Sovereign Cloud redefining the cloud market: Omdia market radar


Independent analyst and consultancy firm Omdia has released its market radar paper, exploring the sovereign cloud market and how cloud service providers (CSPs) have responded to the trend.

The 2025 IT Enterprise Insights study analysed the top five Western public cloud providers – AWS, Azure, Google, IBM, and Oracle – and discovered they make up 86% of the cloud market, with a presence in 33 countries as of 2024. North America has 347 data centres, Europe 194, and China has just three. Although cloud is available worldwide, the report reveals its infrastructure remains regional.

According to Omdia’s research, new formats like edge cloud and sovereign cloud are on the rise, and there is a greater focus on environmental sustainability, which, the company surmises, will see more players enter the market.

CSPs around the world are expected to witness increased pressure as China-based CSPs expand globally. The market has evolved in recent years, with CSPs now broadening their approach by providing additional choices to meet operational autonomy, data residency, and resiliency needs.

Omdia found that the EU is leading in data protection and sovereign cloud initiatives, like the General Data Protection Regulation (GDPR) and Gaia-X. Regions like the Middle East are starting to develop similar regulations, with initiatives including the Saudi Vision 2030. 60 new data centres have been set up in the Middle East, highlighting how its local infrastructure is growing.

The growth of genAI has prompted countries to consider “sovereign AI,” developed and run inside national borders, bringing data under local control. This creates challenges for CSPs that do not offer local facilities, and some are losing out on potential business that goes to locally-based data centres.

Omdia says it expects 2026/27 to be important for AI development, with the idea of “sovereign generated data” becoming more talked-about. Organisations will need to protect this data, which AI generates from internal information, with the same levels of protection as original datasets. This raises complex questions about digital ownership in the AI era, the paper states.

Omdia has set recommendations for enterprises, service providers, and technology vendors based on its sovereign cloud model. The model highlights how the “attributes of a sovereign cloud can be applied at six different levels of sovereignty.”

For enterprises, Omdia’s recommendation is to understand which parts of the business and data are subject to local regulations, and develop an architectural approach showing how they will implement sovereign cloud capabilities in their IT systems.

Omdia recommends service providers develop partnerships with local organisations to receive official approval (or accreditation) from national governments to be able to deliver sovereign cloud solutions.

Technology vendors are recommended to investigate what’s required to meet local sovereignty regulations. Omdia also suggests making applications more modular, so they can be separated in accordance with local sovereignty rules.

Omdia’s sovereign cloud model

To evaluate accurately the degree of sovereignty in a cloud deployment, Omdia has proposed a six-level model, one that corresponds to the increasing levels of control and compliance necessary.

The model reflects how a country’s laws and regulations address data protection, processing, control, and privacy.

The six levels are:

Data residency

Data must be stored in the country, with laws mandating that certain types of data, like personal or sensitive information, cannot be hosted outside national borders.

Data processing

Data must be processed locally by approved entities following stringent privacy rules and consent, thus ensuring tighter control over who can handle the data and how.

Data privacy

Focusing on access controls, if data is stored and processed locally, it needs to be protected against unauthorised access, particularly from foreign authorities. One of the biggest privacy challenges currently comes from the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) of 2018.

This allows authorities to demand access to data that is stored by US-based companies, even when the data is stored on foreign servers. Understandably, this raises a major red flag for those wanting to keep their citizens’ digital information private and under local jurisdiction.

Generated data access and control

Omdia recommends sovereign frameworks should define who has ownership and control over generated data.

Cloud resiliency

Cloud resiliency ensures cloud services are not dependent on foreign infrastructure, helping to reduce the risk of potential disruption outside national control, such as economic or geopolitical upheavals.

Cloud as important infrastructure/operational jurisdiction

Level 6 suggests the cloud is treated like a national utility, such as energy, water or telecommunications. This entails governments being able to regulate, audit, and oversee the cloud in their jurisdiction.

How CSPs are responding

Beginning with a “sovereign-by-design” strategy, which essentially builds cloud platforms with sovereignty in mind, CSPs have had to evolve, shifting to a more customised and flexible model, one that aligns with specific regional regulations. CSPs are responding to the growing demand for sovereign cloud with two main approaches.

The first model the company urges cloud providers to adopt is full isolation with region-specific offerings. Major CSPs like AWS and Oracle are creating separate, isolated cloud environments in a country or region. These are then separated from the provider’s cloud infrastructure and managed by local personnel, without access by foreign staff. The model is designed to meet stringent compliance needs, like GDPR.

The second approach comes in the form of a partnership model, something CSPs like IBM and Huawei have embraced. In this model, a local service provider or national telecom company operates the cloud services on behalf of the global CSP. The partners then deploy and manage the CSP’s cloud stack in the country, providing localised compliance. Data stays in the jurisdiction, allowing local staff to handle operations.

Both models are part of a wider trend, as CSPs can no longer offer one-size-fits-all cloud solutions under the increasing raft of laws developed by nation states. Cloud providers are required to build sovereign variants that allow customers to choose the right level of control, compliance, and privacy to meet their needs and those of local laws. According to Omdia, “the optimal approach remains dependent on the individual customer.”

(Image source: “Clouds” by Kiwi Tom is licensed under CC BY 2.0.)
