Data Sovereignty Is Not a European Problem. It’s an Architecture Problem.
In February 2026, the US State Department issued an internal cable, signed by Secretary of State Marco Rubio, directing American diplomats to lobby foreign governments against data sovereignty and data privacy laws. The cable described these laws as threats to “AI services, global data flows, and civil liberties.”
Two weeks later, US federal agencies were banning Chinese AI tools from government devices. The stated reason: national security concerns about where data goes and whose jurisdiction it falls under.
The principle behind both positions is identical. The difference is only the direction.
The Contradiction at the Heart of the Debate
I am not pointing this out to be critical of the US government. Both positions make sense from the respective national interest. But the contradiction is worth examining honestly, because it reveals something important: every major government in the world is now applying sovereignty logic to data and technology. The US is no exception; it just uses different language for it.
“Data sovereignty” is not a European euphemism for protectionism. It is the same operational question that drives CFIUS reviews of Chinese cloud infrastructure, DeepSeek bans on federal devices, and the longstanding restrictions on Huawei in US telecommunications. You need to know whose jurisdiction your data and decisions fall under. That need does not disappear because your headquarters is in a country with a strong tech industry.
What Sovereignty Actually Means
The definition is simple: you know where your data is, who can access it, under which laws, and you have architectural control over those boundaries.
That is it. Nothing in that definition is European. Nothing in it is anti-American. It is a governance requirement for operating in a world where data is subject to legal authority – and every country exercises legal authority over data within its borders.
A US company with 10,000 employees in Germany is legally required to handle their data under GDPR. The same company operating in China must comply with China’s Personal Information Protection Law (PIPL), which requires data to remain in-country and grants Beijing broad access authority. In Saudi Arabia and the UAE, local data residency requirements are now standard. India is moving in the same direction.
These are not European rules. They are the architecture of the world as it actually exists.
The Patchwork Every Global Enterprise Now Navigates
If you run IT or security for a genuinely global company, this is your reality today:
European Union: GDPR sets strict rules on data transfers. But a European data center does not solve the problem if your vendor is US-headquartered. The CLOUD Act gives US authorities the ability to compel US companies to produce data stored anywhere in the world. European data protection law and US law are in direct conflict – and enterprises are caught in the middle.
China: PIPL mandates local data storage and grants the Chinese government broad access rights. This is not a gray area. You cannot route Chinese operations through a global platform that does not have jurisdiction-aware architecture.
Middle East: The UAE Personal Data Protection Law and Saudi Arabia’s National Data Management Office framework are increasingly modeled on GDPR, including local residency requirements. These markets are growing in both strategic importance and regulatory complexity.
The United States itself: As the DeepSeek episode showed, the US is applying exactly the same logic to data from adversary nations that European regulators apply to US data transfers. The reasoning is sound. The principle is universal.
This is not a temporary situation. Regulatory fragmentation is accelerating, not converging. Any enterprise architecture built on the assumption that data flows freely across all jurisdictions is already out of date.
Why a Single Global Platform Cannot Solve This
The appeal of a centralized global security platform is obvious: one vendor, one management plane, consistent policy everywhere. That model made sense when the biggest concern was network performance and threat coverage. However, it does not map to a world where the same data may be subject to six different legal frameworks depending on where it sits and who the vendor is.
Sovereignty-aware architecture means something specific: policy controls that understand which data sits in which jurisdiction, which access rules apply in which region, and which vendors are operating under which legal authority. It means being able to enforce different policies for different jurisdictions from a single management interface. It also means not routing all traffic through a single global infrastructure – which would simply create a new jurisdictional exposure.
This is what sovereign SASE – jurisdiction-aware Secure Access Service Edge – actually means. Not “European SASE”. Not a product built to comply with one regulation. A model designed for the operational reality that the rules are different everywhere, and that is not going to change.
What Global IT Leaders Should Be Asking
Before you evaluate any SASE or managed security platform for global deployment, the questions that matter are not about performance benchmarks or threat intelligence feeds alone. They are:
- Where does my data actually reside? Not where the vendor says it does – where does it legally sit, and under which jurisdiction?
- What legal authority can compel my vendor to disclose my data? CLOUD Act, local law, national security orders – these are real risks, not theoretical ones.
- Can my security platform enforce jurisdiction-specific policies without requiring a different platform for each region?
- If the regulatory landscape in a specific country changes, how quickly can my architecture adapt?
- Does my vendor have a government interest in my data? Headquarters location determines legal exposure more than marketing language does.
At Open Systems, we are Swiss-headquartered, which means no home government has a political interest in our customers’ data. We operate across 185 countries. Our managed SASE model was built from the beginning around the reality that compliance requirements differ by jurisdiction – and that “one global platform, one set of rules” is an assumption the world has already disproved.
Sovereignty Is Not About Nationality. It Is About Control.
The US State Department cable and the DeepSeek bans are not contradictions because one government is hypocritical. They are a signal that every major actor in the global system now understands that data jurisdiction matters. The question is whether your enterprise architecture reflects that reality.
If your security infrastructure was designed for a world of free data flows and single-jurisdiction compliance, it is time to reassess. The global patchwork is not a problem that will be resolved by diplomatic pressure in either direction. It is the environment your IT and security decisions need to operate in.
Jurisdiction-aware architecture is not a European niche – it is the operational requirement for any organization doing business across borders. If you want to talk through what that looks like for your security infrastructure, reach out to the Open Systems team. The questions above are exactly where those conversations start.
Markus Ehrenmann, CTO
