The gap between high awareness of data sovereignty rules and effective enforcement

The Kiteworks Data Security and Compliance Risk: Data Sovereignty Report shows something troubling: 44% of professionals across Canada, Europe, and the Middle East claim to understand data sovereignty requirements “very well,” yet many still face frequent security and compliance incidents. This disconnect tells us that many organisations know the rules but haven’t built systems capable of enforcing them consistently.

Incidents are widespread. The report recorded rates of 23% in Canada, 32% in Europe, and 44% in the Middle East. The two most common problems, data breaches and third-party compliance failures, both at 17%, underline that operational safeguards haven’t kept up with regulatory knowledge. These numbers show that awareness isn’t translating into prevention. Teams understand compliance requirements in theory but often miss the technical and procedural steps needed to make compliance automatic and verifiable.

For executives, this is a signal to go beyond policies and awareness campaigns. It’s time to align strategy and execution. Boards and compliance leaders should ensure that sovereignty enforcement is built into data architecture, not simply monitored through audits. The ability to track and control who accesses data, where it’s stored, and how it’s encrypted must move from periodic checks to continuous, verifiable practice. When compliance is embedded in operations, not managed as an afterthought, organisations reduce risk and future-proof themselves against tightening regulations.

Dario Perfettibile, EMEA GM of GTM and Customer Operations at Kiteworks, summed it up clearly: companies are “spending millions” on compliance but still face sovereignty breaches and unauthorised data access. Executives should treat enforcement as a design problem, not an awareness issue.

High financial investment in sovereignty compliance has not prevented operational risks

The same report shows that the majority of organisations are spending over USD 1 million a year to meet sovereignty demands. Most of that investment goes into technical infrastructure changes (59%) and legal or compliance expertise (53%). Yet incidents keep happening. This tells us that money alone isn’t fixing the problem. Investment is being made, but perhaps not in the right areas or with the right accountability.

For decision-makers, the message is clear: focus spending where it delivers measurable control. Spending millions on compliance assessments or lawyers does not guarantee data integrity if the architecture underneath can still be exploited. True compliance requires systems that can prove sovereignty in real time, by design, not by audit. The most valuable spend is the investment that directly hardens infrastructure, improves monitoring, and allows organisations to respond to potential breaches before they turn into regulatory nightmares.

Many companies are still allocating budgets reactively, responding to breaches or changing regulations, rather than designing compliance infrastructure from the ground up. That approach is losing efficiency and raising costs. Leaders should shift from compliance management to compliance automation. Platforms that unify governance, control encryption keys, and produce instant audit-ready evidence are now essential to achieving true sovereignty assurance.

Perfettibile’s observation captures this reality: knowing the rules doesn’t equal compliance, and awareness without architectural proof is no longer enough. For leadership teams, the priority should be to ensure that financial investment translates into actionable, automated compliance systems that scale with the business. It’s no longer just about spending; it’s about building the ability to prove data control with confidence.

Regional dynamics reveal distinctive compliance challenges

The Kiteworks report highlights how regional conditions shape data sovereignty outcomes in unique ways. In the Middle East, nearly all respondents (93%) said PDPL and SDAIA regulations directly impact their operations. Despite this strong regulatory focus, the region recorded the highest incident rate at 44%, showing that extensive regulatory exposure does not automatically lead to better results. Two-thirds of Middle Eastern organisations spend over USD 1 million annually on compliance, yet breaches and unauthorised access remain high. This pattern points to execution bottlenecks, where the volume of regulation has outpaced the capacity to enforce governance technically.

Canada shows different tensions. With the lowest incident rate of 23%, awareness and control appear stronger. However, respondents cited growing discomfort with cross-border data exposure, especially under U.S. legislation. About 40% of Canadian participants identified shifts in Canada-U.S. data-sharing agreements as a leading concern, and 21% pointed specifically to the U.S. CLOUD Act as a sovereignty threat. This highlights a vulnerability for Canadian firms managing data that crosses into jurisdictions with different privacy rules.

Europe’s situation revolves around its complex cloud ecosystem. For many European companies, the obstacle is not the law but the limits of vendor assurances. Forty-four percent of European respondents said sovereignty guarantees from cloud providers remain their main challenge to cloud adoption. Many vendors meet residency requirements but retain control over encryption keys, leaving customers uncertain about who can access their data. The tension between data location and true data control is now a defining issue for Europe’s digital economy.

For executives, the lesson is clear: sovereignty challenges are regional but interconnected. A uniform global strategy won’t work. Organisations must build compliance architectures that adapt to local regulations and operational needs simultaneously. Regionalised deployment, full control over encryption keys, and the ability to verify provider compliance in real time are now essential competencies for global operations.

Effective data sovereignty now demands technical enforcement and proof of compliance

The definition of data sovereignty is evolving. It no longer ends with storing data within national borders; it now requires demonstrable control. Regulators, customers, and procurement teams want proof: who can access the data, who manages the encryption keys, and whether compliance can be shown instantly. Relying only on geographic storage checks or vendor promises is no longer enough.

Across all regions, organisations are reorienting their strategies to meet this new standard. Over the next two years, respondents plan to prioritise automation, stronger technical controls, and systems capable of delivering audit-ready evidence. The goal is to make compliance measurable rather than interpretive. This shift is moving sovereignty from a static policy function to a continuous operational discipline supported by technology.

For leaders, this requires integrating data sovereignty into system architecture from day one. Compliance automation, centralised audit trails, and encryption key ownership should be treated as mandatory features of enterprise systems, not optional upgrades. This mindset simplifies regulatory alignment, reduces audit fatigue, and gives businesses immediate visibility into compliance status, something that manual reviews cannot achieve.

Dario Perfettibile, EMEA GM of GTM and Customer Operations at Kiteworks, explained this shift succinctly: “Regulators, customers, and procurement teams now want proof: who can access the data, who controls the keys, and can you demonstrate compliance on demand.” The organisations that integrate these assurances directly into their infrastructure will have a competitive edge. For executives, success now means proving control, not just claiming compliance.

AI governance is emerging as a critical aspect of data sovereignty

Artificial intelligence is introducing new dimensions to data sovereignty. The Kiteworks Data Security and Compliance Risk: Data Sovereignty Report highlights that as AI regulations evolve across the EU and under Saudi Arabia’s SDAIA framework, organisations are now confronted with the challenge of governing data used in AI training and processing. About one-third of respondents said they keep all AI training data within their home region, another third apply a mixed approach based on data sensitivity, and 21% are still working on an AI data sovereignty policy.

This fragmented approach signals that many organisations are still adjusting to the compliance requirements surrounding AI-related data. The risk is clear: without a structured policy, companies can easily find themselves breaching emerging regulations once enforcement accelerates. AI-driven environments intensify sovereignty problems because the flow of data across borders is often automated and large-scale, making oversight difficult if it is not built into the system design.

Executives should recognise AI governance not as a specialised issue but as a foundational part of their wider compliance ecosystem. Data used in AI training and inference must comply with the same principles as customer or operational data: controlled residency, restricted access, ownership of encryption keys, and the ability to provide regulators with transparent audit evidence. Incorporating AI data governance early prevents future retrofitting costs and positions companies ahead of impending regulations.

AI sovereignty also brings strategic value. Establishing clear governance for AI datasets and models builds stakeholder confidence, reinforces accountability, and ensures alignment with international data protection standards. For leaders, this is not just compliance; it is preparation for an AI-driven economy that demands traceability and evidence of responsible data handling.

Key takeaways for decision-makers

  • Awareness without enforcement creates risk: Many organisations claim strong understanding of data sovereignty but still suffer high incident rates. Leaders should focus on turning compliance knowledge into enforceable system controls that prevent breaches.
  • High spend doesn’t guarantee security: Despite investing millions annually, incidents persist. Executives should direct budgets toward solutions that deliver measurable control and audit-ready proof, rather than just legal or policy efforts.
  • Regional strategies must adapt to local realities: The Middle East faces high incidents despite heavy spending, Canada struggles with cross-border exposure, and Europe battles cloud control issues. Leaders should tailor compliance architectures to regional risks instead of applying uniform solutions.
  • Proof of control is the new compliance baseline: Regulators now expect demonstrable evidence of sovereignty through encryption key management and access transparency. Executives should embed automation and verifiable controls directly into their IT architecture.
  • AI adds a new layer of sovereignty complexity: With evolving AI regulations, inconsistent governance raises exposure. Leaders should create AI-specific data policies ensuring training data meets sovereignty requirements before enforcement intensifies.

Alexander Procter

March 4, 2026