In 2026, the health of data centers and critical IT infrastructure determines the resilience and competitiveness of entire countries, according to TechRadar. The Bank of England linked a slowdown in UK GDP to the Jaguar Land Rover cyberattack, showing how a severe security incident can ripple across the whole economy. Yet many organizations have unwittingly ceded control over their data by outsourcing to overseas cloud providers, governed by foreign laws and managed beyond domestic oversight.
The economic cost of lost control
For a decade, businesses raced to put data into cloud storage for efficiency and lower costs. But in chasing convenience, they surrendered visibility and control. Warren O’Driscoll, Head of Security Practice at NTT DATA UK&I, noted that few boards recognized that outsourcing infrastructure meant surrendering control. Today, as geopolitical tensions flare and cyber espionage actors adopt new AI tools, that trade-off is catching up.
Three drivers pushing sovereignty to the top of the agenda
TechRadar identifies three key developments that are pushing data sovereignty to the forefront of Critical National Infrastructure (CNI) and enterprise cybersecurity:
| Driver | Description |
|---|---|
| Weaponization of digital infrastructure | From sabotage of subsea cables to cyberattacks exploiting cloud supply chains, digital infrastructure has become a target for geopolitical influence. Russia’s repeated cyber attacks on Ukraine’s power and telecommunications systems illustrate the vulnerabilities. |
| Tightening global regulation | The EU Cyber Resilience Act and NIS2 Directive demand accountability throughout supply chains and impose penalties for opaque governance. Similar frameworks are emerging worldwide. |
| Eroding trust in overseas data protection | Last summer, Microsoft testified before the French Parliament, admitting it cannot guarantee that data it holds is immune to US government data requests. This laid bare the truth behind so-called 'local hosting'—your data might sit in a European data center, but if the owner is headquartered overseas, control remains elsewhere. |
What true sovereignty means
'Data sovereignty' is often narrowly defined as data residency, but O’Driscoll argues that true sovereignty is about control—full legal and operational authority over who can access data, how it is processed, and under which jurisdiction it is governed. Years of outsourcing critical infrastructure have created layers of operational dependency that governments now recognize as a critical risk.
Implications for supply chain cybersecurity
For supply chain technology managers, the lesson is clear: you cannot secure what you do not control. The weaponization of cloud supply chains and the demand for regulatory compliance mean that every link in the digital supply chain must be scrutinized. As the Bank of England’s analysis of the Jaguar Land Rover incident shows, a single breach can cascade through the economy. Enterprises must reassess where their data resides, who has access, and what legal frameworks govern it—not just for their own operations but for every supplier and partner in their ecosystem.
Sources:
