Data sovereignty: New pressures force organizations to rethink risk

Bart SalaetsField Chief Technology Officer | F5

This blog post is the third in a series about digital sovereignty.

Not long ago, data sovereignty was largely viewed as a compliance issue.

Organizations worried about where data was stored, whether it crossed national borders, and how to comply with emerging regulations such as the European Union’s General Data Protection Regulation (GDPR). For many multinational companies, the goal was straightforward: avoid regulatory violations and the fines that could follow.

Today, the conversation is remarkably different.

While data sovereignty remains foundational, organizations are increasingly viewing it as one component of a broader digital sovereignty strategy that encompasses operations, technology platforms, and resilience.

As organizations become increasingly dependent on digital services and global infrastructure, the question is no longer just where data resides. It is who controls it, who can access it, and whether organizations can maintain the flexibility to move and adapt data, applications, and operations as regulations, technologies, and international relationships continue to change.

From GDPR compliance to strategic resilience

Consider a multinational healthcare company operating across Europe, North America, and Asia.

In 2017, its primary data sovereignty concern was GDPR compliance. The company needed to ensure patient data was handled appropriately, transferred lawfully, and protected from unauthorized access. Success largely meant satisfying regulatory requirements and reducing legal risk.

Fast forward to 2026.

The same organization now faces a much more complex set of challenges. It must navigate multiple national privacy regulations, industry-specific requirements, data localization mandates, and cybersecurity obligations. At the same time, it relies heavily on cloud providers, AI platforms, and global supply chains to support its operations.

Executives are asking new questions:

• Can we continue operating if geopolitical conditions suddenly change?
• Are we too dependent on a single cloud provider?
• Can we move critical workloads if regulations evolve?
• How do we govern AI models that depend on sensitive data spread across multiple regions?

The focus has shifted from compliance alone to resilience, control, and long-term operational flexibility.

What changed?

Several forces have combined to reshape the data sovereignty landscape.

Organizations must now navigate a growing patchwork of requirements, from Europe's GDPR and proposed Cloud and AI Development Act to China's Personal Information Protection Law (PIPL), India's Digital Personal Data Protection Act (DPDP), and emerging AI governance frameworks around the world. These initiatives increasingly influence not only how data is governed, but also where applications, cloud services, and AI workloads can be deployed.

At the same time, geopolitical tensions have increased apprehension about digital dependencies. Governments and enterprises alike are paying closer attention to foreign technology providers, cross-border data transfers, and the potential impact of sanctions, trade disputes, or changing political relationships.

Cloud concentration risk has also become a growing concern. Many organizations use multiple cloud providers, yet individual applications are often deeply tied to a specific platform. While cloud adoption has delivered enormous benefits, organizations increasingly want greater portability and clearer exit strategies should business, regulatory, or operational conditions change.

Together, these forces have transformed data sovereignty from a compliance exercise into a broader discussion about digital control and operational independence.

How hyperscalers have adapted

Interestingly, major cloud providers did not resist these changes. Instead, they adapted.

Providers such as AWS, Microsoft Azure, and Google Cloud recognized that governments and regulated industries wanted stronger assurances around data residency, operational control, and regulatory compliance.

In response, they expanded regional infrastructure, introduced sovereign cloud offerings, strengthened customer-controlled encryption options, and embraced hybrid and multicloud architectures more openly than in the past.

In many ways, the sovereignty requirements created a new market opportunity. Rather than reducing demand for cloud services, they pushed providers to offer more flexibility and greater control, while preserving the scale and innovation advantages that customers expect.

AI sovereignty: The next frontier

Just as organizations are becoming more comfortable with modern data sovereignty requirements, artificial intelligence is introducing a new set of challenges.

AI dramatically increases the value and sensitivity of data. Organizations must now consider where training data is stored, where models are trained, where inference occurs, and which jurisdictions govern AI-generated outputs.

Questions surrounding intellectual property protection, model governance, regulatory oversight, and cross-border AI operations are becoming increasingly important. Recent debates over access restrictions on advanced AI models have further highlighted how government policy decisions can directly affect the availability of critical AI capabilities across regions.

As governments develop new AI regulations and enterprises expand their use of generative AI, many organizations will find themselves navigating a new era of AI sovereignty alongside traditional data sovereignty requirements.

The result may be additional complexity, but also new opportunities for organizations that can establish trusted, compliant, and resilient AI environments.

Best practices to prepare for what comes next

While every organization faces unique challenges, several principles are emerging as best practices.

• First, prioritize visibility into where data resides and how it moves across environments.
• Second, build portability into cloud and application architectures whenever possible.
• Third, evaluate dependencies on specific providers and develop realistic contingency plans.
• Finally, treat data sovereignty as a business resilience issue rather than solely a compliance exercise.

Organizations that take this broader view will be better positioned to adapt as regulations, technologies, and geopolitical conditions continue to evolve.

How F5 can help

As data sovereignty evolves into a larger digital sovereignty challenge, organizations need consistent visibility, control, security, and policy enforcement across increasingly distributed environments.

The F5 Application Delivery and Security Platform (ADSP) empowers organizations to address these challenges by providing application delivery, security, and operational control across hybrid, multicloud, and AI-driven environments. By helping organizations maintain consistent policies, improve resilience, and reduce operational complexity, F5 enables enterprises to navigate an increasingly fragmented digital landscape with greater confidence.

To learn more about digital sovereignty and how to navigate it, watch this video and visit our digital sovereignty webpage.

In our next post, we'll explore digital sovereignty more broadly and examine how F5 ADSP enables organizations to build a stronger foundation for control, resilience, and flexibility in an increasingly complex world.

Be sure to check out our previous blog posts in the series:

Why digital sovereignty is ratcheting up the priority list

Operational sovereignty: Building resilience in an unpredictable world

About the Author

Bart SalaetsField Chief Technology Officer | F5

More blogs by Bart Salaets