Digital Sovereignty in action: Learnings from regulations and market impacts across the globe

Download Listen

With growing concerns over citizens privacy and rapid growth of the data centre market, digital sovereignty is a term rapidly growing in recognition across the world’s governments. Legislators and regulators are increasingly focused on controlling their countries digital assets and cybersecurity. The recent boom in AI has only increased the perceived requirement for digital sovereignty. Companies within the data centre ecosystem must not just be aware of the evolving global legislative landscape, and the downstream impact on the markets in which they operate, but proactively develop strategies to succeed within 2030’s regulatory landscape.

In this article we will be looking at 5 examples across the world of how different countries have sought to secure their future digital sovereignty, and provide recommendations to data centre operators, developers, suppliers and investors for how to leverage regulatory insights for winning growth strategies.

France

The most interesting evidence of France’s prioritisation of digital sovereignty comes away from the regulatory landscape, and can be seen in the importance Emmanuel Macron has given to leading the way among his European counterparts in terms of building an AI narrative for Europe. Pursuit of “the third way”, a path towards AGI (autonomous general intelligence) independent of efforts focused in the US or China, is seen as integral for retaining sovereign autonomy in a future where the footprint of AI will span far beyond a web-based chatbot.

Indeed, France have taken some significant leaps towards making this “third way” a reality already in 2025. Macron has looked to cross-border partnerships to allow France to compete on scale of facility, a key enabler of leading AI model training, with the US and China. Both his co-chairing of the recent AI Action Summit alongside India, as well as up to €50 billion of investment into expanding French data centre capacity alongside the UAE, are indicative of the recognition that France, and for that matter no country in Western Europe, has the scale of resources or skills to compete with countries at the frontier of AI development. The partnerships do not end there however, as Mistral, the leading European based frontier model developer, and Orange, announcing a strategic partnership to “accelerate artificial intelligence development in Europe”, adding connectivity prowess to the mix alongside significant data centre investment and regional narrative leadership.

Of course, none of this AI and digital autonomy and sovereignty is possible without the requisite data centres, in both capacity and capabilities. To this end, their €109 billion AI action plan is focused on just this, and includes the aforementioned UAE investment, alongside investments from north America and a range of Leading French companies, such as Orange and Thales. The UK government’s AI action plan, announced just last month, already looks in need of a top-up at just £14 billion. What France have achieved here is a balanced pathway to sovereignty while competing in the global AI market, encouraging outside investment while retaining sovereign asset ownership and stimulating their local economy through partnerships with the local private sector.

This is complemented by a rigorous regulatory approach, with the Secnumcloud Certification security framework the basis for much of France’s regulations for hosting service providers – indeed it is a requirement to serve the French public sector as customers, and aims to guarantee data security and sovereignty for public organisations. To attain certification as a ‘trusted cloud provider’ you have to comply with stringent data localisation restrictions (on personal and non-personal data). At the end of 2024, very few companies had obtained these certifications. The legislation has delayed the ability of major hyperscalers to sell their services to the public sector, and opening the door to local hosting competitors, both colocation and cloud services providers, although Google and Microsoft have now partnered with French based companies, creating S3NS and Bleu to work around these regulations.

While these regulations only apply to public sector customers, they are indicative of the kind of regulations that can stop the hyperscaler march and open the door to regional data centre operators, possibly in partnership with local cloud services providers. However, the response of the hyperscalers is also a word of warning in their ability to quickly partner with leading local service providers in order to work around regulations implemented. Data centre operators globally should learn from the turn-based games between regulators and hosting providers in mature markets, and run war-gaming exercises to prepare for a rapid response to possible future regulatory changes. When such regulatory opportunities or challenges arise, they must act quickly and decisively to retina, or grow, market share in times of market instability.

USA

Being the market leaders in terms of cloud computing and frontier AI model development, and with the likes of OpenAI, Google, AWS, Microsoft, x.AI and more headquartered in the US and enjoying a largely positive relationship with their current administration, the USA has less to worry about when it comes to partnerships and fiscal stimulus.

However, there are lessons to be drawn from their regulatory landscape, and principally how regional regulatory differences have impacted data centre hubs across the country. Northern Virginia is a colossal data centre market, and, of course, the rise to such dominance is not solely down to regulations, with historic digital infrastructure and energy stability key drivers at play. However, there have been several local regulations to stimulate and accelerate capacity building in the region, such as tax exemptions and flexibility in energy procurement, which have contributed to the multiplier effect we see persisting today where the more capacity is built, the more of a hub the region becomes, and the more new facilities are planned and build. There have even been some suggestions of regulatory capture from coalitions of data centre operators aimed at staving off more restrictive regulation in the region.

In contrast, California, home of the California Consumer Privacy Act, enforces strict data protection regulations on its citizens data, as well as mooted regulations to protect consumers from bearing the financial burden of energy infrastructure development in support of data centre capacity building. These state-level case studies demonstrate the regional complexity possible within a country, in a key consideration for developing entering markets globally where regulations can be implemented regionally instead of nationally.

In addition, the USA’s CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a key example of both why countries are prioritising digital sovereignty, as well as how interdependent and complex the digital regulatory landscape can become. It states that US authorities have the legal right to access data stored through US-based cloud service providers, even if that data is stored outside the US. Whilst welcomed domestically, the cloud act can be directly attributed to the increased awareness of digital sovereignty around the world, as countries do not want to have critical sensitive data accessible to the USA via their hyperscalers at any time.

The US stands out as a country with real influence on the global data centre market, both through regulations impacting hyperscalers headquartered in the US (eg the CLOUD Act) and in their globally leading capacity and distribution, the efficacy of which to support the scaling of AI models has a material impact on downstream global inferencing demand.

From a digital sovereignty perspective, lessons should be taken from the US around how to navigate a complex and regionally diverse regulatory landscape, a challenge which is likely to re-emerge in other geographically large and diverse economies, such as Brazil and India – both countries with significant potential hosting and digital infrastructure markets.

Drive success in the expanding data centre landscape

Navigate the rapidly growing data centre market with our expert insights. Contact us to explore how we can support your growth.

Book a call with the Data Centres team

India

India’s 2023 Digital Personal Data Protection (DPDP) Act establishes comprehensive guidelines for the processing of personal data in India, including restrictions on cross-border data transfers. The law applies to everyone in India, including foreign citizens receiving digital services from a foreign provider, creating a demand for local hosting and data centre services. In addition, India have not been afraid to use digital sovereignty as part of their wider geo-political strategy, best demonstrated through their 2020 ban on TikTok, which was caused in part by data security concerns, but was stimulated by border disputes between India and China, where ByteDance, TikTok’s parent company, is headquartered. This demonstrates the fragility of the digital economy to external forces such as global geo-political tensions, a particular concern at a time in which such events are on the rise.

Whilst not as stringent as France, India has been ramping up its digital regulatory landscape in an attempt to ringfence its digital sovereignty. The vast quantity of data produced by its citizens is seen as an asset that can be used to stimulate domestic growth through in-country processing, and looking to the local private data centre sector to enable this, and a new version of the 2023 DPDP is already undergoing consultation, underlining the fast moving regulatory landscape which prospective developers in the country must contend with.

The key takeaway for those in the data centre ecosystem is to stay cognisant of fast-moving technology regulations, and wider geo-political landscape in emerging digital economies. In this instance, strict regulations on software and content could have wide-ranging implications, including a banned content platform churning away from their local hosting provider, or a new content platform emerging in popularity with a different hosting strategy needing to rapidly expand.

Saudi Arabia

The Saudi Data and AI Authority is the beating heart of Saudi Arabia’s rapid digital transformation and digital sovereignty initiatives. Through the Personal Data Protection Law (PDPL), SDAIA mandates that personal data of individuals be processed within the country, generating a growing market for data centre services in Saudi, in particular given the scale of investment in the Saudi Vision 2030 strategy, including vast greenfield construction projects such as Neom.

At the core of Saudi Arabia’s digital sovereignty strategy is a substantial $18 billion data centre strategy, backed by the Saudi government and involving partners such as one of the regional data centre leaders in Gulf Data Hub. Since this strategy was unveiled in January 2022, not only have all three of the largest US hyperscalers either completed or begun work on a region in the country, but the aforementioned local player Gulf Data Hub has been backed by globally-renowned private equity firm KKR, in a clear signal of the high returns on capital expected in a digital economy which is both accelerating rapidly and prioritising sovereignty.

Despite a tight regulatory landscape around data storage and control, Saudi Arabia are very much still in the market for investment from abroad, as the investment from the big three US-based hyperscalers and KRR show. Data centre developers should look to the Saudi market for a case study for what can happen when fiscal and regulatory stimulus are acting in lockstep with one another, enabling rapid development from a low baseline. Data centre operators in emerging markets should leverage the success of this case study to lobby local regulators into adopting similar strategies.

Nigeria

Nigeria’s digital sovereignty initiatives blend regulatory and fiscal strategies to bolster its data centre market. The Nigeria Data Protection Act of 2023 mandates that sovereign data is stored domestically, reinforcing control over critical digital assets. Complementing this, restrictive foreign land ownership laws require foreign firms to secure a ‘Certificate of Occupancy’ (CofO), capped at 99-year leases, nudging them toward establishing subsidiaries or partnering with local companies and stimulating the local economy. The government has openly championed these policies to cultivate a local data centre industry where the rewards of success are retained within Nigeria.

However there are certain provisions in place to ensure prospective foreign investment is not rejected, such as streamlined CofO processes and potential fiscal incentives, such as tax breaks or infrastructure grants, to attract foreign investment. Such policies have help attract global players, such as Equinix, and grow the Lagos data centre market to around 100MW, the largest metro market by capacity in West Africa. One other key example of the potential of foreign investment is Airtel’s commitment to building 180MW of capacity across the African continent, with a 38MW facility in Lagos one of its core hyperscale facilities.

Analysis of the Nigerian digital sovereignty landscape further demonstrates the flexibility of regulations to facilitate mutually beneficial investment for both the data centre developer and the local regulator. Developers, especially in more nascent data centre markets, should collaborate with local regulators to demonstrate the mutual benefits of investment, and help shape a successful regulatory landscape for the market.

Key recommendations

In summary, our key learnings from each market are:

  • France – the importance of analysing global regulatory negotiations, and run war-gaming exercises to prepare for a rapid response to possible future regulatory changes.
  • USA – how to navigate a complex and regionally diverse regulatory landscape.
  • India – staying cognisant of fast-moving technology regulations, and wider geo-political landscape in emerging digital economies.
  • Saudi Arabia – a blueprint for rapid development from a low baseline, provided fiscal and regulatory stimulus are acting in lockstep.
  • Nigeria – collaborate with local regulators to demonstrate the mutual benefits of investment, and help shape a successful regulatory landscape for the market.
Jonas Topp-Mugglestone

Jonas Topp-Mugglestone

Jonas Topp-Mugglestone

Consultant

Jonas is a Consultant at STL Partners, specialising in data centres and M&A.

Looking for advisory services in data centres? Schedule a call.

Private Networks Insights Service

5 key takeaways from Data Centre World 2025 

5 key takeaways from Data Centre World 2025 highlight trends insights and innovations shaping the future of data centres See what industry leaders shared

Read more
Private Networks Insights Service

Data centres in the Middle East & North Africa

Data centres in the Middle East are booming, driving digital transformation and cloud growth. Explore key trends, investments, and future potential.

Read more
Private Networks Insights Service

Data centre trends: Reflecting on 2024 & predicting 2025

Discover the latest data centre trends in AI, government intervention, and connectivity in 2024, plus our 2025 predictions for each.

Read more