Data sovereignty: Don't just tick the box, think outside it
How your data strategy can fuel innovation
Sponsored Feature
There's a cliché that generals are always prepared to fight the last war. The same could be said of regulation and compliance. Successive scandals or crises prompt legislation and regulation to protect against a repeat. But these newly minted strictures often miss the next big threat.
The financial scares of the early 2000s gave us SOX, Dodd-Frank, and the UK's Financial Services Act. In the last decade, governments and regulators have fretted about the resilience of the operational infrastructure underlying businesses and society at large. This resulted in Europe's DORA, NIS2, and Cyber Resiliency Act, along with a raft of federal regulations in the US.
All of these have a direct impact on businesses' technology operations in general, and data activities in particular. More recently, they have tied in with increasing concerns about data, AI, and sovereignty.
So it's not surprising that some C-suite leaders and frontline workers view the compliance processes these regulations dictate as a necessary evil at best. At worst they see them as a brake on their day-to-day businesses and on their ability to develop innovative new services and get them to market. This comes into focus with the rush to adopt AI, which depends on quality data.
But is that a narrow-minded view? Could taking a holistic view of compliance actually buttress efforts around data sovereignty? Could it help businesses become not just more resilient, but more innovative and competitive? And should data sovereignty be understood as much more than a question of geography?
After all, when it comes to cyber threats, attacks are becoming more lethal and frequent. Data protection specialist Veeam's Field CTO EMEA Edwin Weijdema says data is the prime target now. It has become more valuable even as it has multiplied and become more distributed. "It's in your own data center. It's in a rented data center. It's in the cloud. It's in software as a service. It's being shared all over," he says.
Threat actors have one of two goals, he continues. They either want to extort money from their victims by encrypting and/or stealing their data, or they want to put their victim out of business. "This is the geopolitics," Weijdema continues. "It's not about stealing your data, it's about crippling you completely."
Security concerns vary at a regional and even sub-regional level. Companies in the Middle East often have narrowly focused security concerns, while the European Union concentrates more on data protection and sovereignty overall. There are also subtle differences within the bloc. All might be acutely aware of the threat from the East, but some countries, such as the Baltic States or Finland, might feel it far more keenly, with all-out cyber attacks being a more regular occurrence.
But Weijdema says, "The backup is the number one target for any of those threat actors out there. Because if you can get the backups, you get everything."
Which is why Andre Troskie, Veeam's EMEA Field CISO, says, "All these regulations are brought in to make sure that organizations improve their cyber security posture but also increase their operational resilience."
With the explosion of artificial intelligence and AI agents, he continues, "It makes the problem statement even worse in terms of how we are going to understand where our data is protected, as it's needed in all those cases."
What Europeans and the rest of the world have realized, he continues, is that "In order for these frameworks to be really powerful, we need the organizations to retain control over their data."
Control and flexibility
This requires much more than a tick-box attitude to compliance, points out Weijdema, not least because when it comes to technology, the law is generally ten years behind.
Regulators aren't asking businesses to think about sovereignty because they want managers to fill in compliance forms, he says. It's because they see the full range of threats, from natural disasters, to cybercrime, to state actors. They want companies and society to survive them.
Reducing the risk to zero is unrealistic. Achieving that would bankrupt most organizations. Rather, says Troskie, the aim is to manage risk to an acceptable level. The objective is to achieve demonstrable data control, he says. This is more than obsessing about where data resides geographically.
"You want to be able to demonstrate that you understand the coverage of your data lifecycle, and you want to be able to provide evidence that you can demonstrate that to others."
That data lifecycle will increasingly incorporate other organizations. "Because we live in an interconnected world, why would you store data that you get from one of the other links in the chain?" asks Weijdema. It doesn't make sense for a hospital, for example, to store test results when those are already held by its laboratory systems partner.
But, if that labs partner suffers a cyber attack, the hospital also suffers. "Connecting those systems makes it more efficient. It also makes it more harmful."
Veeam's recent customer workshop series makes it clear that companies can't just fall back to paper-based operations in an emergency, he adds, even though they sometimes ask.
"I had one customer two months ago, and he raised his hand and said, 'we can still do things on paper?'" Weijdema recalls.
This wasn't a case of having a low-tech, bulletproof plan B. "'No, no, no,' they said. 'We're just trailing behind on the digital transformation chain.'"
How can tech leaders unpick this compliance conundrum?
Veeam views data resilience, and by implication data sovereignty, as resting on five pillars: data backup; data recovery; data portability; data security; and data intelligence.
The path of most resilience
The first two pillars might be self-evident, but a company cannot be resilient if it cannot restore its data quickly for fast recovery. Likewise, portability (the ability to shift data across different platforms and environments) is critical. If a physical datacenter is put out of action, a physical backup facility might be the desired option. But a cloud alternative might also make sense, for example if a firm's physical assets are being subjected to forensic investigation.
Security covers companies' need to protect their data from unauthorized access or exfiltration. Data intelligence is the ability to develop insights about the data. Those insights can be security focused, especially if they reveal anomalies that could point to an emerging problem.
"Should I do a full recovery?" Weijdema asks as an example. "Or should I just do a recovery of those three items that have been touched?"
Troskie says the industry is looking beyond the traditional three-layer approach of operational management, risk management and compliance, and internal audits.
"We are moving away from those three independent layers to one of continuous and autonomous assurance, empowered by agentic AI," he explains. But this will need reliable data and new approaches.
"We need AI governance and oversight," he says. "That skill set needs to be built and then articulated appropriately at those three layers."
The C-suite or compliance team might want assurance that everything is in line with regulations, or in the event of an attack that decisions are based on the correct information. But the C-suite and business teams also want to know that data is available to develop and underpin the new AI-based services they're betting the future of the company on.
With the right approach, businesses and public organizations can manage, understand, and protect their data, keeping it available to fuel innovation and to help them recover from existential attacks. But they need to understand these are two sides of the same sovereign coin.
"We need to educate our partners so that we understand the intricacies of developing infrastructure and systems from a sovereign perspective that also still makes us efficient, effective, and nimble enough to compete," says Troskie.
"It's one thing saying we have to use sovereignty to slow us down," he concludes. "We can also use sovereignty to speed us up."