IDC Guest Post (Sponsored by Broadcom)
In today’s rapidly evolving and ever-complex digital landscape, the concept of digital sovereignty is no longer confined to niche regulatory discussions but has matured into a business-critical imperative focused on organizational autonomy and self-sufficiency. The geopolitical and economic upheavals witnessed in 2025 have amplified the urgency, positioning control over data, data transfers, and data access as essential components of business continuity and survivability.
What is Digital Sovereignty?
Defining digital sovereignty depends on one's perspective and is likely to vary in scale depending on risk appetite and profile. For a state actor, digital sovereignty concerns the ability to assert jurisdiction and control over digital assets; their broader supply chains; and, potentially, their economic, societal, and geopolitical impacts. From an organization's perspective, digital sovereignty provides complete control over its data, the infrastructure the data resides in, all associated data transfers, and the corresponding access mechanisms. This concept ensures organizational self-determination, enabling enterprises to maintain self-sufficiency and survival even when faced with significant market or political shocks. As a consequence, digital sovereignty can be definitive and critical for all organizations that use digital services and platforms.
Figure 1 shows how digital sovereignty comprises several attributes and has evolved from self-determination and self-sufficiency to survivability. Digital sovereignty is about operational resilience for enterprise organizations and, at the macro level, is crucial for governments to ensure the continuous availability of critical national infrastructure.
Figure 1: IDC’s Digital Sovereignty Stack
IDC considers cloud sovereignty (also called sovereign cloud) to be a subset of the overall digital sovereignty concept. It must comply with all relevant data laws and regulations in the jurisdiction where it operates. Moreover, sovereign controls must apply to the platform provider and all underlying infrastructure, wherever they are, including any data transfers to third-country locations and any parties with access to them.
As there is no agreed-upon definition of sovereign cloud, organizations seeking solutions are advised to exercise caution when assessing any offerings. Sovereign cloud deployment models range from public clouds with sovereign controls to private clouds and air-gapped, locally operated clouds. Different providers offer solutions with varying levels of control and compliance, ideally tailored to a user’s individual needs. We have seen attempts, mostly in the European Union (EU), to develop a generally accepted definition of sovereign cloud. These attempts, with varying levels of success, have taken the form of draft certification schemes under the EU Cybersecurity Act, drawing on national and international cloud security standards, or, more recently, the European Commission DGIT cloud tender.
AI sovereignty has also emerged as a subset. While sovereign cloud comprises sovereign controls of the IT solutions and services included in data, technical, and operational sovereignty (as detailed in IDC's Worldwide Sovereign Cloud Taxonomy, 2024 study), sovereign AI encompasses the full spectrum of sovereignty, as shown in the “stack” above. However, much more will be needed here to achieve meaningful autonomy and control. IDC has developed a sovereign AI framework that focuses on the levers organizations can use to exert greater control and choice over the design, development, deployment, accessibility, operation, maintenance, and governance of AI implementations, as well as the technology foundations on which those implementations depend. The core of the framework is about the assets and capabilities required to build a working AI system that delivers business value.
Why is Sovereign Cloud Gaining Traction?
Regulatory and legislative compliance has typically been the chief driver of sovereign cloud solutions in sectors such as finance and the public sector. Others, mostly in critical infrastructure, have considered various degrees of sovereignty as key elements of their overall risk management strategy. While this remains the case for many organizations globally, there are regional variations, especially in Europe, which is at the forefront of digital sovereignty.
In recent years, particularly in the wake of the COVID-19 pandemic, the expanding cloud has emerged as the main driver in Europe. The need to enhance cybersecurity drove this trend, with many cloud users conflating sovereignty and security (while they can be two sides of the same coin, sovereignty is more about data control, transparency, and reduction of critical dependencies). But amid the geopolitical and economic uncertainties seen so far in 2025, the need to protect against extraterritorial data requests is the top driver of the sovereign cloud market in Europe (see Figure 2).
Figure 2: What are or were the main drivers of your organization’s decision to use sovereign cloud?
Source: IDC Europe, Worldwide Digital Sovereignty Survey, July 2025
Thus, the market landscape for sovereign cloud solutions has undergone a dramatic transformation, owing to external geopolitical and macroeconomic factors that have elevated the discussion from a compliance necessity to a strategic autonomy.
Choosing and Using a Sovereign Cloud
Many organizations start their move to a sovereign cloud by identifying which workloads require sovereignty and why. Not all data is equal; some workloads contain highly sensitive personal or financial information, while others may be subject to sector-specific regulations.
A successful sovereign cloud strategy starts with classifying workloads based on regulatory exposure and data sensitivity. This enables organizations to make informed decisions about data storage, processing, and protection. As with all their workloads, organizations should choose the most appropriate IT venue for their data. While implementing a sovereign cloud is not a binary choice between public and private infrastructure, it requires a nuanced approach that integrates sovereignty into the broader IT strategy. Federated cloud architectures and virtualization technologies play a vital role here, enabling organizations to maintain flexibility while ensuring compliance. Sovereign cloud solutions must be interoperable, scalable, secure, and capable of supporting control without compromising innovation.
Choosing the right vendor is another critical step. Organizations face various obstacles, including navigating compliance requirements and ensuring operational transparency. While IDC survey data reveals that ownership of in-country datacenters to support data localization is the most important attribute for customers when seeking sovereign cloud partners and providers, from an overall perspective, the most sought-after providers are those that offer more than infrastructure. Trustworthy providers that can demonstrate deep regulatory and vertical industry expertise, work within and enable partners in local ecosystems that can guarantee agreed levels of sovereignty, and offer flexible deployment models will feature highly in customer shortlists. Importantly, sovereignty is not a one-size-fits-all approach. Various workloads demand different levels of control, and providers must offer customizable solutions that reflect this.
Increased interest in digital sovereignty is prompting organizations to reassess their cloud and IT choices. The ultimate aim is to place control, transparency, and autonomy at the center of organizations’ future IT investment and strategic partnership selection. To help them achieve that, they will look for partners and providers that offer the expertise to help overcome challenges of implementing sovereign cloud, such as high complexity, high costs, and integration issues with the main cloud environment.
To help their customers succeed with digital sovereignty, sovereign cloud providers are advised to:
- Support organizations in developing frameworks that enable them to classify data according to sensitivity. Sovereign cloud should primarily cater to workloads with a heightened degree of sensitivity. For example, this may include workloads that require specific regulatory compliance and/or data rated as “business critical,” “top secret,” or “highly confidential,” such as valuable intellectual property or customer data.
- Offer open standards that help to limit supplier concentration and better support platform interoperability, data portability, transferability, and cloud reversibility.
- Build extensive partnership models where sovereignty is assured throughout the supply chain. This will help make sovereignty scalable for organizations.
- Invest in robust regulatory compliance to demonstrate an operational “fit for purpose” environment, aligning with industry best practices and local rules.
- Invest in compliance-first infrastructure and specific AI governance capabilities to provide auditable protection against evolving data access risks.
- Utilize technologies such as virtualization and standardized APIs to enable the seamless integration of sovereign enclaves into the broader multicloud architecture. This will give customers the strategic capability to choose the right IT venue for the right workload.