Skip to main content

What is Data Sovereignty?

Data sovereignty refers to data being subject to the laws and regulations of its physical location. This can mean data in storage, processing, or transmission, regardless of the physical location of an organization.

All data stored, processed, and transited within a country, state, region, or jurisdiction is bound by the relevant laws and regulations surrounding data use and privacy protections. Data sovereignty laws are created to protect and govern individuals, organizations, and governments. Data protection regulations include rules on handling personal health data, layers of data security for public sector information, and the establishment of local data storage for foreign companies.

What is the difference between data residency and data sovereignty?

Data residency is where data is physically located. Data sovereignty is how the laws of a location apply to the data that physically exists within that place. Both data sovereignty and residency are especially important in cloud computing and cloud services, where it's possible to house data anywhere in the world. 

All cloud storage, instances, and services run on physical machines tied to a specific geographic location. Because of these differing regulatory environments, organizations must give critical consideration to where their cloud instances reside and where cloud services run. The data sovereignty of these storage and instances is a highly important decision.

Data sovereignty typically falls under the governance, risk, and compliance function of an organization’s cybersecurity and legal program.

What is the AWS Digital Sovereignty Pledge?

The AWS Digital Sovereignty Pledge is our commitment to offering AWS customers the most advanced set of sovereignty controls and features available in the cloud. We give you the flexibility to choose how and where you want to run your workloads for data localization.

The AWS Digital Sovereignty Pledge outlines four key areas where AWS is investing in capabilities to help customers meet their evolving digital sovereignty requirements.

Control over where your data resides

Organizations must always be able to choose where their data resides. AWS has always given customers the choice of where their data resides, with AWS Regions and Availability Zones across North America, South America, Europe, the Middle East, Africa, Asia Pacific, and Australia and New Zealand.

When an AWS Region is not close enough to meet your data residency needs, AWS offers various distributed infrastructure offerings that deliver a consistent cloud experience within a geographic boundary. With AWS Regions, AWS Local Zones, AWS Dedicated Local Zones, AWS Outposts, and AWS Wavelength, you’re empowered to run your workloads wherever they need to reside.

Control over data access

Organizations must have protections in place to prevent unauthorized data access. For example, the AWS Nitro System is designed to enforce restrictions so nobody, including anyone in AWS, can access customer workloads on EC2. Access permissions and restrictions must be built to ensure the highest level of data protection, depending on the data type.

Data encryption capabilities

Organizations must be able to encrypt data in transit, at rest, and in memory. Organizational data should use encryption by default, with the option for stronger encryption if desired. All AWS services already support encryption, with most also supporting encryption with customer-managed keys inaccessible to AWS.

Cloud resilience

Organizations must be able to achieve digital sovereignty without risk of data loss. Control over your data and high availability are critical considerations for data sovereignty, requiring organizations to proactively mitigate the risk of data loss. This enables you to sustain your operations even in the case of unexpected events. Currently, AWS delivers the highest network availability of any cloud provider. Each AWS Region comprises multiple Availability Zones (AZs), which are fully isolated infrastructure partitions. To better isolate issues and achieve high availability, customers can partition applications across multiple AZs in the same AWS Region.

How to implement data sovereignty considerations?

Understanding and incorporating data sovereignty requirements is crucial to maintaining compliance. Here are some considerations as you start your sovereignty journey:

Plan for data localization compliance

Compliance with the law starts with understanding the regulations governing your organization’s operations. These data laws and regulations can cover your business’s geographic areas of operation, the data types you store and process (e.g., health, financial), customers, and your employees’ own data, and how long data collection logs are kept.

Research and communicate with relevant regulatory bodies and law enforcement agencies to ensure you are creating compliant systems and are aware of the process in the event of reporting non-compliance.

Not every company has a data sovereignty expert on hand. Partnering with a compliance consultant can be beneficial in remaining up-to-date with evolving regulations. 

Implement fine-grained access controls

Data residency can be compromised if just one user copies data to another physical location. To prevent this situation, start with foundational, best-practice Identity and Access Management, and implement strict privileged access controls for elevated administrators. 

To help you automate and monitor your storage locations, encrypt your data, and enforce data residency guardrails, you can use AWS Control Tower. The AWS Control Tower control library contains a group of digital sovereignty controls. These controls can enforce data sovereignty configurations, prevent actions, detect resource changes, enforce granular access restrictions, enable default encryption, and provide resiliency capabilities.

Build resilience for mission-critical systems

Business continuity in a disaster depends on reliable backup and failover systems. To comply with data sovereignty regulations, these systems must reside within the same region to maintain the same data sovereignty as your typical operations.

Building in resilience for your mission-critical systems means distributing your data across multiple Availability Zones for reinforced data localization.

For customers who are running workloads on-premises or for remote use cases, you can use AWS services that provide specific capabilities for continued support during network disruptions and remote compute and storage. These services include AWS Outposts and Amazon EKS Anywhere.

Find a cloud partner who provides transparency and assurances

Not only is choosing your data’s location a big decision, but organizations must also be able to trust that their cloud service provider’s systems truly comply with the data sovereignty rules of the jurisdiction. Bring a compliance expert and chat with the provider’s own compliance team for assurance.

AWS has always prioritized customers’ choice over their data sovereignty, allowing full control of the location and movement of their data. From day one, the AWS sovereign-by-design approach has earned us the trust of customers, who are among the world's most data security and privacy-conscious organizations.

What are data sovereignty best practices?

Keeping an up-to-date map of your current data landscape is essential to maintaining a compliant data architecture. Consider implementing the following:

Sort and secure sensitive data

Protecting sensitive data means built-in controls, including tagging, identity and access management, encryption, isolation, and rules for sensitive data at rest, in transit, and in processing. 

Choose your data residency according to applicable laws

Choose data locations that best fit your needs based on your research on your business operations, customers, and data types. Remember that your data location needs may change as your business changes, and data sovereignty may be affected.

Choose a trusted cloud provider

By rigorously vetting public cloud providers, you can gain trust in their data sovereignty assurances. Choose a provider with well-established operations in your chosen data location. 

Keep up to date with compliance obligations

Laws and regulations surrounding data change all the time. You must ensure you remain current with the latest regulations, anticipate new requirements, and meet reporting obligations. Choose a delegate within your organization or a partner company who will be responsible for remaining up to date with changing laws. Create an internal data protection policy that aligns with your obligations.

What are data sovereignty challenges?

Different geographic locations around the world have widely varying laws and regulations regarding data storage, processing, and handling. Jurisdictions may overlap, adding additional layers of data regulations for storing and handling data. For example, Spain, France, and other EU countries have internal laws governing data sovereignty, but must also comply with EU laws. Highly regulated industries such as healthcare and finance also have different regulations. Some countries have indigenous data sovereignty laws regarding the rights of indigenous peoples. 

Doing extraterritorial business can have implications for your data governance requirements. For instance, Australian companies must comply with the GDPR when dealing with EU citizens’ data. 

For organizations with multiple globally registered entities, data sovereignty and compliance with differing extraterritorial regulations become highly complex.

How can AWS support your data sovereignty needs?

All organizations, big and small, must carefully consider data sovereignty to make sure that they remain compliant with their legal obligations in managing data. Data sovereignty considerations intensify for cross-border operations, multinational companies, and organizations working in highly regulated industries. Consider how you manage storing data, how you transfer data, and how you process data.

It’s important to choose a cloud provider that fully understands data sovereignty. Your cloud provider must provide built-in data protections for its customers according to regional requirements, and offer a wide range of data governance, digital identity, and access management, data security, and privacy controls.

Explore Digital Sovereignty at AWS for more information, case studies, and the latest product updates in this critical Security, Identity, and Compliance area.