Cloud, data and privacy: What every organization needs to know about digital sovereignty in 2026
- alissahilbertz
- 2 days ago
Data Privacy Week is an opportunity not just to reflect on obligations, but to reassess strategy. The organizations that succeed will be those that treat privacy and sovereignty not as constraints, but as foundations for sustainable digital growth. At IG&H, we'll use this week to dive into privacy and the cloud.
1. Privacy as your business enabler in the cloud era
For most organizations today, privacy is more than a compliance afterthought: it is a strategic business enabler. Trust from customers, partners, employees and regulators increasingly determines whether organizations can innovate, scale and compete. In a data-driven economy, the ability to use data responsibly is linked to reputation, resilience and long-term value creation.
At the same time, organizations have embraced the cloud at an unprecedented pace. Cloud services, often provided by companies outside the EU, allow for advanced analytics, AI use cases and global collaboration. As a result, vast amounts of personal, sensitive and commercially confidential data are now stored and processed in cloud environments. This highlights an ever-increasing dependence on these suppliers for critical business processes, data and privacy.
Because of this dependence on cloud providers and the requirements of EU privacy regulations, cloud sovereignty now sits firmly on the agenda of organizations, governments and academics alike. Questions around who ultimately controls data, which laws apply and who can access data under what circumstances have become central to modern privacy discussions. One frequently cited example is the US CLOUD Act.
2. Cloud sovereignty and the US CLOUD Act
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in the United States in 2018, enables US law enforcement and intelligence agencies to force US-based service providers to disclose data in their “possession, custody or control,” regardless of where that data is stored globally.
Key aspects of the CLOUD Act are that it applies not only to US-based companies, but also to non-US organizations that maintain a sufficient nexus to the United States, for example, through ownership structures, subsidiaries or operational control. The Act allows US authorities to request access to data irrespective of where it is physically stored, including data hosted within the European Union. Such requests are assessed under US legal processes rather than EU law, which can give rise to conflicts with European data protection and confidentiality obligations. Although service providers may challenge these requests, the legal thresholds for doing so are high and the available grounds are limited.
Importantly, the CLOUD Act was designed to address legitimate law-enforcement needs in a globalized digital economy. However, from a European privacy and sovereignty perspective, it introduces legal uncertainty. This is particularly significant when US disclosure obligations conflict with EU data protection rules. How much does sovereignty rely on location?
3. The cloud sovereignty debate: More than just location
The CLOUD Act allows US authorities, under certain conditions, to request access to data held by US service providers, even when that data is physically stored in the European Union. Cloud sovereignty is often misunderstood as a purely technical or geographical issue: Where is my data stored? In practice, it is far broader. Cloud sovereignty sits at the intersection of:
· Legal jurisdiction (which country’s laws apply)
· Operational control (who can technically access the data)
· Contractual safeguards (what cloud providers legally commit to)
· Geopolitical realities (relations between states and evolving national security priorities)
While the EU has strong data protection laws and has invested heavily in strengthening digital sovereignty through regulation, certification schemes and initiatives such as GAIA-X, the global nature of cloud services means that data is often subject to multiple - sometimes conflicting - legal regimes simultaneously. As international tensions rise, including between long-standing allies, organizations must acknowledge that sovereignty and privacy risks are not theoretical. They are embedded in how modern cloud ecosystems operate.

4. The impact on EU-based organizations
For organizations operating in the EU, the CLOUD Act creates a tension between compliance with GDPR and exposure to foreign access requests. Potential impacts include:
· Loss of exclusive control over sensitive data, which can violate privacy rights even when the data is stored in EU data centers.
· Legal conflicts where complying with a US request may violate privacy rights, EU data protection rules or confidentiality obligations.
· Increased scrutiny from regulators and customers, especially in sectors with high privacy expectations, such as healthcare, the public sector and finance.
· Reputational risk, particularly if privacy is violated and the data access becomes public in times of heightened geopolitical sensitivity.
It is important to note that the CLOUD Act does not mean US authorities have unrestricted access to EU data. Requests must meet legal thresholds. However, the possibility of access alone could be enough to trigger risk considerations and violation of privacy, especially for organizations handling high-value or highly sensitive data.
5. How can you mitigate threats to sovereignty and privacy risks in the cloud?
There is no one-size-fits-all solution. The right approach depends on your organization’s risk appetite, regulatory exposure and strategic objectives. That said, there are several steps organizations can take today. These are three possible measures to strengthen privacy in the cloud:
Use non-US providers
Where feasible, consider EU-based or non-US cloud providers that are not subject to extraterritorial legislation such as the CLOUD Act. This can significantly reduce legal exposure, particularly for sensitive workloads. European alternatives include KPNCloud, Bit and Scaleway, for example.
Adopt a hybrid cloud strategy
After all, not everything has to go into the cloud. And not all data carries the same risk: a hybrid approach allows organizations to keep their most sensitive or regulated data in controlled environments, while still benefiting from the scalability and innovation of public cloud services.
Use encryption, but avoid generic, off-the-shelf solutions
With regular cloud encryption, the provider locks your data with its own key. Using an approach such as customer-managed encryption keys (CMEK) means locking your data with your own key, so only you can provide access to it. Standard provider-managed encryption may not prevent lawful access requests.
CMEK, advanced key management architectures or confidential computing solutions can materially reduce exposure and maintain the privacy of data. For example, the European Central Bank's cloud outsourcing guidance requires supervised institutions to keep robust control of cryptographic keys, along with ensuring their data hosted in the cloud is not shared with other customers.
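To make the difference between provider-managed and customer-managed keys concrete, here is an added example (not from the original post or IG&H) that models what a provider can hand over in response to a disclosure request when it holds the key versus when the key stays with the customer. It assumes client-side envelope encryption with the key-encryption key kept outside the provider; where a provider's own key-management service hosts a "customer-managed" key, the provider still operates that key, so the stronger guarantee comes from keeping it outside. The stream cipher is a standard-library stand-in, not production cryptography.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher stand-in: HMAC-SHA256 keystream in counter mode.
    Used only so the example runs on the standard library; a real
    deployment would use AES-GCM from a vetted library instead."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_keystream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_keystream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class CloudProvider:
    """Models the provider's side: it can only disclose what it actually holds."""

    def __init__(self):
        self.objects = {}  # name -> (ciphertext, wrapped data key)
        self.keks = {}     # name -> key-encryption key, present only if provider-managed

    def disclose(self, name: str):
        """Respond to a disclosure request with whatever the provider can produce."""
        ciphertext, wrapped_dek = self.objects[name]
        kek = self.keks.get(name)
        if kek is None:                       # CMEK: the key never left the customer
            return "ciphertext", ciphertext
        dek = decrypt(kek, wrapped_dek)       # provider-managed: the provider holds the key
        return "plaintext", decrypt(dek, ciphertext)


def upload(provider: CloudProvider, name: str, plaintext: bytes, provider_managed: bool) -> bytes:
    """Envelope-encrypt client-side and store at the provider; returns the customer's KEK."""
    kek = os.urandom(32)   # key-encryption key (customer-held in the CMEK case)
    dek = os.urandom(32)   # per-object data-encryption key
    provider.objects[name] = (encrypt(dek, plaintext), encrypt(kek, dek))
    if provider_managed:
        provider.keks[name] = kek             # the provider locks the data with *its* copy of the key
    return kek


def customer_read(provider: CloudProvider, name: str, kek: bytes) -> bytes:
    """The customer unwraps the data key with its own KEK and decrypts the object."""
    ciphertext, wrapped_dek = provider.objects[name]
    return decrypt(decrypt(kek, wrapped_dek), ciphertext)
```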
Data sovereignty is built on privacy, control, trust
In a world where legal boundaries no longer align neatly with technical ones, organizations must move beyond checkbox compliance and engage with the deeper realities of privacy, control and trust. Data sovereignty is not about rejecting the cloud; it is about using it responsibly and consciously.
Authors: Giovanni Ferronato & Sten van Uitert
Want to discover how secure transformation leads to your business's sustainable growth? Reach out to:

Davide Bonalumi
Senior Manager Cybersecurity
+31615045242


