Data residency and digital sovereignty are frequently used interchangeably, yet they describe fundamentally different things. Understanding the distinction is not a technicality — it is a matter of risk management.
The question sounds almost rhetorical: if my data resides in a data centre in Amsterdam or Frankfurt, surely I meet all requirements? In practice, this line of reasoning creates a dangerous blind spot. Organisations that assume a European data centre provides sufficient protection routinely overlook a set of related but fundamentally distinct concepts.
This article places the most commonly used terms side by side, clarifies the differences between them, and explains why the geographic location of data is only one piece of a considerably larger puzzle.
The terminology unpacked
Let us start with the terms themselves. Below are the definitions that appear in regulation, procurement documents, and supplier contracts — each meaning something different.
Data residency - Also: data domicile
The physical or legal location where data is stored. A contractual or technical guarantee that data remains within a specific jurisdiction — typically a country or region such as the EU. Data residency says nothing about who has access, under which law the provider operates, or how the data is processed.
Data localisation - Also: data localisation requirements
A legal obligation to store and/or process certain categories of data exclusively on national territory. Stronger than data residency: it is not a choice but a legal mandate, as seen in Russia's Federal Law 242-FZ or China's PIPL. Within the EU, localisation requirements apply notably to financial institutions and government data.
Data sovereignty - Also: informational sovereignty
The extent to which a state holds the legal right and practical ability to determine what happens with data about its citizens or institutions. The key question is jurisdictional: which country can compel access to that data through its courts or legislation, regardless of where the data physically resides?
Digital sovereignty - Also: technological sovereignty
The broader capacity of a state or organisation to make independent decisions about digital infrastructure, technology, and data — without dependency on foreign actors who can compel access, cut off services, or impose standards. It encompasses data sovereignty but extends to software, hardware, networks, and standards.
Operational sovereignty - Also: functional control
Concrete, day-to-day control over systems and processes: can encryption keys and access rights be managed without vendor involvement? Can services continue to function if the relationship with the provider ends? Operational sovereignty is the execution layer beneath digital sovereignty.
Technological autonomy - Also: strategic autonomy
The degree of independence from specific vendors, platforms, or countries for critical technology. In the EU context, this concerns reliance on American hyperscalers or Chinese hardware. Closely related to digital sovereignty, but with emphasis on industrial policy and supply chains.
Data protection / Privacy - Also: personal data protection
The legal rights of individuals regarding their personal data, and the obligations of those who process it. In Europe, governed primarily by the GDPR. Data protection intersects with data sovereignty but is not synonymous with it: it concerns individual rights, not state control.
Why the location of data is not enough
"It's in a European data centre" is a frequently heard argument. The reasoning: my data is in Frankfurt, therefore I comply with the GDPR and am protected against foreign interference. But this misses an essential point: legal jurisdiction does not automatically follow from physical location.
"Where your data sits and who can reach it are two entirely different questions." — Gangwisch & Mayer-Schönberger, paraphrase
The best-known example is the US CLOUD Act (2018). Under this legislation, American authorities can compel US-based companies to disclose data — even when that data is physically located in Europe. A service provider with a US parent company can therefore be legally required to hand over data, regardless of whether the data centre is in Amsterdam. Data residency may be guaranteed; data sovereignty is not.
The same pattern applies in other jurisdictions. China has comparable legislation in its National Intelligence Law, which obliges Chinese companies and citizens to cooperate with intelligence services. A cloud solution offered by a Chinese provider, with data stored in a European data centre, offers limited legal guarantees in practice.
How do the concepts relate to one another?
| Concept | Primary question | Level |
|---|---|---|
| Data residency | Where is the data physically stored? | Technical / contractual |
| Data localisation | Is the data permitted to leave the country? | Legal / regulatory |
| Data sovereignty | Who holds legal authority over the data? | Legal / geopolitical |
| Digital sovereignty | Who controls the digital infrastructure? | Strategic / policy |
| Operational sovereignty | Can I manage my systems independently? | Operational |
| Technological autonomy | Am I dependent on foreign parties for critical technology? | Strategic / industrial |
| Data protection | Are the rights of data subjects respected? | Legal / compliance |
What does this mean in practice?
For organisations in critical sectors
Government bodies, hospitals, energy companies, and financial institutions are increasingly confronted with requirements that go beyond the GDPR. The NIS2 Directive, the DORA regulation for the financial sector, and forthcoming EU legislation on cloud infrastructure explicitly address the degree of control organisations must maintain over their own systems — not merely the location of their data.
This means that who manages encryption key material is at least as important as where the data is stored. Encryption in which keys are held by a third party offers limited protection if that party can be legally compelled to cooperate with access requests.
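As an added example (not part of the original article), the following Go sketch shows why key custody matters: the provider's copy of a record holds only the ciphertext and a data key wrapped under a key-encryption key (KEK) that stays with the customer, so handing over the stored record without the KEK yields nothing readable. AES-GCM, the 256-bit key sizes and the function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length (not 16/24/32 bytes) causes this
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts pt under key with a fresh random nonce, returning nonce || ct.
func seal(key, pt []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error (Go 1.24+)
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails on a wrong key or a tampered/truncated blob.
func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if ns := gcm.NonceSize(); len(blob) >= ns {
		return gcm.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob shorter than nonce")
}

// Encrypt: fresh 256-bit DEK per object; the provider stores only the two outputs, never the KEK.
func Encrypt(kek, pt []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, pt), seal(kek, dek)
}

// Decrypt needs the customer's KEK to unwrap the DEK; without it the record stays opaque.
func Decrypt(kek, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: KEK missing or wrong")
	}
	return open(dek, ciphertext)
}
```

The same structure applies when the KEK lives in a customer-controlled HSM: only the wrap and unwrap calls move out of the process, and the provider still never sees the KEK.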
For procurement and vendor selection
When evaluating cloud providers and managed service providers, the relevant questions extend well beyond storage location. They include the parent company's jurisdiction, the applicable law in the country of incorporation, exit provisions, and the degree of control the customer retains over encryption and key management.
The key question in every vendor evaluation: Under which legal framework does this party operate, and can a foreign government use that framework to compel access to our data — regardless of where that data physically resides?
For your own organisation
Digital sovereignty is not a binary end state but a spectrum. No organisation operates in complete autonomy — nor is that the objective. The goal is informed decision-making: where do you accept dependency, and where do you not? Which data and processes are sufficiently business-critical to warrant additional control?
A pragmatic approach begins with classification: which data is sensitive, which is routine, and which touches on national security or business continuity? Only on the basis of that classification can appropriate measures be determined.