Cloud Control: The New Corporate Mandate for Data Sovereignty

The corporate march to the cloud has hit a complex new phase. According to the 2025 Thales Cloud Security Study, which surveyed over 3,100 IT professionals globally, companies are no longer just asking if the cloud is secure. They are demanding to know exactly where their data lives and who can touch it. Nearly a third of organizations reported a cloud data breach in the last year, a number that's rising, not falling.

The study reveals a fundamental shift. While 73% of firms use more than two cloud infrastructure providers, this diversification brings risk. Only 33% encrypt more than half of their sensitive cloud data, leaving a vast exposure. SaaS applications, now used by the hundreds in a single enterprise, have become the top target for attacks.

But the driving force isn't just security. It's sovereignty. Two-thirds of respondents flagged data sovereignty as a major concern, a issue moving from European regulatory circles to boardrooms worldwide. Laws from India to Brazil dictate where data must be stored, while the U.S. CLOUD Act creates legal tensions for firms using American tech giants. The question is no longer just about compliance, but about control—who holds the encryption keys, and which government's laws apply.

In response, every major cloud vendor now markets 'sovereign' options, from Microsoft's EU Data Boundary to Google's partnerships with local European firms. Yet analysts warn these offerings vary widely; some guarantee data residency but not local operational control, creating a murky market for buyers.

The path forward, Thales suggests, requires 'operational sovereignty'—real-time control over data regardless of the provider. For IT leaders, the message is clear: the era of trusting the cloud provider to handle everything is over. The next chapter is defined by direct, verifiable command over corporate data, a technical and legal challenge that will define enterprise IT for years to come.