Expensive theatrics or something more?

CTOs should ask whether the sovereignty premium delivers real value for their risk profile

The UK stands at a crossroads between exciting tech deals and growing cloud sovereignty concerns.

Following Google’s £400 million contract with the Ministry of Defence to deliver a sovereign cloud platform, and with US tech firms like Microsoft and Nvidia pledging to invest billions in the UK, new research from Pure Storage reveals that 100% of industry leaders now view data sovereignty risks as a key factor forcing organisations to reconsider where their data resides. This comes at a time when businesses both embrace and question their reliance on American hyperscalers.

A business recently asked me what would happen if the cable between Ireland and the UK were cut, given they run critical workloads in Dublin and are concerned about the physical connectivity between its UK operations and its cloud infrastructure. It’s precisely these conversations that capture practical concerns about resilience, control and what happens when things go wrong around cloud sovereignty.

The reality is that while sovereignty concerns are real and growing, actual cloud repatriation remains stubbornly small – less than 1% of the market by my estimation. What we’re seeing instead is a lot of talk, some genuine anxiety and little concrete action.

This disconnect between concern and action tells us something important about what enterprises prioritise. When businesses are worried about sovereignty, the conversation begins with practical questions around infrastructure resilience instead of surveillance fears or jurisdictional nightmares: What if our primary region goes down? What if geopolitical tensions affect our infrastructure access? What happens if we’re too dependent on a single control plane?

Businesses are increasingly being driven to deploy cloud infrastructure in their own data centre not because public cloud failed them, but because the revenue stakes are simply too high to cede every layer of control to external providers. Here’s where the sovereignty narrative gets murk – where do you draw the line on sovereignty? Even the most sovereign solutions can’t escape technology dependencies at some level.

European cloud providers still run on American servers, storage, chipsets and largely American operating systems. For instance, SAP’s recent £20 billion sovereign cloud investment, while impressive, is equally grounded in the reality that the entire technology stack remains fundamentally American – raising the question of which layers of the stack the sovereignty should be applied to.

This isn’t to dismiss sovereignty concerns, but to acknowledge their practical limitations. True technological independence would require rebuilding everything from transistors upward – something only China has seriously attempted, and even they struggle with advanced semiconductor manufacturing.

What troubles CTOs more than these technical realities is the hidden cost conversation that often gets overlooked. Sovereign alternatives are invariably more expensive, and tend to have a slower pace of innovation than their hyperscaler equivalents. The justification of these costs need to be included in the overall business case for sovereignty.

The question CTOs should ask isn’t whether they can achieve perfect sovereignty – they can’t, at least not yet – it’s whether the sovereignty premium delivers real value for their specific risk profile. Most enterprises have bigger problems to solve than hypothetical government overreach.

That said, the market is responding intelligently to these concerns. Hyperscalers are introducing sovereign cloud offerings precisely because they recognise customer anxiety, even if the underlying technology dependencies remain unchanged. Meanwhile, providers are creating more hybrid and flexible options that give enterprises relatively granular control over their data location and access policies.

I expect to see even greater flexibility in the coming months – customers able to select control frameworks like adjusting a slider, choosing the level of sovereignty that matches their actual risk tolerance rather than their theoretical concerns. Automation will be crucial here, ensuring that additional controls don’t sacrifice the agility that drove cloud adoption in the first place.

We’re not heading back toward on-premises infrastructure. Organisations are rapidly adopting cloud technologies, with strong momentum toward public cloud platforms. At the same time, the market is beginning to stabilise into a more balanced model, depending on business needs and workloads.

For partners and CTOs navigating this landscape, my advice is that start with the problem you’re actually trying to solve. Sovereignty for sovereignty’s sake is just expensive theatrics. However, considering sovereignty as part of a broader resilience and risk management strategy remains an important conversation.

The real test will come when organisations have to navigate the increasingly complex reality of maintaining innovation while preserving control. Those who approach sovereignty decisions with a full view of the consequences will fare better in the near future.

Eamonn O’Neill is CTO and co-founder at Lemongrass