Cloud residency has moved from a technical preference to a board-level control question, as organisations are being asked to evidence who can access data, under which jurisdictions, and what happens when something goes wrong across borders. A Gartner survey of CIOs and IT leaders in Western Europe found that 61% expect geopolitical factors to increase their reliance on local or regional cloud providers, while also predicting that by 2030, more than 75% of enterprises outside the US will have a digital sovereignty strategy.
UK data and infrastructure decisions are being made under the same backdrop of persistent cyber exposure, which is pushing “where is it and who can reach it” higher up the priority list in procurement and assurance discussions. The UK government’s Cyber Security Breaches Survey 2025 reports that 43% of businesses experienced a breach or attack in the previous 12 months, with prevalence higher among medium and large organisations.
Demand signals are also pointing in the same direction, with sovereignty being treated as a buying criterion, not a niche compliance topic. A UK survey referenced by TechRadar reports that 78% of respondents agreed sovereignty has become a priority when choosing infrastructure partners, because decisions about where data lives, moves, and is accessed now affect risk, governance, and accountability.
Here, Mark Lewis, Chief Marketing Officer at Pulsant, offers his insights.
Why ‘UK-hosted’ is only part of cloud sovereignty
A UK cloud region tells you where services are hosted, yet sovereignty questions usually widen to cover who can access data, where administration is performed, and which jurisdictions sit over suppliers and support chains. The Ministry of Justice frames “data sovereignty” as more than server location, including checks such as whether data can be viewed, modified, copied or deleted remotely from another country and who is managing the service.
From a UK GDPR perspective, the related issue is whether any part of processing amounts to a restricted transfer, including scenarios where data is made accessible from outside the UK. The ICO’s brief guide to international transfers and its guidance on whether you are making a restricted transfer move the discussion into specifics: who is exporting the data, who receives it, and where that receiving organisation is located.
“When businesses set out their sovereignty requirements, the first problem usually isn’t technology, it’s ambiguity,” says Mark Lewis, Chief Marketing Officer at Pulsant. “Teams often see a provider’s UK region and assume that settles the sovereignty question, then a security review asks who holds admin access, where support teams and subcontractors are based, and what access is used during incidents and recovery. Once you map those access routes, it becomes clear that server location is only one part of the answer, and the real questions are who can reach the environment, from where, and under what controls?”
A practical sovereignty checklist for IT leaders
Once sovereignty is treated as an access and jurisdiction question, the next step is documenting the checks you can evidence. The steps below are the ones that hold up in procurement, risk reviews and audits.
- Map data and processing, then map access. Document which datasets are in scope, where they are stored and processed, and which roles and systems can access them, including break-glass admin routes, third-party support, managed services, monitoring, and incident response workflows. The ICO’s international transfers hub helps keep that analysis aligned to UK GDPR expectations.
- Separate “lawful transfer” from “sovereignty requirement”. A transfer mechanism can be legally valid while still failing a customer, board or sector requirement for jurisdictional control, so those requirements need to be written down as policy.
- Check the contractual controls that become critical during stress. Incident response obligations, audit support, subcontractor transparency, and the ability to evidence where access occurred often matter more than feature comparisons.
- Treat exit and portability as part of sovereignty. If you cannot move a workload or dataset inside a required boundary within a realistic time, governance stays theoretical.
“The teams that handle this well tend to bring security, legal, and operations into the same room early, then write down what they can prove, not what they believe,” says Mark Lewis. “When auditors ask about access and jurisdiction, you need a trail that covers how services are administered, how credentials are governed, and where critical recovery processes run.”
Why colocation matters for sovereignty
Witherslack Group cares for some of the UK’s most vulnerable children. IT Director Stephen Hall describes the reality of high-risk environments where “a breach could genuinely destroy lives” and the complexities of managing data across multiple jurisdictions. It’s a real-world example of why some organisations need to treat location certainty and tightly governed administration as baseline requirements for data management. That focus sits alongside the government’s view that data centres are integral to national resilience, with UK data centres designated as Critical National Infrastructure in 2024.
For many IT leaders, the practical gap sits between what a provider markets as “UK-based” and what stakeholders expect when contracts, sector standards, or internal policies require data to remain under UK jurisdiction with tightly controlled administration. That is the point at which “UK-based” needs to be defined properly, covering not only where infrastructure sits, but also how operations are staffed, how privileged access is handled, and what happens during incidents. In some cases, that definition exercise leads to using a trusted UK colocation provider as the control point for sensitive workloads, with cloud services connected in where they meet policy and assurance requirements.
What stands up under scrutiny
A sovereignty-led approach becomes credible when it produces outcomes that can be demonstrated under pressure, including during audits, breach response, and supplier changes. That usually means fewer environments with clearly documented access paths, tighter operational controls around administration and recovery, and an infrastructure mix that supports compliance evidence without creating avoidable fragility.
Cost still matters, but the organisations making the cleanest decisions are treating sovereignty requirements as constraints that must be met, then building procurement and architecture decisions around demonstrable controls. When those constraints are clear, UK colocation can serve as a stable foundation for sensitive workloads and control-heavy components, with public cloud consumption layered in through connectivity and governance that aligns with policy and can be evidenced when scrutiny arrives.
Content credit: Pulsant
