Data Sovereignty Is a National Security Imperative

Shane Shook

May 12, 2026

  • Blog Post

How corporate, regulatory, and legal conflicts are reshaping U.S. cyber posture and where security leaders should go from here

Over more than 30 years investigating multinational corporate cybercrime cases, I’ve seen enterprise data governance and national security converge into a single problem.

Vendor architecture decisions across U.S. enterprises now carry national security implications. Foreign government access rights structurally expose the data architecture of U.S. critical infrastructure, defense industrial base, and AI providers by default. Litigation imports conflicting data sovereignty expectations across borders.

Data jurisdiction has become an architectural property of enterprise digital infrastructure and a strategic variable in U.S. cyber posture, in ways that current policy, legal, and security operations frameworks have not yet caught up to.

As Forgepoint Capital prepares to co-host the 4th annual National Cyber Innovation Forum next week alongside Carahsoft, bringing together senior executives, entrepreneurs, investors, and government officials to strengthen U.S. cyber resilience, national security, and technological innovation, here’s what’s top of mind for me heading into the convening:

Who Does Data Belong To?

The difficulty in reconciling U.S. and international data frameworks is primarily philosophical, not technical. The two systems start from different premises about who holds the fundamental right to determine how data is used.

The U.S. and EU offer the clearest illustration of this divide, and the marked difference between them defines the playing field for most other national frameworks.

Data Ownership in the United States

In the United States, data is largely treated as a corporate asset under the control of the entity that collects and manages it. The federal regulatory baseline is built around consumer protection: the FTC Act prohibits unfair and deceptive practices, while sector-specific statutes such as HIPAA and FERPA protect defined categories of sensitive data. The overall framework is reactive and harm-specific.

In the absence of a sector-specific rule, a company generally has broad discretion over how it retains, uses, and shares the data it collects. While California’s CCPA and CPRA have moved that state meaningfully toward individual rights in the past few years, California remains an outlier. In practice, the baseline remains company-centric for most enterprises.

Data Ownership in the EU

Compare this approach to the European Union, where data belongs to the individual as a matter of constitutional law. Article 8 of the EU Charter of Fundamental Rights enshrines the protection of personal data as a fundamental right, alongside the right to private and family life under Article 7.

Further, GDPR Recital 1 states that data protection is a fundamental right of natural persons. Under this framework, a company does not own the data it collects; rather, it holds a purpose-bound right to process it within conditions the data subject can enforce. The GDPR codifies eight data subject rights: to be informed, to access, to rectification, to erasure, to restriction of processing, to data portability, to object, and to protection from solely automated decision-making including profiling.

Under GDPR, the company is a controller or processor, not an owner. This is more than a regulatory detail: it is a fundamental conception of what data is and who it belongs to.

Data Ownership in Other Regions

Most recent nation-state data frameworks align more closely with the EU model than with the U.S. model. Brazil’s LGPD, South Korea’s PIPA, Japan’s upcoming amended APPI, India’s DPDPA, and China’s PIPL all establish individual data subject rights, even where enforcement priorities and specific provisions differ.

Practically speaking, when a U.S. company operating abroad treats data as its corporate asset, and a foreign regulator treats the same data as belonging to the individuals whose information it represents, there is no purely procedural solution. The regulatory conflict reflects a genuine disagreement about rights.

Growing Regulatory Fault Lines

The philosophical divide between the U.S. and EU has shaped a global regulatory landscape that goes well beyond the two. The past decade has seen a wave of overlapping and often contradictory national data frameworks built on these competing foundations:

  • European Union: The GDPR sets the most demanding framework in scope and penalties. The 2023 EU Data Act and 2024 European Health Data Space Regulation have added sector-specific data-sharing mandates and localization requirements for sensitive categories, while the NIS2 Directive has elevated supply chain accountability.
  • United States: The 2018 CLOUD Act empowers U.S. law enforcement to compel U.S.-headquartered cloud providers to produce data stored abroad, including on servers in foreign jurisdictions. Section 702 of FISA authorizes the collection of communications by non-U.S. persons located outside the United States without an individual warrant, including data stored with U.S. service providers and data transiting U.S. communications infrastructure. Neither authority requires the knowledge or consent of the data subject’s home-country government, and in most cases neither requires notification to the service provider’s customers.
  • China: The PIPL, DSL, and 2022 cross-border data transfer regulations collectively require that personal information generated in China remain in China unless a government-approved transfer mechanism is in place. The DSL delegates the definition of “important data” to sector-specific implementing regulations, and those definitions have in some sectors been drawn broadly enough to cover categories of ordinary business operational data.
  • India: The DPDPA, enacted in 2023, restricts transfers of personal data to jurisdictions not designated as approved by the Indian government. The approved country list had not been finalized as of early 2026, leaving enterprises managing Indian personal data in structural uncertainty.
  • Russia, Saudi Arabia, Vietnam, Indonesia, and Turkey: Each of these countries has enacted or strengthened data localization laws requiring certain categories of data to be stored on domestic servers, in some cases subject to government access on demand.

The result is a landscape in which a single dataset (for example, employee records for a multinational workforce, or operational telemetry for a global logistics company) may simultaneously be governed by five or more incompatible legal regimes. What one jurisdiction requires a company to retain, another may prohibit storing in that form. What one government can compel a company to produce, another may make it a crime to produce.

Government Access: Where Compliance Becomes a National Security Issue

Government access rights represent a fundamentally different category of risk than standard regulatory compliance. Compliance violations are typically civil matters resolved through fines, remediation orders, and audits. Government access compulsions, particularly those tied to national security authorities, are often secret, legally non-negotiable, and carry consequences for disclosure.

Consider that when a U.S.-headquartered cloud provider receives a FISA order, it is typically prohibited from disclosing its existence to the data subject, the subject’s government, or the subject’s customers. On the other hand, when a Chinese-domiciled company receives a request from Chinese security or intelligence agencies, Article 7 of China’s National Intelligence Law requires that all organizations and citizens support, assist, and cooperate with national intelligence work, while Article 36 of the Data Security Law restricts those same companies from providing data to foreign judicial or law enforcement agencies without state approval. Data managed by Chinese-domiciled entities is therefore both subject to Chinese government access and protected from foreign legal compulsion.

The Known Unknown for Enterprises and National Security Operators

These examples show the structural national security implications within enterprise digital infrastructure. The recent TikTok/ByteDance investigation and the protracted Meta EU-to-U.S. transfer dispute both turned on this exact dynamic. Regulatory action did not require proof of specific government access in either case. The exposure was defined by jurisdiction itself: the legal authority a foreign state holds over a vendor’s data architecture, regardless of whether that authority had been exercised.

The practical implication for U.S. enterprises is that they do not fully know who has access to their data because their own legal exposure is layered on top of their vendors’ jurisdictional exposure. The reality for U.S. policymakers and cyber operators is that this opacity is embedded in the architecture of American digital infrastructure and presents national security risks.

When eDiscovery, National Security, and Sovereignty Collide

There is a third layer to this problem that sits squarely between data governance, legal, and national security, and in my view is underdiscussed: how eDiscovery during litigation can import foreign data sovereignty conflicts.

FRCP and GDPR Can Conflict in U.S. Litigation

The crux of this collision in U.S.-based litigation involves the Federal Rules of Civil Procedure (FRCP). Under FRCP Rules 26 and 34, parties to U.S. federal litigation must suspend document retention and destruction policies and preserve, disclose, and produce electronically stored information (ESI) relevant to case claims or defenses when litigation is “reasonably anticipated.” This principle was established in Zubulake v. UBS Warburg (S.D.N.Y. 2003-2005), where UBS’s failure to preserve relevant emails resulted in a jury award of $29.3 million. Failure to comply can result in sanctions, cost-shifting, and adverse inference instructions, as codified in FRCP Rule 37(e).

The conflict arises when EU personal data is involved. In these cases, enterprises must decide how to scope and implement a hold across data to comply with the FRCP, data that may also be subject to conflicting minimization and storage limitation principles under GDPR. For example, GDPR Article 5(1)(e) states that personal data may be retained only as long as necessary for the purposes for which it was collected, while the definition of processing in GDPR Article 4(2) is broad enough that every stage of eDiscovery constitutes data processing requiring a lawful basis. A litigation hold that forces broad, indefinite retention of EU personal data for use in U.S. proceedings puts U.S. litigation procedures and GDPR compliance in direct conflict.

This is not a theoretical problem. U.S. federal courts applying the comity framework established in Societe Nationale Industrielle Aerospatiale v. U.S. District Court, 482 U.S. 522 (1987), have consistently held that foreign privacy statutes do not override a U.S. court’s authority to order production. More recently, in In re Mercedes-Benz Emissions Litigation (D.N.J. 2019), a court rejected GDPR-based objections to production and ordered disclosure subject to a confidentiality designation.

The Flip Side: EU-Based and International Litigation

Adding to the complexity, for a U.S. company’s foreign subsidiary or EU-based operations, the local data protection authority has independent enforcement jurisdiction and does not defer to U.S. court orders. German data protection authorities, for example, assess the proportionality of litigation-related data transfers by standards that may differ materially from the FRCP Rule 26 standard applied by U.S. courts; disclosures characterized as exceeding what is strictly necessary may be treated as GDPR violations subject to enhanced fines.

U.S. Enterprises Are Caught In Between

The result for enterprises is genuine two-sided exposure: comply with a U.S. court order and risk foreign DPA enforcement action in the jurisdiction where the data originated, or withhold on data protection grounds and risk FRCP sanctions or contempt.

The most consequential recent development in this area sharpens the conflict further. In Norra Stockholm Bygg AB v. Per Nycander AB (CJEU Case C-268/21, March 2, 2023), the Court of Justice of the European Union held that GDPR governs the production of evidence containing personal data in civil court proceedings. National courts must conduct a proportionality and necessity analysis before compelling production and must consider data minimization measures such as pseudonymization where full production is not justified. The ruling establishes that EU data protection authority is not confined to regulatory enforcement: it governs the civil litigation discovery process itself. In other words, foreign courts are asserting authority over a process that U.S. courts and statutes alone used to govern. A U.S. court applying FRCP standards and an EU court applying GDPR proportionality principles can now reach materially different conclusions about the same dataset, with no binding procedure for resolving the conflict.

For U.S. enterprises in critical infrastructure, the defense industrial base, or AI, production decisions now turn on technical specifications, threat intelligence, and operational telemetry whose disclosure carries national security implications. The legal frameworks that determine which way those decisions go are increasingly written in courts and capitals outside the United States.

Where do we go from here?

None of this fits neatly inside an agency’s mandate, an industry’s compliance program, or a CISO’s operational scope. Heading into the 2026 NCIF forum next week, here are some of the questions I think U.S. cyber leaders need to collectively grapple with:

How should U.S. cyber practitioners and policymakers think about sovereign cloud architecture and customer-managed encryption as instruments of national cyber posture, not just enterprise compliance? When a critical infrastructure operator selects a cloud provider, that decision now carries jurisdictional consequences that were not visible to procurement frameworks designed a decade ago.

As AI agents and autonomous systems process sovereignty-protected data at machine speed, including through cross-border integrations, how do existing frameworks need to evolve? The frameworks we have now were not designed for workloads that move, generate, and transfer data without human review at every step.

What does meaningful public-private coordination on jurisdiction risk look like in practice, and who owns it? Right now, this conversation is happening in fragments across DPA enforcement actions, CFIUS reviews, litigation between firms, and IT procurement decisions. It needs to happen in a forum where these fragments become a strategic posture supporting U.S. enterprise and national security.

In Closing

Data jurisdiction is no longer a background concern. It is a first-order architectural variable in U.S. cyber posture for enterprises and government agencies alike. The boundary between enterprise data architecture and national security has effectively dissolved.

The conversation about how to manage this can’t wait any longer. The public and private industry leaders who successfully navigate the next phase of digital sovereignty will need to understand their jurisdictional exposure as clearly as their attack surface. I am looking forward to having these conversations with security leaders from industry and government at the NCIF forum next week.