The data sovereignty and technology control dilemma: global reach, political risk

In a world where geopolitical tensions increasingly shape global business operations, European organizations face a growing dilemma: how to remain compliant, competitive, and secure in a landscape shaped by overlapping and often conflicting legal regimes, compounded by political pressure.

Staying out of opposing political spheres is getting harder. The rise of data legislation with extraterritorial effect means that being compliant with one jurisdiction may directly conflict with obligations in another. This legal tension creates uncertainty for businesses. Especially those working across borders face difficult choices between market access, legal exposure, and data sovereignty. In this context, compliance is no longer just a legal checkbox—it’s a strategic balancing act that impacts competitiveness and trust.

Legal overlap meets political leverage

European businesses operate in a deeply interconnected global market. Yet this digital and economic interdependence increasingly exposes them to political vulnerability. For example, U.S.-based tech and cloud providers can be compelled to hand over data—even if the data is stored on European soil.

Such legislation directly clashes with the EU’s General Data Protection Regulation (GDPR), which imposes strict requirements on data privacy and prohibits unauthorized international transfers. The result? Companies can find themselves caught in a legal double bind—facing pressure to comply with conflicting laws from powerful jurisdictions.

More broadly, as seen in high-tech sectors, strategic assets like data are becoming tools in international political contests. This growing politicization of information means that compliance decisions are not only legal—they’re increasingly geopolitical.

Encryption: more than a technical solution—separate business from politics

In this high-stakes environment, data encryption stands out as a critical enabler of sovereignty, trust, and resilience. When properly implemented, encryption ensures that even if foreign authorities gain access to stored data, the content remains unintelligible without locally held decryption keys. This helps businesses:

• Mitigate extraterritorial exposure by denying access to readable data,

• Demonstrate GDPR compliance through technical safeguards,

• Reassure partners and customers by protecting sensitive information regardless of jurisdictional conflict.

To be effective, encryption strategies must include:

• End-to-end encryption for data at rest and in transit,

• Exclusive EU-based key management, avoiding foreign control,

• Zero-trust architecture, limiting access even within the organization,

• Provider contracts that limit data exposure to non-EU laws,

• Regular audits and encryption policy updates to stay aligned with evolving legal requirements.

Encryption, in short, has evolved from an IT tactic to a strategic risk management tool.

Strategic resilience in a geopolitical age

The broader conclusion from industries under geopolitical strain is this: European businesses must future-proof themselves against rising political and regulatory uncertainty. That means building strategic resilience across digital infrastructure, legal governance, and supply chains.

From a data perspective, this involves:

• Managing reliance on non-EU cloud and technology providers,

• Prioritizing digital sovereignty through encryption and localization,

• Embedding legal foresight into data architecture, anticipating future conflicts.

These steps not only guard against legal and regulatory risk but also enhance operational flexibility and long-term competitiveness.

ENISA’s 2024 cybersecurity insights

The European Union Agency for Cybersecurity (ENISA) released its first-ever State of Cybersecurity in the Union report in December 2024, offering an evidence-based overview of the EU’s cybersecurity posture and areas needing strategic improvement.

Key takeaways include:

• Elevated Threat Environment: Cyber risks remain high across the EU, with attackers exploiting newly discovered vulnerabilities that could disrupt essential services.

• Fragmented Implementation: Differences in how Member States and sectors apply cybersecurity strategies hinder a unified defense posture.

• Workforce Deficit: A widening skills gap continues to undermine resilience efforts—nearly half of organizations report difficulty in finding qualified personnel, and women remain underrepresented in the field.

To address these issues and strengthen digital sovereignty, ENISA presents six core policy recommendations:

1. Strengthen policy implementation and ensure consistent execution across the Union,

2. Improve cyber crisis management preparedness and coordination,

3. Secure supply chains to protect against upstream vulnerabilities,

4. Expand cybersecurity skills development and workforce diversity,

5. Promote awareness and cyber hygiene practices across sectors,

6. Foster alignment between regulatory frameworks and technical standards.

These recommendations are not just policy directives—they reinforce the strategic need for proactive governance, localized data control, and resilience planning across both the public and private sectors.

Lessons from the Netherlands: a case study in Cloud Risk

The Netherlands Court of Audit’s 2025 report, Dutch Central Government in the Cloud, provides a real-world example of the risks of inadequate cloud oversight:

• Missing Risk Assessments: Two-thirds of the most critical public cloud services lacked the legally required risk evaluations.

• Unclear Cloud Usage: A significant number of cloud applications had undefined deployment models, complicating oversight and governance.

• Foreign Dependencies: Over 50% of the Dutch government’s cloud services were hosted by U.S.-based providers, raising concerns about jurisdictional control.

• Policy Fragmentation: Lack of cohesion across ministries hindered consistent cloud security practices.

The report underscores the importance of coordinated cloud strategies, transparent provider relationships, and robust contractual safeguards—principles equally relevant to private-sector organizations navigating similar risks.

Conclusion: data control is the New Strategic Autonomy

As global data regulation becomes an instrument of geopolitical influence, the compliance dilemma facing European companies will only intensify. Navigating this new normal requires more than legal advice—it demands technical autonomy, policy awareness, and strategic clarity.

Encryption and data control are no longer optional—they are core to doing business in a politically charged digital economy. European organizations that act now to secure, localize, and govern their data will be best positioned to remain compliant, competitive, and trusted in an era defined by global reach and political risk.