Data sovereignty – a key principle for digital infrastructure

by Mark Pestridge, Executive Vice President and General Manager, Telehouse Europe; Sami Slim, CEO, Telehouse France and Takeyuki Yanagisawa, General Manager, Telehouse Business Planning Department, KDDI

As digital ecosystems expand, data sovereignty has emerged as a critical factor in how infrastructure is built and governed. For businesses, the challenge is finding the right balance: infrastructure must enable global collaboration while complying with local regulations, ensuring data privacy and security.

This balance is becoming increasingly important as breaches of data sovereignty laws become more common. Authorities in Europe have levied billions of euros in fines under GDPR, with similar enforcement actions emerging across North America, Asia-Pacific, Latin America, and the Middle East. This growing trend underscores the need for strict adherence to local regulations on data residency and transfer.

Countries including India, Vietnam, and Brazil have adopted stricter rules, mandating that certain datasets remain within their national borders or are transferred under defined conditions. These regulations shape architectural decisions, raising expectations for data centre operators. Now, capacity alone is insufficient – customers demand clarity and confidence around data sovereignty from day one.

This growing complexity has driven demand for carrier-neutral, multi-cloud environments that combine dense connectivity with proven compliance. Such environments allow businesses to match workloads with jurisdictions, maintain in-country data storage, and meet legal obligations without redesigning entire infrastructures.

As regulatory frameworks evolve, the location and ownership of infrastructure increasingly influence governance. The jurisdiction of the infrastructure operator determines which legal regimes apply to data, shaping privacy considerations and how extraterritorial claims are handled. This means data centres must be built for adaptability, able to evolve as technologies and regulations change.

Regulatory drivers

Regulatory requirements are increasingly shaping data centre design, especially in heavily regulated sectors like financial services. For example, the Digital Operational Resilience Act (DORA), applicable from January 2025, requires regulated financial entities and their technology partners, such as data centres, to evidence that they can withstand disruption and report incidents swiftly.

This sets a broader global trend – international standards are moving toward simplifying cross-border compliance, while also addressing rising expectations for cybersecurity and sustainability.

ISO/IEC 27001 (information security) and ISO/IEC 27701 (privacy management) are frequently requested certifications that align with EU regulations, including NIS2 and DORA. Similarly, the NIST Cybersecurity Framework provides a common approach for risk management, helping stakeholders maintain consistent practices as they scale operations across borders.

While international standards provide some consistency, data sovereignty rules are still fragmented. For instance, while GDPR remains the baseline across Europe, individual member states impose stricter local provisions. Meanwhile, countries like China and Japan have their own data sovereignty laws, with varying levels of control over cross-border data transfers.

Regional perspectives

Each region has unique data sovereignty requirements. In France, hosting personal health data requires Health Data Hosting certification, and the updated scheme requires physical hosting within the EEA with defined controls.

In the UK, data centres are now designated as Critical National Infrastructure, and the Cyber Security and Resilience Bill is expected to tighten incident-reporting and supply chain requirements. Meanwhile, Japan has strengthened its data protection laws, tightening restrictions on third-country data transfers. Amendments to the Act on the Protection of Personal Information which sits alongside the EU–Japan agreement for an economic partnership ensures a trusted flow of data between the two regions.

Design strategies for adaptability

As regulatory frameworks evolve, data centres must become more adaptable. Modular designs, which support for phased construction and retrofitting, are increasingly common. This approach enables operators to accommodate changing regulations and customer demands without major redesigns.

Modular designs also contribute to sustainability goals, with high-density zones ready for AI and liquid cooling, and reduced PUE (Power Usage Effectiveness), CUE (Carbon Usage Effectiveness), and WUE (Water Usage Effectiveness). Carrier-neutral campuses, which support multiple cloud and telecom providers, enable businesses to meet regulatory requirements while minimising vendor lock-in.

Collaboration and ecosystem partnerships

While infrastructure design sets the foundation, achieving effective data sovereignty requires collaboration across multiple partners. No single operator can meet all regulatory demands, which is why a connected ecosystem is crucial. This includes collaboration between carrier networks, cloud service providers, and security partners to ensure resilience, performance, and compliance.

Dense carrier ecosystems and Internet Exchange Points (IXPs) provide short, diverse paths to users, reducing latency and dependence to a single provider. At the same time, hyperscale cloud platforms and private cloud on-ramps offer predictable performance for regulated workloads and enable secure, direct data transfers for emerging technologies like AI.

In addition to these technical partnerships, legal and compliance tools like Standard Contractual Clauses (SCCs) and data processing agreements further support transparency and accountability , ensuring data is handled in accordance with regulations.

The road ahead

As data sovereignty becomes an integral part of infrastructure design, operators must focus on providing flexibility, transparency, and compliance. By combining modular designs, carrier-neutral interconnection, and recognised standards, businesses can build infrastructures that not only comply with current laws but also adapt as regulations evolve.

In this way, data sovereignty is no longer a challenge to work around. It is a design principle that ensures infrastructure can evolve with the geopolitical landscape, supporting innovation while keeping data secure and compliant.