Between aspiration and reality: How companies deal with data sovereignty

Technical contribution

June 4, 2025

Würzburg, June 4, 2025 - The strategic importance of data sovereignty is growing noticeably. However, many companies are struggling with its practical implementation. This is a key finding of a recent study by BARC. While 84 percent of the companies surveyed classify data sovereignty as an important topic in their corporate strategy, almost half cite a lack of human or technical resources as the biggest hurdle on the way to gaining actual control over their data.

"Many companies have understood that data sovereignty is an essential building block for digital security and sustainable innovation," says Carsten Bange, founder and Managing Director of BARC. "What is often missing are the necessary prerequisites to implement this claim in a structured way."

Between aspiration and reality

Data sovereignty means being able to track at all times where data is stored, who has access and under what conditions it is processed. This is not just about technology, but also about processes, responsibilities and transparency. Current regulatory developments in Europe in particular, including the EU Data Act and the NIS2 Directive, are significantly tightening the requirements for traceability and access control.

At the same time, there is a lack of capacity in many companies: 45% of respondents cite a lack of resources as a key challenge, while 39% complain about a lack of in-house expertise. Particularly in complex, mature IT landscapes, it is difficult to identify critical data, clearly define responsibilities and implement technical and organizational measures in a targeted manner.

Strategies: classification, hybrid models and security investments

In order to meet the increased requirements, many companies are pursuing a combination of technical and organizational measures. 51% rely on hybrid cloud strategies in order to be able to manage data flexibly depending on its criticality. At the same time, 50% are investing more in cyber security, with an above-average proportion in the DACH region (55%).

A central element of sovereign data architectures is the targeted classification of data. The need for protection is particularly high for personal information (employee and customer data), but financial data and data for AI applications are also considered particularly sensitive.

Governance instead of good intentions: Anchoring data sovereignty strategically

"Data sovereignty should not be seen exclusively as a technical issue," emphasizes Timm Grosser, Senior Analyst at BARC. "Companies should clearly define responsibilities and set up internal structures in a targeted manner. Only then can legal requirements be fulfilled efficiently and sustainably."

The authors of the study advise companies to first carry out a thorough inventory of their data landscape, systematically classify sensitive data and clearly establish governance structures. This is the only way to create the basis for sustainable and resilient data sovereignty, regardless of individual technologies or provider strategies.

The BARC study was commissioned by Exasol, Dataciders and Exoscale and can therefore be made available free of charge: https://barc.com/de/research/datensouveranitat-sichern/