The Future of Data Sovereignty Will Be Designed, Not Negotiated
In June 2025, Microsoft France’s legal director was asked under oath before the French Senate whether he could guarantee that French citizens’ data would never be transferred to US authorities without French consent. His answer was simple: No. That single word confirmed what many European security leaders have been debating for years. Data sovereignty is not a setting you enable. It is not a checkbox in a vendor contract. And it is no longer primarily a legal question. It is an architecture decision, and the window to get it right is closing.
Three forces are converging that make this urgent for every European CISO and IT leader: geopolitical fragmentation, extraterritorial data access, and supply chain cyber exposure. Each one, on its own, demands attention. Together, they fundamentally change how European organizations need to think about where their data lives, who can reach it, and how resilient their infrastructure actually is.
Geopolitical Fragmentation: The Map You Drew Last Quarter May Already Be Wrong
Most enterprise network architectures were designed for a world that assumed stable routing, neutral infrastructure, and borderless cloud regions. That world no longer exists.
When Russia invaded Ukraine in February 2022, organizations relying on Eastern European SD-WAN paths had to reroute traffic within days. The ones that recovered fastest had architectures allowing policy-driven rerouting without rebuilding from scratch. That was not luck. That was design.
Since then, the fragmentation has accelerated. EU digital sovereignty legislation is tightening. The US has pulled back from multilateral technology commitments. China continues expanding state-controlled network infrastructure. Sanctions and export controls reshape which cloud regions, vendors, and transit paths organizations can operationally rely on, sometimes overnight. In November 2025, EU Member States adopted a Declaration for European Digital Sovereignty, a non-binding but clear political signal that digital autonomy is now a strategic priority. Meanwhile, the European Commission has opened investigations into whether AWS and Microsoft Azure should be designated as core platform services under the Digital Markets Act.
For security leaders, this means the network map drawn last quarter may already be wrong. Architecture that can adapt to geopolitical change is no longer optional. It is foundational.
Extraterritorial Data Access: Jurisdiction Follows the Company, Not the Data
The US CLOUD Act, passed in 2018, allows US authorities to compel American companies to hand over data, regardless of where that data is physically stored. For European organizations using US-headquartered cloud, security, or SASE platforms, this creates a structural conflict with GDPR and European data protection principles.
This is not theoretical. In his testimony before the French Senate, Microsoft France’s Anton Carniaux confirmed under oath that a valid US government request would need to be honored, even for data stored on European soil. Around the same time, the International Criminal Court in The Hague announced it was replacing Microsoft Office with OpenDesk, a European open-source alternative, after its chief prosecutor was temporarily locked out of his Microsoft account following US sanctions. The ICC’s IT manager stated publicly that the court needed to reduce dependencies and strengthen technological autonomy, even if it was expensive and inconvenient.
Then there is the Solvinity case in the Netherlands. Dutch government agencies, including the municipality of Amsterdam and the Ministry of Justice, had deliberately chosen Solvinity, a Dutch managed cloud provider, specifically to reduce dependence on American firms and mitigate CLOUD Act risks. In November 2025, US-based Kyndryl announced it would acquire Solvinity. Amsterdam was informed one day before the public announcement. Overnight, a sovereign cloud choice became subject to US jurisdiction. The Dutch parliament has since voted on a motion to accelerate investment in European cloud alternatives.
For CISOs, the implication is clear. Where your vendor is headquartered matters as much as where your data is stored. A European data center does not guarantee European sovereignty if the parent company sits under US law.
Supply Chain Cyber Exposure: The Soft Underbelly Is Your Vendor
Nation-state actors have learned that attacking enterprises directly is expensive. Targeting the providers those enterprises trust is far more efficient. One compromised managed service provider or security platform gives attackers privileged access to dozens or hundreds of organizations simultaneously.
The pattern is now well established. In January 2024, Chinese state-affiliated actors (tracked as UNC5221 by Mandiant) exploited zero-day vulnerabilities in Ivanti Connect Secure, a widely deployed secure access product. Thousands of organizations globally were affected. The attackers did not target endpoints or users. They walked in through the security product itself.
And the pattern has repeated since. In early 2026, Ivanti disclosed two more critical zero-day vulnerabilities in its Endpoint Manager Mobile product, this time affecting the European Commission and the Dutch Data Protection Authority among others. Researchers attributed nearly 20 attacks to the same China-linked group, with victims spanning telecommunications, healthcare, and aerospace across Europe.
Your SASE platform is not outside your supply chain. It is your supply chain for network access, policy enforcement, and security telemetry. The organizations with the strongest posture do not just rely on vendor risk questionnaires. They build continuous verification into the network layer, so that even if a vendor is compromised, lateral movement is constrained.
Why These Three Risks Are Converging Now
Each of these forces is serious on its own. What makes the current moment different is that they are no longer separate problems. They are converging.
Geopolitical fragmentation accelerates extraterritorial reach, as governments expand emergency powers and intelligence-sharing agreements. Extraterritorial data access exposes supply chains, because a vendor under foreign jurisdiction becomes a legal access point to your data. And supply chain compromises become sovereignty events, because attackers increasingly exploit the very platforms that organizations depend on for policy enforcement and security.
The organizations that navigate this well are not reacting to each crisis individually. They are the ones that have already made data sovereignty an architecture decision: continuous verification, supply chain visibility, and policy-driven controls built into the network layer from the start.
This is why a growing number of European organizations are rethinking how network and security architectures are designed in the first place. Instead of relying on globally centralized platforms, they are moving toward sovereign, policy-driven SASE models that can operate within clearly defined jurisdictions and maintain operational control closer to where data and users actually reside.
That is the approach we take at Open Systems with managed SASE, because we have seen firsthand that the organizations that treat this as a design principle, rather than a crisis response, are the ones that stay ahead.
What European Security Leaders Should Do Now
Audit your vendor jurisdiction, not just your data residency. Understand where your SASE, cloud, and managed service providers are headquartered, and what legal exposure that creates. Build policy-driven architecture that can adapt to shifting geopolitical realities without a rebuild. And demand supply chain visibility that goes beyond questionnaires, with continuous verification built into your network design.
Data sovereignty is no longer something you negotiate in a contract. It is something you design into your infrastructure. The organizations that understand this now will be the ones still standing when the next disruption hits.
Data sovereignty will not be solved by regulation alone. It will be solved by architecture. At Open Systems, we work with European enterprises to design and operate sovereign SASE architectures that address exactly these challenges.
Talk to the Open Systems team about managed SASE built for the realities European organizations face today.
Stefan Keller, Chief Product Officer
