The Sovereignty Scramble: Why Enterprises Are Rethinking Where Their Data Lives — and Who Controls It

A major new Thales study reveals rising cloud breaches, sovereignty fears, and encryption gaps as enterprises grapple with multi-cloud complexity and SaaS sprawl, reshaping how organizations think about data control and cloud security strategy.
Written by Dave Ritchie

For years, the default posture of enterprise IT was simple: move to the cloud, consolidate vendors, and let hyperscalers handle the heavy lifting. But a growing body of evidence suggests that posture is shifting — not away from the cloud, but toward a more fractured, regulation-aware, and sovereignty-conscious model of cloud computing that is reshaping procurement decisions, vendor strategies, and the very architecture of global IT infrastructure.

A sweeping new report from Thales, the French defense and technology conglomerate, has laid bare the tensions at the heart of modern cloud adoption. The 2025 Thales Cloud Security Study, conducted in partnership with S&P Global’s 451 Research unit, surveyed more than 3,100 IT and security professionals across 37 industries and 18 countries. Its findings paint a picture of an enterprise world that is increasingly anxious about data sovereignty, multi-cloud complexity, and the expanding attack surface that comes with aggressive SaaS adoption.

Data Breaches in the Cloud Are No Longer Hypothetical — They’re Routine

According to the Thales study, as reported by TechRepublic, 73% of respondents said they use more than two cloud infrastructure providers, and nearly half — 46% — reported managing more than 100 SaaS applications. That proliferation has created significant blind spots. The report found that cloud assets have become the top targets for cyberattacks, with SaaS applications (31%), cloud storage (30%), and cloud management infrastructure (26%) ranking as the most frequently attacked categories.

The consequences are tangible. The study revealed that 31% of organizations experienced a cloud data breach in the past 12 months, up from 27% the year prior. Perhaps more troubling, the rate of enterprises that said they had never been breached dropped sharply, suggesting that the expanding cloud footprint is making incidents more likely, not less. Eric Hanselman, chief analyst at S&P Global’s 451 Research, was quoted in the report noting that “the sheer scale and complexity of SaaS operations present ongoing security and compliance challenges.”

Sovereignty Is No Longer Just a European Concern

One of the most striking findings in the Thales report is the degree to which data sovereignty has become a board-level concern. According to TechRepublic, a full two-thirds of respondents — 66% — identified data sovereignty as a major or very significant worry. The reasons are both regulatory and geopolitical. In the European Union, the General Data Protection Regulation (GDPR) and the newer Data Act have imposed strict requirements on where data can be stored and processed. But the concern extends well beyond Brussels. Countries from India to Brazil to Australia have enacted or proposed data localization laws that compel organizations to keep certain categories of data within national borders.

The sovereignty question is not purely legal. It is also a matter of trust. Enterprises operating in sectors like defense, healthcare, and financial services are increasingly wary of storing sensitive data with providers subject to foreign government jurisdiction. The U.S. CLOUD Act, which allows American law enforcement to compel U.S.-based cloud providers to hand over data regardless of where it is stored, has been a particular flashpoint. European organizations, in particular, have expressed concern that relying on American hyperscalers like AWS, Microsoft Azure, or Google Cloud could expose them to extraterritorial data requests that conflict with EU law.

The Multi-Cloud Reality: More Providers, More Problems

The Thales data underscores a paradox at the center of enterprise cloud strategy. Organizations are spreading their workloads across more providers in pursuit of resilience, best-of-breed capabilities, and negotiating leverage. But that diversification comes at a cost. Managing encryption keys, access controls, and compliance obligations across three, four, or five cloud environments is exponentially more complex than doing so in one. The report found that only 33% of respondents said they encrypt more than half of their sensitive cloud data, a figure that security professionals described as alarmingly low given the threat environment.

Sebastien Cano, senior vice president for cloud protection and licensing at Thales, said in a statement accompanying the report that organizations must “move beyond compliance checklists” and adopt what he called “operational sovereignty” — the ability to control and audit data processing, encryption, and access in real time, regardless of which cloud provider is hosting the workload. That concept, while not new, is gaining traction as enterprises realize that contractual guarantees from cloud providers may not be sufficient to satisfy regulators or protect against state-sponsored cyber threats.

SaaS Sprawl and the Shadow IT Problem

The explosion in SaaS usage has introduced another layer of risk that the Thales report highlights. With nearly half of enterprises managing more than 100 SaaS applications, the challenge of maintaining visibility into where sensitive data resides has become acute. Shadow IT — the use of unauthorized applications by employees — compounds the problem. Security teams often lack the tools or authority to audit every SaaS tool in use, and many SaaS vendors do not offer the granular encryption and access controls that enterprise security policies demand.

This is not merely a theoretical risk. High-profile breaches at SaaS providers in recent years, including incidents affecting Snowflake customers and the MOVEit file transfer vulnerability exploited in 2023, have demonstrated that third-party SaaS platforms can become vectors for massive data exfiltration. The Thales report’s finding that SaaS applications are now the single most targeted cloud asset category reflects this reality. As TechRepublic noted, the growing attack surface created by SaaS proliferation is forcing organizations to rethink their approach to vendor risk management and data classification.

Sovereign Cloud Offerings Are Multiplying — But Questions Remain

In response to these pressures, every major cloud provider has launched or expanded sovereign cloud offerings. Microsoft announced its EU Data Boundary initiative, designed to keep European customer data within the EU. Google Cloud has partnered with local operators like T-Systems in Germany and S3NS in France to offer sovereign cloud options that keep encryption keys under local control. AWS has introduced dedicated Local Zones and sovereign cloud commitments for government customers. Oracle, SAP, and a host of smaller European providers like OVHcloud and Scaleway have also positioned themselves as sovereignty-first alternatives.

Yet industry analysts caution that not all sovereign cloud offerings are created equal. Some provide data residency — meaning the data is stored within a particular jurisdiction — but do not guarantee that the provider’s personnel or systems outside that jurisdiction cannot access it. Others offer varying degrees of operational control, from customer-managed encryption keys to fully air-gapped environments. The lack of a universal standard for what constitutes a “sovereign cloud” has created confusion in the market and made procurement decisions more difficult for enterprise buyers who must satisfy regulators in multiple jurisdictions simultaneously.

The Encryption Gap and the Road Ahead

Perhaps the most actionable finding in the Thales report is the persistent gap between the sensitivity of cloud-stored data and the encryption practices applied to it. With only a third of organizations encrypting more than half of their sensitive cloud data, there is a significant exposure that no amount of perimeter security can fully mitigate. The report recommends that organizations adopt a “secure by default” posture that includes encrypting all sensitive data at rest and in transit, maintaining independent control of encryption keys, and implementing continuous monitoring of cloud access patterns.

The challenge, as always, is execution. Encryption at scale introduces latency, increases operational complexity, and can conflict with the functionality of certain SaaS applications that require access to plaintext data for processing. Organizations must balance security with usability, and that balance is different for a hospital managing patient records than for a media company managing advertising analytics. The Thales report does not pretend there is a one-size-fits-all answer, but it makes a compelling case that the status quo — in which most sensitive cloud data remains unencrypted and sovereignty controls are inconsistently applied — is unsustainable.

What the Data Tells Us About Where Enterprise Cloud Is Heading

Taken together, the findings from the 2025 Thales Cloud Security Study suggest that the next phase of enterprise cloud adoption will be defined less by migration speed and more by control. Organizations are not retreating from the cloud; they are demanding more from it. They want the elasticity and innovation of hyperscale platforms, but they also want the assurance that their data is subject to their rules, their encryption, and their jurisdiction. Whether the industry can deliver on that promise — without fragmenting the global cloud market into incompatible national silos — is one of the defining questions of enterprise technology in the second half of this decade.

For CISOs, CIOs, and procurement leaders, the message from the data is clear: cloud security can no longer be treated as an afterthought or delegated entirely to providers. The shared responsibility model that has governed cloud security for the past decade is evolving into something more demanding — a model in which enterprises must take active, continuous ownership of their data’s security and sovereignty, no matter where it resides.
