- A new model for data sovereignty is based on access, not location
- Sovereignty tunnels enable global teams to collaborate while maintaining local data compliance
- The capability could redefine global cloud strategy
They say you learn something new every day. But this is not actually true — especially if you work in the communications industry, where 99% of ideas are reconstituted from things that were thought of several years or, in the case of AI, decades ago (unless you're reading something on LinkedIn, in which case the derivative score is typically so close to 100% that the difference is academic).
But this week, talking to Kevin Cochrane, CMO at Vultr, a genuinely new thought — and a new concept — emerged.
And here it is: sovereignty tunnels.
The term was coined almost casually in conversation. But like many useful ideas, it immediately clarified something that has been hiding in plain sight. Sovereignty tunnels describe a model in which data remains fixed within a jurisdiction, while access is extended across borders through tightly controlled, policy-driven pathways. No duplication, no relocation, and no need to replicate legal or corporate structures in every market.
As Cochrane put it, “We’ve built a sovereignty tunnel to India for a customer so that they don’t actually have to incorporate there.”
That single line captures the shift.
For years, data sovereignty has been treated as a matter of geography. If a company wanted to comply with European regulations, it deployed infrastructure in Europe. If it needed to satisfy national data residency laws, it built or rented capacity inside that country’s borders. Compliance meant presence — and presence meant duplication of infrastructure, operations and often legal entities.
That model is now starting to fracture.
What is emerging instead is a way of designing sovereignty directly into the architecture of systems. Rather than asking where data resides, companies can focus on how it is accessed, who can interact with it, and under what conditions. Data remains legally anchored in one jurisdiction while teams in another work with it in a controlled, compliant way.
The mechanism behind this shift is not exotic. It is something enterprises have been building toward for years: identity and access management. But the level of granularity now available changes the equation. As Cochrane explained, “We took our enterprise identity and access management to the next level, with incredible granularity for how you can build and manage multiple organizations, roles, groups, and policies.”
That granularity is what makes sovereignty tunnels possible. Instead of replicating entire environments across borders, companies can segment infrastructure into discrete organizational units aligned to specific jurisdictions, and tightly control how access flows between them. Sovereignty is no longer enforced by physical separation alone, but by policy, identity, and control.
Sovereignty tunnels have a familiar ring. They echo the shift in the 1990s from Ethernet switching to virtual LANs. Back then, the breakthrough was simple but profound: networks no longer had to be physically defined. Access and segmentation could be constructed through software, governed by virtual rules rather than fixed wiring.
At the time, that was revolutionary. Today, it is taken for granted.
And yet, in the world of data sovereignty, we seem to be rediscovering the same idea. Sovereignty tunnels apply that principle to compliance: instead of building systems around physical location, you construct access around policy, identity, and control.
Everything old, it seems, is new again.
Tunnel focus
The India example brings this into sharp focus. Traditionally, if a global company wanted to leverage a development or service delivery team in India while serving customers in Europe or the United States, it would need a complex legal and operational framework. Local incorporation, separate governance structures, duplicated infrastructure — these were the costs of compliance.
With a sovereignty tunnel, that complexity collapses into architecture. As Cochrane described it, “You could set up an India organization with all its resources in India, and then act as an in-house service delivery function to all of your other organizations.” The team operates across borders, but the data does not. Access is granted, monitored, and constrained — but never uncontrolled.
This hinges on a subtle but critical distinction: access is not the same as transfer. Sovereignty tunnels operate in that gap. They allow systems in one country to interact with data in another without copying it, moving it, or subjecting it to a different legal regime.
Whether regulators will accept that distinction remains an open question. The line between access and transfer is not always clean, particularly as legal frameworks evolve. Much will depend on how rigorously these systems enforce controls such as encryption, auditability, and data minimization — and how convincingly organizations can demonstrate that data has not, in any meaningful sense, moved.
It doesn’t surprise me that Vultr is leading the market with this capability. While it is sometimes conflated with neo-cloud operators, it is a different animal altogether—a bird of quite a different feather.
Where many neoclouds have built their businesses around a handful of large hyperscaler contracts, effectively acting as capacity extensions, Vultr has taken a more disciplined and vertically integrated approach. Its platform is designed for enterprise use from the outset, with automated, on-demand infrastructure, full-stack orchestration across CPU and GPU environments and a focus on operational control rather than ticket-driven provisioning. It is built to serve many customers well, not just a few very large ones.
What sovereignty tunnels require
That distinction matters. Sovereignty tunnels are not just about infrastructure — they require precision, consistency, and control at the architectural level. And that is far easier to deliver when the platform is designed for it from the ground up, rather than retrofitted around a small number of hyperscale relationships.
What is clear is that this represents a deeper structural shift in the cloud.
For decades, compliance has been mapped onto location. Infrastructure sat in a place and that place determined its legal status. Now, compliance is being engineered into systems themselves. Infrastructure is no longer just geography; it is policy, identity, and control working together to define how data can be used.
The implications are significant. Startups can expand internationally without establishing legal entities in every market. Mid-sized firms gain access to compliance strategies once reserved for large enterprises. And global teams can collaborate without fragmenting systems along national lines.
There is also a competitive dimension. If sovereignty can be delivered through software-defined controls rather than a physical footprint alone, the advantage of hyperscale providers may begin to erode. Smaller, more agile providers could be better positioned to experiment with these architectures and deliver more flexible approaches to compliance.
For now, sovereignty tunnels remain an emerging concept rather than a formal standard. But they point toward a future in which compliance is not something you bolt onto infrastructure — it is something you design into the system from the beginning.
Because if sovereignty tunnels work as intended, the question is no longer where your data sits.
It is who can reach it — and how tightly that path is controlled.
Stephen M. Saunders MBE is a communications analyst and USPTO-registered inventor examining how digital infrastructure — 5G, cloud, and AI — is reshaping industry, power and society, as well as underpinning the emerging, ubiquitous global digital economy. As anchor of FNTV and a longtime industry insider, he focuses less on growth narratives and more on execution, risk and how hyperscale technology is distorting markets, governance and society at scale.
Opinion pieces from industry experts, analysts or our editorial staff do not necessarily represent the opinions of Fierce Network.