Geopatriation and Sovereign Cloud: When to Move Workloads Closer to Jurisdiction

Geopatriation and sovereign cloud are emerging as responses to regulatory requirements and cyber risks. This article explains when relocating workloads is justified.

Uncontrolled Cloud IT Cost Growth: A First Signal to Review Architecture

While cloud migration often promises cost optimization, the reality is more complex. Many organizations face uncontrolled increases in cloud provider bills. The issue rarely stems solely from the cost of gigabytes or compute hours. Unforeseen expenses are typically a symptom of a deeper architectural problem: a lack of discipline in resource management, blurred responsibilities, and chaotic deployment of workloads across global data centers.

FinOps emerged as an attempt to bring order to these processes, but it focuses on the financial management of existing infrastructure. When costs result from a fundamental mismatch between architecture and business requirements — particularly data security and sovereignty demands — a more radical solution is needed. This is no longer a matter of saving on instances, but rather one of risk management and ensuring operational resilience.

Geopatriation and Sovereign Cloud: Addressing Cybersecurity and Data Sovereignty Challenges

In response to these challenges, two interconnected approaches have emerged: geopatriation and sovereign cloud.

Geopatriation is the strategic return of data and workloads from global cloud platforms to infrastructure located within a specific national jurisdiction. This does not imply a complete abandonment of the cloud, but rather the relocation of critical components on-premises or to a local cloud.

Sovereign Cloud is a cloud infrastructure that is physically located, managed, and subject to the laws of a specific country. The key distinction from a typical local data center of a global provider is the guarantee that data will not fall under the extraterritorial laws of other states (e.g., the US CLOUD Act). This ensures full legal and operational control over the data.

The need for such solutions is reinforced by sobering statistics. According to the Cisco Cybersecurity Readiness Index 2025, based on a survey of 8,000 cybersecurity business leaders, most companies remain unprepared for modern cyber threats. Moving to a more controlled environment, such as a sovereign cloud, becomes a logical step to enhance protection.

❌ Mistake: Believing a New Cloud Platform Will Automatically Solve Organizational Problems

The most common mistake when considering a move to a sovereign cloud is the belief that the technology or infrastructure itself will resolve all security and compliance issues. In practice, technology only amplifies existing processes. If a company lacks clear data classification, has chaotic access management policies, and its development processes do not include security checks, then migrating to a sovereign cloud will merely transfer this chaos to a new, more expensive environment.

A sovereign cloud provides tools for control but does not implement it automatically. Without a prior data audit, a review of application architecture, and the implementation of stringent Identity and Access Management (IAM) policies, the project risks becoming an expensive cosmetic change without a real increase in security. First, processes and policies; then, the infrastructure to implement them.

Typical Scenario for Banks: How Data Localization Impacts Operational Resilience

Consider the architectural example of a national-scale bank. Its operations involve processing vast amounts of sensitive data: customer personal data, transaction history, and financial statements. This data is subject to strict regulatory requirements from the National Bank of Ukraine, as well as GDPR if the bank serves EU citizens.

In such a situation, using global cloud infrastructure creates several risks:

  • Legal Risk: Data stored in data centers in Frankfurt or Dublin may be subject to requests from law enforcement agencies in other countries, creating a legal conflict.
  • Operational Risk: In the event of geopolitical tension or damage to backbone communication channels, access to critical systems may be difficult or lost.
  • Compliance Risk: Regulators, including the NBU, demand clear guarantees regarding data location and control, which are difficult to ensure in a multi-jurisdictional cloud.

Relocating the core banking system, processing, and risk analysis systems to a sovereign cloud mitigates these threats. This provides a clear response to the regulator, guarantees physical and legal control over data, and enhances operational resilience by isolating critical infrastructure from global disruptions.

Regulatory Landscape: NIS2 and Other Critical Infrastructure Requirements

The NIS2 Directive, which strengthens cybersecurity requirements for critical economic sectors, is a key driver for transitioning to more controlled infrastructure models. Banks and financial institutions are classified as “essential entities” under NIS2, imposing increased obligations on them regarding risk management and incident reporting.

The ENISA Threat Landscape 2025 report confirms the relevance of these requirements: essential entities accounted for 53.7% of all organizations affected by cyberattacks. The same report indicates that digital infrastructure and services account for approximately 27.7% of data breaches, and phishing remains the leading initial access vector. This underscores that protection must be comprehensive: from employee training to selecting secure-by-design infrastructure.

NIS2 requirements largely align with global best practices, such as the Cross-Sector Cybersecurity Performance Goals (CPG) developed by the US agency CISA. These describe basic cybersecurity practices with proven effectiveness for protecting critical infrastructure. Having infrastructure within one's own jurisdiction significantly simplifies the implementation and auditing of these controls.

Technological advancements are an additional factor. According to the Ericsson Mobility Report, by the end of 2027, 5G will become the dominant mobile access technology by subscriptions. This will lead to an explosive growth in the number of connected devices (IoT) in the financial sector, generating local data that will require low-latency, high-security processing — another argument for localizing computing resources.

Practical Steps Towards Sovereign Cloud Implementation and Cost Optimization

Transitioning to a sovereign cloud is not merely a migration but a comprehensive transformation. It requires a clear action plan.

  1. Data Audit and Classification. Determine which data and workloads are critical and subject to regulatory requirements or require enhanced control. Not everything needs to be moved; a hybrid architecture is often the optimal solution.
  2. Architecture Redesign. Avoid a simple “lift-and-shift.” Applications being migrated should be modernized to effectively leverage the new platform's capabilities. This includes transitioning to microservices, containerization, and implementing CI/CD.
  3. Selecting a Reliable Partner. Implementing such solutions requires deep expertise. For example, companies specializing in cloud development for the enterprise segment, such as Softengi, help clients design and build complex AI systems and cloud applications that meet security and sovereignty requirements.
  4. Implementing FinOps Practices. From day one, implement tools for monitoring, budgeting, and optimizing costs in the new cloud. This will help avoid repeating mistakes related to uncontrolled resource consumption.

Strategic workload relocation is not a retreat from the cloud paradigm but its mature stage. It is a shift from blindly following trends to thoughtful IT architecture management, where the main criteria are not only cost and flexibility but also security, resilience, and compliance with legal requirements.

Checklist for Assessing the Feasibility of Transitioning to a Sovereign Cloud

  • Are critical data processed that are subject to strict local regulations (e.g., financial, medical, personal)?
  • Are current cloud providers outside your jurisdiction, creating risks of third-party access or legal conflicts?
  • Do your customers or partners require guarantees of data sovereignty and its storage in a specific country?
  • Are there heightened requirements for cyber resilience and protection against cyber threats that go beyond standard cloud services?
  • Is there a need for full control over infrastructure and data, including physical access and encryption key management?
  • Are there risks of unpredictable cost increases due to a lack of transparency and control over cloud resources?
  • Is the organization prepared to invest in the migration and management of a more specialized cloud infrastructure?

FAQ

What are geopatriation and sovereign cloud, and how do they differ?

Geopatriation is the process of returning data within a specific jurisdiction. A sovereign cloud is a specific infrastructure that provides such control, ensuring that data is subject exclusively to local laws and managed by a local company.

What regulatory requirements (e.g., NIS2) influence decisions about data localization?

The NIS2 Directive requires critical organizations, including banks, to enhance cyber risk management. Storing data in a sovereign cloud simplifies compliance with these requirements by ensuring transparency of control and protection from external legal influences.

How does a sovereign cloud help optimize cloud costs and improve cybersecurity?

While a sovereign cloud may be more expensive than global counterparts, it provides better control over resources, which helps implement effective FinOps. From a security perspective, it offers full operational and legal control over infrastructure and data, reducing risks.

Data sources