Press release. In a context marked by increased regulatory control and geopolitical tensions, data sovereignty is increasingly gaining weight on the business agenda. In this scenario, regulatory compliance is no longer seen as a formal requirement and becomes a business priority.
This is stated by Matías Cascallares, OEM Technologist at Confluent, who warns that “The location and control of information are already decisive factors in the choice of suppliers and the design of systems”. According to Cascallares, “This paradigm shift is leading companies to rethink what they really consider a data risk and how they guarantee their operational resilience in the face of new regulatory frameworks such as the Digital Operational Resilience Act (DORA)”.
Furthermore, the scope of data sovereignty is no longer limited to the most critical information, but now also includes data that was traditionally considered secondary, such as emails, system logs, usage data or metadata. The objective is clear: to guarantee comprehensive control over all data, and not only over the most sensitive ones.
Data sovereignty goes beyond your location
Data sovereignty has become an operational challenge for companies, especially in international environments where activity is distributed across different countries. The current approach goes beyond physical location to focus on how information is accessed, who can manage it, and under what conditions.
This new reality is reflected in everyday situations such as global services that operate continuously, where managing a case from another jurisdiction can raise questions about regulatory compliance, even when the data is not physically moved. Thus, remote access, in itself, has become a risk factor to consider.
These issues become relevant in key decisions such as supplier selection or contracting processes, while, in parallel, the lack of regulatory clarity is pushing companies to seek greater legal and operational security.
As a result, regulatory compliance has escalated to a strategic level and is now part of the management agenda, with technology providers also coming under increasing scrutiny over their data management practices.
This change is also evident in the evaluation processes, where companies are no longer satisfied with general mentions in compliance questionnaires, but rather require specific analyzes on data residency, cross-border access and operational control. “At Confluent we have verified that interest in these issues has multiplied in the last year, going from being a secondary aspect to becoming the central focus of any supplier evaluation”says Cascallares.
Regulatory compliance becomes a business priority
In the financial sector, the growing demand for data sovereignty has intensified significantly. Today, this factor determines decisions from the initial phases, even before evaluating the technical capabilities of a solution.
Increasing regulatory demands, driven by frameworks such as the DORA Law, are forcing organizations to strengthen their control over technological risks, especially when external providers are involved, reflecting a greater requirement for operational resilience in an environment increasingly dependent on third parties.
In this context, the adoption of managed platforms introduces a new balance, since, although companies delegate the daily management of the infrastructure, the ultimate responsibility continues to fall on them, maintaining as their own obligations the supervision of access to data, traceability or the ability to demonstrate controls independently of the provider.
As a consequence, new internal dynamics are being generated. While technology teams drive global and distributed models, legal and compliance areas demand greater guarantees and control, giving rise to a new role for providers, who increasingly act as intermediaries to close that gap.
Regulatory requirements redefine business operations
All of this reflects a fundamental change: compliance with regulations has ceased to be a secondary requirement and has become part of the daily operation of companies. The pressure to ensure transparency and control is forcing providers to strengthen their processes, from certifications to audit and governance systems.
The impact on the organization is direct. Compliance is no longer just a legal issue, but a function that requires resources, specialized equipment and conditions the way services are designed and operated.
In this sense, companies must take a more active role in managing their data. Thus, knowing what information they handle, where it is stored and who can access it is no longer a good practice and has become a necessary condition in an increasingly demanding regulatory environment.
Governance as a new point of control
Beyond the policies, what really differentiates is how access, traceability and responsibility are managed in practice. Thus, data governance ceases to be a theoretical framework and becomes a key operational control tool.
This requires greater internal coordination and a more demanding relationship with suppliers, where real operations weigh as much as certifications. In this sense, the ability to demonstrate control is becoming consolidated as a clear indicator of the degree of maturity of market players. As Cascallares points out, “What we are seeing is that organizations are no longer differentiated by what they say in their policies, but by their ability to demonstrate how they actually manage their data”.
Although it may be perceived as a regulatory burden, this new scenario responds to the evolution of the cloud model towards more demanding environments, integrating governance into the day-to-day life of organizations and their positioning in the market. Furthermore, the regulatory focus will continue to evolve with new areas, such as post-quantum cryptography, which anticipate that the requirements will continue to expand.
The market is already reacting: suppliers are strengthening their processes, improving transparency and raising control standards, in a movement that points towards a more solid and prepared ecosystem, in which the ability to manage these requirements can become a differentiating factor.
