Nutanix is a Business Reporter client
Why business leaders must build digital exit strategies before regulation or geopolitics forces their hand.
Not long ago, cloud strategy was all about performance, price and scale. Today, something far more fundamental is at stake – control. In boardrooms across Europe, business and public sector leaders are asking the same question: how can we ensure our data stays within reach, and outside the grip of foreign companies and powers?
This is the question at the heart of digital sovereignty, a concept that has shifted from technical jargon to strategic imperative in record time. For the UK, it is becoming a defining issue of the post-Brexit digital economy. For the rest of Europe, it is a response to growing fears that foreign control over digital infrastructure represents not just a business risk, but a national one.
And for all of us, it raises a critical truth. If we cannot walk away from our digital providers, we don’t really own our data. We’re only renting it and hoping the landlord stays friendly.
The legal reality behind the cloud
The urgency behind digital sovereignty isn’t ideological. It’s legal. Businesses may believe that hosting their data in a local or regional data centre provides protection, but legal jurisdiction often overrides geography.
Take the United States CLOUD Act. This legislation compels US-based technology companies to provide access to data, no matter where that data is physically stored, if requested by US law enforcement or intelligence agencies. Crucially, it can also prohibit providers from disclosing those requests to customers.
That creates a chilling scenario for European organisations. A UK business using a US-owned cloud provider might find its data accessed by US authorities without ever being notified. And if services are suspended, whether due to sanctions, litigation or political pressure, there may be no immediate recourse.
This isn’t theoretical. It’s happening. One high-profile incident this spring saw Microsoft temporarily restrict access to services for the Chief Prosecutor of the International Criminal Court, reportedly in response to US sanctions. Whether politically motivated or not, it proved a point: legal control trumps marketing claims, and companies are more exposed than they realise.
Sovereignty demands mobility
Digital sovereignty is not about avoiding the cloud. It’s about being able to move if you need to. And that’s where many businesses are still unprepared.
Over the past decade, enterprises have become deeply dependent on hyperscale cloud platforms. That’s not a criticism, as those platforms offer incredible agility and innovation. But it also means many organisations lack a plan B. They have no practical, tested way to exit a provider if trust breaks down, prices spike or the geopolitical climate shifts.
In fact, we increasingly see governments stepping in. In Norway, regulators have begun requiring public institutions to develop exit strategies for their cloud services. In Germany and Switzerland, digital infrastructure investment is being weighed not only on technical merit but on the legal independence of the provider.
The UK, too, is moving. A bill currently under discussion would require stress-testing of organisational data strategies. This reflects a growing recognition that resilience must include the ability to change providers, quickly and cleanly, without downtime or data loss.
What boards need to ask today
Is this really an IT problem, or is it a C-suite issue that demands board-level attention? Senior leaders must now assess their organisation’s digital dependencies as carefully as their financial exposure.
- Can you move your workloads if you need to?
- Do you have contracts that support rapid migration?
- Have you mapped where your data resides and who has legal access?
- Do you have the internal capabilities to operate hybrid or multicloud environments?
Visibility remains a major challenge. According to the 2023 Nutanix Enterprise Cloud Index, only 13 per cent of public sector IT leaders say they completely understand where their data is located and under which jurisdiction it falls. That lack of clarity introduces unacceptable risk in a landscape where legal access matters as much as physical access.
These are not questions to leave for later. In a crisis, it’s already too late to design a safe exit. Sovereignty is not something that can be switched on. Instead, it must be built into the architecture of your business.
The opportunity in resilience
The good news is that a better approach is emerging. Modern, cloud-native platforms are enabling businesses to operate across multiple providers without lock-in. Hybrid multicloud infrastructure makes it possible to move data and applications across environments, without sacrificing performance or compliance.
This is more than a future vision: it is already the direction of travel. Indeed, 84 per cent of public sector organisations globally now view hybrid multicloud as their ideal operating model. The appeal is clear: the ability to combine flexibility, resilience and compliance within a single architecture.
At Nutanix, we work with customers across Europe who are building exactly this kind of resilience. Whether in financial services, public sector or healthcare, these organisations recognise that sovereignty is not about cutting ties with the global cloud ecosystem. It is about making sure those ties are balanced, reversible and governed by clear terms.
One such example is the UK’s Department for Work & Pensions (DWP), which has embraced a modern cloud strategy to ensure operational continuity and flexibility at national scale. As one of the country’s largest public service departments, DWP’s ability to manage critical infrastructure with both agility and control speaks to the strategic importance of sovereign-ready digital platforms.
We are also seeing growing momentum from policymakers, regulators and industry leaders who want to ensure European organisations can retain digital self-determination without cutting themselves off from innovation.
This is the real goal. Not isolation, but independence.
Now is the time to act
In times of stability, it’s easy to overlook hidden dependencies. But we are not in a stable time. From economic volatility to political fragmentation, the risks of inaction are growing.
Sovereignty cannot be retrofitted. It must be planned for, budgeted for and tested, just like any other pillar of enterprise risk management. That process starts with visibility, continues with strategy and succeeds only with executive support.
European business leaders, especially in critical sectors such as government, finance and healthcare, now face a choice. Treat data sovereignty as a compliance box to tick or as a competitive differentiator.
This is no longer a niche concern, as 72 per cent of public sector decision-makers now say their top priority for cloud deployment is the ability to move workloads freely across environments. Because in the digital age, true sovereignty is not just about where your data lives. It’s about whether you can take it with you.
For more information, visit nutanix.com.