Editor’s Note: This article was originally published on Forbes Business Council on March 3, 2026. It is republished here following the conclusion of the platform’s exclusivity period.
The cloud was supposed to simplify everything: global scale, shared infrastructure, one architecture for the world. However, that model is shifting, and I don’t see it shifting back again. The pressure driving that shift is sovereignty.
The question is no longer whether organizations trust the cloud but whether they can afford to cede control of their data and security enforcement mechanisms as digital systems increasingly intersect with national policy and regulation.
Data has always been valuable. What’s different is how directly it’s tied to geopolitical and regulatory consequences.
The cloud may operate globally, but laws don’t. Regulations covering data protection, financial services, critical infrastructure and national security are expanding in scope. Sanctions, cross-border disputes and high-profile disruptions have exposed a practical risk in relying on infrastructure that sits beyond an organization’s operational control.
I saw this firsthand in Europe when a defense ministry team believed it had done everything right with a sovereign cloud strategy, only to learn that a security vendor was still synchronizing policies through U.S.-based infrastructure. Its data storage was local, but policy enforcement and administrative control weren’t. Sovereignty can fail for data in motion even when data at rest appears protected.
Many organizations have launched sovereign cloud initiatives. These efforts do provide an answer—but often an incomplete one.
Data residency addresses where data is stored. It doesn’t fully address how data is accessed, inspected, routed or logged as it moves through enterprise systems. Even when data lives inside national borders, security and networking services can still operate from infrastructure outside of them. Traffic inspection may occur elsewhere. Policy updates and enforcement can still depend on systems beyond sovereign oversight.
The limitation here isn’t legal intent but technical design. Data location can be specified through policy and contract. Control over how data is handled in motion depends on where security and networking functions actually run.
This challenge grows as enterprises become more distributed. Data now lives across SaaS applications, private data centers and cloud workloads, accessed from branch offices, remote users and edge locations. AI workloads and automated agents introduce new paths to sensitive data, expanding the scope that sovereignty must cover.
Sovereign SASE is an architectural approach grounded in a simple truth: Sovereignty is not only about where data rests but who controls it as it moves. Looking beyond where data resides, sovereign SASE ensures the security and enforcement stack executes within the infrastructure that the sovereign entity owns and operates.
From routing decisions to packet inspection, policy engines, logging pipelines and telemetry collection, sovereign SASE ensures local jurisdiction. That means no policy dependencies or foreign control planes and no reliance on multitenant SaaS inspection points outside of your jurisdiction. Only full-stack, local control with auditable boundaries.
We worked with Swisscom as it built beem as a network-embedded SASE service with sovereignty designed in from day one.
In a customer Q&A session, requirements were framed in business terms: Customers wanted stronger security “without adding complexity” while ensuring sovereignty and regulatory compliance. The response was to offer secure connectivity as a managed service, not another stack of point products.
The sovereign requirement is similarly concrete. “Sovereign” means customers can trust and verify where and how their security is operated. Operating and hosting in Switzerland helps customers align enforcement with governance and data residency requirements. While connectivity and security are delivered together, Swisscom also emphasizes accountability. A single provider can stand behind end-to-end service guarantees, making security more predictable and operationally reliable at scale.
The business value shows up early because sovereignty is built into the service model. In Swisscom’s case, it offers faster secure access, fewer moving parts to manage and more consistent outcomes, delivered within Swiss-operated infrastructure. Over time, consolidating security and networking enforcement inside sovereign infrastructure reduces tool sprawl and integration overhead, translating into lower operational burden while maintaining local control.
Sovereign isn’t a logo on a data center. Before you buy, run five tests:
1. Data Residency: Are all data, telemetry and logs stored and processed in the sovereign locale without replication or “hairpinning” to global systems?
2. Legal Jurisdiction: Is the service contracted, governed and legally controlled under the sovereign locale’s law, minimizing exposure to extraterritorial access regimes such as the U.S. CLOUD Act?
3. Local Enforcement: Are access control, traffic inspection and security policy enforcement entirely within the sovereign locale?
4. Operational Control: Are sovereign locale personnel performing platform administration and day-to-day operations under local regulatory frameworks?
5. Architectural Isolation: Are sovereign cloud and sovereign SASE instances logically and operationally isolated from global control planes and shared infrastructure?
Sovereignty can’t be bolted on after the fact.
Architectures built around centralized control planes and fragmented security stacks hosted in hyperscaler clouds often struggle to deliver true sovereignty. By contrast, platforms designed from the outset to operate in any deployment environment (including cloud, on-premises, hybrid and sovereign) can meet these demands without compromise.
When my brother Apurva and I founded Versa in 2012, we made an early bet that networking and security would converge and that the future would require architectures that could run anywhere, not only in centralized clouds. Today, that’s becoming a prerequisite for market access and long-term trust.
The cloud isn’t disappearing, but it’s evolving toward a more distributed, sovereignty-aware model that reflects geopolitical and regulatory realities. In a world where digital borders are reemerging, architecture is the gatekeeper. Organizations that plan for “deploy anywhere” control early won’t need to retrofit. Everyone else is facing a harder road.
Subscribe to the Versa Blog
Trial
ROI
Contact
