Who Really Controls Your Data in the Cloud and AI Era?

Who Really Controls Your Data in the Cloud and AI Era?

Vijay Raina is a distinguished figure in the landscape of enterprise SaaS and software architecture, where he has spent years refining the intersection of technical design and regulatory compliance. As a specialist in SaaS technology and tools, he provides the kind of high-level thought leadership that bridges the gap between complex engineering and the strategic needs of global enterprises. In a world where data is often called the new oil, Raina serves as a seasoned navigator for organizations trying to protect their most valuable assets amidst shifting geopolitical tides and increasingly aggressive regulatory frameworks.

This interview explores the evolving definition of digital sovereignty, moving beyond the traditional focus on server locations to a more holistic view of operational and administrative authority. We discuss the significant impact of European legislative efforts, such as the proposed Cloud and AI Development Act, and the competitive responses from global hyperscalers like Microsoft, Google, and Oracle. Furthermore, we examine the practical steps customers must take during contract negotiations to ensure their sovereignty claims are backed by enforceable technical controls rather than mere marketing promises.

Digital sovereignty has shifted from being a simple checkbox for server locations to a complex, multi-dimensional business risk. How should organizations redefine their understanding of control in an era where data residency is no longer enough to guarantee privacy?

The old way of thinking about data residency—simply knowing which city your servers sit in—is fundamentally stale in today’s geopolitical climate. Now, we have to look at a multi-layered stack that includes operational control and administrative access, which essentially asks who has the “keys to the kingdom” regardless of where the hardware is bolted to the floor. For instance, even if your data is sitting in a pristine data center in the heart of the EU, if the provider is headquartered in the United States, they may still be subject to the U.S. CLOUD Act, which can compel them to hand over data. True sovereignty requires a deep dive into who can view or modify your systems, where the support engineers are physically located, and whether the provider can unilaterally suspend your service due to a shift in international sanctions. It is a sensory shift for most IT leaders, moving from a “where” mindset to a “who and how” mindset that encompasses everything from encryption key management to the resilience of the underlying supply chain.

The European Union is currently making waves with the proposed Cloud and AI Development Act and various other frameworks like DORA and NIS2. What does this aggressive regulatory posture mean for the future of the global cloud market, especially considering the current dominance of non-EU providers?

The stakes right now are incredibly high because EU cloud providers currently hold only about 15 percent of their own market, a statistic that has sounded an alarm for European policymakers. The publication of the Cloud and AI Development Act proposal on June 3, 2026, signals a massive push to reclaim this territory, with a bold target of tripling EU data center capacity by the year 2030. This isn’t just about local pride; it’s about mitigating the economic and resilience risks that come when the majority of your infrastructure is controlled by three major U.S. hyperscalers. Frameworks like DORA and NIS2 are putting teeth into these concerns by requiring financial entities and critical sectors to manage their third-party risks with extreme prejudice, often requiring contractual protections that non-EU providers struggle to meet without significant architectural changes. If a sovereign cloud offering can’t demonstrably satisfy these specific requirements, it doesn’t offer compliance relief—it actually creates a new layer of regulatory exposure for the customer.

Major technology providers have begun rolling out specialized “Sovereign Cloud” tiers to meet these new demands. When you look at the offerings from companies like Microsoft, Google, and Oracle, how can a customer distinguish between genuine operational transformation and what some call “sovereignty-washing”?

This is the billion-dollar question in procurement right now, because “sovereignty-washing” is a very real threat where providers layer thin, localized controls over their existing global infrastructure without changing the underlying jurisdictional risks. For example, Microsoft has introduced a tiered approach including Sovereign Public and Private Clouds, featuring a “Data Guardian” role that restricts remote access specifically to personnel residing in Europe. Google and Oracle are following suit with customer-managed encryption and logically separate infrastructure, but the savvy customer has to look for enforceable, auditable technical controls rather than just contractual assurances. You have to ask if the provider can unilaterally modify these commitments or if they are backed by physical hardware security modules where the customer retains the only copy of the encryption keys. If the sovereignty “solution” relies primarily on a press release or a blog post rather than a locked-down, transparent technical architecture, it likely won’t stand up to a rigorous audit by a regulator.

The integration of Artificial Intelligence into SaaS and cloud services adds a whole new layer of complexity to these sovereignty concerns. What specific risks do organizations face when their data is used to train models, and how can they protect themselves?

AI changes the game because the data isn’t just being stored; it’s being “digested” to improve or train models, which creates a permanent and often invisible footprint. The EU AI Act is already introducing governance obligations for high-risk systems, and customers must be vigilant about whether their sensitive data is being vacuumed up to benefit the provider’s general-purpose models. In any negotiation, the contract must explicitly prohibit the use of customer data for training without authorization and ensure that AI-generated outputs are subject to the same localization controls as the raw data itself. We are seeing a push for more “local” AI workloads that can run entirely within a customer’s own data center, similar to the Microsoft 365 Local model, to avoid the risk of data leaking into a global training set. It’s a matter of ensuring that the “brain” of the AI remains as geographically and operationally restricted as the database that feeds it.

Given that digital sovereignty is ultimately a contractual issue, what are the most critical, non-negotiable clauses that customers should be revisiting in their SaaS and cloud agreements today?

You have to move past the marketing fluff and get specific about government access request procedures, specifically demanding that the provider notifies the customer and challenges overbroad requests from foreign jurisdictions. Audit and reporting rights are equally critical; you shouldn’t just take their word for it—you need a contractual right to receive third-party audit reports on a regular basis to verify that sovereignty controls are actually functioning. Exit assistance is another area that is often overlooked; you must be guaranteed the right to retrieve your data in a usable format and migrate to another provider without operational disruption if the geopolitical or regulatory landscape shifts. Finally, ensure that all sovereignty commitments “flow down” to subcontractors and hyperscale infrastructure dependencies, because a chain is only as strong as its weakest link, and a sovereign SaaS provider running on a non-sovereign hyperscaler is a disaster waiting to happen.

What is your forecast for digital sovereignty over the next decade?

I expect we will see a fragmenting of the global internet into “sovereignty zones” where the technical architecture of a service is fundamentally different depending on where the customer is located. By 2030, the push to triple data capacity in regions like the EU will likely lead to the birth of a new class of “National Partner Clouds” that are physically and logically disconnected from the global backbone, making true operational independence the standard rather than a premium feature. Organizations that fail to bake these requirements into their contracts now will find themselves facing a “sovereignty debt” that will be incredibly expensive and disruptive to pay off when regulators eventually come knocking. We are moving toward a world where the ability to “unplug” or “localize” a workload at a moment’s notice will be the ultimate measure of a company’s digital resilience and maturity.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later