When most organisations talk about sovereignty in the cloud, the conversation often starts and stops with data sovereignty. Where is my data stored? Which country’s legal framework applies? For many, the answer has seemed straightforward: deploy workloads in a local region offered by a hyperscaler and assume the problem is solved.
But that view is too simplistic. As Nine23’s CTO, Dan Hilton, recently highlighted on the TechUK panel “Navigating Sovereignty in the Era of Cloud Computing”, sovereignty in today’s world is about far more than where data rests.
From Data Sovereignty to Operational Sovereignty
Cloud platforms are global by design. Even if your workloads are deployed in a UK region, your data often moves across borders for resilience, optimisation, or management. That means your operational sovereignty (your ability to continue operating securely and effectively) is just as critical as your data sovereignty.
For example, what happens if:
- A subsea cable is disrupted, slowing access to your identity provider?
- A cloud-based identity service is unavailable for 30 days?
- Latency spikes impact mission-critical systems?
These aren’t theoretical “what ifs”, they’re sovereignty questions organisations must address as part of modern risk management.
In fact, we’ve just seen this play out. Microsoft confirmed that undersea cable cuts in the Red Sea disrupted Azure cloud services, forcing the company to reroute traffic and leaving users facing increased latency across parts of the Middle East, Asia, and beyond. Cables like these (the backbone of the internet) can be damaged accidentally or deliberately. For organisations dependent on cloud, the impact is immediate: slower performance, reduced resilience, and uncertainty over critical services.
This is a live example of operational sovereignty in action and why the debate must move beyond where data sits.
The Cloud Trade-Off
At Nine23, we’re enthusiastic about the cloud. It delivers flexibility, agility, and speed to innovate. But like any technology, it comes with trade-offs. The challenge isn’t whether to use the cloud, but how to make assured, intelligent decisions about what belongs there, backed by evidence and a clear understanding of risks.
Not every service needs to be sovereign. What matters is recognising where sovereignty matters most and documenting the decision. That’s what good governance and security-led risk management look like.
A Smarter Sovereignty Conversation
Too often, organisations adopt cloud services without fully considering the operational dependencies they create. Sovereignty isn’t about rejecting cloud; it’s about being clear on:
- What risks you’re accepting.
- What risks you’re mitigating.
- Where sovereignty really matters.
This is the conversation that needs to happen at board level, particularly for sectors like defence, government, and critical national infrastructure.
Watch the Full Panel
Dan shared these insights and more during TechUK’s webinar Navigating Sovereignty in the Era of Cloud Computing. You can watch the full session here: TechUK Panel Recording.
