Unbiased analyst and consultancy agency Omdia has launched its market radar paper, exploring the sovereign cloud market and the way cloud service suppliers (CSPs) responded to the pattern.
The 2025 IT Enterprise Insights research analysed the highest 5 Western public cloud suppliers – AWS, Azure, Google, IBM, and Oracle – and found they make up 86% of the cloud market, with a presence in 33 international locations as of 2024. North America has 347 information centres, Europe 194, and China has simply three. Though cloud is accessible worldwide, the report reveals its infrastructure stays regional.
In response to Omdia’s analysis new codecs like edge cloud and sovereign cloud are on the rise, plus there’s the next deal with environmental sustainability which, the corporate surmises, will see extra gamers enter the market.
CSPs around the globe are anticipated to witness elevated stress as China-based CSPs increase globally. The market has developed in recent times, with CSPs now broadening their method by offering extra selections to fulfill operational autonomy, information residency, and resiliency wants.
Omdia discovered that the EU is main in information safety and sovereign cloud initiatives, like Normal Knowledge Safety Regulation (GDPR) and Gaia-X. Areas just like the Center East are beginning to develop related laws, with initiatives together with the Saudi Imaginative and prescient 2030. 60 new information centres have been arrange within the Center East, highlighting how its native infrastructure is rising.
The expansion of genAI has prompted international locations to think about “sovereign AI,” developed and run inside nationwide borders, bringing information below native management. This creates challenges for CSPs that don’t provide native amenities, and a few are dropping out on enterprise potential enterprise that goes to locally-based information centres.
Omdia says it expects 2026/27 to be essential for AI growth, with the thought of “sovereign generated information” turning into extra talked-about, with organisations needing to guard this AI-generated information from inside info requiring the identical ranges of safety as unique datasets. This raises complicated questions on digital possession within the AI period, the paper states.
Omdia have set suggestions for enterprises, service suppliers, and know-how distributors primarily based on its sovereign cloud mannequin. The latter highlights how the “attributes of a sovereign cloud could be utilized at six completely different ranges of sovereignty.”
For enterprises, Omdia’s advice is to grasp which elements of the enterprise and information are topic to native laws, and develop an architectural method displaying how they may implement sovereign cloud capabilities of their IT methods.
Omdia recommends service suppliers develop partnerships with native organisations to obtain official approval ()or accreditation) from nationwide governments to have the ability to ship sovereign cloud options.
Know-how distributors are really useful to research what’s required to fulfill native sovereignty laws. Omdia additionally suggests making purposes extra modular, to allow them to be separated in accordance with native sovereignty guidelines.
Omdia’s sovereign cloud mannequin
To judge precisely the diploma of sovereignty in a cloud deployment, Omdia has proposed a six-level mannequin, one which corresponds to the rising ranges of management and compliance obligatory.
The mannequin displays how a rustic’s legal guidelines and laws tackle information safety, processing, management, and privateness.
The six ranges are:
Knowledge residency
Knowledge have to be saved within the nation, with legal guidelines mandating that sure forms of information, like private or delicate info, can’t be hosted outdoors nationwide borders.
Knowledge processing
Knowledge have to be processed regionally by accredited entities following stringent privateness guidelines and consent, thus making certain tighter management over who can deal with the info and the way.
Knowledge privateness
Specializing in entry controls, if information is saved and processed regionally, it must be protected in opposition to unauthorised entry, significantly from international authorities. One of many greatest privateness challenges at the moment comes from the US CLOUD Act (Clarifying Lawful Abroad Use of Knowledge Act) of 2018.
This enables authorities to demand entry to information that’s saved by US-based firms, even when the info is saved on international servers. Understandably, this raises a significant pink flag for these wanting to maintain their residents’ digital info non-public and below native jurisdiction.
Generated information entry and management
Omdia recommends sovereign frameworks ought to outline who has possession and management over generated information.
Cloud resiliency
Cloud resiliency ensures cloud providers are usually not depending on international infrastructure, serving to to scale back the danger of potential disruption outdoors nationwide management, such financial or geopolitical upheavals.
Cloud as essential infrastructure/operational jurisdiction
Stage 6 suggests the cloud is handled like a nationwide utility, comparable to power, water or telecommunications. This entails governments capable of regulate, audit, and oversee the cloud in its jurisdiction.
How CSPs are responding
Starting with a “sovereign-by-design” technique, which primarily builds cloud platforms with sovereignty in thoughts, CSPs have needed to evolve, shifting to a extra customised and versatile mannequin, one which aligns with particular regional laws. CSPs are responding to the rising demand for sovereign cloud with two predominant approaches.
The primary mannequin the corporate urges cloud suppliers to method is full isolation with region-specific choices. Main CSPs like AWS and Oracle are creating separate, remoted cloud environments in a rustic or area. These are then separated from the supplier’s cloud infrastructure and managed by native personnel, with out entry by international workers. The mannequin is designed to fulfill stringent compliance wants, like GDPR.
The second method comes within the type of a partnership mannequin, one thing CSPs like IBM and Huawei have embraced. On this mannequin, a neighborhood service supplier or nationwide telecom firm operates the cloud providers on behalf of the worldwide CSP. The companions then deploy and handle the CSP’s cloud stack within the nation, offering localised compliance. Knowledge stays within the jurisdiction, permitting native workers to deal with operations.
Each fashions are a part of a wider pattern, as CSPs can now not provide one-size-fits-all cloud options below the rising raft of legal guidelines developed by nation states. Cloud suppliers are required to construct sovereign variants that permit clients to decide on the correct stage of management, compliance, and privateness to fulfill their wants and people of native legal guidelines. In response to Omdia, “the optimum method stays depending on the person buyer.”
(Picture supply: “Clouds” by Kiwi Tom is licensed below CC BY 2.0.)
Wish to study extra about cybersecurity and the cloud from trade leaders? Try Cyber Safety & Cloud Expo happening in Amsterdam, California, and London.
Discover different upcoming enterprise know-how occasions and webinars powered by TechForge right here.
