A New Era of Digital Sovereignty
Digital sovereignty is no longer a regional concern or abstract policy debate—it’s a defining force shaping the future of cloud security and compliance. Governments and regulators are placing increased scrutiny on where data lives, how it’s accessed, and who has operational control over it.
But here’s the key shift: sovereignty is much more than isolation—it’s about control without compromise. Cloud customers want the full benefits of cloud innovation and the ability to meet rising regulatory expectations. AWS’s evolving digital sovereignty strategy is a direct response to this need.
The urgency is backed by market trends: IDC forecasts $258.5B in global sovereign cloud spending by 2027, growing at a 27% CAGR. Sovereignty is no longer niche. It’s a generational transformation in how compliance, cloud, and trust intersect.
For compliance-driven organizations navigating frameworks like FedRAMP, CMMC, GDPR, and IRAP, AWS’s sovereign-by-design architecture opens new opportunities—and new responsibilities.
AWS Approach to Sovereign Cloud Design
AWS is taking a layered approach to digital sovereignty:
- Dedicated Sovereign Regions: AWS plans to launch additional cloud regions with stricter jurisdictional controls, including Europe, the Middle East, Asia Pacific, and Australia & New Zealand.
- Customer-Controlled Encryption: Enhanced key management services where customers maintain exclusive control over encryption keys.
- Operational Autonomy: Minimizing AWS personnel access to customer data and operations within sovereign regions.
- Transparent Architecture: Through services like Nitro and Control Tower, AWS emphasizes architectural transparency, reinforcing customer trust.
These changes aren’t just about building trust; they are setting new technical baselines that impact how organizations must design and validate compliance in the cloud.
Initiatives such as the AWS European Sovereign Cloud will be an independently operated cloud region in the EU (hosted in Germany), with local staffing, support, and operations, backed by a €7.8B investment. This provides EU customers with increased operational autonomy and assurance in line with EU regulations such as GDPR and DORA.
AWS Sovereign Cloud: More Than Just Infrastructure
AWS has made several key moves ensuring their Digital Sovereignty Pledge is taken seriously, including:
- Encryption Everywhere: Customers have the ability to encrypt all data, whether in transit, at rest, or in memory, for AWS services. Using AWS CloudHSM and BYOK in AWS KMS allows customers to maintain verifiable control over data access. At 38North Security, we’re actively building our own internal compliance automation solution using AWS CloudHSM as a critical trust foundation.
- AWS Control Tower: A managed service that simplifies the process of setting up and managing AWS environments by automating account provisioning, security, and compliance enforcement. Over 245 controls have been added to enforce digital sovereignty requirements.
- AWS Dedicated Local Zones: AWS infrastructure placed in a customer-specified location or data center to help comply with regulatory requirements.
- AWS Nitro System: A high-performing lightweight hypervisor that eliminates operator access through strong physical and logical access to enforce access restrictions, enabling confidential computing by default.
- AWS Digital Sovereignty Competency: A new partner designation that highlights providers capable of guiding customers through sovereignty requirements—and a space where firms like 38North Security can lead.
This is sovereignty by design, not exception.
As an AWS Advanced Tier Services partner and proud member of the AWS Global Security & Compliance Acceleration (GSCA) program, 38North Security works closely with AWS and public sector stakeholders to stay at the forefront of cloud compliance and sovereignty initiatives.
FedRAMP and Sovereign Cloud Alignment
FedRAMP’s modernization efforts (FedRAMP 20x) are increasingly aligned with the principles behind sovereign cloud:
- Continuous Monitoring (ConMon): Emphasizing real-time visibility and telemetry-driven continuous compliance, aligning with AWS’s automated cloud security services such as AWS Security Hub, Amazon GuardDuty, Amazon Inspector, and Amazon Macie.
Learn more: How Continuous Monitoring Supports FedRAMP Readiness
- Control Inheritance: FedRAMP allows CSPs to inherit controls from underlying infrastructure providers. With AWS’s sovereign regions, this inheritance becomes even more compelling for government systems requiring stricter isolation.
- Zero Trust Integration: Sovereign architectures naturally complement zero trust principles, increasingly required in government mandates.
Learn more: 16 Things You Need to Know About Zero Trust
Organizations seeking FedRAMP authorization must now think beyond traditional boundary definitions. In a sovereign cloud world, compliance is not just about segmentation — it’s about demonstrable, automated control enforcement.
CMMC 2.0 and ITAR: Sovereignty in Defense
CMMC emphasizes controlled access, while ITAR (International Traffic in Arms Regulations) raises the bar even further—requiring strict control over who can access defense-related data and where it is processed.
With AWS sovereign cloud capabilities:
- Data localization is no longer just about geography—it’s about operational sovereignty.
- AWS Nitro and CloudHSM help enforce cryptographic boundaries with no operator backdoor access.
- Regional deployments with clearly defined personnel boundaries support compliance with ITAR and similar national security requirements.
Defense contractors and DoD-adjacent CSPs must increasingly design for sovereignty, not just security. That means enforcing who can touch data, where it’s stored, and how it’s verifiably protected.
Learn more: Determining Compliance: What CMMC Level Do I Need for My Business?
Global Framework Convergence: GDPR, ISM/IRAP, ISMAP, CCCS, DORA
We are seeing a convergence across global compliance frameworks, each with their own flavor of sovereignty:
- GDPR (EU): Emphasizes data residency, access transparency, and lawful processing.
- DORA (EU): Introduces new expectations for operational resilience and governance in financial services.
- ISM/IRAP (Australia): Requires local infrastructure alignment and independently validated controls.
- ISMAP (Japan): Mandates rigorous third-party assessments and cloud vendor accountability.
- CCCS (Canada): Enforces compliance with the Canadian Centre for Cyber Security’s cloud security controls.
Learn more: Here’s How Trade Agreements Impact Data Sovereignty in IRAP
U.S.-based CSPs and advisory firms can no longer treat these frameworks as “foreign.” They are shaping the way modern architectures are being reviewed and authorized globally.
Case in point. Control and management planes deployed across foreign geographic regions often raises a red flag by regulatory bodies. Knowing which countries permit global support operations can justify the business case to expand into new foreign markets. Depending on the jurisdiction not all data types require the same level of protection. Having an experienced global advisor such as 38North to guide go-to-market (GTM) decision making is an absolute necessity.
As of today, we are actively working with clients and partners across the U.S., Japan, Australia, Canada, and the UK to navigate these complex, sovereign-first regulatory requirements.
AWS + 38North Security: Partnering for Sovereignty-by-Design
AWS is clear: digital sovereignty isn’t something it offers alone. It’s something it enables through partners. That’s where 38North comes in.
We help:
- Architect sovereign-by-default environments in a customer selected AWS region.
- Maximize inheritance by accurately mapping controls to framework-specific requirements (FedRAMP, CMMC, GDPR, IRAP, ITAR, DORA, ISMAP, CCCS).
- Leverage cloud-native services and innovations such as AWS Nitro, CloudHSM, Control Tower, and Landing Zone Accelerator to reduce compliance friction and speed adoption.
- Prepare organizations for the shift from documentation to provable, code-driven assurance.
Sovereignty doesn’t mean sacrificing capability. It means unlocking new trust.
Conclusion: Compliance in a Sovereign Cloud World
AWS’s sovereign cloud strategy represents a fundamental shift in how cloud platforms support regulatory obligations. For CSPs, integrators, and agencies, this is a chance to move beyond “checkbox compliance” and toward governance that is auditable, automated, and aligned with global expectations.
Digital sovereignty is no longer a future state. It’s a current requirement. And those who design for it today will lead tomorrow.
At 38North Security, we’re building partnerships that make sovereignty real—in the code, in the architecture, and in the audit room. While we’re headquartered in the US, we are actively engaged with customers and partners across the globe spanning multiple geographic regions.
If your organization is preparing for the next wave of compliance modernization at a global scale, we’d love to help.
Talk to us about how FedRAMP 20x, CMMC 2.0, and global digital sovereignty initiatives are shaping your organization’s compliance roadmap.
About the Author
