platform independently replaceable
• On-premises operation possible, not cloud-only

3. Operational Dimension #

The questions:

• Who operates and administers the systems holding your data?
• Who decides maintenance windows, updates and feature deprecations?
• Can you delete, modify and restore data at any time, on your schedule?

Risks with provider-operated infrastructure:

• Availability dependency: A provider outage is not your fault, but it is your problem
• Unilateral changes: Providers change services, prices and terms; you adapt
• Recovery dependency: If your only backups are in one provider’s cloud and that account is compromised, your recovery depends on that provider’s processes
• Compliance dependency: You must demonstrate control to auditors over systems you do not control

Full operational control looks like:

• You operate the systems (or a contractor under your direction)
• You schedule maintenance and updates
• Backups exist on infrastructure independent of production credentials
• Recovery works without external dependencies

---

Why Data Sovereignty Matters Now #

1. Geopolitical Uncertainty #

Sanctions, export controls and political tensions can affect access to foreign-operated services at short notice. An architecture with exit options and local copies absorbs such shocks; a single-provider cloud architecture does not.

2. Regulatory Requirements #

• NIS2: Essential and important entities across the EU must manage supply-chain risk and ensure backup management and recovery capabilities. Demonstrating control is easier on infrastructure you govern
• DORA: Financial entities must manage ICT third-party risk and document concentration risk, which puts single-cloud dependencies under scrutiny
• GDPR: Third-country transfers require valid mechanisms; the legal basis for US transfers has been invalidated twice in a decade and the current framework is under appeal
• Sector rules: Member states add their own requirements, for example for public administration and healthcare; Germany’s BSI baseline protection is one labelled example of national hardening standards

3. Cyber Resilience #

Ransomware groups target backups first. Cloud backups authenticated with credentials reachable from production are deletable with those credentials. A physically isolated, on-premises copy (hardware air gap) is the layer that survives a full network compromise.

---

Practical Examples #

Example 1: Hospital #

Situation: Patient records and imaging archives, retention periods of 10 to 30 years.

Sovereignty risks:

• Legal: patient data with a foreign provider carries access and transfer risk for the entire retention period
• Technical: migrating a petabyte-scale archive out of a cloud is slow and expensive
• Operational: recovery of clinical systems must not depend on internet bandwidth and provider support queues

Approach: Archive on hardware WORM systems on-premises; backups on local secondary storage with an air gap; cloud only for non-critical workloads.

Example 2: Manufacturing Company #

Situation: CAD data and production records, a mix of trade secrets and operational data.

Sovereignty risks:

• Technical: proprietary platform services create multi-year migration projects
• Legal: design data is a target for industrial espionage; jurisdiction matters
• Operational: a provider outage stops engineering work

Approach: Classify data; keep trade secrets and backups on-premises; use cloud selectively with open formats and a tested exit path.

---

Checklist: Assessing Your Data Sovereignty #

Legal

• Where does the data physically reside, and under which jurisdiction does the operator (including its parent company) fall?
• Can a non-EU authority compel access?
• Are data residency and sub-processor changes contractually controlled?

Technical

• Can you export everything, in documented formats, at known cost?
• Are protocols and formats open (NFS, SMB, S3-compatible) or proprietary?
• Could you switch providers or move on-premises within a planned project?

Operational

• Do you control backup, recovery and maintenance schedules?
• Does at least one backup copy exist on infrastructure independent of production credentials?
• Can you restore critical systems without any external party?

---

Frequently Asked Questions #

Does data sovereignty mean ​“no cloud”? No. It means deliberate choices: on-premises first for critical and regulated data, cloud where it adds value, with open formats, EU jurisdiction where possible, and a tested exit. Hybrid architectures are the realistic model for most organisations.

Is sovereign infrastructure more expensive than cloud? It shifts cost structure: capital expenditure and maintenance instead of consumption pricing. Over multi-year horizons, especially with growing data and recovery events, on-premises secondary storage is frequently cheaper because egress and retrieval fees disappear. Model both over five years, not one.

Do we need full sovereignty for all data? No. Apply it where loss of control hurts: trade secrets, personal data at scale, regulated records, backups and archives. Public and test data can live anywhere.

---

Further Resources #

→ EU-US Data Privacy Framework: How Stable Is the New Framework? (/en/blog/eu-us-data-privacy-framework/) → US CLOUD Act Explained: Why Server Location Alone Is Not Enough (/en/blog/us-cloud-act-erklaert/) → Data Egress Fees: The Hidden Costs of Your Cloud Backup (/en/blog/egress-kosten-cloud/) → EU Data Act: What Changes for Cloud Users (/en/blog/eu-data-act-cloud-nutzer/) → Silent Brick System: On-Premises Secondary Storage with Air Gap Options (/en/produkte/silent-brick-system/) → Request a demo (/​en/​kontakt/​demo/​)