Let’s get something out of the way early on: public cloud is actually pretty good. For development environments, burst compute, globally distributed collaboration – it remains a capable tool for enterprise IT. The problem is not public cloud itself but the fact that the legislative world around it has changed, while most organisations’ use of it has not.
The question worth asking is whether your organisation has deliberately decided which workloads belong in public cloud and which belong in private cloud. For most, the honest answer is no, and that gap between an assumption and a considered strategy is where legal and regulatory exposure builds, quietly, without announcement.
The difference nobody explained
Ask most CIOs where their data is and they will point to a region. UK South. London availability zone. That is data residency: the physical location of the servers.
Ask where their data is governed and at best, they will point to the data protection and information security clauses in the contract. Push it one step further and ask who holds legal access rights, under what circumstances, under which nation’s law – and the answer becomes less certain. That is data sovereignty. The two are not the same, and many organisations have never been told where one ends and the other begins.
The distinction matters because of the US CLOUD (Clarifying Lawful Overseas Use of Data) Act (2018). It compels any US-headquartered company to produce data in its possession, custody or control in response to a valid US government request, regardless of where that data physically sits. AWS, Microsoft Azure and Google Cloud all operate their UK regions as subsidiaries of US parent corporations. A UK data centre address does not change that corporate structure, or the jurisdiction that flows from it.
Sam Perrin, Customer CTO at Xtravirt, explains this legal grey area in simple terms.
“When you own the servers, the provider has no possession, custody or control over what’s inside them. It’s the same as renting a flat – the provider holds the building, but what’s inside is yours,” he says.
“That changes once a provider moves from renting physical space, to offering storage as a service. You still own your data, but the provider now has custody of it – and with custody comes the ability to be legally compelled to produce that data, regardless of where it physically sits. By contrast, if you own the underlying infrastructure, you keep both ownership and custody in your own hands, which removes the single biggest source of ambiguity over how your data can be reached and governed.”
This does not make the major cloud providers untrustworthy. It makes them subject to a law they cannot override. For many workloads that is acceptable. For AI programmes trained on sensitive data, regulated records, or commercially confidential intellectual property, it deserves a deliberate assessment rather than an inherited assumption.
What the board is asking - and what it isn't
Robin Gardner, Xtravirt’s Chief Commercial Officer, draws a precise line between board-level awareness and board-level understanding:
“There is an awareness, but not necessarily an understanding of the problem statement. And even if there is understanding at the CXO level, there isn’t necessarily a link to where their own organisation sits and the risk their own organisation is carrying.”
The risk gets delegated to the CISO or CIO without a precise brief. The board asks whether everything is comfortable. The CIO points to ISO certifications, contractual data residency commitments, a UK availability zone. In many cases that is enough. In some cases, it is not, and the gap between what the contract states and what the law permits is exactly where the uncertainty lives.
The data you didn't know you had
Perrin’s observations from years of working alongside enterprise IT teams land harder than any market statistic:
“We see a lot of customers who don’t even know what applications they’ve got, let alone what data they’ve got.”
Data accumulates. Teams build on shared drives, spin up virtual machines, hand over ownership to developers who generate data nobody tracks. Enterprise data estates work like most people’s phone camera rolls – thousands of items, largely uncategorised, some carrying compliance obligations the organisation has never mapped to the infrastructure hosting them.
This is the consequence of years of reasonable decisions: move fast, manage compliance later. Regulatory environments no longer accommodate that approach, and the classification problem sits underneath every serious conversation about sovereignty and jurisdiction.
The regulatory floor is rising
The Data (Use and Access) Act 2025 introduced key reforms taking effect from February 2026. It amends UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), introducing new rules on international data transfers and how organisations demonstrate accountability for data they process.
The Cyber Security and Resilience Bill, introduced in November 2025, is the most significant overhaul of UK cybersecurity legislation since 2018. It extends regulatory scope to managed service providers, data centre operators and critical supply chain partners, with incident reporting requirements of 24 hours from awareness.
Gardner puts the gap plainly:
“The familiar GDPR questions around data processor and data controller are no longer sufficient to provide the level of assurance that sovereignty requires.”
The shift is measurable. A 2025 survey of 100 senior UK IT decision-makers found 95% citing data sovereignty as a key concern, with 52% of organisations on public or hybrid cloud taking active steps to reduce their reliance on US providers [1]. For those bidding on UK public sector contracts, it has moved further still: UK buyers are treating sovereign cloud as a procurement requirement, with demand growing as geopolitical pressure focuses attention on who controls data storage and transfer [2]. For organisations whose revenue depends on regulated-sector work, demonstrable UK data sovereignty has moved from differentiator to requirement.
Private cloud built for this moment
The hyperscalers have responded with sovereign service models – dedicated regions with local staff and local infrastructure. Gardner’s assessment is precise:
“What you don’t have is a solid air gap between the organisation running that and US-based ownership. And that still puts it at risk of US legislation giving a pathway through, regardless of the location of the hands on keyboard.”
The broader risk is that a well-constructed private environment with a robust contractual framework can still leave a sovereignty gap elsewhere in the estate. Productivity tools, backup services, cloud-connected platforms in daily use can quietly route data through infrastructure subject to US jurisdiction. Private cloud solves the problem for the workloads it hosts, but the rest of the estate needs the same scrutiny.
For organisations that have determined certain workloads belong on infrastructure they own, the question today is around what that infrastructure delivers. VMware Cloud Foundation 9.1, Broadcom’s latest private cloud platform, provides zero-trust segmentation, sovereign recovery, and continuous patching at the infrastructure layer – not as bolt-on tooling but as default capability. Multi-tenant workload isolation means sensitive and non-sensitive workloads share infrastructure with strict, auditable controls between them. That is a ‘right workload, right place’ strategy made operational in practice: not two separate environments maintained in parallel, but one architecture with clear governance throughout.
The question to ask
Gardner leaves every CIO and CISO with one question – for their cloud provider, and for themselves:
“Do we have sovereign control over our data, our intellectual property and our business operating model?”
Does your provider have UK data centres? Does the contract include a data residency clause? Those are starting points. Organisations that can answer Gardner’s question with a confident “yes” have assessed their data, understood what governs it, and built infrastructure that reflects those decisions. For the workloads that require genuine sovereignty, private cloud is not the cautious option. It is the only one that closes the gap.
Ready to start that conversation? Xtravirt’s private cloud team starts with the questions before the architecture. Visit www.xtravirt.com/own-your-cloud to discover more and get in touch.
[1] Asanti/Vanson Bourne survey, June 2025: https://asanti.com/press-release/uk-it-leaders-shift-cloud-strategy-over-data-sovereignty-concerns-new-research-finds/
[2] Burges Salmon, February 2026: https://www.burges-salmon.com/articles/102lzhr/hot-topics-in-2026-for-uk-public-sector-cloud-contracts/