Research by Omdia finds more than 100 countries have some form of data sovereignty or localisation laws but often even within countries there are contradictory rules
Omdia’s new report Digital Sovereignty: Data Protection, Residency, and Localization Policies and Regulation reveals that sovereignty is increasingly a key strategic priority for operators. It is also shaping regulatory discussions regarding AI, cloud, and data protection. The report focuses data sovereignty and finds it presents challenges for businesses, including additional operational costs and difficulties in implementing new processes.
The European Union (EU) set a blueprint that it intended others to replicate, announcing its European Cloud Sovereignty Framework in October 2025 which covers data sovereignty. However, many Asian countries such as India, Vietnam and Indonesia are doing the same thing.
So far more than 100 countries (see map below) have adopted some form of data sovereignty or localisation laws, but Omdia’s research shows requirements vary significantly. Countries with the strictest regulation include Russia, China, Vietnam and Indonesia. While the EU’s General Data Protection Regulation does not strictly mandate data localisation, it restricts data transfers to countries that do not have adequate data protection standards.
Meanwhile, the US’s rules are sector-specific with requirements applying to sectors such as healthcare or finance, rather than covered by a single federal law. The overall global trend, however, is towards increasing data localisation.
Sarah McBride, Principal Analyst, Regulation, at Omdia, notes, “Despite many jurisdictions incorporating some form of sovereignty into their data protection regulations, there is no universally agreed definition, making compliance challenging. This has resulted in the growing fragmentation of regulatory frameworks worldwide.
“Data sovereignty raises questions about the use of cloud services and imposes operational expenses on businesses, requiring them to train employees on sovereignty laws, design new technologies, recruit staff, and implement new processes” she says.
McBride continues, “Not only are there differences between countries, but even at a national level, data sovereignty is often regulated through several different laws, rather than just one standalone regulation. As a result, businesses are facing diverse and sometimes conflicting rules on data protection, localisation, and cross-border data flows. The fragmented landscape also raises compliance costs and operational complexity which multinational businesses must navigate.”
