Jake Madders, Director and Co-Founder of Hyve Managed Hosting, explores why geopolitical risk is forcing organisations to rethink where their cloud workloads sit.
Gone are the days when cloud strategy focused exclusively on convenience, performance and cost. In the modern age of global instability, tariff-setting and trade disputes, a fourth factor is forcing itself into the conversation: geopolitical risk.
This has pushed organisations around the world to reassess not only where their data is located, but who can access it and under which country’s rules.
That has, in turn, led to the emergence of a trend called ‘geopatriation’: the relocation of workloads and applications out of global public clouds – typically provided by hyperscalers – and into more local environments. It is one of Gartner’s Top Strategic Technology Trends for 2026, and it reflects an emerging shift where businesses are starting to ask tougher questions around control, access and jurisdiction.
In line with this, we are seeing the concept of jurisdictional control rapidly move from a technical detail to a boardroom priority. Regulators across Europe are now asking for documented evidence of data sovereignty. Over the past year, a number of hyperscaler outages, including the major AWS incident in October, have highlighted the scale of the risk, while underlining why cloud concentration can create both operational and jurisdictional exposure.
Sovereignty is more complex, and regulators require evidence
Many providers currently offer a region selector together with a compliance statement. It is important to remember that this is different from having control. Real sovereignty is about much more than data residency. It requires clarity about which jurisdictions can compel access – not only where data sits, but who can demand to see it.
The US CLOUD Act is the example that is often cited here: US law requires providers to preserve or disclose data within their ‘possession, custody, or control, regardless of whether the data is located inside or outside the United States’. If you factor in subcontractors, global support desks and shared tooling, then ‘sovereign’ can become a marketing claim rather than something an organisation can properly evidence.
European regulators are now responding to these challenges. Increasingly, they are expecting organisations to manage supplier concentration, third-party risk and operational resilience with documented evidence, not just assurances. DORA and NIS2, the EU’s digital resilience regulations, make jurisdictional risk a compliance requirement, not simply an optional consideration.
Momentum is gathering behind the approach
Although the geopatriation trend is still in its early stages, regulatory and jurisdictional concerns are already beginning to reshape procurement decisions. In healthcare, sovereign-cloud concerns are also starting to drive concrete buying decisions, as tighter health-data governance rules in Europe push providers to scrutinise jurisdiction and data residency far more closely than before.
In telecoms, too, sovereign positioning is becoming more explicit. Deutsche Telekom launched its T Cloud division in July 2025, positioning sovereign solutions as central to its strategy. In France, Capgemini and Orange formed Bleu, a joint venture offering Microsoft services under French operational control and seeking SecNumCloud 3.2 qualification.
Despite these examples, there is still only limited awareness of the geopatriation strategy and the available sovereign alternatives within the wider European business community. If this trend is to have a real impact over time, independent European cloud providers will need to play a role in building understanding and trust.
This creates an opening for providers that can offer jurisdictional clarity alongside operational resilience. Global scale still matters, but it is no longer the only consideration. Realising this potential will require providers, regulators and industry bodies to collaborate effectively. The early signs look promising. Organisations such as CISPE, Cloud Infrastructure Services Providers in Europe, are already focused on developing a supportive regulatory framework and raising awareness of sovereign alternatives among European leaders.
Why a split architecture works
Geopatriation does not require abandoning hyperscalers entirely. For organisations considering this shift, a split structure is likely to be the best fit. One side retains hyperscale platforms as a foundation for rapid experimentation, scaling and services. The other places sensitive, regulated or operationally critical workloads into environments where control, access and accountability are easier to demonstrate.
The starting point needs to be creating an inventory of data locations and copies. Map workloads to jurisdictions according to the regulatory requirements and access rules that apply in each environment. Make sure business continuity provisions stay within the chosen boundaries. Don’t just test exit plans on paper, but also under realistic failure scenarios.
Doing this can be difficult, of course. Organisations will need to look closely at whether providers can demonstrate genuine jurisdictional separation, clear ownership models, tested recovery processes and auditable access controls. The distinction matters. Providers must be able to show that their sovereignty claims are supported by operating models, governance and technical controls, rather than branding alone.
Looking to the future, the big shift we are seeing is away from ‘are we compliant?’ to ‘can we evidence control, maintain operations through disruption and move workloads when geopolitics demands it?’
Organisations that get ahead of the curve on this will not abandon hyperscale. They will use it with cleaner boundaries and clearer answers about jurisdiction and access – while retaining the option to move when circumstances dictate.
