Compliance emerges as competitive differentiator amid rising data sovereignty scrutiny
- Summary:
- Confluent's Peter Pugh-Jones argues that as regulatory red tape intensifies, data sovereignty has moved from a compliance checkbox to a board-level priority, and that organizations must take control through governance tools.
Data sovereignty has shifted to the top of the executive agenda as mounting geopolitical friction and regulatory scrutiny turn compliance from a tickbox exercise into a commercial priority.
The question of where data lives and how it’s controlled is now shaping procurement discussions, vendor selection, and even system design. It’s also forcing firms to rethink what counts as data risk.
Where the issue of sovereignty once focused on sensitive material such as financial transactions, health records, or customer identities, organizations are now taking a much broader view.
Email addresses, system logs, usage data and even metadata — which once might have been considered “low value” — are all being reassessed as organizations move to show demonstrable control over all of their data, not just their most sensitive assets.
Take Robinhood, the US-based trading platform, as an example. In an interview with diginomica in 2024, the company pointed to data sovereignty as one reason for choosing Confluent, citing the need to trace where data originates, where it ends up, and how it moves through systems over time.
As one of its data leaders explained, “we need to know where data originates, where it ends up, and how long it spends at each point in the system.”
That level of visibility allows it to explain data flows to regulators when needed, illustrating how sovereignty is increasingly tied to control and auditability, not just where data is stored.
Sovereignty is more than geography
In other words, sovereignty is no longer simply a question of geography, but of whether organizations can demonstrate control over how data moves and is accessed. Organizations want to know what information they can move across borders, under what circumstances, and with what safeguards. And it’s an issue that goes to the very heart of today’s cross-border business environment.
Consider a global helpdesk operating out of multiple countries providing 24/7 support. If a ticket is raised in one country, can it be handled by someone in another without breaching local rules on data access? And even if the data itself never moves, does remote access from a different jurisdiction constitute exposure?
These are the kinds of practical questions now shaping procurement discussions. And organizations are desperate to find the answers.
This widening definition of sovereignty — along with ongoing uncertainty — helps explain why compliance and legal oversight have become a board-level concern. And it’s why more and more vendors are facing scrutiny over their approach to compliance.
At Confluent, we’ve seen a threefold spike in sovereignty-related inquiries in the last year alone. Not long ago, it might have been covered in a few lines buried deep within a 700-question compliance form. Today, some organizations are issuing entire questionnaires dedicated solely to data residency, cross-border access, and operational control.
Compliance is moving up the agenda
In sectors such as financial services, the issue of sovereignty is even more acute. In many cases, it’s being raised in meetings even before the technical merits of a solution are discussed.
This change has been prompted, in part, by the introduction of frameworks such as the Digital Operational Resilience Act (DORA).
This EU regulation requires financial firms to strengthen and test their resilience to ICT and cyber risks, including those posed by third-party tech providers. This is important because when organizations move to managed platforms, they hand over day-to-day operations to the provider.
They no longer manage the servers, decide who patches the systems, or control which engineer handles an incident. Yet accountability does not move with that handover. If data is accessed from another country, if logs are incomplete, or if controls cannot be demonstrated, it is the organization — not the cloud provider — that must answer for it.
This means having visibility into how data moves in real time, how it is structured, and who can access it at each stage. Capabilities such as stream governance, schema control, and end-to-end data lineage are becoming critical, allowing organizations to enforce standards consistently, track how data flows across systems and borders, and demonstrate compliance after the fact.
Without that level of control, sovereignty remains difficult to prove in practice. And that’s not all.
While a technology team within a bank, retailer or health provider may be comfortable with shared responsibility models and global delivery, those in charge of legal or compliance teams may not share that outlook. This has opened up a compliance gap within organizations, and it is vendors who are increasingly acting as a bridge.
Compliance is now a commercial differentiator
All of which points to one thing. Compliance is becoming a competitive selling point in its own right. With customers demanding greater transparency, vendors looking to differentiate themselves are doubling down on their certifications, audit regimes, and governance frameworks as part of their core value proposition.
And this effort is not without cost. Certifications have to be maintained. Audits repeated. Questions answered. That all takes money and people.
So what does this mean for companies looking to navigate their way through increasing amounts of red tape? Ultimately, it means acknowledging what’s going on and taking control. That starts with auditing your data — knowing what you hold, where it sits, and who can access it.
Using governance to your advantage
It means aligning technical and compliance teams on risk and accountability. And it means working closely with cloud partners to understand how control is maintained in practice. How this is handled could prove to be a useful indicator of how deeply compliance is embedded in a vendor’s organization.
It's easy to look at what's happening today and think of it as yet another costly regulatory burden. And yet, viewed from a different angle, it could be seen as a shift in cloud maturity where governance and oversight are emerging from the wings.
What’s more, the issue of sovereignty will not remain in the spotlight forever. In recent months, we’ve seen a couple of inquiries around post-quantum cryptography. They could be a one-off. Equally, they could be the start of the next regulatory wave. Who knows?
What we do know, though, is that despite all the concerns, the cloud market is adjusting. Providers are investing in clearer operational boundaries, stronger documentation, tighter access controls, and more transparent reporting. That has to be a good thing.