Company | Mar 11, 2026 | 15 min read

Minimum Viable Sovereignty: The Geopolitical Risk Layer We Didn't Budget For

 

Imagine you're a CxO at a European firm in early 2020. The U.S.-China trade war is escalating. Your primary cloud provider (headquartered in California, USA, with data centres across Asia) suddenly faces export restrictions and/or tariffs on critical technologies and services. You're suddenly caught in the crossfire of political sanctions. And with your infrastructure spanning multiple geographical jurisdictions, you find yourself subject to existential compliance and trade requirements you never architected for.

Your business resilience runbooks assumed borderless access to your vendors' support and teams. But those borders, the ones that your entire business assumed you could transcend, just closed.

You didn't plan for this. No one did. 

We've reached a strange moment in cybersecurity and cyber operations. While most of us spent the last decade optimizing for speed, cost, and cloud efficiency, the political climate shifted from predictable patterns to unpredictable storms. Borders started to matter again, "vendor passports" have become critical risk factors, and now we're facing conditions we haven't prepared for but will be forced to navigate, one way or another.

I've had hundreds of conversations with CISOs, CIOs, COOs and Board members and the same question keeps surfacing: "In light of geopolitical tensions, how much sovereignty do we actually need?" The market is noisy, every vendor is positioning sovereignty solutions and, in the rush to respond, many organizations risk over-engineering for political theatre rather than operational resilience.

The question isn't if your data sovereignty strategy will collide with geopolitical reality; it's a matter of when.

To address this reality, I’d like to introduce the concept of Minimum Viable Sovereignty: the baseline level of sovereign control you need to guarantee operational continuity when geopolitical conditions deteriorate. 

This is not perfect sovereignty across every system. It’s not about increasing compliance complexity. It’s just critical recovery paths that must remain under your control when borders close. Those businesses that are able to weather the storm will have identified their Minimum Viable Sovereignty and adapted operations, long before that moment arrives. 

 

January 2026: When Theory Became Reality

At the beginning of this year, China directed domestic companies to stop using cybersecurity software from U.S. and Israeli firms, citing national security concerns. This wasn't just another political policy shift. This was confirmation that we've entered an era where the location of your vendor's headquarters can become your single point of failure. 

Geopolitical fragmentation is now one of three forces fundamentally reshaping global risk, right alongside AI and cyber inequity. The World Economic Forum's Global Cybersecurity Outlook 2026 makes it plain: "Cybersecurity risk in 2026 is accelerating, fuelled by advances in AI, deepening geopolitical fragmentation and the complexity of supply chains".

This isn't theory anymore; it is the new operational reality.

Why have these three forces emerged as dominant influences on the global economy? Let's look at what happened back in 2025 for some context: 

Salt Typhoon's Multi-Year Campaign: Chinese state-sponsored actors compromised at least 8 U.S. telecommunications providers. By August 2025, the FBI confirmed they'd breached 200 companies across 80 countries. It wasn't just data that was stolen; infrastructure was targeted too, the infrastructure that enables cross-border communications and recovery operations.

Taiwan's Digital Siege: The National Security Bureau reported cyberattacks on Taiwan's critical infrastructure averaged 2.63 million per day, a 6% increase year-over-year. Hospitals, banks, government systems, and telecommunications networks faced relentless targeting. This is what sustained geopolitical tension looks like at the operational layer.

Supply Chain Attacks Doubled: According to Cyble's 2025 analysis, cyberattacks on supply chains surged to 26 incidents per month—double the rate from early 2024. Palo Alto Networks research shows nearly one third of breaches in 2023 came through third-party access. Unfortunately, these examples aren't anomalies: they're the baseline now. 

Indeed, Gartner's November 2025 survey revealed that "61% of CIOs and IT leaders in Western Europe plan to increase reliance on local cloud providers because of geopolitical concerns". More striking: 53% said "Geopolitics will restrict their organizations' future use of global cloud providers", and 44% reported they're already limiting use today.

Gartner predicts that by 2030, more than 75% of enterprises outside the U.S. will have a digital sovereignty strategy. This shift (which Gartner calls "geopatriation") represents a fundamental architectural change in how organizations think about data residency, operational control, and vendor risk.

Yet while 88% of organizations are worried about supply chain cyber risks, only 14% assess the cybersecurity posture of their immediate suppliers, one of our biggest (and fastest growing) risk factors in modern digital history. For the broader supply chain, that drops to 7%.

This disconnect between concern and action is dangerous when geopolitical shocks can instantly sever vendor access. 

 

 

What Sovereignty Actually Means (And Why Compliance Isn't Enough)

Data sovereignty used to be a compliance question: "Where does data physically reside, and which regulations govern it?"

However, the new geopolitical reality demands we ask harder questions across three critical dimensions. Think of these as the questions every CxO should ask about their current architecture—not as a checklist to achieve perfection (which may be neither realistic nor necessary), but as a framework to identify where your sovereign exposure actually sits:

Data Sovereignty: Where does your data physically reside? Which jurisdiction governs it? Who can issue or control warrants to access it? If a foreign government demands access to data stored in their jurisdiction, what's your legal position?

Operational Sovereignty: Who actually operates your recovery infrastructure? Can you fail over without vendor or government intervention? Where are your vendor's support teams located? If those jurisdictions are sanctioned or restricted, can you still recover? Do you control encryption keys or does your vendor hold them? If your vendor's jurisdiction is locked out, can you still decrypt and access your data? 

Vendor Sovereignty: Where is your vendor headquartered? Where are their engineers and operations teams located? Can they be sanctioned, restricted, or compelled by foreign governments? What happens to your recovery capabilities if geopolitical tensions target your vendor's home jurisdiction? 

Unfortunately, no single vendor solves all three dimensions perfectly for every organization. A U.S.-based vendor with no European footprint at all might be ideal for American customers but could, depending on its architecture, represent a sovereignty risk for European or Asian firms concerned about U.S. jurisdiction controls or sanctions. A regional vendor might solve data residency but lack the operational scale for global enterprises that need their vendor to operate on all major continents.

The point isn't to achieve perfect sovereignty everywhere, but to understand your exposure and architect accordingly based on your specific threat model, geography, and regulatory environment. True business resilience requires you to consciously assess sovereignty across all three dimensions, make informed trade-offs, and design recovery architectures in partnership with your vendors that function when your primary assumptions fail.

 

Versus What You're Being Sold

Minimum Viable Sovereignty is the baseline level of sovereign control required to guarantee operational continuity when geopolitical conditions deteriorate. Minimum Viable Sovereignty is a prioritization framework, not a destination. Its focus should be on identifying the critical recovery paths (such as backup, restore, identity systems, key management and failover infrastructure), then ensuring those paths remain operationally independent when borders close or sanctions hit.

What constitutes "minimum viable" will differ based on your organization's geography, regulatory obligations, threat model and risk tolerance. The question every CxO should ask is: "What's the smallest set of capabilities that must remain under our sovereign control to guarantee we can recover the business?"

For most organizations, Minimum Viable Sovereignty means honestly assessing: 

Backup and recovery infrastructure: Can you restore operations without relying on vendor support teams in jurisdictions subject to sanctions or lockout orders? If your vendor's headquarters or primary operations are restricted, do you have alternative recovery paths? 

Key management: Where are your encryption keys stored, and who controls access to them? If your vendor's jurisdiction is sanctioned, can you still decrypt and access your data? Do you need bring-your-own-key (BYOK) or hold-your-own-key (HYOK) capabilities for your most sensitive workloads, even if not for everything?

Identity and authentication resilience: Can your identity infrastructure function if your primary vendor's APIs are geoblocked or restricted? Do you have failover identity providers in alternative jurisdictions? 

Failover independence: Can you fail over to secondary sites without vendor intervention or cross-border dependencies? Are your secondary sites truly independent, or do they rely on the same vendor operations teams?

When geopolitics shift to the detriment of your business, having answers to these questions is where the rubber meets the road. Most organizations discover that they've optimized for performance and cost, but have inadvertently outsourced operational sovereignty to vendors whose jurisdictions they never assessed as business risk factors. One of the most concerning statements I have heard in my conversations with CxOs is "We don't actually know if we could recover without our vendor's help."

That's the sovereignty gap that presents an unacceptable risk in the current geopolitical climate.

 

We've Reached a Critical Point

I want to be direct: we're in a sovereignty crisis. Sovereignty is now the primary risk layer for cyber resilience. Yet most organizations have no formal strategy for it and no plan for what happens when borders close or sanctions hit. Sovereignty must move beyond compliance checkbox exercises to include:

  • Continuous visibility across vendor jurisdictions, data locations, and operational control points

  • Resilience planning that doesn't assume vendor access during a geopolitical event

  • Recovery architectures that function when borders close and APIs are geo-blocked

  • Vendor risk assessments that include geopolitical exposure, not just cybersecurity posture

  • Proven ability to fail over and restore without foreign intervention 
     

Critically, however, we must ensure that sovereignty is a core component of our cyber recovery strategy, on equal footing with backup, disaster recovery, and incident response.

 

A Call to the Boardroom

Sovereignty is urgent. When sovereignty fails, recovery fails—potentially permanently. Sovereignty must be on the agenda at the highest level of the enterprise. But to have constructive Board-level conversations, I've learned from my peers that you must be ready to face some hard questions:

  • If our primary vendor's jurisdiction issued a lockout order today, how fast could we recover without their assistance? 

  • Can we prove to regulators and customers that our recovery infrastructure is operationally independent? 

  • Are the cloud platforms, SaaS recovery and backup systems that we rely on covered in our sovereignty strategy, or are they exposed?

  • Have we consciously chosen which workloads require sovereign control versus which can accept vendor jurisdiction risk? 
     

The unfortunate reality is that many organizations don't have answers to these questions, and the attacker is betting on exactly that! 
 

 

The Path Forward: Sovereignty Is Core to Resilience

We need to recognize that sovereignty is the foundation of resilience in an increasingly geopolitically fragmented world. Sovereignty doesn't just determine where data lives; it governs who can access it, who can operate it, and who can shut it down.

So what happens when sovereignty is compromised? In the current geopolitical climate, business continuity doesn't just begin when your identity fabric, systems and critical datasets are back online. Or when the ransomware is decrypted. It begins when you can prove that your recovery infrastructure is under your control and that no foreign entity can block, access, or manipulate it. 

Without a strategy for sovereign resilience, every other layer of your resilience architecture is a castle built on sand. That's why nation-state actors and advanced threat groups are increasingly targeting vendor dependencies—not only to cause harm, but to neutralize quick recovery. Attackers know that once sovereignty is lost, the road back is long, expensive, and uncertain. This gives them greater leverage in extortion, ransom, and overall attack operations. 

Sovereignty is no longer relegated to compliance or legal strategy; it's now core to operational resilience and an organization's ability to reassert control when it matters most.

 

 

Immediate Strategic Actions for Business Leaders 

The sovereignty challenge demands three immediate actions: 

  • Audit Your Sovereign Exposure: 

    • Map every critical vendor's jurisdiction, data locations, and operational control points.

    • Identify where geopolitical restrictions could instantly sever your access to recovery infrastructure. 

    • Document which vendors have staff in jurisdictions subject to current or potential sanctions. Start with your backup and recovery vendors: they're your first and last line of defense.

  • Architect for Multi-Sovereign Resilience: 

    • Design recovery architectures that function when borders close.

    • Build identity and API architectures that survive geo-blocking. 

    • Test failover scenarios without vendor access—you can’t assume your vendor will be available to assist your disaster recovery.
       

  • Define Your Minimum Viable Sovereignty: 

    • Identify the smallest set of capabilities that must remain under sovereign control to guarantee business recovery.

    • Don't over-engineer for political theatre.

    • Focus on the critical recovery paths (backup, identity, key management, failover).

    • Identify which workloads require sovereign control versus which can accept vendor jurisdiction risk—and ensure that those critical paths are operationally independent. 


 

 

Resilience Without Sovereignty Is Resilience on Borrowed Time! 

The gap between those who recognize sovereignty as a strategic priority and those who still view it as a compliance checkbox is widening rapidly. The World Economic Forum's 2026 Outlook concludes with a sobering observation: organizations and governments face "Rising pressure to adapt amid persistent sovereignty challenges and widening capability gaps."

The question every business leader must answer is simple: When geopolitical tensions spike (and they will), can you guarantee operational continuity? 

Or will you discover that your recovery strategy was built on assumptions that no longer hold?

The industry must move beyond treating sovereignty as a regional concern or regulatory burden. Sovereignty is the foundation of modern cyber resilience in an era where geopolitics and cybersecurity have now become inseparable. 

The next time a government issues a vendor restriction order, or implements trade sanctions that introduce economically unviable operations, your board won't ask whether we are compliant; they'll ask whether we were ready!

 

 

Sources & Further Reading 

World Economic Forum, Global Cybersecurity Outlook 2026 

Gartner, "Survey Reveals Geopolitics Will Drive 61% of CIOs to Increase Local Cloud Reliance" (November 2025) 

Reuters, "Chinese Cyberattacks on Taiwan Averaged 2.6 Million a Day in 2025" (January 2026) 

Reuters, "Beijing Tells Chinese Firms to Stop Using US and Israeli Cybersecurity Software" (January 2026) 

Palo Alto Networks, "Supply Chain Chaos in 2025: How Geopolitics Are Rewriting the Rules" 

Cyble, "Supply Chain Attacks Surge in 2025: Double the Usual Rate" 

Cybersecurity Dive, "At Least 8 US Companies Hit in Telecom Attack Spree" (December 2024)

Rubrik, "Rubrik Announces Rubrik Security Cloud Sovereign" (January 2026)
