When cloud power collides with data sovereignty

Hyperscaler cloud services clash with national data sovereignty

Hyperscaler providers like AWS, Google Cloud, Microsoft, IBM, and Oracle have transformed enterprise infrastructure through massive global scale. The goal is simple, connect everything, everywhere, and run it faster, cheaper, and more efficiently. But this same design also creates a strategic problem for governments and regulators: data sovereignty. When data crosses borders, it’s no longer fully protected by local law. And because these hyperscalers are all US-based, they are bound by US jurisdiction, even if the data sits in London, Berlin, or Tokyo.

The US Cloud Act and similar legislation give American courts authority to compel US companies to provide data stored anywhere in the world if that data is considered under their “possession, custody, or control.” For clients outside the US, this is an uncomfortable truth, it means that compliance with US law can override local privacy protections. The Foreign Intelligence Surveillance Act (FISA) Section 702 adds another layer, allowing forced “technical assistance” from cloud providers, again without guaranteeing the protection of foreign entities.

Executives working across multiple jurisdictions need to treat this as a governance issue, not just a technical one. The operational efficiency of global clouds is compelling, but sovereignty isn’t optional. When national security, public interest, or citizen data are involved, board-level oversight becomes necessary. This is especially true for industries tied to defense, healthcare, or finance, where control of information directly ties to strategic resilience.

Deciding how to handle data sovereignty is about control, not distrust. Leaders should evaluate whether the efficiency gains from hyperscale infrastructure justify potential exposure to foreign legal mandates. The future may lean toward regionally governed, interoperable clouds, an approach that maintains efficiency without surrendering control.

Hyperscaler evasion of technical vulnerability issues

When asked how they would technically block a US court order requiring them to hand over foreign data, the major hyperscalers gave vague answers. They shifted attention to their encryption policies, to air-gapped services, or to customer-controlled keys. None of these are wrong, but none fully address the real question: how can hyperscalers prevent forced access if legally compelled? In practice, most cloud data processing happens “in the clear,” meaning it’s temporarily unencrypted in memory for computation. That’s where the true exposure lies.

Even the best encryption schemes can’t protect data while it’s being used. Specialized “data-in-use” encryption can reduce risk, but it’s complex, costly, and not broadly deployed. Hyperscalers are aware of this, yet their responses typically avoid acknowledging the underlying vulnerability: the law can compel them to assist, technically or operationally, in accessing that data.

C-suite executives need clear thinking here. Encryption and compliance certifications are not infallible shields, legal compulsion overrides both. The focus should be on control structures and transparency agreements that make compelled actions visible to the customer. Governance frameworks must ensure there’s accountability if any government requests access to data.

For global enterprises and public organizations, this means understanding that technical defenses can only go so far. Real sovereignty and compliance assurance come from structural choices, choosing where cloud workloads run, who controls encryption keys, and what jurisdiction governs the provider. This approach is not just about privacy; it’s about maintaining autonomy in a world where legal power is distributed unevenly.

Legal frameworks permit covert data access via software updates

Under U.S. law, particularly FISA Section 702, courts can require cloud service providers to deliver “technical assistance” to support intelligence or law enforcement operations. That term is broad enough to include modifications to software, such as updates, that could quietly provide access to data. These updates are typically machine-coded and not subject to human-level auditing, which means that such actions could occur without the customer’s knowledge.

For multinational executives, this raises a serious governance challenge. A company may comply fully with security certifications, maintain rigorous encryption standards, and still be vulnerable to compelled actions embedded within provider updates. These are not theoretical possibilities, they are legally supported capabilities available to U.S. courts. Existing safeguards in standard hyperscaler operations don’t offer a mechanism for customers to audit, detect, or oppose these hidden forms of access.

Organizations handling sensitive data, especially in critical national infrastructure or regulated sectors, should account for this legal reality when relying on U.S. cloud vendors. The solution isn’t panic; it’s strategy. Implementing additional controls such as verified build environments, code review protocols, and independent update validation can reduce hidden exposure. Public-private collaboration on verifiable compliance frameworks may also improve visibility and trust between providers and governments.

Executives should approach this not as a failure of technology but as an intersection of law and infrastructure. Trust requires transparency, and in the absence of transparency, organizations must design control systems that independently validate what their suppliers deliver. Sovereign oversight, regular audits, and contractual clarity are key tools for managing the unseen dimensions of digital compliance.

Standard service agreements undermine data isolation

Standard hyperscaler contracts are written to optimize efficiency, not sovereignty. Most contain clauses allowing customer data, and its metadata, to move freely between regions for operational purposes. Known as “follow-the-sun” support, this practice ensures global uptime and rapid problem resolution. But it also means that data often crosses borders automatically, creating jurisdictional exposure even when services are marketed as regionally isolated.

For business leaders, this is an area where the small print matters. A cloud region designated as “UK-only” or “sovereign” may still depend on shared infrastructure and global support routing. This diminishes the ability to guarantee that data stays within national boundaries. In industries requiring strict localization, such terms weaken compliance frameworks and risk violating domestic data protection regulations.

Decision-makers should insist on contractual assurance regarding where data is stored, processed, and accessed. This includes metadata, system logs, and backups, elements that can reveal just as much about a system as the data itself. For public-sector and defense entities, such guarantees should be non-negotiable. Vendors able to deliver verifiable, jurisdiction-bound architecture will have a growing competitive advantage as nations develop clearer sovereignty requirements.

Executives must weigh the operational benefits of global infrastructure against the compliance and strategic control gained through regional isolation. In practice, complete isolation often isn’t feasible without cost or complexity, but tighter contractual governance and audit mechanisms can keep exposure to a manageable level. This balanced approach, technically feasible, legally sound, and commercially realistic, is where genuine sovereignty begins to take form.

The challenge of achieving true data sovereignty

Attaining full data sovereignty is a complex goal that exceeds current technical and legal capabilities. Even when organizations choose air-gapped systems or opt out of standard cloud contracts, complete isolation from broader infrastructure and jurisdictional influence remains uncertain. These solutions can lower risk but cannot eliminate it. Compelled access orders, software dependencies, and global network integration continue to pose structural exposure points.

For business leaders, this challenge isn’t just technical, it’s strategic. Sovereignty isn’t achieved by a single tool or vendor promise but by aligning technology choices with governance control. Leaders must assess how cloud operations intersect with national, regional, and internal compliance frameworks. Each decision, from where data is stored to who manages encryption keys, reshapes control boundaries. The companies that master this alignment will not only meet compliance standards but set benchmarks for transparency and risk management.

The market trend is moving toward hybrid and sovereign cloud models configured for regulated sectors. These systems prioritize local jurisdiction, verifiable partitioning, and government oversight. However, such designs often compromise on scalability, cost efficiency, or integration speed. Executives must decide whether these trade-offs are acceptable to maintain control and compliance.

Forward-focused leaders should treat sovereignty as an evolving process rather than a static goal. The right approach combines layered control, audit transparency, and resilient infrastructure partnerships. This mindset keeps organizations adaptive as legal frameworks and technical standards continue to evolve globally.

Critical implications for the UK public sector

The UK public sector’s strong dependence on U.S. hyperscalers presents a major sovereignty challenge. Analyst firm Tussell reports that 95% of central and local government bodies used hyperscale cloud services in the 2023–2024 financial year, representing more than 1,100 organizations. This widespread adoption demonstrates efficiency at national scale but also extends exposure to external jurisdictions.

A notable example is the £400 million contract between Google and the Ministry of Defence to deliver a “sovereign cloud” solution based on Google Distributed Cloud. While described as sovereign, such platforms still depend on U.S. corporate ownership and therefore remain within the reach of U.S. legal authority. The UK’s Department for Science, Innovation and Technology (DSIT) has yet to define what “data sovereignty” means in this context, leaving a policy gap that complicates digital governance.

For senior government executives, this lack of legal clarity introduces strategic vulnerability. Decisions driven solely by efficiency risk future complications when data protection rules tighten or when geopolitical tensions shift. Establishing an official sovereignty definition should be a national priority, enabling procurement and compliance teams to set consistent data control expectations.

Public sector leaders must also consider multi-vendor and hybrid approaches that distribute infrastructure control across jurisdictions. These models may cost more upfront, but they enhance resilience and political independence. As governments worldwide reassess the role of hyperscalers in national infrastructure, the UK can lead by building frameworks that combine global innovation with clear local control.

Main highlights

• Global reach still means U.S. legal risk: U.S.-based hyperscalers like AWS, Microsoft, and Google remain subject to U.S. jurisdiction, even when hosting data abroad. Executives should account for this exposure when forming data residency and compliance strategies.
• Encryption doesn’t equal sovereignty: Encryption protects data at rest and in transit but not while it’s being processed. Leaders should implement governance and verification mechanisms to oversee how their providers manage encryption and legal compliance.
• Legal mandates can enable covert access: U.S. laws such as FISA Section 702 allow compelled “technical assistance” that may include undisclosed software modifications. Executives must ensure service providers offer transparency and third-party validation for updates and system changes.
• Contracts compromise data localization: Most standard cloud agreements allow cross-border data movement for operational support. Decision-makers should negotiate explicit data location and access clauses to maintain control and meet jurisdictional compliance.
• Absolute sovereignty remains unattainable, build layered control: Even air-gapped or isolated systems cannot guarantee full immunity from external jurisdiction. Leaders should pursue multi-layered strategies combining regional hosting, strict governance, and verified oversight.
• The UK’s reliance reveals a broader global risk: With 95% of UK public bodies relying on U.S. hyperscalers, policy gaps on data sovereignty leave national data vulnerable. Executives in both public and private sectors should push for clearer sovereignty definitions and balanced, hybrid infrastructure strategies.