By Pavel Shkilionak, Director, IBA Group Delivery Centers Development & Cloud Services. IBA Group were shortlisted in the ‘Best Hybrid Cloud Solution’ award at the 2025/26 Cloud Awards.
Adopting cloud strategies makes a lot of sense for most organizations. It can accelerate digital projects, reduce capital expenditures, and support remote work expansion. When you avoid maintaining on-premises infrastructure, you avoid many hassles, and you position your organization for growth and even global-level scalability.
How do you know if the strategy is sound? The KPIs are typically uptime, deployment speed, cost efficiency, and scalability. There’s a common assumption that as long as data is available, the cloud strategy is sound.
But how sound is that assumption, really? Is your organization positioned for future safety or positioned for too much risk?
Key Takeaways
- Cloud strategy is no longer just an IT decision. It’s a risk and governance decision tied to jurisdiction, regulation, and continuity.
- Data residency and provider jurisdiction can affect legal exposure, discovery, and access, even if security controls are strong.
- Regulatory expectations increasingly focus on control and accountability, not just technical protection.
- A sovereign and hybrid approach can preserve agility and reduce jurisdictional and geopolitical exposure.

Global Rules for Global Scaling
Although multi-cloud environments are now common in most of the business and industrial worlds, there are factors to consider when it comes to deciding where your data is housed.
Legal authority and jurisdictional reach are important, especially for areas like fintech and energy. Regulatory exposure and geopolitical dependencies are also board-level concerns. Cloud locations determine which country’s laws govern your stored data.
This doesn’t usually present a concern…until it does. For example, could a foreign government compel disclosure? Could sanctions disrupt your access? Are there data transfer restrictions?
And what about in the case of fraud or data breach? How are cross-border investigations handled (and do you know how to navigate the legal system in the country where your data is housed)?
While cloud strategies have largely eliminated many of the problems faced by today’s industries, in terms of expansion and operation on a global scale, cloud has also introduced jurisdictional exposure that didn’t exist back when your organization depended on purely domestic infrastructure models.
Cloud architecture isn’t just a matter of looking at the technical architecture of the system. It now requires a careful look at the jurisdictional architecture of your cloud system as well. It’s not simply about the accessibility of your data, but rather control of your data, which is an executive and Board-level concern.
Most Boards oversee financial risk, operational continuity, regulatory compliance, and fiduciary exposure. Data location can impact all these factors. It can expose your organization to litigation risk and breach liability, and result in costly compliance penalties.
There’s also the question of what-if? How can your business ensure continuity during geopolitical instability? In a global society, we’re no longer impacted only by the happenings in our locale, but rather around the world.
The Cloud Solved Infrastructure. It Introduced Jurisdiction.
Cloud strategy delivered some amazing benefits. Innovation cycles have become much faster. Elastic compute scaling allows for quick, flexible growth. Geographic redundancy allows for greater resilience should the need for disaster recovery arise.
Cloud strategy can also be more affordable, with ‘pay-as-you-go’ efficiency.
These boons have helped to optimize infrastructure management and increase the velocity of DevOps. They have allowed for global deployment and a remote workforce, which wouldn’t have been possible until this decade.
The emerging reality of cloud systems is adjusting to meet the moment. Data in the cloud is typically governed by the provider’s headquarters jurisdiction and subject to the national security laws of that area.
In some cases, there have been CLOUD Act-type frameworks that have given way to extraterritorial legislation. International data transfer agreements have also allowed for shifting geographic responsibility.
Ultimately, data governance is under the purview of the provider. Server geography doesn’t always equal legal authority. But before issues arise, it’s wise to make sure you understand the guidelines that apply to your data.
Where your provider is headquartered can, in many cases, matter more than where the servers physically sit. Even if your data is stored in-country with encryption and strong access controls, legal compulsion mechanisms may still apply.
The World Economic Forum ranks geopolitical conflict and regulatory fragmentation as top business risks. This trend is increasingly reflected in executive risk discussions, particularly as regulation and cross-border enforcement grow more complex. Some of the potential exposure types include cross-border discovery in litigation, conflicting regulatory demands, and legal hold requirements across jurisdictions.
Sudden sanctions can impact provider operations and become a costly issue. For institutions that value privacy (which is most), forced disclosure under foreign law is another significant concern. This is where digital sovereignty enters the conversation.

Digital Sovereignty Explained in Business Terms
Digital sovereignty means that your organization retains the ability to determine which laws govern its data and how the data is processed and transferred. It also covers who may compel access to your data and how disputes are resolved.
There are some misconceptions that data sovereignty is “anti-cloud” or “anti-global commerce.” There’s also a fear that data sovereignty can thwart growth, particularly with hyperscale platforms.
The reality is that sovereignty is actually a sound governance strategy for many organizations. It gives your Board of Directors legal clarity and a more controllable risk exposure. It adds predictability to help with continuity planning.
Sovereignty can be viewed as risk segmentation or legal hedging. It gives you regulatory insulation and protection from cloud-related risks, while still allowing you to use many of the benefits of cloud systems (albeit strategically).
Sovereign architecture supports audit readiness. Should issues arise, it positions you in a defensible compliance posture and boosts your regulatory alignment. At the end of the day, it offers you more operational independence, especially when it is handled deliberately with intention and planning.
According to the IBM Cost of a Data Breach Report, the average global breach cost has reached $4.88 million. Additionally, that amount can be amplified by regulatory and legal fines. This is one reason governance and jurisdiction matter. Cost exposure isn’t limited to remediation. It extends to legal obligations, regulatory scrutiny, and cross-border enforcement.
Several pressures are accelerating the urgency of this conversation, including some extremely high-profile data breaches over the last few years. The regulatory pressure is expanding faster than IT governance in many cases. With global growth in data localization, sector-specific mandates, and audit traceability requirements, it goes deeper than just protecting your data.
Regulators increasingly assess the governance structure and authority chain. In the event of an issue, the control mechanisms will be assessed and data residency alignment verified. So even with encryption, firewalls, and access logs in place, there is still enough risk to give many boards pause.
Multi-region cloud deployments can complicate audit responses and violate sector-specific laws. It’s not uncommon for data to be accidentally routed through restricted jurisdictions, and it can subject your organization to shadow exposure.
Discovering whether your organization is compliant is often a reaction, not a proactive measure. Compliance failures are often discovered during audits or litigation, or they’re brought to light during a breach investigation. Rarely does the issue come up during architecture planning, which is when you have the most control.
So, what is a Board to do, especially if you’re in an area where diplomatic tensions are escalating, or you’re facing sanctions? Access to critical workloads could be delayed, and operational agility could slow down. Your ability to enforce contracts could weaken.
Resilience on a global level requires jurisdictional and provider diversity. Most importantly, it requires contingency planning, which leads many business leaders to the idea of sovereign segmentation. It doesn’t mean you need to abandon the cloud, but you need to redesign its use.
Sovereign & Hybrid Cloud: Balancing Agility with Control
Now, for an anxious business leader, this might be a sign to circle the wagons and go all on-premises with your cloud control.
While full authority control can seem like the safest choice in an ever-uncertain world, it leads to limited agility and slower innovation. Moreover, it’s capital-intensive, and the benefits of going all on-prem typically don’t outweigh the cost.
An all-public cloud gives you maximum scalability and global reach. It also limits your jurisdictional insulation and increases risk.
Many organizations are finding the most successful approach to be the hybrid sovereign model. This segments cloud architecture based on workload and task criticality. In other words, your sensitive and regulated areas are protected with sovereign hosting and restricted provider exposure in jurisdiction-controlled environments. At the same time, scalable and variable workloads get the performance optimization and hyper-scalability of the elastic cloud infrastructure.
Adding the integration layer with controlled APIs, identity governance, and encryption boundaries helps you get the best of both worlds.
The Benefits of Hybrid Cloud and Sovereign Expansion:
- Maintains innovation velocity
- Limits cross-border exposure
- Enhances compliance defensibility
- Enables selective data localization
- Preserves strategic flexibility
Think of it as portfolio diversification applied to IT governance. Your high-risk areas are covered conservatively, while your growth areas benefit from a more flexible environment. Cloud architecture becomes a question of risk management.
Hybrid models are already fairly dominant. Sovereignty refines how they are structured. Gartner predicts that 90% of organizations will adopt a hybrid cloud approach through 2027. So, how do you know what to keep sovereign and what is safe to move to the cloud?

Identifying Which Data Requires Sovereign Control
There’s not one hard and fast answer for every business. Generally, retaining sovereign control of certain types of sensitive data is the best approach.
Some data that’s commonly prioritized includes:
- Regulated data
- Health records
- Financial transaction systems
- Industrial control systems
- Proprietary R&D
- Identity, security, and authentication frameworks
- Executive decision analytics
The nuances of each category can look different, but it’s based on the same principle: defining sensitive data. This is the data that would have a significant impact on your business if it were manipulated, disclosed, inaccessible, or legally contested. That data should be the information you protect at all costs, because it forms the foundation of your organization.
Data that doesn’t meet this criterion benefits from the flexibility of the cloud.
If you’re having a tough time concluding which data should be sovereign and which should be cloud, try asking:
- If this data were unavailable for 72 hours, what would be the revenue impact, regulator impact, and contractual penalties?
- If this data were disclosed, would it put us at risk of legal exposure? Could it cause brand impact or competitive damage?
- If the data is legally compelled abroad, would we face a compliance conflict? What would be the cost, and what would be the expected operational delay?
The result of such a thought experiment helps you ensure that your architecture aligns with your business criticality. You’re not just going with the default infrastructure settings. Your choices are strategic and well thought out.
The question of data architecture shouldn’t be left on the shoulders of your IT team simply because they understand the technical aspects of it. It’s a conversation for your CIO, CISO, Legal leadership, and Board. At the end of the day, it can significantly impact feasibility, strategic risk, continuity oversight, and exposure.
Cloud placement impacts your corporate liability and shareholder exposure. It can affect your entire organization and is most certainly a governance question. Architecture decisions shape enterprise risk, and organizations that address this early and head-on gain leverage.

