The cloud used to be simple. Pay as you go, instant scalability, no infrastructure headaches — businesses loved it. But that cloud is starting to fragment. Across APAC, governments are tightening control over data, requiring sensitive information to stay onshore, firmly under local jurisdiction.
The global cloud ecosystem that has dominated the tech market for decades is cracking under the pressure of sovereignty requirements. And while this trend is reshaping the entire region, it’s not just a bureaucratic hurdle; it’s a shift that’s changing the way companies operate and compete.
The rise of data sovereignty
At its core, data sovereignty means that data is subject to the laws of the country where it’s stored. In an era where information is a critical asset, countries don’t want their sensitive data stored in foreign territories, under the watchful eye or potential future control of other governments or corporations. What’s at stake here isn’t just privacy — it’s control. That’s why we’re seeing nations like Australia, Singapore, China, and Japan put their foot down.
Australia, for instance, has taken significant steps to ensure that critical data remains under sovereign control, from the whole-of-government hosting strategy to the upcoming changes to the Privacy Act, which are expected to heavily impact data handling practices.
Comparatively, while Singapore’s Personal Data Protection Act (PDPA) doesn’t enforce strict data localisation, it requires businesses to safeguard cross-border data transfers. The country has focused on flexible regulatory frameworks, emphasising global standards and cooperation, such as through the Australia-Singapore Digital Economy Agreement, recognising the need for both local control and secure global exchanges.
The challenge for businesses
For businesses however, these changes throw a spanner in the works. The traditional cloud model — borderless, global, and frictionless — is running up against an inconvenient truth: Data localisation laws are here, and they’re not going anywhere.
It highlights a big challenge: how do you maintain the flexibility and speed of the cloud when you’re restricted by local laws? Companies that have relied on the instant scalability of the cloud now face a new kind of complexity: managing a patchwork of sovereign clouds, each tailored to a specific country’s regulations.
But this isn’t just about legal compliance; it’s about navigating a world where geopolitical tensions are reshaping the business landscape. In APAC, where cyberthreats and state-sponsored hacking are on the rise, governments are increasingly viewing data as a national security issue. In this environment, trusting foreign cloud providers with sensitive data feels risky.
The new cloud landscape
Japan and South Korea, for example, are imposing tough restrictions on where data can be stored and who can access it. The result? The seamless, borderless cloud is starting to break apart, and companies that want to operate in this region need to adapt.
The ripple effects of these sovereignty rules are starting to reach cloud giants. Providers like AWS, Google, and Microsoft, who have thrived on offering global solutions, are suddenly being asked to play by local rules. And so, some are asking if it’s worth investing in building sovereign cloud regions within individual countries.
This is easier said than done in the context of data centres, which can range from hundreds of millions to billions of dollars of upfront cost before a dollar in revenue is transacted. While these companies are pouring billions into creating localised infrastructure, this fragmented approach isn’t as efficient as the global cloud that businesses have become accustomed to. It’s also more expensive, and those costs can trickle down to customers.
So, what does all this mean for businesses? The days of relying on a single global cloud provider for all your needs are over. Instead, companies need to embrace hybrid or multi-cloud strategies that allow them to meet local sovereignty requirements without sacrificing the agility and scalability they’ve come to rely on.
For example, enterprises can adopt a split model, where sensitive data remains stored and backed up in-country in compliance with local laws, while less sensitive workloads continue to run in the global cloud. This ensures they remain compliant while still leveraging the benefits of international cloud services. Alternatively, companies can turn to sovereign cloud solutions, where cloud providers offer country-specific infrastructure and services that meet local regulatory demands.
One leading ride-sharing and food delivery platform in Southeast Asia revamped its storage and backup environment by licensing a modern software-defined storage service via AWS Marketplace — deployed in-country with a AWS hybrid edge solution — ensuring it complies with Vietnam’s Decree 53 requirement to locally store local customer data. It has also provided a foundation for the company to replicate the platform in five additional countries.
The rise of data sovereignty is fundamentally reshaping the cloud landscape in APAC. But this isn’t just a trend — it’s the future. Governments are not going to back down on their demands for data control, and companies that fail to comply are risking more than just fines. They also risk losing their ability to operate in key markets.