Point of View

CPOs, map your sovereignty risk before geopolitics does it for you

This HFS Point of View is for chief procurement officers mapping digital sovereignty exposure across vendor contracts before the next renewal cycle locks in three to five more years of risk.

Digital sovereignty has stopped being a regulatory abstraction. It is arriving in enterprise vendor portfolios as contract clauses CPOs did not write. Sovereign buyers (governments, defense ministries, regulated institutions like the ICC leaving Microsoft, NATO air-gapping its cloud, France moving 2.5 million civil servants off US platforms) are forcing vendors to rebuild for the strictest customer, and that standard then cascades contractually into every supply chain that touches the same vendors, including yours.

Sovereignty now belongs on the CPO’s desk as a supply chain risk, and the window to shape it is the next renewal cycle: every contract signed on the old assumptions locks in three to five more years of exposure, and the early-exit rights enterprises hold today under the EU Data Act do not survive it. This piece gives CPOs a working definition, the four pillars to measure exposure against, and five moves to make before the next renewal.

Enterprises have been making a political bet on the wrong world

Your vendor stack was built on the quiet bet that borders between allied democracies did not really apply to data, US cloud providers were neutral global infrastructure, and the rules-based order would just keep going. Nobody wrote it down, and every contract assumed it. Because the bet kept paying off, enterprises missed the three successive eras of sovereignty risk in Exhibit 1. Each warning signal looked like noise until the next one arrived.

Exhibit 1: Enterprises missed three successive eras of sovereignty risk

Three-column timeline diagram comparing how sovereignty risk has evolved across three eras and how enterprises responded to each.

Era 1, infrastructure risk, 2000 to 2012: the risk was physical data location, meaning where servers sat and which jurisdiction applied. Key signals were the US Patriot Act (2001), early Safe Harbor pressure in the 2000s, and calls for data localization in the late 2000s. Enterprise response: the risk was mostly ignored, the trust assumption held, and data stayed where it was cheapest.

Era 2, platform risk, 2012 to 2020: the risk was who controlled access, not where data sat but who held the keys. Key signals were Snowden (2013), the Safe Harbor collapse (2015), and the CLOUD Act (2018). Enterprise response: the risk was rationalized as political noise while cloud migration continued and accelerated.

Era 3, operations risk, 2020 to present: the risk is who runs your processes, with vendors embedding into operations rather than just hosting data. Key signals are DORA naming hyperscaler concentration (2025), the ICC exiting Microsoft (2025), NATO air-gapping cloud (2025), drones striking AWS Bahrain (2026), and 18 US tech firms named as military targets (2026). Enterprise response: most enterprises have not yet assessed this layer of exposure.

Footer note: each layer is still in the stack, compounding the last, and now arriving in vendor contracts.

Source: HFS Research, 2026

Era 3 breaks the pattern. The earlier signals could be rationalized as political noise and waited out; this one arrives inside vendor contracts, where it cannot. National interests are back inside vendor contracts, jurisdictions are competing for control of data, and regulators are starting to enforce what governments have been signaling for years. Every unresolved exposure from the first two eras is still sitting in the stack, now compounded by the third.

What most private-sector leaders miss is that the sovereign-buyer mandate does not stay contained to governments and defense. When sovereign buyers mandate hardened architectures, vendors cannot sustain multiple parallel stacks in perpetuity. They rebuild for the strictest customer, and that standard then cascades contractually through every supply chain that touches them. By the time sovereignty reaches the private sector, it arrives as a clause, not a choice.

Sovereignty has four pillars, and most enterprises have a gap on at least one

Most enterprises cannot define sovereignty for their own operations, and they cannot manage what they have not defined. HFS defines it as an organization’s ability to maintain meaningful control over its digital assets, systems, and dependencies, such that if trust breaks anywhere, the organization can still operate and govern itself.

In practice, that control rests on four pillars: where your data can be reached (jurisdictional control), whether you can actually leave (operational portability), who owns the question internally (governance ownership), and whether you can keep running when the infrastructure underneath you cannot (infrastructure resilience). Most enterprises have a gap on at least one, and many have gaps on all four (see Exhibit 2).

Exhibit 2: The four pillars of digital sovereignty

Four-column framework diagram defining each pillar of digital sovereignty and naming the contractual gap each one exposes.

Pillar 1, jurisdictional control: the enforceable right to control and contest access to your data when a government intervenes. Gap: most force majeure clauses do not cover state-actor targeting of named technology firms; the 2025 US sanctions on the ICC exposed this gap when Microsoft could not guarantee service and no contract clause let either party contest it.

Pillar 2, operational portability: the ability to exit a vendor relationship without losing operational continuity. Gap: most exit clauses move data, not processes; France's migration of 2.5 million civil servants off US platforms exposed this gap, as the data moves in months but the operational rebuild takes years.

Pillar 3, governance ownership: a single internal function accountable for sovereignty that gives the board a working definition and tracks exposure across the other three pillars. Gap: most enterprises have no named owner; the ICC story exposed this gap when boards asked who owned sovereignty and the question fell between procurement, legal, and IT.

Pillar 4, infrastructure resilience: the ability to maintain service continuity when the physical or virtual infrastructure is disrupted and localization compliance prevents failover to another region. Gap: the AWS Bahrain strike exposed this gap when workloads pinned to that region by residency rules could not fail over.

Source: HFS Research, 2026

CPO checklist: five moves to make before the next renewal

You do not need a complete transformation program to start. You need a few moves you can make inside contract cycles you are already running, and they go in roughly this order: own it, see it, use the rights you already have, enforce the standard going forward, and stress-test the edges (see Exhibit 3).

Exhibit 3: The CPO’s checklist of moves to make before the next renewal

Five-row action checklist sequencing the procurement moves a CPO can make inside contract cycles already running.

Move 1, own it: name an accountable owner and brief the board, because sovereignty cannot sit in a shared inbox between procurement, legal, and IT. Pick a named function, give it the mandate, and put a one-page exposure map in front of the board before someone else does.

Move 2, see it: demand a sovereignty disclosure now. Ask every strategic vendor in writing which cloud processes the data, in which legal jurisdiction, and what happens if a government requests access. If the team cannot get a clear answer in hours, the gap is already real.

Move 3, use the rights you already have: audit contracts against the EU Data Act for early exit and renegotiation rights, and use them as leverage before using them as exits.

Move 4, enforce the standard going forward: set sovereign delivery as a pass/fail rebid criterion in every renewal, require EU-domiciled or equivalent sovereign architecture for any contract touching regulated data, and review force majeure to confirm it covers kinetic conflict and state-actor targeting of named technology firms.

Move 5, stress-test the edges: stress-test regional failover under localization constraints for every critical workload locked to a single cloud region by data residency rules. If the answer depends on the same provider standing the region back up, the result is a single point of failure, not resilience.

Source: HFS Research, 2026

The Bottom Line: If your vendor strategy still depends on trust, it is already exposed.

Sovereignty is not a procurement risk. It is supply chain risk that lands squarely on the CPO’s desk. Your job is to turn it into enforceable control, credible exit paths, and board-level visibility. Lead it or be led by it.
