
Operating Globally, Complying Locally: Why Sovereignty Is About Control, Not Location


By Sonal Rattan - CTO & Co-Founder at eXate


For years, financial institutions have asked a simple question about their data: where is it? That question is now outdated.


In today’s cloud-driven, AI-enabled financial ecosystem, data is no longer static. It moves continuously across systems, jurisdictions, and providers, while regulation remains anchored in national boundaries. This mismatch is creating a new reality: organisations can know exactly where their data is and still not be in control of it. That shift is why digital sovereignty is rapidly emerging as one of the defining challenges in RegTech, moving from a compliance concern to a core strategic priority.



Recent industry research reflects this change in mindset. According to recent data, 61 percent of organisations now view sovereignty as a strategic priority, and 71 percent already factor it into technology and infrastructure decisions. Despite this growing focus, capability is lagging. Only 35 percent of organisations report having full visibility over where their data is stored and governed, while 24 percent say they are not prepared for evolving sovereignty requirements. This gap between awareness and execution is becoming one of the most significant risks in modern data strategy.


Part of the challenge lies in how sovereignty is understood. Terms such as data residency, data localisation, and data sovereignty are often used interchangeably, yet they represent fundamentally different concepts. Data residency refers to the physical location where data is stored. Data localisation relates to legal obligations requiring data to remain within national borders. Data sovereignty, however, is about jurisdiction and control, specifically which laws apply to data and who has the authority to access it. An organisation may meet residency requirements and still be exposed to foreign jurisdiction, or localise data and still lack control over access. Location alone does not guarantee sovereignty. Control does.


As organisations confront this reality, many are broadening their approach beyond data alone. Digital sovereignty is increasingly understood as a combination of control across the data itself, the technical mechanisms that enforce access and protection, and the operational layer that determines who administers and interacts with systems. Sovereignty risk rarely sits in one place. It emerges from the interaction between data, infrastructure, and people, making isolated solutions insufficient.


Understanding the Difference


  • Data Residency: the physical location where data is stored

  • Data Localisation: legal obligations requiring data to remain within national borders

  • Data Sovereignty: jurisdiction and control, specifically which laws apply to data and who has the authority to access it




For years, organisations have attempted to address sovereignty through infrastructure decisions, selecting specific cloud regions or isolating workloads. While these approaches provide a degree of control, they are no longer enough. Cloud environments are inherently distributed, with data flowing continuously across APIs, services, and regions. At the same time, extraterritorial regulation means jurisdictional exposure does not stop at geographic boundaries. As a result, organisations are being forced to rethink the problem entirely, shifting from “Where is my data stored?” to “Who can access it, and under what legal authority?”


Until that question can be answered with confidence, sovereignty remains unresolved.

This urgency is being amplified by geopolitical uncertainty, increasing reliance on a small number of global technology providers, expanding regulatory expectations, and the growing need for operational resilience. In sectors such as financial services, sovereignty is now directly linked to risk exposure, compliance posture, and business continuity.

It is also influencing vendor decisions, with 82 percent of organisations indicating they would consider switching from large technology providers to regain greater control over data governance.


Despite significant investment in cloud and security, many organisations still lack control at the data level itself. This is where a new model is emerging, often described as data-centric sovereignty.


Rather than relying solely on infrastructure, this approach embeds protection directly into the data through techniques such as pseudonymisation, encryption, and format-preserving controls. Access is enforced through policy-driven mechanisms that consider user identity, context, and purpose, while data remains protected across bulk processing, APIs, and streaming environments. By decoupling data protection from infrastructure control, organisations can reduce jurisdictional exposure and apply consistent policies regardless of where data resides or moves.


This shift toward data-centric control is not theoretical. It reflects a growing recognition that sovereignty cannot be achieved through infrastructure decisions alone, but requires control to be embedded directly into the data layer itself. This gap between policy and real-world enforcement is what led to the development of eXate, built on the principle that sovereignty must be enforced at the data level, meaning:

  • Applying protection techniques such as pseudonymisation, encryption, and format-preserving controls directly to sensitive data, ensuring that it remains secure and usable without exposing regulated information, regardless of where it is stored or processed

  • Enforcing access through attribute-based, context-aware controls, where decryption and data access are dynamically governed by factors such as user identity, location, and purpose, rather than static infrastructure rules

  • Maintaining consistent protection across bulk data, APIs, and streaming environments, so that sovereignty controls are applied uniformly across modern data architectures rather than limited to specific systems or use cases

  • Decoupling data protection from underlying cloud provider control, enabling organisations to retain sovereignty over their data without being dependent on infrastructure-level security models or constrained by a single provider’s jurisdiction


The result is that data can move freely across systems and jurisdictions, while remaining governed and controlled at every point.


Sovereignty is often framed as a constraint, something that limits flexibility or increases cost. That perspective is increasingly outdated.


Organisations that can demonstrate real-time, enforceable control over their data are better positioned to build trust with regulators and customers, enter new markets more quickly, and reduce exposure to geopolitical and legal risk. In this context, sovereignty is not simply about compliance. It is becoming a foundation for digital trust and a source of competitive advantage.


The industry is now at an inflection point. The question is no longer whether sovereignty matters, but whether organisations can operationalise it consistently, at scale, and in real time. This will not be achieved through location strategies alone. It requires a shift towards control by design, embedding sovereignty into data, systems, and operations from the outset. In a world where data is constantly in motion, true sovereignty does not come from keeping data in place. It comes from maintaining control wherever it goes.




This article reflects perspectives from the evolving RegTech landscape, including data-centric approaches to security and sovereignty developed at eXate.


eXate is a distributed software platform operating at the intersection of data classification, data privacy, and data sovereignty, designed to embed centralised control into common data ingestion and distribution points. Its approach enables organisations to discover and classify sensitive data at scale, apply appropriate privacy controls based on how that data is used, and maintain continuous visibility across complex environments. By combining data classification with distributed privacy enforcement, organisations can safeguard sensitive information while supporting operational use, ensuring that data remains controlled, protected, and governed within authorised boundaries regardless of how it moves across systems.

 
 