Editor’s Note: This article was originally published on Forbes Business Council on March 6, 2026. It is republished here following the conclusion of the platform’s exclusivity period.
A business executive recently shared an experience that stuck with me. His organization had invested heavily in cloud and adopted a cloud security (SASE) solution, confident that it addressed regulatory requirements.
But then his security team discovered that, although the cloud edges were located in their country, policy updates were being pushed from a management console hosted outside their jurisdiction, and certain traffic inspection was occurring outside their region on infrastructure they did not control. Moreover, their data could be subject to access by foreign governments where their providers were headquartered. He thought he had sovereignty, but what he really had was only a contract that said sovereignty.
He’s not alone. Across boardrooms, from Singapore to Sao Paulo, business leaders are coming to the same conclusion: Sovereign cloud, on its own, doesn’t always deliver the level of security they thought they were buying.
Too often, sovereignty is reduced to a single question: Where does the data live? That definition made sense when applications were centralized and access paths were limited. But it tends to break down in modern, distributed environments.
Today’s enterprises operate across clouds, regions and edges. Users connect remotely. Applications span SaaS, private infrastructure and on-premises systems. AI-driven automation is introducing new, machine-speed interactions with sensitive data.
In this reality, sovereignty cannot be guaranteed by storage and processing location alone. It depends on how access is granted, where traffic is inspected, who enforces policy and who has visibility into the logs and performance data systems generate. If sovereignty only applies when data is at rest, it fails the moment that data moves, which is precisely when risk increases.
Sovereign cloud initiatives promise control, but in practice that control is often incomplete. Even when data resides within national borders, access may still be mediated by centralized security or networking products located elsewhere. Security inspection may occur outside sovereign boundaries. Policies may be authored, updated or enforced through non-sovereign systems.
As environments become more complex, these gaps widen. Each dependency on an external control plane or inspection point introduces uncertainty—about who can access data, under what conditions and with whose authority.
Work is no longer centralized. Applications live everywhere. Edge computing has multiplied the number of locations where data is processed. AI workloads and autonomous agents introduce new, automated paths to sensitive information, often operating continuously and at scale.
Every new access path expands the scope of what must be protected under sovereign control. Location-based controls struggle to keep pace when enforcement is not distributed alongside access. In highly regulated industries, that gap creates risk that cannot be mitigated after the fact. Sovereignty collapses when enforcement cannot keep up with distribution.
Sovereign secure access service edge (SASE) is not about rejecting the cloud. It is about governing it properly. It is about creating a security and networking model where access decisions, traffic inspection, policy enforcement, logging and telemetry operate within infrastructure controlled by the sovereign entity.
The distinction is critical: Sovereign cloud determines where data is stored. Sovereign SASE determines how data is accessed and protected, across users, devices, networks and applications.
Together, they form a complete sovereignty model. Cloud-only security approaches that rely on centralized control planes cannot meet these requirements, regardless of contractual assurances. Again, architecture, not intent, determines sovereignty.
For executives evaluating sovereignty strategies, beyond claims from providers, you need to make sure sovereignty is enforceable, observable and resilient. True digital sovereignty requires:
Anything less is a promise that cannot be verified.
There is a misconception that sovereignty slows innovation. In practice, I find the opposite is true.
Organizations architected for sovereignty can gain regulatory confidence, customer trust and access to markets otherwise closed. They reduce uncertainty in cross-border operations, avoid retrofitting controls after deployment and enable global growth without multiplying risk.
Rather than fragment your enterprise, sovereignty provides a unified control layer that allows your organization to scale responsibly across regions, industries and regulatory environments.
The need for digital sovereignty is accelerating as regulatory frameworks like the General Data Protection Regulation (GDPR), the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA) evolve.
But implementing such digital sovereignty properly does have its challenges. It introduces jurisdictional and architectural considerations, and, therefore, it is not enough for applications to reside in a specific cloud location. Control, management, inspection and access must meet compliance requirements.
I find that many organizations secure cloud capacity within appropriate jurisdictions, but overlook that the secure access services used to reach those workloads may still inspect or enforce traffic in a different country or jurisdiction.
Addressing this gap depends on scale and operating model. Small and medium-sized businesses (SMBs) using sovereign cloud for specific workloads can partner with local managed service providers that deliver sovereign secure access within the same jurisdiction.
Larger global enterprises operating across multiple jurisdictions face a more complex challenge. They often require separate, sovereign, secure access environments aligned with each region’s regulatory requirements. Today, few cloud security providers can deliver this consistently across geographies. Some enterprises, therefore, choose to build dedicated sovereign infrastructure to simplify compliance.
The cloud is not disappearing. Instead, I see it evolving toward a more distributed, sovereignty-aware model that reflects geopolitical and regulatory realities.
In that world, sovereignty will not be defined by where data sits, but by who controls access, enforcement and governance across the entire digital estate. Combining a sovereign cloud with a sovereign SASE can make it truly effective. As digital borders re-emerge, sovereignty is determined by control—not by where data physically resides.
Subscribe to the Versa Blog
Trial
ROI
Contact