Expressions like digital sovereignty, sovereign cloud, and cloud sovereignty have now become part of the standard vocabulary for anyone involved in digital transformation and data governance. Driven by growing geopolitical instability and an accelerating wave of European regulation (including GDPR, DORA, NIS 2, and the AI Act), the topic has become central for both enterprises and public administrations.
The reason is simple: the cloud was born as a global infrastructure, designed and developed by major international hyperscalers. Its worldwide nature offers undeniable advantages in terms of scalability and service availability, but it also raises complex questions related to data transmission, control, and jurisdiction.
While cloud infrastructure may be unified and globally distributed, the laws that define governance, security, and rights are far from uniform: each country applies different — and sometimes conflicting — rules. Many will remember the 2013 Datagate scandal, which revealed surveillance programs by the U.S. National Security Agency involving data stored outside the United States. It was a striking example of how a provider’s country of origin can influence data access, regardless of where the information is physically located.
Every time an organization entrusts its data to a cloud infrastructure managed by a third party, it inevitably relinquishes, at least in part, direct control over that data, regardless of how robust the contractual or technological safeguards may be. This is a structural consequence of the as-a-service model, which separates data ownership from infrastructure management.
The data controller — whether a bank, a healthcare provider, or a retail group — is bound by a complex set of laws and regulations that demand transparency, accountability, and control not only over the data itself but also over its location, access, processing methods, and deletion capabilities.
The concept of digital sovereignty emerged in response to growing regulatory pressure emphasizing legal and operational control over data. In Europe and Italy, several key frameworks have shaped this concept. Three are particularly significant:
In essence, digital sovereignty can be defined as an organization’s ability to maintain full control over its data, the digital infrastructures hosting it, and the technologies used, without depending on external entities whose legal, technological, or operational position is not aligned with the organization’s own.
In other words, digital sovereignty is the ability to decide where data should reside, who can access it, with which tools, and under which jurisdiction—minimizing compliance risks, external interference, and undue influence. It rests on three interconnected pillars:
Digital sovereignty does not mean cloud repatriation. It does not require abandoning existing investments or reversing years of infrastructure modernization. The goal is not to go backward, but to integrate a new layer of awareness into strategic decisions and assess, case by case, the legal, operational, and technological implications of data management. This is especially relevant for smaller organizations, which often approach digitalization without a proper risk assessment.
From a private-sector perspective, digital sovereignty means understanding which regulations apply, distinguishing between critical and non-critical data, and adopting solutions that align with that context. Here are four practical approaches:
A hybrid cloud combines the scalability of public cloud with the control of private cloud, enabling organizations to separate critical from less sensitive data. It’s a flexible and strategic solution, albeit more complex to design and manage, requiring strong architectural expertise and careful governance of data flows. Alternatively, a localized private cloud can be a suitable choice for organizations with stricter sovereignty needs.
A key element of digital sovereignty is the physical and legal localization of cloud infrastructures. Partnering with providers that operate data centers and facilities in Italy or Europe is essential to ensure compliance with an evolving regulatory framework. A cloud mix strategy can also be effective—for example, keeping highly regulated data within Europe while delegating less sensitive workloads to the global cloud. This approach aligns with the increasingly common multi-cloud model.
Technological sovereignty is also achieved by reducing dependency on proprietary vendors. Adopting open-source solutions and open standards helps mitigate vendor lock-in risks, facilitates interoperability across environments, and ensures long-term control over platform evolution.
Even the most localized infrastructure can be vulnerable without robust access policies, multi-factor authentication, data encryption, and continuous security monitoring. Digital sovereignty also depends on cyber resilience: the ability to protect, detect, and effectively respond to incidents. Strong identity governance (IAM) and a security-by-design approach are therefore essential components.
At Kirey, we guide companies through a fully customized cloud journey, built around business goals, existing technology, and applicable regulatory requirements.
Within this approach, and in every decision that stems from it, digital sovereignty is carefully assessed to help organizations maximize the benefits of the cloud while minimizing its structural risks.
Contact us to discover how we can help you build an efficient, secure, and compliant cloud infrastructure.