Trust, security, compliance and transparent access control are what make sovereign cloud a data governance cornerstone.

We’re witnessing a crisis of trust in global cloud. Scott Sumner, vice president of government and chief information security officer at Dassault Systèmes, explains: “It has become clear, particularly through the lens of a complex geopolitical landscape with nation-state sponsored cyber threats, that the idea of absolute safety in the cloud is compromised.”
While global cloud providers offer best-in-class capabilities, they aren’t appropriate for everything. “At a national level, trust for these bulk cloud carriers has weakened,” Sumner said. “There have been cases where security wasn’t handled as well as it should have been and where dependency on them has been a problem.”
The US Clarifying Lawful Overseas Use of Data (CLOUD) Act, which came into force in 2018, adds to the problem. The Act allows US authorities to access data from US-headquartered cloud providers or their subsidiaries, even if that data is stored outside the US. While this is a particular concern for defence organisations, other industries with strategic national IP – like nuclear, energy, critical infrastructure and transportation – are also at risk.

According to Capgemini research, the threat posed by potential exposure to extra-territorial laws and/or the possibility of data access by foreign governments owing to a vendor’s location of origin was cited as a concern by 68% of public sector respondents.
Ultimately, without sovereign control over data, governance isn’t guaranteed. Organizations want greater clarity on who can access their data, where it is stored, under which legal jurisdiction it falls, and how it is protected from nation-state interference.
What makes the sovereign cloud trustworthy?
There are three key pillars of the sovereign cloud that ensure trust:
1. Sovereign data location
UK-only residency and UK-only personnel access prevent unwanted jurisdictional access.
“The sovereign cloud provides assurance that you are subject to the laws of your own country,” said Sumner. “It creates agility within the country. For example, in the US, we have a number of offerings that we were able to pivot quickly for government use because the data was already in-country. We can do the same in the UK, EU, Japan and Australia. Having sovereign solutions in place means you don’t need to worry about moving data or building new data centers. The infrastructure, people and compliance framework are already there.”
2. Standards-based compliance and a zero-trust architecture
Defense customers assume systems are compromised until proven otherwise. That’s why Dassault Systèmes has adopted key industry standards including the National Cyber Security Centre’s 14 Cloud Security Principles, NIST 800-53, ISO 27001, SOC-2, TISAX, FedRAMP, C5 and SecNumCloud.
“We have a team of people dedicated solely to navigating new rules,” said Sumner. “The goal is to maintain our level of service while operating in increasingly stringent regulatory environments.”
Chris Spaul, director of enterprise solutions and innovation for aerospace and defense (A&D) at Dassault Systèmes, explains how important it is that cloud providers have comprehensive training in key industry standards. “Although we acknowledge our customers want to take the lead, we want to be there supporting them, helping drive them and helping them do the right things with our tools and helping them make the right decisions to get to that zero trust capability,” he said.
3. Transparent access control
Single-tenant UK-only environments allow full visibility of who can access data and when, supporting transparent access control for high-risk sectors like defense, energy and critical infrastructure.
Transparent access control is implemented through adherence to recognized frameworks like NIST 800-53, which guides access control policies, auditing and monitoring.

Why sovereignty is the backbone of data governance
Governance needs immovable boundaries, particularly for regulated sectors. Without sovereignty, data lineage, retention, residency and access control become impossible to guarantee.
Beyond compliance, the sovereign cloud offers:
- A single-tenant UK environment that can ensure traceability and transparency
- Secure cross-discipline collaboration
- Simplified regulatory audits
- Reduced legal exposure
- Protection of IP from foreign retrieval
- Confidence that cloud is safe for high-value R&D workloads

It’s time to adopt a cloud you can trust
Trust is earned through governance, transparency and control. A sovereign cloud provides the foundation for this, giving organizations the confidence to scale securely and responsibly.
This is particularly crucial at a time when the UK MoD’s shift from audit-first to “secure by design” means defense organizations must prove compliance and accept liability. Similarly, energy and transport operators can leverage sovereign cloud to confidently demonstrate correct handling of sensitive data, while retaining control and accountability.
Dassault Systèmes’ offering is born secure and therefore offers a compelling advantage for any company concerned about data governance.
“When we design a product, we apply three principles: security by design, privacy by design, and quality by design,” Sumner concludes. “This means the foundational elements of how the application or ecosystem works are engineered by specialists with decades of experience. It’s far more expensive to retrofit security later than to build it in from the start. Our platform and solutions have security, privacy and quality experts embedded directly into the development teams. When architectural decisions are made, the right subject-matter experts are in the room, and involved until the product is in front of the customer.”

