Skip to main content

Data Residency vs Data Sovereignty: Why Location Alone Doesn't Protect Your Data

· 9 min read
Aytan Jalilova
Aytan Jalilova
Developer Advocate @ IOMETE

For years, Europe operated under a comforting assumption: host data on European soil, and European law will protect it. Expert opinions commissioned by the German Federal Ministry of the Interior — alongside long-standing legal realities like the US CLOUD Act and FISA 702 — have forced a reckoning that was long overdue.

The conclusion itself isn't new. But the willingness to say it out loud finally is: data residency does not equal data sovereignty.

Jurisdiction follows control, not geography

Here's the legal reality most organizations still underestimate. US surveillance and disclosure laws don't care where the servers sit. They care about who controls the data. If a cloud provider falls under US jurisdiction, US authorities can compel access — even if that data is stored in Frankfurt, Paris, or Helsinki. Even if it's managed through a European subsidiary.

This isn't speculation. It's been publicly acknowledged under oath. Contracts may promise to resist "unfounded" requests, but when a valid court order lands, the parent company complies. In the eyes of US law, a data center in Europe operated by a US-headquartered provider can still be treated as a US facility.

The law hasn't changed. What's changed is the geopolitical context — and the willingness of European institutions to stop pretending the risk doesn't apply to them.

Contracts and compliance create an illusion of control

For the better part of a decade, organizations papered over this problem with contractual assurances, certifications, and elaborate governance documentation. GDPR, standard contractual clauses, and compliance frameworks created a sense of safety — without actually changing the underlying power dynamics.

Compliance frameworks manage process. They don't alter who owns the infrastructure, who administers the systems, or which courts can assert authority. This trade-off was consciously accepted when the United States was viewed as a stable, aligned partner. That assumption is now far less certain — and the trade-off looks increasingly expensive.

Encryption helps, but it's not a silver bullet

Encryption gets cited as a mitigation strategy in nearly every sovereignty discussion. And yes, encryption at rest and in transit is essential. But it doesn't eliminate the problem.

Someone has to control the encryption keys. Metadata and operational traces are almost always left unencrypted. Cloud services, by their very design, must process data in plaintext at some stage.

If the provider controls the runtime, the key management system, or the administrator accounts, encryption merely shifts the trust boundary. It doesn't remove it.

Open source: necessary, but not sufficient

Open source technologies are a powerful enabler of digital sovereignty — and for good reason. They offer transparency, auditability, and freedom from vendor lock-in at the software level.

But open source alone doesn't resolve extraterritorial legal exposure. A US-controlled company offering services built entirely on open source software is still subject to the same legal obligations as any other US entity. The code may be open. The governance is not.

Open source becomes a genuine sovereignty enabler only when it's combined with sovereign control over operations, infrastructure, and governance. The software stack matters. But who operates it, and under whose laws, matters more.

Regulation is catching up — and raising the stakes

This discussion isn't happening in a vacuum. The regulatory landscape in Europe is actively tightening, and the gap between what's expected and what most organizations actually control is growing fast.

DORA — the Digital Operational Resilience Act — became enforceable across the EU in January 2025. It requires financial entities to maintain comprehensive oversight of their ICT third-party service providers, including registries of all contractual arrangements, concentration risk assessments, and exit strategies. The European Supervisory Authorities are now in the process of designating "critical" ICT third-party providers, which will face direct EU-level oversight.

What makes DORA particularly relevant here: it doesn't just ask whether you have a risk management framework. It asks who actually controls your critical ICT infrastructure — and what happens if that provider is compelled by a foreign government to act against your interests.

NIS2 broadens this logic across essential sectors. The EU AI Act introduces additional data governance requirements for high-risk AI systems. Taken together, these regulations are making digital sovereignty an operational requirement — not an aspiration.

For organizations relying on SaaS platforms operated by US-headquartered companies, the compliance picture is getting harder to reconcile. You can document your risk. But documentation doesn't change who holds the keys.

Sovereignty is an architectural decision

Strip away the policy language and the certification logos, and you're left with a straightforward question: who controls the system your data lives in, and under whose laws do they operate?

If the answer involves an entity subject to foreign jurisdiction — jurisdiction that can compel disclosure regardless of where your servers are — then you have a residency strategy, not a sovereignty strategy.

Real sovereignty requires architectural choices:

  • Infrastructure you operate within your own trust boundary
  • Open standards that prevent lock-in at every layer of the stack
  • Key management and administration under your direct control
  • Processing that never leaves your security perimeter
  • Exit paths that don't depend on vendor cooperation

Geography is one piece of the puzzle. But without operational control, it's a mailing address — not a security boundary.

Where IOMETE fits

This is precisely the problem IOMETE was built to solve.

IOMETE is a self-hosted data lakehouse platform that runs entirely within your infrastructure — whether that's your own data center, your private cloud, or your public cloud account. Built on open standards (Apache Iceberg, Apache Spark, Kubernetes), it processes and stores data without ever moving it outside your security perimeter.

There's no SaaS control plane sitting in another jurisdiction. No vendor-managed runtime that processes your data in plaintext on someone else's infrastructure. No ambiguity about who controls the encryption keys, the administrator access, or the audit trail.

For organizations in regulated industries — banking, insurance, government, defense — this isn't a philosophical preference. Under frameworks like DORA, it's becoming an operational requirement. You need to know exactly who controls your ICT infrastructure, demonstrate exit strategies, and prove that your critical data processing isn't subject to extraterritorial legal risk.

IOMETE doesn't ask you to trust a contract. It gives you the architecture to not need one.

Your data. Your infrastructure. Your jurisdiction. That's what sovereignty actually looks like.

Frequently Asked Questions

What's the difference between data residency and data sovereignty?

Data residency means your data is physically stored in a specific geographic location — say, a data center in Germany. Data sovereignty goes further: it means you have full legal and operational control over that data, including who can access it, under which laws, and through which systems.

You can have residency without sovereignty. If a US-headquartered cloud provider operates the infrastructure, US authorities can potentially compel access regardless of where the servers sit.

Does the CLOUD Act really apply to data stored in Europe?

Yes. The US CLOUD Act (2018) allows US law enforcement to compel US-based companies to produce data they control, regardless of where that data is physically stored. If the cloud provider is subject to US jurisdiction — even through a parent company relationship — data stored in Frankfurt or Paris can be legally accessed under a US court order.

Can encryption solve the sovereignty problem?

Encryption is essential but not sufficient on its own. If the cloud provider manages your encryption keys, controls the runtime environment, or administers the key management system, they can technically access your data in plaintext during processing. True sovereignty requires that you — not your vendor — control the encryption keys and the entire processing environment.

What is DORA and why does it matter for data sovereignty?

DORA (Digital Operational Resilience Act) is an EU regulation enforceable since January 2025 that requires financial entities to maintain comprehensive ICT risk management, including full oversight of third-party technology providers. DORA specifically requires organizations to assess concentration risk, maintain exit strategies, and document who controls their critical ICT infrastructure — making sovereignty an operational compliance requirement, not just a preference.

Is open source software enough to achieve data sovereignty?

No. Open source provides transparency, auditability, and freedom from vendor lock-in at the software level — all important building blocks. But if the company operating that open source software is subject to foreign jurisdiction, the legal exposure remains the same. Sovereignty requires open source combined with sovereign operations, infrastructure control, and governance under your own legal jurisdiction.

How does a self-hosted data platform help with sovereignty?

A self-hosted platform like IOMETE runs entirely within your infrastructure — your data center, your cloud account, your security perimeter. Data never leaves your controlled environment for processing.

You manage the encryption keys, the administrator access, the audit trails, and the network configuration. There's no external vendor runtime processing your data in plaintext under a foreign jurisdiction.

Which industries are most affected by data sovereignty requirements?

Banking and financial services (under DORA), healthcare (under GDPR and national health data regulations), government and defense (classified data handling), insurance (under DORA and Solvency II), and any organization handling personal data of EU citizens. The EU AI Act is also introducing data governance requirements that will affect organizations building or deploying high-risk AI systems.

Can I achieve data sovereignty on a public cloud?

Yes — if you control the deployment. Running a self-hosted platform on your own public cloud account (AWS, Azure, GCP) means you control the infrastructure, the network configuration, and the access policies.

The key distinction is whether you or a SaaS vendor controls the processing environment. A self-hosted deployment in your cloud account keeps the trust boundary within your control, unlike a vendor-managed SaaS platform.

Want to see how IOMETE works in regulated environments? Talk to our team →

ON THIS PAGE