CEOs, ready your battle plan—digital sovereignty is the data and AI battleground

CEOs, your digital borders are closing. The rise of sovereignty laws is fracturing the internet and reshaping how enterprises store, share, and protect data. If you don’t take control of where your data lives and who governs it, governments will. The rise of digital sovereignty—the protection of private, public, and citizen data within a nation—conflicts with the foundational principles of the internet. Every CEO now needs a digital sovereignty battle plan—a coordinated strategy to defend their data, secure their cloud, and keep their AI ambitions alive across conflicting jurisdictions.

Sovereignty is a complex topic; technology, supply chain ecosystems, and government policies influence it. We’ve authored this report to inform CEOs and their teams about the importance of digital sovereignty and the policies that threaten to break up the internet, undoing decades of information and service democratization. While most sovereign plans are being driven at the core by nations, these will impact highly regulated industries (banking, communications, and critical infrastructure). Due to this, CEOs, their leadership teams, and their boards should look beyond the hype of politics and into the legislation that will impact sovereign data challenges for firms operating globally.

Data from leaders of top global firms points to changes in geopolitical and economic factors as current drivers of digital sovereignty

In a recent HFS Pulse study (see Exhibit 1), when we asked leaders from 200 global enterprises about external factors shaping their organizations’ ability to achieve strategic goals, three factors stood out in their answers. These factors—geopolitical, economic, and security—reflect an undercurrent of concern about the safety of the data their businesses run on. To define actions for the CEO and their teams, we must look beyond current politics and into the international laws that have set the stage for these actions.

Exhibit 1: Geopolitics, economics, and cybersecurity now outrank technology as CEOs’ top external risks

Sample: 305 major enterprise decision makers
Source: HFS Research Pulse, 2025

CEOs must realize that the benefits of free-flowing data are fading as countries draw their digital borders

The idea of a “borderless digital economy” is collapsing—but new tariffs and trade wars weren’t the catalysts. The unraveling began nearly a decade ago, in 2018, when the US passed the CLOUD Act, allowing the US government to assert authority over data held by US companies worldwide. This gave the American government a digital backdoor into economic, political, and citizen data through the growing use of hyperscalers and data centers. The result has been that all other governments have been given the choice to comply or to develop their own sovereign technology and legal defenses.

The most significant reactions to the US CLOUD Act have come from China, as seen in the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which have created explicit legal barriers around Chinese data. These were followed by the EU’s GDPR Article 48 and France and Switzerland creating blocking statutes to achieve a similar effect—prohibiting direct compliance with foreign data demands.

In simple terms, the US CLOUD Act is about going after your data. And to thwart this, China, the EU, France, and Switzerland are leading the way to impede and make legislation like this illegal in their jurisdictions. Yet it is worth noting—and further complicating how a CEO must act—that the response hasn’t been uniform. Both Australia and the UK have taken more acquiescent stances. These countries have signed agreements with the US government to comply more seamlessly with the CLOUD Act. In other words, where you operate and store data can have a direct impact on what data you may or may not want in that jurisdiction.

Legislation is shaping the sovereignty of data; the tariffs aren’t

These statutes and laws surrounding AI, cloud, and personal information form the groundwork for creating an era of digital sovereignty. Yet, these were not in the spotlight until the tariffs, political tension, and a government that does not worry about overreaching took power in the US. America, above all, is injecting economic risk into all firms and their global ecosystems—and the internet itself.

For CEOs, the resulting culmination of international laws and growing global tension is driving an urgency to understand who controls their companies’ data. As data is now as consequential as who controls trade routes, semiconductors, AI computing, and other key assets, nations are investing in digital borders to secure their economic, political, and strategic advantages. Therefore, CEOs must define their firm’s digital, data, and AI sovereignty strategy. To begin, CEOs must audit what data they have and where it resides to develop defensible controls and governance.

Data without borders meets laws without compromise

The global cloud market was built on efficiency, scale, and international reach, enabling companies to easily facilitate the exchange of data on trade, people, commerce, and services. However, sovereignty laws now pose a threat to this model. Through national and international legislation, governments are rushing to dull the sharp points of the CLOUD Act. The result is likely to be a change in how the internet functions:

• China requires localization and government approval for foreign access to data. Thus, a CEO with operations in China needs to have stateside data in China that protects employee and client data, partner data, and data that the Chinese government deems essential.
• The EU and Switzerland are blocking foreign disclosure unless requests are submitted through formal treaties. Companies operating in the EU will face increasing fines for not securing European citizens, trade, and localized intellectual property.
• Canada, Brazil, and India require risk assessments and government oversight for outbound data, not blocking it, but adding friction to the extraction of data. Operating in these countries involves monitoring the formation of new legislation, and audits will be necessary to comply with emerging regulations.
• The UK and Australia have reciprocal agreements with the US to ease cross-border data access. Initiated before the current administration, this measure was intended to facilitate the sharing of information for security purposes. However, there is now growing pressure to review these agreements in the context of data sovereignty.

For a CEO worried about how their data might be exposed or subpoenaed, these issues must be on their radar. This global patchwork quilt of policy and legislation is not converging; instead, it’s fragmenting data, systems, and intellectual property. Enterprises that once architected technology stacks for performance and cost must now architect for compliance, jurisdiction, and risk insulation.

AI is rushing the sovereignty wall, creating a management trilemma

The current rush to unleash (or in some cases, leash) AI is on, and it’s on the front line of the digital sovereignty battlefield. Both companies and governments are looking at the impacts of data and how to secure, regulate, and protect themselves. In many cases, this is the development or investment in AI within their borders. Yet, AI depends on scale: the larger and more diverse the data, the smarter the model.

Sovereignty laws limit scale by restricting cross-border data flows, complicating everything from personal information and company data to the training and fine-tuning of AI models. As countries seek to strengthen their digital fortifications, the result is limited data, potentially undermining the core premise of the internet. Companies competing globally will struggle as the supply of data from global supply chains, customers, and products is constrained, and fears of foreign access or interference grow.

But CEOs cannot be idle. They need to know how to protect the data from their companies, partners, employees, and customers. To prepare for this digital battlefield, CEOs and their boards must understand how to navigate this emerging field of data, AI, and privacy with policy-driven actions to solve the sovereignty trilemma:

1. Where can company data reside?
2. Who can access and process it?
3. How do leaders ensure their firms comply with regulations and mitigate risk?

Failing to address these may lead to risk, fines, and losses.

One fact is apparent: Companies can’t go it alone. CEOs will need to turn to their partners for reinforcements in their cloud, data, and AI architectures, as well as for audit, governance, and cybersecurity. They must invest in regional intelligence and data ecosystems that respect local law while maintaining global innovation velocity. Effectively, they need to rethink how their firm leverages the global internet in more local ways.

Winning on this new battlefield requires a sovereignty battle plan—not a compliance checklist

Victory on this digital battlefield begins with data diplomacy. CEOs must lead coordinated campaigns across legal, technical, and operational domains to defend their data and sustain innovation. These actions form the foundation of a sovereignty battle plan that replaces reactive compliance with strategic control:

1. Map your sovereignty risk. Document the jurisdictions where your data resides, know where it’s processed, and which legal regimes govern it. Sovereignty risk assessments must be as routine as cybersecurity audits.
2. Architect for legal isolation. Treat compliance as a design principle. Segregate data, use localized cloud zones, and adopt sovereign cloud offerings that give you operational independence for mission-critical data within each market.
3. Protect model integrity. Guard your AI training pipelines like crown jewels—but not like the Louvre did. Make it mandatory to encrypt, watermark, and monitor information assets to prevent inadvertent cross-border leakage of intellectual property or AI model training data.
4. Negotiate digital guardrails. Corporate policy must anticipate conflict of laws between home and host jurisdictions. Build “data diplomacy” into your governance by aligning legal, security, and engineering teams around escalation paths for foreign data requests. Develop AI agents that can support monitoring and enforcing these policies.
5. Reframe compliance as trust. Establish transparency with customers and regulators about where and how their data is managed to build confidence. In an era of digital nationalism, companies, suppliers, and customers must trust that their data is protected and complies with sovereign privacy and security laws. This is the new market access license.

At HFS, we see sovereignty as the next frontier for enterprise modernization

The first era of digital transformation focused on speed, scale, and access, transforming how we utilized data to build global ecosystems and collaboration platforms. The second era, driven by AI, cloud, and data, is quickly becoming about control and legitimacy. Digital sovereignty is emerging as a means of protecting one’s information and building walls across the internet.

CEOs who begin preparing for how they handle sovereignty-by-design will move faster, not slower, because they will innovate confidently across clear legal boundaries. Meanwhile, those that ignore it will find their global AI and data ambitions constrained by red tape, court orders, or reputational risk.

The Bottom Line: Digital sovereignty is not just compliance—it’s command. The next era of competition will be fought on the digital battlefield, where control over data defines who leads and who follows.

CEOs without a sovereignty battle plan will lose control of their most valuable assets: intellectual property, customer data, and mission-critical information. In the next wave of AI and cloud adoption, the true differentiator won’t be computing power—it will be control.