System sovereignty and ArcGIS systems

Sovereignty means being in control of your own decisions and actions, especially in relation to governance, law, and territory. Digital sovereignty refers to the ability of a state, organization, or individual to have control over their own digital infrastructure, data, and technologies, without undue dependence on external entities such as a third party provider or foreign government, ensuring autonomy and security in the digital realm.

Designing a geospatial system that is completely independent of all external entities is a difficult and costly endeavor, but properly assessing risks associated with system sovereignty, how they apply to GIS operations and how organizations can adapt in response to change should be a consideration, especially for mission-critical systems.

Regulatory bodies such as the European Commission are working on frameworks to define sovereignty for the purposes of resilience during global change. The European Cloud Sovereignty Framework provides a useful structure for any organization to evaluate sovereignty across multiple dimensions — from data and legal exposure to supply chain and operational independence. The sections below address each of these dimensions and how they apply to ArcGIS system design.

For all of the topics on this page, the ArcGIS Trust Center is an essential reference, providing documentation and guidance related to compliance, regional and global legal frameworks, and software options.

Strategic sovereignty

Strategic sovereignty refers to an organization’s ability to make autonomous decisions about its technology direction, free from undue influence by external vendors, foreign governments, or market dependencies. It encompasses ownership stability — whether control over the systems and software an organization depends on can shift unexpectedly — as well as governance influence over the roadmap and direction of core platforms, and alignment with local strategic priorities such as national digital strategies or sector-specific technology policies.

Relevant resources include national and regional digital strategy documents — such as the EU Digital Compass 2030 — as well as procurement frameworks that guide technology acquisition for public bodies in various countries. The ArcGIS Trust Center documents Esri’s commitments related to licensing continuity and product governance that are relevant to this assessment.

Legal sovereignty refers to the legal environment governing a technology system, including which jurisdiction’s laws apply, what exposure exists to foreign legal authority (such as extraterritorial data access laws), and whether contractual and regulatory rights are practically enforceable.

A common concern for organizations evaluating cloud-hosted platforms is the potential reach of foreign legislation. National laws can compel companies to produce data stored anywhere in the world in response to a legal order, regardless of where that data physically resides. This creates legal exposure that may not be fully addressed by data residency choices alone.

For ArcGIS deployments, organizations should evaluate the jurisdiction under which Esri or a hosting provider operates, the governing law in service agreements, and the availability of contractual protections such as data processing agreements and government-specific terms. The ArcGIS Trust Center publishes the legal frameworks and certifications applicable to ArcGIS Online and ArcGIS Enterprise deployments. Organizations in regulated sectors or sovereign contexts should engage their legal advisors to assess residual legal risk.

Note:

The legal landscape for cross-border data access and jurisdictional exposure is evolving rapidly. Refer to your organization’s legal advisors and monitor developments in applicable international law and bilateral agreements.

Data sovereignty

Data sovereignty is a broad concept with various definitions and components, but generally refers to the concept of storing, managing and accessing data within a certain national border or political entity. Data sovereignty requirements are often raised due to laws and regulations of a certain country or jurisdiction, related to the users of a system, the hosting location of the system, or the company that builds and operates a system or software offering. In the context of ArcGIS systems, data sovereignty most often refers to the storage of user data such as login credentials and content along with geospatial data, and attempts to store those data in a way that complies with these regulations.

Examples of data sovereignty laws or regulations include:

  • Canadian Consumer Privacy Protection Act (CCPPA)
  • General Data Protection Regulation (GDPR)
  • Australian Privacy Principles (APP)
Note:

The status of individual laws or regulations for a certain region or country is a rapidly-changing area of law. Please refer to local resources or your organization’s specialists and legal advisors for the specific requirements for a specific system.

Data sovereignty requirements are common for businesses that store data in the cloud, so they can ensure that they are able to observe the laws and regulations of the country or jurisdiction. Organizations often respond to these requirements by carefully designing data and storage tiers of their architecture to align to the requirement, with architectural implications that may conflict with access or redundancy goals. Designs can also pursue flexibility and mobility of solutions or data, so that a change in legal position can be met with a change to a different architectural approach without significant disruption.

Any strategic approach to data sovereignty also needs to consider more generic data security requirements and patterns such as encryption, access control and monitoring.

Data residency is a related topic to data sovereignty, but is more focused in definition — it refers specifically to where a piece of data is stored, usually focused on geographic location, and reflecting a current point in time. Residency usually applies to the physical location of data, which is often in a data center provided by a public cloud provider or a managed services provider, and can sometimes be difficult to clearly establish with the various layers of storage abstraction and redundancy that are offered by many cloud hosting services. Understanding data residency is essential to adhering to data protection regulations, bolstering security, and providing access to data.

Note:

In today’s service-oriented architectures, the true residency and location of data in motion becomes somewhat subjective. If a database is hosted in Country A, but published as a web service, and a user in Country C is connected to a VPN to Country B, then queries 100 records from the web service to make a map in their browser (running in a laptop in Country C), where does the data reside? At a granular level it is now in multiple places, with one serving as the “source”, another where the data transits or requests could be logged, and a third location where it is “consumed.”

Data localization refers to an increasingly common requirement that data generated within a country’s borders must be exclusively stored and processed within that same country. While data localization dictates where data must be stored, and data residency indicates its current location, the primary goal of data localization is to control data flow and usage, to safeguard it according to the local laws and standards. This may include ensuring that the users and clients of a certain set of data are only allowed to access it from within a certain country’s boundaries.

Operational sovereignty

Operational sovereignty is the practical ability of local actors — whether within an organization, a national agency, or a regional authority — to operate, maintain, and evolve a technology system without ongoing dependence on foreign entities or a single external provider. It goes beyond legal or contractual protections and asks whether, in practice, the skills, access, documentation, and support capabilities exist locally to keep a system running under a range of conditions including vendor disruption, geopolitical change, or network isolation.

For GIS systems, operational sovereignty considerations include whether system administrators and developers within an organization can independently deploy, configure, update, and troubleshoot the platform; whether adequate training and documentation are available in local languages and contexts; and whether the system can continue to function if connectivity to external services is interrupted.

ArcGIS Enterprise, when self-hosted or deployed in a managed environment under local control, offers a higher degree of operational sovereignty than a fully cloud-hosted SaaS arrangement. Esri’s ArcGIS Enterprise documentation and Esri training resources support organizations in building the internal capacity needed to sustain operations independently. For air-gapped or highly restricted environments, ArcGIS also supports fully disconnected deployment configurations.

Supply chain sovereignty

Supply chain sovereignty addresses the geographic origin, transparency, and resilience of the technology components that underpin a system — including hardware, software libraries, hosting infrastructure, and third-party services. A system with supply chain vulnerabilities may be exposed to risks that originate not in the primary platform but in its dependencies: a cloud provider headquartered in a foreign jurisdiction, an open-source component maintained by a small team in an unfavorable geography, or infrastructure subject to export controls.

For ArcGIS system designers, supply chain considerations include the geographic distribution of Esri’s own infrastructure and systems, the cloud hosting provider used for a given deployment, and any third-party data services or APIs integrated into the system. Organizations with high supply chain sovereignty requirements may prefer to build systems based on ArcGIS Enterprise, deployed on infrastructure operated by nationally or regionally headquartered providers, or on government-owned data center infrastructure.

The ArcGIS Trust Center provides information on Esri’s infrastructure partners and shared responsibility model. For organizations operating under frameworks such as the EU Cybersecurity Act, supply chain transparency is increasingly a formal requirement, and architecture documentation should explicitly address these dependencies.

Technology sovereignty

Technology sovereignty refers to the degree to which a technology stack is open, transparent, and independent — enabling organizations to understand how systems work, modify or extend them without vendor permission, and avoid deep lock-in to proprietary implementations. It is closely related to interoperability: systems built on open standards and published interfaces are generally more technology-sovereign than those built on closed, proprietary architectures.

In the GIS domain, technology sovereignty considerations include adherence to open geospatial standards (such as those published by the Open Geospatial Consortium), the availability of open APIs and data formats for import and export, and the degree to which the platform’s capabilities can be replicated or migrated using alternative tools if necessary.

ArcGIS supports a broad range of open standards including OGC APIs, WMS, WFS, and GeoJSON, and provides open REST-based APIs that enable integration with non-Esri systems through well-documented methods and resources.

Security and compliance sovereignty

Security and compliance sovereignty refers to the extent to which security operations, compliance obligations, and resilience measures for a system are controlled locally — by the organization or jurisdiction operating the system — rather than delegated entirely to an external provider. This includes the ability to define and enforce security policies, conduct independent audits, respond to incidents without relying on a foreign vendor’s cooperation, and demonstrate compliance with locally applicable regulations.

For GIS systems handling sensitive or classified data, security sovereignty is often a primary driver of architecture decisions. Organizations may require that encryption key management remain entirely within their control, that security monitoring and logging be performed using locally operated tools, and that penetration testing and audit rights be available without restriction.

ArcGIS Enterprise supports a range of security configurations that enable local control, including deployment to existing secure networks, integration with enterprise identity providers, support for customer-managed encryption keys in certain deployment configurations, and compatibility with third-party security information and event management (SIEM) systems. The ArcGIS Trust Center documents current compliance certifications including FedRAMP, ISO 27001, and regional equivalents, which are relevant benchmarks for organizations assessing their security posture. The ArcGIS Enterprise Hardening Guide provides clear, consistent security profiles that can be applied to ArcGIS Enterprise systems in response to security and compliance requirements.

Note:

Compliance certifications held by a software vendor or platform do not automatically confer compliance on systems built on that platform. Organizations are responsible for assessing how their specific configurations, customizations, and data practices affect their overall compliance posture.

Sovereignty in the design process

Discussions related to sovereignty in its many dimensions are all increasingly common, for a variety of reasons:

  • In a more networked world, more datasets cross borders each day than ever before. Many organizations and businesses now operate regionally and globally, with users located in different countries and locations, often far from the source systems they engage with.
  • Increasing concerns around data privacy and awareness of the importance of personal information protection has raised this issue for individuals, organizations, and government entities that have passed laws generally intended to protect consumers, individuals and national interests.
  • Rising geopolitical and economic tensions have raised awareness of inter-reliance on systems and services from other countries. Organizations are carefully examining their existing systems and providing more robust sovereignty requirements in the design of new systems.
  • An ever-evolving landscape of cyber-security risk and the risk of data loss or leakage has increased interest in data residency knowledge and management, so that when bad things happen, the impact can be better understood and mitigated more quickly.
  • In the world of AI and large language model-based interfaces, the distinction between data residency and data processing has become blurrier — as systems located in various data centers are able to process data, work with services through agentic workflows with or without a human in the loop, and make decisions based on data.

All of these reasons bring an increased focus on sovereignty in a system design process.

Approaches and options

A sovereignty strategy for a GIS system can include some or all of these topics:

  • Understanding and making intentional decisions related to reliance on local compute and storage providers. This may mean using national or regional cloud service providers or using local data centers.
  • Strategies to achieve compliance with applicable local laws, business practices and values.
  • Maintaining understanding and control over software, software updates, licensing and data access.

ArcGIS offers a range of software and services options that can be used to balance cost, reliability, accessibility, security and sovereignty, depending on your organization’s needs.

Software-as-a-Service options like ArcGIS Online offer lower cost, greater reliability and can offer useful security patterns, while also offering less digital sovereignty. Regional ArcGIS Online data hosting in geographies like Europe and Southeast Asia provide an option for organizations in those regions.

A system built on ArcGIS Enterprise can take advantage of hosting options such as managed cloud services or can be self-hosted by an organization to offer greater sovereignty control, often with a trade-off of increased costs and effort. Compute infrastructure can be on premises or in a data center controlled by the organization. Cloud options include hosting in a global hyperscaler such as Microsoft Azure or Amazon AWS, in a local cloud provider under the local national jurisdiction.

GIS sovereignty is a requirement that will vary from organization to organization and from region to region. Being aware of it as a requirement and electing to balance it with other resiliency system requirements is foundational to ensuring resiliency.

Top