TL;DR: Many organisations still treat sovereign cloud as a procurement choice, but Commvault argues that digital sovereignty also depends on access authority, jurisdiction, recovery, and auditability, not just data location. That framing matters because residency alone cannot prove control when regulators ask who accessed the data, under what legal authority, and whether recovery worked under incident conditions.
At a glance
What this is: This is a Commvault analysis of digital sovereignty showing that data residency alone does not satisfy sovereignty requirements.
Why it matters: It matters to IAM, NHI, and governance teams because sovereignty depends on who can access data, under what jurisdiction, and how recovery is controlled, not just where the data sits.
👉 Read Commvault's analysis of digital sovereignty, residency, and recovery
Context
Digital sovereignty is the ability to control where data lives, who can access it, which laws apply, and how it can be recovered under incident conditions. In practice, that makes it a governance problem as much as a cloud architecture problem, especially for IAM and NHI programmes that manage access across vendors, regions, and recovery environments.
The article argues that many organisations confuse residency with sovereignty and stop at the cloud region selection step. That is an incomplete control model: access pathways, support personnel, key custody, and backup operations can all pull the environment back into foreign jurisdictional exposure even when primary data stays in-region.
Key questions
Q: What breaks when organisations treat data residency as the same thing as digital sovereignty?
A: They overestimate control. Residency only shows where data sits, but sovereignty also depends on who can access it, which legal regime applies, how support is delivered, and whether recovery works under incident conditions. A programme that stops at residency can still expose the organisation to foreign jurisdiction, vendor access risk, and restore-time non-compliance.
Q: Why do sovereignty programmes need IAM and recovery controls, not just cloud contracts?
A: Because access and restoration are where sovereignty fails in practice. Contracts can define intent, but IAM controls govern who actually reaches the data, and recovery controls determine whether the environment remains compliant when an incident forces restoration. Without both, the organisation may pass a procurement review and still fail an audit under real conditions.
Q: How can security teams tell whether a workload is truly sovereign enough?
A: They should test whether the workload meets its obligations across locality, technology, operations, and jurisdiction. If any one of those pillars depends on assumptions that cannot be evidenced, the posture is incomplete. The right test is not whether the workload is sovereign in name, but whether the organisation can prove the required controls continuously.
Q: Who should be accountable when a sovereign environment fails during recovery?
A: Accountability should sit with the programme that owns the full sovereignty boundary, not only with the infrastructure team. Recovery personnel, support vendors, and identity administrators all participate in the control chain, so the governance model has to assign ownership across legal, operational, and technical functions. That is the only way to keep incident recovery inside policy.
Technical breakdown
Why data residency is only one sovereignty control
Data residency answers a narrow question: where the primary dataset is stored. Digital sovereignty also depends on access control, operational dependency, encryption key custody, and jurisdictional exposure across the full service chain. Control-plane metadata, telemetry, support access, and backup traffic can all cross borders even when the payload does not. That is why sovereignty cannot be reduced to a cloud region or a single procurement checkbox. The practical test is whether the organisation can demonstrate control under real operating and incident conditions, not only under ideal design assumptions.
Practical implication: inventory every access path, supporting service, and data flow before treating any environment as sovereign.
BYOK versus HYOK in sovereignty programmes
Bring Your Own Key means the customer supplies encryption keys, but the provider still often manages them inside its platform boundary. Hold Your Own Key keeps key custody outside the provider environment, which materially changes who can be compelled to provide access under legal pressure or incident response conditions. For sovereignty-sensitive workloads, the distinction matters because key ownership is not the same as key custody. If the provider can still access or mediate the key path, the control is incomplete for strict jurisdictional requirements.
Practical implication: treat key custody as a separate control decision from key ownership and validate it under crisis scenarios.
Operational sovereignty and recovery are linked controls
Operational sovereignty covers who runs the environment and from which jurisdiction, but it becomes most visible during recovery. Backup infrastructure, restoration sequencing, and recovery-point management are often governed separately from primary data controls, which leaves a hidden gap until an incident forces restoration. If recovery personnel, support vendors, or restore locations do not meet the same sovereignty requirements as production, the programme can fail precisely when resilience matters most. Sovereignty therefore has to be designed as an end-to-end operating condition, not a static hosting choice.
Practical implication: test recovery workflows against the same jurisdictional and access constraints used for production.
NHI Mgmt Group analysis
Data residency is not digital sovereignty: Residency only proves where a dataset is stored, not who can touch it, which legal regime applies, or whether it can be restored safely. The article is right to separate those controls because sovereignty programmes fail when they collapse distinct governance questions into one cloud-location decision. Practitioners should treat residency as a subset of the wider sovereignty boundary, not the boundary itself.
Operational sovereignty is where most programmes are weakest: The hardest part to audit is not the hosting region, but the support chain, third-party access, and recovery path that sit behind it. That weakness is familiar in IAM and NHI governance too, where entitlement review is often cleaner on paper than in the real support model. The implication is that the control surface is larger than the procurement artefact, and the audit evidence has to match that larger surface.
Minimum viable sovereignty is the right operating model: Maximum sovereignty is neither realistic nor necessary for every workload, because obligations differ by data class and business function. A payroll system, a customer database, and an internal collaboration workload do not justify the same control posture. The discipline is to align sovereignty controls to the actual risk and regulatory burden, then prove them continuously. Practitioners should stop asking whether a cloud is sovereign in general and start asking whether a workload is sovereign enough for its obligations.
Recovery architecture must sit inside the sovereignty boundary: A programme that governs production but not restore paths has an unexamined failure mode. The same access, jurisdiction, and custody assumptions that protect live data must also apply to backups, restore operators, and incident recovery sequencing. Otherwise the environment can be compliant in steady state and non-compliant during the event that matters most. Practitioners should fold resilience evidence into sovereignty evidence, not treat them as separate programmes.
Sovereignty and identity governance are converging disciplines: The article shows that jurisdictional control is now inseparable from identity control, especially where support personnel, vendor administrators, and recovery operators can interact with sensitive workloads. That makes sovereignty a lifecycle problem, not just an infrastructure one, because access changes over time and across operational contexts. The implication for identity teams is that access governance must extend into legal and operational constraints, not only role design and authentication policy.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- A separate finding from the same report shows that 23.7% of organisations share secrets through insecure methods such as email or messaging applications.
- For a broader lifecycle lens, read NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that support sovereignty-style control boundaries.
What this signals
Minimum viable sovereignty: the most practical sovereignty model is not absolute control, but provable control matched to workload risk. That same logic is now showing up in identity programmes, where the real question is whether access, jurisdiction, and recovery evidence can be demonstrated across the whole operational chain, not just at procurement time.
The governance lesson is that sovereignty, NHI access, and incident recovery now share the same audit problem: evidence must survive operational reality. Teams that separate production access governance from backup and restore governance will keep discovering gaps only when regulators or incident conditions force a proof point.
With 59.8% of organisations seeing value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, per The 2024 Non-Human Identity Security Report, the market is signalling a broader move toward control models that can be evidenced in motion rather than in policy documents alone.
For practitioners
- Map all cross-border access paths Build an inventory of support accounts, vendor access, telemetry paths, backup channels, and administrative interfaces that can move data or enable access outside the intended sovereignty boundary. Include the jurisdiction of each operator and each dependency.
- Separate key ownership from key custody Document whether the organisation merely supplies keys or truly retains independent custody outside the provider environment. Test the model under legal compulsion, incident response, and recovery conditions so the difference is operational, not theoretical.
- Fold recovery into sovereignty testing Validate backup restoration, restore sequencing, and incident recovery against the same sovereignty constraints that apply in production. If the recovery team or restore location breaks the jurisdiction model, the programme is incomplete.
Key takeaways
- Digital sovereignty is broader than data residency because control, jurisdiction, and recovery all matter.
- Programmes that isolate production governance from recovery governance leave a compliance gap that appears under incident conditions.
- The practical answer is minimum viable sovereignty, where each workload gets the controls it can actually justify and evidence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Sovereignty depends on controlling who can access data and systems across jurisdictions. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege governs support access, vendor access, and recovery administration. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy underpins who can operate sovereign workloads and recovery systems. |
Apply AC-6 to administrative and recovery roles so sovereignty evidence extends beyond production access.
Key terms
- Digital Sovereignty: Digital sovereignty is the ability to control where data is stored, who can access it, which laws apply, and how recovery is performed. In practice, it is a combined governance, architecture, and operations problem that must be evidenced across the full service lifecycle, not assumed from cloud region selection alone.
- Operational Sovereignty: Operational sovereignty is control over who runs an environment, from where, and under which legal jurisdiction. It includes support personnel, third-party operators, and recovery teams, so it is often the most overlooked part of sovereignty because it lives in contracts, runbooks, and access pathways rather than in obvious system settings.
- Hold Your Own Key: Hold Your Own Key is a custody model in which the organisation retains independent control of encryption keys outside the provider environment. Unlike arrangements where the provider can still mediate access, HYOK is used when legal exposure, incident response, or jurisdictional constraints require true external custody of the key material.
- Minimum Viable Sovereignty: Minimum viable sovereignty is the right level of sovereignty control for a specific workload, calibrated to its regulatory obligations, risk profile, and operational needs. It rejects blanket maximum-control approaches and instead asks which controls can be consistently enforced, demonstrated, and sustained across the full lifecycle.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The EU Cloud Sovereignty Framework objective breakdown and how each pillar maps to procurement and audit decisions
- The BYOK versus HYOK distinction in the context of provider key custody and jurisdictional exposure
- The recovery and resilience discussion that ties backup operations to sovereignty boundaries
- The Geo Shield deployment model spectrum across SaaS, partner-operated, and customer-controlled sovereign environments
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org