How data sovereignty and trust became CEO priorities

Data sovereignty is now a boardroom issue, not just IT. Andy Leaver argues that encryption control, auditability, and crypto-agility now sit firmly on the leadership agenda.


In recent years, there has been a fundamental shift in how data is accessed and stored. It is now common for organisations to hand their data to external providers, allowing it to move across cloud platforms, shared infrastructure, and third-party services. While that may streamline operations and reduce costs, it can also mean sacrificing control and visibility over how data is used and who can access it. Those blind spots often surface at the worst possible time, whether during an audit, a customer assurance review, or due diligence for an acquisition.

This is where sovereignty enters the conversation. Put simply, data sovereignty means maintaining enforceable control over access to data, and being able to evidence that control under audit, even when the infrastructure belongs to someone else. When data travels freely between third parties and cloud environments, control, legal jurisdiction, and lasting confidentiality become more difficult to manage. That is particularly true for enterprises operating across jurisdictions or in heavily regulated industries.

As a result, trust and data protection can no longer sit solely with IT teams. Boards are increasingly expected to understand how business data is secured, how access is enforced across third parties, and what evidence exists that controls are actually working.

Strengthening protection without disruption

Proactivity is critical. The organisations that get ahead of the risk will be those that start now by mapping their assets and building a clear picture of how data flows, who has access to it, and how it is protected in external environments.

To strengthen data security, businesses need to re-evaluate the shared ownership model that often applies when data is handed to third parties. Many assume that “secure by default” is enough, but sovereignty requires clarity on responsibilities, access pathways, and escalation rights. It also requires control over the elements that matter most, particularly encryption keys and the policies governing their use. If a business cannot control and revoke access at the cryptographic level, it becomes difficult to claim meaningful sovereignty, regardless of where the data is hosted.

Comprehensive encryption intelligence tools are central here because they provide visibility into data mobility and cryptographic dependencies. That includes legacy algorithms, deprecated protocols, and weak configurations that can persist unnoticed across cloud services and acquired systems. Each can become a vulnerability. That awareness helps enterprises build credible migration programmes, prioritise what to fix first, and avoid designing modern security strategies that look strong on paper while relying on inconsistent or ageing cryptography underneath.

The impact of emerging technologies on data protection

Getting sovereignty and security right is becoming more urgent as emerging technologies — notably AI and quantum computing — increase the penalty for weak visibility and slow response.

AI is accelerating the pace of attack and the scale of vulnerability discovery. While it cannot break encryption in the way future quantum systems are expected to, it can speed up the identification of weaknesses and improve the sophistication of phishing attacks. For organisations with fragmented environments, inconsistent identity controls, and sprawling third-party access, that speed presents a substantial threat.

Quantum computing, meanwhile, raises the issue of long-term confidentiality. Much of the data leaders are responsible for must remain protected for years, and sometimes decades, including customer records, intellectual property, strategic plans, and regulated archives. That creates exposure to “store now, decrypt later” attacks, where adversaries capture encrypted data today in the expectation that it will become decryptable later. Quantum computing is not yet broadly accessible at scale, but the implications are relevant now for any business holding data with a long shelf life.

The mistake is to treat quantum as a future crisis and sovereignty as a separate debate. They converge on the same requirements: crypto-agility and control. Organisations need to know what encryption they rely on, where it is deployed, and how quickly it can be upgraded or replaced without disrupting critical services. That is precisely why automated cryptography discovery and inventory should become part of the sovereignty conversation early.

Early preparation is key for strategy

As data moves fluidly across cloud infrastructure and external providers, enterprises can no longer view trust and data ownership as simply another technology project. Strategic concerns such as legal jurisdiction and long-term confidentiality become more complex when infrastructure is outsourced.

To maintain security, organisations need sovereignty. That means retaining control over encryption keys and being able to demonstrate that sensitive data remains protected and access remains governed, regardless of where the data travels. By securing data at its foundation, businesses gain a strategic foothold that is becoming increasingly important in a volatile global environment.

As technology advances, leadership must ensure the enterprise progresses alongside it. That means building systems on a strong enough foundation to adapt without requiring complete overhauls. The organisations best placed for what comes next will be those that put preparation and visibility at the centre of strategy.

This piece first appeared in the Q1 2026 edition of Business Quarter magazine.



