Data sovereignty emerges as universal business risk just as billions flow to US clouds

Derek du Preez, September 18, 2025
Summary:
As the UK celebrates record US tech investment totaling tens of billions this week, new research from Pure Storage reveals that 100 percent of industry leaders now view data sovereignty risks as forcing organizations to reconsider where their data is located, highlighting a contradiction between courting foreign cloud giants and maintaining control over critical digital infrastructure.

As President Trump's UK State Visit draws to a close with tens of billions in US tech investment pledges, a contradiction emerges. While Microsoft commits £22 billion and Google promises £5 billion to expand their UK operations, new research suggests organizations are increasingly concerned about the very dependencies such investments create.

Pure Storage released findings this week showing that 100 percent of industry leaders surveyed across nine countries now view data sovereignty risks as forcing organizations to reconsider where their data is located. The irony should not be lost on us - as the UK celebrates record AI investment from American hyperscalers, every single expert interviewed for the research expressed concern about the geopolitical risks of depending on non-domestic providers.

Patrick Smith, Field CTO EMEA, Pure Storage, outlines the research, which was conducted with the University of Technology Sydney, and says:

Data sovereignty has just become the hottest topic that, in a funny way, almost nobody is talking about. Nobody wants to admit to doing anything about data sovereignty, but it seems to be on everybody's mind at the moment.

The research paints a picture of organizations caught in an uncomfortable bind. On one hand, they're keen for the innovation and scale that come with hyperscaler cloud services. On the other hand, they're increasingly aware that such dependencies create new categories of business risk that didn't exist when there was more geopolitical stability. It's hard to deny that during the rise of public cloud services, inter-country tension was far less of a consideration.

The perfect storm

Smith identifies three converging factors: growing awareness of data sensitivity, the dominance of US-based hyperscalers, and an increasingly fractured geopolitical landscape. The numbers from the survey are clear - 92 percent of respondents said geopolitics is increasing sovereignty risks, while 85 percent warned that inadequate sovereignty planning would result in loss of customer trust. Smith explains: 

What we're seeing is increasing geopolitical uncertainty, together with potential evolution of regulation, plus regulation that's already in place, meaning that data sovereignty is moving from being a compliance issue to actually being viewed as a fundamental business risk that can impact competitiveness, innovation and customer trust.

This isn't theoretical. The research points to concrete examples where services have been "turned off by foreign entities" under political pressure, while some hyperscalers are now "providing new offerings that actually contractually aim to distance themselves from the US and some of the regulation in the US that may impact service availability."

The fact that cloud providers themselves are acknowledging these risks and attempting to contractually mitigate them speaks volumes about the seriousness of the threat landscape.

The UK's awkward dance

Against this backdrop, this week's investment announcements take on a different tone. Yes, Google's £5 billion commitment and Microsoft's £22 billion pledge represent substantial votes of confidence in the UK economy. But they also represent a deepening of exactly the kind of dependencies that the Pure Storage research suggests organizations should be worried about.

The contradiction isn't lost on critics. Mark Boost, CEO of UK cloud provider Civo, argues that while tech investment should be welcomed, this deal ultimately takes another step towards surrendering the UK's digital sovereignty (see George Lawton's piece on diginomica this week). Boost points to the US CLOUD Act, noting that "none of the 'Big Three' providers can offer true digital sovereignty, leaving British businesses and public bodies completely at the mercy of American data laws."

It's an uncomfortable truth that sits alongside the celebratory press releases. NVIDIA's planned deployment of 120,000 high-end GPUs across Britain may represent the largest such deployment in Europe, but it also creates an infrastructure dependency that would be difficult to unwind should geopolitical relationships sour.

Pure Storage's research suggests organizations are acutely aware of this tension. When asked about customer approaches to data sovereignty, Smith notes that "because this topic has really only started to gain traction since the beginning of the year, I think they're still looking at the landscape and trying to understand whether they're going to be forced to do something by regulation or not."

The result? A wait-and-see approach that feels increasingly untenable as dependencies deepen and geopolitical tensions persist.

The AI factor

One area where the tension between sovereignty and innovation is particularly acute is Artificial Intelligence. The UK's AI hunger is evident in every policy announcement, with Prime Minister Keir Starmer betting big on the technology to transform government operations. But AI workloads often require the scale and specialized infrastructure that only hyperscalers can provide.

Smith sees some cause for optimism here, noting a shift in AI focus from training to inference:

What I think we're seeing now, and has been talked about with NVIDIA, is the move away from a focus on training to inference. And when you move to inference, you're very much looking at a pre-trained model and your own data.

This shift could make sovereignty concerns more manageable, since inference workloads can potentially run on sovereign infrastructure while leveraging pre-trained models developed elsewhere. But it's a nuanced distinction that requires planning to implement effectively.

The cost of sovereignty

Perhaps the most sobering aspect of the Pure Storage research is its assessment of the financial implications. When asked about return on investment, Smith is blunt: 

This is not an ROI place. This is 'it's going to be expensive to mitigate risk,' because you are having to rework applications, especially those organizations - and pretty much every organization who's been tempted to move up the stack within the hyperscalers, from IaaS to Platform as a Service.

The lock-in effect is particularly acute for organizations that have embraced platform-as-a-service offerings:

There’s much more lock-in when you get to Platform-as-a-Service capabilities that are only really available in the three big hyperscalers. So as soon as you go to a domestic sovereign cloud or MSP, they tend to only be offering IaaS - they're not offering that broad set of PaaS offerings that so many people like. So that means a whole load of rework.

This creates a difficult choice: accept the sovereignty risks that come with hyperscaler dependencies, or face the "incredible amount of time, effort, money that would be needed to untangle an organization from hyperscalers, plus loss of access to the innovation that comes with hyperscaler environments."

Three paths forward

The research identifies three possible approaches organizations can take. The first is to "do nothing" - effectively stick heads in sand and hope for the best. The second is complete sovereign control, untangling from all non-domestic providers. The third, and recommended approach, is a hybrid model that keeps critical workloads sovereign while leveraging public cloud for less sensitive functions. Smith explains of the all-or-nothing approaches:

Both of those come with a huge amount of risk. Do nothing comes with the risk of service disruption or loss of data, or data leakage to third parties. Moving to complete sovereign data centers comes with the incredible amount of time, effort, and money that would be needed to untangle an organization from hyperscalers.

The hybrid approach requires what Smith calls "a more intentional approach to risk assessment" - understanding what's truly critical and what can safely reside in non-sovereign environments. It's a nuanced strategy that demands both technical sophistication and clear business priorities.

Perhaps most significantly, the research suggests regulatory change is inevitable. Smith notes:

The European Union is absolutely talking about data sovereignty and what they need to do to ensure that they remain competitive on the world stage, but also are not at risk from dependency on non-EU providers should a competitive scenario turn challenging or problematic.

The EU faces a particular challenge here - balancing sovereignty concerns with competitiveness. Smith adds:

The EU has to walk a tightrope because the EU, I think, has become much more sensitive to the fact that regulation holds organizations back, makes them less competitive on the world stage. 

This regulatory evolution could fundamentally reshape the investment landscape that's currently being celebrated. Sovereign capabilities that seem optional today may become mandatory tomorrow, forcing organizations to reconsider infrastructure strategies they're cementing with this week's investment announcements.

My take

The uncomfortable truth emerging from this research is that data sovereignty concerns and hyperscaler dependencies are on a direct collision course. While this week's investment pledges represent genuine economic opportunities for the UK, they also deepen the kind of infrastructure dependencies that create new categories of business risk.

The challenge for enterprise technology buyers is threading the needle between innovation and control. The hybrid approach Smith advocates makes strategic sense, but requires a level of planning that many organizations have yet to embrace. More critically, it requires honest assessment of what happens when geopolitical relationships deteriorate and the infrastructure you depend on becomes a liability rather than an asset.

The research suggests we're past the point where these concerns can be dismissed as theoretical. With 100 percent of survey respondents acknowledging sovereignty risks and 78 percent already changing their data strategies in response, the question isn't whether data sovereignty will become a defining issue for enterprise IT - it's whether organizations will adapt proactively or reactively.

For now, the celebration of this week's investment announcements is understandable. But the real test will come when organizations have to navigate the increasingly complex reality of maintaining innovation while preserving control in a world where data location increasingly matters as much as data itself.
