Is Data Sovereignty a Real Fear for Clients?
Data sovereignty has evolved into a strategic imperative, as organisations balance regulatory constraints, cloud innovation, and the growing need for digital autonomy in a fragmented global landscape.
April 17, 2026

By Jim Kent – Photo: Aristides Protopapadakis, CEO of Systemic
Data sovereignty has shifted from a theoretical concern to a boardroom-level discussion, particularly in markets like Luxembourg where financial services, regulation, and cross-border data flows intersect. But is it a genuine fear for clients, or simply another industry buzzword?
At its core, data sovereignty refers to the idea that data is subject to the laws and governance structures of the country in which it is stored or processed. For European organisations, this raises immediate questions when working with US-based hyperscalers. Regulations such as the US CLOUD Act, alongside frameworks like FISA, have created a perception, and in some cases a reality, that non-European authorities could access sensitive data hosted by American providers, even if that data resides in Europe.
We spoke with Aristides Protopapadakis, CEO of Systemic, who said:
“We are observing a significant rise in awareness regarding data sovereignty. Clients are becoming more selective, driven by regulatory frameworks such as the GDPR, ESMA guidelines, and national requirements that often mandate EU-based data storage. As a result, they increasingly prioritize providers offering sovereign cloud capabilities and EU-hosted data centres, aiming to mitigate cross-border data risks – particularly in light of evolving regulations such as AIFMD II.
At the same time, regulatory developments like DORA are accelerating a parallel trend: a strategic shift toward outsourcing critical infrastructure, including data hosting. In practice, this permits SaaS under specific conditions, primarily concerning where data is hosted, access controls, and whether cross-border data transfers are permitted. Financial institutions must therefore ensure strict control over data location, full auditability of the provider, and a clear exit strategy to guarantee data portability. Even large institutions are reconsidering the long-term sustainability of maintaining such infrastructure in-house, opting instead for trusted SaaS and cloud partners that can meet both operational and regulatory expectations.”
However, the picture is nuanced. Hyperscalers continue to invest heavily in European data centres, sovereign cloud offerings, and contractual safeguards. At the same time, European providers are positioning themselves as credible alternatives, emphasising local governance, transparency, and compliance with EU frameworks such as the AI Act and GDPR.
The real question is not whether data sovereignty is a fear, but how it is being managed. Increasingly, organisations are adopting hybrid or multi-cloud strategies, balancing performance, innovation, and regulatory exposure. Legal, IT, and risk teams are now far more aligned, evaluating not just where data sits, but who can access it, under what conditions, and with what level of oversight.
In this context, data sovereignty is neither hype nor paranoia. It is a strategic consideration, one that reflects a broader shift towards digital autonomy in an increasingly fragmented global landscape.