SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Survey reveals data sovereignty gap despite high spend

Fri, 27th Feb 2026

Kiteworks has published survey findings that point to a gap between organisations' understanding of data sovereignty rules and their ability to prevent sovereignty-related incidents.

The Data Security and Compliance Risk: Data Sovereignty Report draws on responses from risk management, compliance, IT, and security professionals in Canada, the Middle East, and Europe. It examines compliance pressures tied to frameworks including PIPEDA, PDPL, and GDPR, as well as emerging requirements for AI governance.

Across all regions, 44% of respondents said they were "very well informed" about data sovereignty requirements. Despite that, incident rates were high: 23% in Canada, 32% in Europe, and 44% in the Middle East.

The results suggest that organisations face operational risk even when internal teams believe they understand the rules. The most commonly reported incidents were data breaches with sovereignty implications (17%) and third-party compliance failures (17%).

Respondents also cited regulatory investigations (15%), unauthorised cross-border transfers (12%), and government data access requests (10%).

"Organisations across every region we surveyed are spending millions on sovereignty compliance, scoring high on awareness, and still getting hit by breaches, unauthorised transfers, and government access requests," said Dario Perfettibile, EMEA GM of GTM and Customer Operations at Kiteworks.

Many respondents said they spend more than USD $1 million a year on sovereignty compliance. The largest areas of spend were technical infrastructure changes (59%) and legal and compliance expertise (53%).

Regional pressures

The Middle East stood out for both compliance focus and incident experience. Almost all respondents in the region (93%) said PDPL and SDAIA regulations directly affect operations. Two-thirds reported annual spending above USD $1 million, yet the region still recorded the highest incident rate (44%).

Canada reported the lowest incident rate, but cross-border data exposure remained a concern. Some 40% of Canadian respondents cited changes to Canada-US data sharing as their top issue, while 21% pointed to the US CLOUD Act as a direct sovereignty threat.

Europe showed a different pattern, with cloud provider assurances emerging as a major constraint. In the survey, 44% of European respondents said provider sovereignty guarantees were their top barrier to cloud adoption. Kiteworks framed this as a gap between data residency and control over access to encrypted content.

The report also highlighted encryption key ownership in cloud environments, noting that some configurations can meet residency requirements without giving customers sole control of encryption keys. In those cases, the provider may still have the technical ability to access customer data.

From policy to controls

Over the next two years, respondents expect to prioritise technical measures. Compliance automation and stronger technical controls featured as leading initiatives across the three regions.

The report links that shift to a broader interpretation of sovereignty requirements. The focus has expanded beyond where data is stored to include who can access it, who controls encryption keys, and what evidence an organisation can produce during audits and investigations.

"Sovereignty used to mean geography: keep the data in the right country and you're covered," Perfettibile said. "That era is over. Regulators, customers, and procurement teams now want proof: who can access the data, who controls the keys, and can you demonstrate compliance on demand. The organisations that build that proof into their architecture will pull ahead. Everyone else will keep knowing the rules and keep getting hit."

AI governance

The report also flagged AI data sovereignty as an emerging concern, with practices and policies still developing. Around one-third of respondents said they keep all AI training data within their home region. Another third reported a mixed approach, depending on data sensitivity.

A further 21% said they are still developing an AI sovereignty policy. The report linked this group to the risk of entering enforcement cycles without a defined approach as AI rules expand across jurisdictions.

The survey referenced EU rules alongside AI governance activity in Saudi Arabia through SDAIA. The findings suggest that planning for where AI training and processing occur is becoming part of broader sovereignty compliance, alongside controls for file movement, third-party access, and audit evidence.

Kiteworks markets a Private Data Network product to address these requirements, focusing on customer-controlled encryption key custody, jurisdictional deployment options across on-premises and cloud, immutable audit logs, and centralised governance for data exchange channels including email and file transfer.

Perfettibile said the issue is execution rather than awareness. "The gap is not knowledge. It's the distance between policy documents and architecture that actually enforces residency, controls access, and produces audit-ready evidence on demand," he said.