This blog post is the first in a series about digital sovereignty.
As organizations expand across clouds, regions, and AI-driven services, questions about control are becoming harder to ignore.
Digital sovereignty has become much more than a niche concern limited to governments and highly regulated industries. Across finance, healthcare, public sector, and multinational organizations, security leaders are rethinking where applications run, who controls critical services, and how dependent they have become on external technology providers.
“Digital sovereignty is not a fixed destination. It is an ongoing process of balancing control, resilience, flexibility, and operational simplicity in a world where regulations, technologies, and trust models continue to change.”
In parts of the Middle East, for example, strict data protection regulations strongly influence where these organizations store their data, often resulting in locally hosted solutions. Yet many of those same organizations still rely on cloud-based DNS and volumetric DDoS services because those services do not inspect customer payloads. The result is not a rejection of cloud computing, but a more selective and strategic approach to digital sovereignty.
That distinction matters. Digital sovereignty is not about abandoning the cloud or isolating infrastructure from the rest of the world. It is about maintaining control as regulations evolve, trust models shift, and operational risks become more difficult to predict. For multinational organizations, sovereignty requirements are becoming a moving target shaped by regional laws, procurement standards, operational resilience concerns, international relations, and the rapid rise of AI.
As a result, digital sovereignty is forcing executives to re-examine their data, operations, technology dependencies, and AI systems. As they consider their digital sovereignty strategies, here are four questions security leaders need to ask:
1. Who can access my data?
Data sovereignty remains perhaps the most immediate concern for many organizations. At its core, it focuses on maintaining control over where data is stored, who can access it, and which laws govern it.
This apprehension is being driven largely by compliance requirements and jurisdictional conflicts. Regulations such as GDPR, the EU AI Act, and regional data residency mandates are raising the stakes for organizations that move sensitive data across borders. At the same time, concerns about foreign jurisdiction and third-party access continue to influence where applications and data are deployed.
In response, some organizations are slowing their migration to public cloud environments for sensitive workloads. Others are selectively bringing applications and data back into private or on-premises infrastructure, particularly in industries such as finance and government where risk thresholds are lower and compliance expectations are higher.
Importantly, not every workload requires the same level of sovereignty. Many organizations are adopting hybrid approaches that keep highly sensitive applications and data local while continuing to consume less intrusive services from cloud providers.
2. Is there a “kill” switch?
Organizations are increasingly asking whether they can maintain operational continuity if access to external platforms or services is disrupted. That concern may stem from changing regulations, shifting trust relationships, or broader operational uncertainty. In some cases, enterprises worry about becoming too dependent on a single provider for critical services.
Operational sovereignty shifts the discussion from compliance to control, and this is where the idea of a “kill switch” enters the discussion. Operational sovereignty is not about shutting systems down. It is about ensuring that an external entity cannot unexpectedly disrupt or disable your critical operations.
For some organizations, this means prioritizing infrastructure that can operate independently in self-managed or even air-gapped environments. Others are evaluating whether key application delivery, security, and management functions can continue operating during service interruptions or changes in regional requirements.
The larger issue is resilience. As organizations become more dependent on digital services, operational sovereignty becomes increasingly tied to business continuity. For many enterprises, that also means maintaining the flexibility to move applications and services to another environment when needed, including as part of a cloud exit strategy.
3. How dependent am I on a single technology stack or provider?
Technology sovereignty focuses on long-term resilience and flexibility.
Many organizations now recognize that infrastructure decisions made today may become constraints tomorrow. Regulatory expectations may change. Procurement standards may tighten. Regional requirements may evolve. As a result, organizations are beginning to evaluate how difficult it would be to move workloads between environments or adapt applications to new operational realities.
For some, that means reducing dependence on proprietary technologies or single-provider ecosystems. For others, it means investing in open source technologies, Kubernetes-based architectures, local or regionally developed technologies, or hybrid deployment models that provide greater portability over time.
This does not mean every organization is abandoning hyperscalers or public cloud services. In fact, many are continuing to expand their cloud footprints. But there is growing recognition that flexibility matters. Organizations increasingly want the ability to place workloads where it makes the most sense based on compliance, performance, operational risk, and business priorities.
In many ways, technology sovereignty is less about where applications run today and more about preserving future options.
4. Who controls how my AI systems access and act on sensitive data?
AI sovereignty may become the next major phase of this discussion.
As AI systems become more deeply integrated into business operations, organizations are beginning to ask new questions about where AI models run, how inference is performed, and whether sensitive data remains under organizational control.
This is especially important as enterprises build AI infrastructure around GPU-based “AI factories” and large-scale data pipelines. Organizations want to understand how AI systems connect with sensitive applications and data, how AI interactions are governed, and how operational control can be maintained at scale.
In Europe and other regions, some organizations are already exploring sovereign AI initiatives designed to reduce dependency on external AI platforms while maintaining greater control over infrastructure and data flows.
The challenge is that AI amplifies many of the concerns already associated with digital sovereignty. Data governance, operational resilience, scalability, security, and regulatory compliance all become more complex when AI systems are introduced into the environment.
Why flexibility is key
Analysts have warned that unmanaged digital sovereignty risk could expose multinational organizations to financial, legal, and reputational consequences in the years ahead. At the same time, digital sovereignty requirements themselves continue to evolve.
That is why flexibility may ultimately become the most important consideration of all.
Organizations are increasingly looking for ways to support different levels of sovereignty across applications without fragmenting operations or creating excessive complexity. Hybrid and multicloud strategies, selective use of on-premises infrastructure, consistent policy enforcement, and unified operational models are all becoming part of the discussion.
Digital sovereignty is not a fixed destination. It is an ongoing process of balancing control, resilience, flexibility, and operational simplicity in a world where regulations, technologies, and trust models continue to change.
To learn more about digital sovereignty and ways to navigate it, watch this video and visit our digital sovereignty webpage.
Also, stay tuned for our next blog post in this series, in which we’ll take a deeper look at operational sovereignty and why organizations are increasingly concerned about maintaining control over critical digital operations.
About the Author
Related Blog Posts
The patch window has closed. Here is how F5 is built for what comes next.
As AI models have changed software security, the industry needs to adapt.
Responsible AI: Guardrails align innovation with ethics
AI innovation moves fast. But without the right guardrails, speed can come at the cost of trust, accountability, and long-term value.
Best practices for optimizing AI infrastructure at scale
Optimizing AI infrastructure isn’t about chasing peak performance benchmarks. It’s about designing for stability, resiliency, security, and operational clarity
Datos Insights: Securing APIs and multicloud in financial services
New threat analysis from Datos Insights highlights actionable recommendations for API and web application security in the financial services sector
Secrets to scaling AI-ready, secure SaaS
Learn how secure SaaS scales with application delivery, security, observability, and XOps.
How AI inference changes application delivery
Learn how AI inference reshapes application delivery by redefining performance, availability, and reliability, and why traditional approaches no longer suffice.