By Jake Madders
Cloud strategy is expanding beyond demand for greater flexibility, performance and cost control, to include geopolitics. This article discusses how enterprises should navigate “geopatriation” – selectively moving workloads to meet evolving sovereignty and access rules.
Cloud strategy used to be centred around cost, performance and convenience. Not anymore. Today, geopolitical considerations are becoming equally critical.
Enter geopatriation: the selective relocation of workloads from global public clouds – typically provided by hyperscalers – to more sovereign environments. Named by Gartner as a Top Strategic Technology Trend for 2026, it reflects an emerging shift: enterprises are beginning to ask not just “where is my data?” but also “who can access it, and under which country’s rules?”
Jurisdictional control is moving from a technical detail to a boardroom priority. European regulators now require documented evidence of data sovereignty. A cascade of hyperscaler outages in 2025, including the major AWS incident in October, made the risk undeniable: concentration on a handful of platforms creates both operational and jurisdictional exposure.
Sovereignty is more complicated, and regulators want evidence
Many platforms offer a region selector, a compliance statement and a reassuring acronym. That is not the same as having control. Real sovereignty is more than data residency. It requires clarity about which jurisdictions can compel access – not just where data sits, but who can demand it.
The US CLOUD Act looms large: US law requires providers to preserve or disclose data within their “possession, custody, or control, no matter whether the data is located inside or outside the United States.” Add in subcontractors, global support desks and shared tooling, and “sovereign” becomes a marketing claim rather than a verifiable reality.
European regulators are responding. They expect organisations to manage supplier concentration, third-party risk and operational resilience with documented evidence, not assurances. DORA and NIS2, the EU’s digital resilience regulations, make jurisdictional risk a compliance requirement, not an option.
Signals that geopatriation is gaining momentum
While still in early stages, these regulatory and jurisdictional concerns are already starting to reshape procurement decisions. Airbus is preparing to tender a €50+ million contract to migrate mission-critical workloads – including ERP systems, manufacturing controls, and aircraft design data – to a digitally sovereign European cloud. The aerospace manufacturer estimates only an 80% chance of finding a suitable European provider, highlighting the gap between emerging demand and available supply.
Across the telecoms sector, sovereign positioning is becoming more explicit. Deutsche Telekom launched its T Cloud division in July 2025, positioning sovereign solutions as central to its strategy. In France, Capgemini and Orange formed Bleu, a joint venture offering Microsoft services under French operational control and targeting SecNumCloud 3.2 qualification.
However, awareness of geopatriation and the available sovereign alternatives remains limited within the wider European business community. For this trend to have a real impact, independent European cloud providers must take the lead. This is their opportunity, as jurisdictional clarity is starting to matter as much as global scale, levelling a playing field that is dominated by hyperscalers. Realising this potential will require a coordinated effort from providers, industry bodies and regulators. Organisations like CISPE (Cloud Infrastructure Services Providers in Europe), for example, are already working to shape a supportive regulatory framework and raise awareness of sovereign alternatives among European leaders.
Implementing a split architecture
Geopatriation does not require abandoning hyperscalers entirely. For organisations considering this shift, the most practical approach is a split structure. One side retains hyperscale platforms for rapid experimentation, scaling and services that would not sensibly be rebuilt. The other side places sensitive, regulated or operationally critical workloads into environments where control, access and accountability are easier to evidence.
The starting point is an inventory of data locations and copies. Map workloads to jurisdictions according to the regulatory requirements and access rules that apply in each environment. Ensure that business continuity provisions stay within chosen boundaries. Test exit plans under realistic failure scenarios – not just on paper.
These can be complex requirements. A managed service provider with genuine jurisdictional separation can help create repeatable controls, delineate clear ownership and provide tested recovery and auditable access models. The key here is “genuine” – providers must show that they are truly independent, not just rebranded hyperscaler subsidiaries.
The board-level question is shifting from “are we compliant?” to “can we evidence control, maintain operations through disruption and move workloads when geopolitics demands it?”
Organisations that get ahead of this will not abandon hyperscale. They will use it with cleaner boundaries, fewer hidden dependencies and clearer answers about jurisdiction and access – while building the optionality to move when circumstances require it.
Jake Madders
