Digital Sovereignty and Cloud: A Guide to Data Control in the Digital Era

Kirey

  

    Expressions like digital sovereignty, sovereign cloud, and cloud sovereignty have now become part of the standard vocabulary for anyone involved in digital transformation and data governance. Driven by growing geopolitical instability and an accelerating wave of European regulation (including GDPR, DORA, NIS2, and the AI Act), the topic has become central for both enterprises and public administrations. 

    The reason is simple: the cloud was born as a global infrastructure, designed and developed by major international hyperscalers. Its worldwide nature offers undeniable advantages in terms of scalability and service availability, but it also raises complex questions related to data transmission, control, and jurisdiction. 

    While cloud infrastructure may be unified and globally distributed, the laws that define governance, security, and rights are far from uniform: each country applies different — and sometimes conflicting — rules. Many will remember the 2013 Datagate scandal, which revealed surveillance programs by the U.S. National Security Agency involving data stored outside the United States. It was a striking example of how a provider’s country of origin can influence data access, regardless of where the information is physically located. 

    Digital Sovereignty and the Sovereign Cloud: Regulations and the Three Pillars 

    Every time an organization entrusts its data to a cloud infrastructure managed by a third party, it inevitably relinquishes, at least in part, direct control over that data, regardless of how robust the contractual or technological safeguards may be. This is a structural consequence of the as-a-service model, which separates data ownership from infrastructure management. 

    The data controller — whether a bank, a healthcare provider, or a retail group — is bound by a complex set of laws and regulations that demand transparency, accountability, and control not only over the data itself but also over its location, access, processing methods, and deletion capabilities. 

    Key Regulations on Digital Sovereignty

    The concept of digital sovereignty emerged in response to growing regulatory pressure emphasizing legal and operational control over data. In Europe and Italy, several key frameworks have shaped this concept. Three are particularly significant: 

    • GDPR (2016/679) 
      The GDPR introduced the principle of accountability, requiring data controllers to ensure the traceability, protection, and transparent management of data at all times, even when it is handled by third-party providers. This made it essential to know where data is physically stored, who can access it, under which jurisdiction, and with what guarantees. 
    • NIS2 Directive 
      NIS2 expands cybersecurity obligations to a broader range of public and private entities. Among its requirements are risk assessments along the digital supply chain and oversight of critical suppliers, forcing organizations to verify where their data actually resides. 
    • Italian Cloud Strategy 
      This strategy defines the guiding principles for a secure and controlled migration to the cloud by public administrations. Its goals include enhancing the resilience of digital public services and maintaining control over critical data. The strategy introduced the concept of the sovereign cloud through the creation of the Polo Strategico Nazionale (PSN), a national strategic hub serving as a reference infrastructure. 

    What Is Digital Sovereignty? The Three Pillars 

    In essence, digital sovereignty can be defined as an organization’s ability to maintain full control over its data, the digital infrastructures hosting it, and the technologies used, without depending on external entities that are misaligned from a legal, technological, or operational standpoint. 

    In other words, digital sovereignty is the ability to decide where data should reside, who can access it, with which tools, and under which jurisdiction—minimizing compliance risks, external interference, and undue influence. It rests on three interconnected pillars: 

    1. Data Residency 
      Digital sovereignty begins with data location, but it also encompasses access and processing rights. Data sovereignty means having the ability to choose where data is stored, who can access it, and under which legal framework it is managed. This is at the core of compliance with regulations such as the GDPR. 
    2. Technological Sovereignty 
      This refers to the ability to adopt technologies independent of entities under potentially conflicting jurisdictions. Often, this translates into avoiding vendor lock-in, embracing open standards, and, where possible, using European or locally hosted infrastructures.
    3. Operational Sovereignty 
      This is the capability to autonomously manage infrastructures and digital services in compliance with local laws, free from interference by third parties or foreign jurisdictions. It requires that data management, technical support, and critical operations be entrusted to entities operating within legally compatible territories, such as the European Union.

    Digital Sovereignty and the Cloud: Best Practices and How to Achieve It 

    Digital sovereignty does not mean cloud repatriation. It does not require abandoning existing investments or reversing years of infrastructure modernization. The goal is not to go backward, but to integrate a new layer of awareness into strategic decisions and assess, case by case, the legal, operational, and technological implications of data management. This is especially relevant for smaller organizations, which often approach digitalization without a proper risk assessment. 

    From a private-sector perspective, digital sovereignty means understanding which regulations apply, distinguishing between critical and non-critical data, and adopting solutions that align with that context. Here are four practical approaches: 

    Opt for Private and/or Hybrid Cloud Models

    A hybrid cloud combines the scalability of public cloud with the control of private cloud, enabling organizations to separate critical from less sensitive data. It’s a flexible and strategic solution, albeit more complex to design and manage, requiring strong architectural expertise and careful governance of data flows. Alternatively, a localized private cloud can be a suitable choice for organizations with stricter sovereignty needs.

    Choose Partners with Italian or European Infrastructure

    A key element of digital sovereignty is the physical and legal localization of cloud infrastructures. Partnering with providers that operate data centers and facilities in Italy or Europe is essential to ensure compliance with an evolving regulatory framework. A cloud mix strategy can also be effective—for example, keeping highly regulated data within Europe while delegating less sensitive workloads to the global cloud. This approach aligns with the increasingly common multi-cloud model. 

    Prefer Open-Source Technologies and Open Standards 

    Technological sovereignty is also achieved by reducing dependency on proprietary vendors. Adopting open-source solutions and open standards helps mitigate vendor lock-in risks, facilitates interoperability across environments, and ensures long-term control over platform evolution.  

    Implement Strict Access and Security Policies

    Even the most localized infrastructure can be vulnerable without robust access policies, multi-factor authentication, data encryption, and continuous security monitoring. Digital sovereignty also depends on cyber resilience: the ability to protect, detect, and effectively respond to incidents. Strong identity governance (IAM) and a security-by-design approach are therefore essential components. 

    At Kirey, we guide companies through a fully customized cloud journey, built around business goals, existing technology, and applicable regulatory requirements. 

    Within this approach, and in every decision that stems from it, digital sovereignty is carefully assessed to help organizations maximize the benefits of the cloud while minimizing its structural risks. 
