Across many organizations, IT has quietly shifted over the past decade. Applications moved. Processes were outsourced. Responsibility slowly migrated outward. What once lived inside company owned infrastructure now runs on platforms operated by others.According to IDC, around 60 percent of European enterprises now run most of their business critical systems as SaaS services. CRM, ERP, collaboration, security, identity management and monitoring are no longer internal systems. They are external services. This has created a new form of dependency. And with it, a question that used to sound abstract and now feels very real. Who actually owns this data.Formally, the answer seems simple. Most contracts state that the customer remains the owner of the data. But there is a growing gap between legal ownership and operational control. The vendor decides where data is stored, how it is replicated, how long it is retained, what metadata is generated, what kinds of analysis are technically possible and what interfaces exist. The customer remains the legal owner but gives up a significant part of practical control.A CIO from a European industrial company put it like this. We own our data on paper. But we live inside someone else’s infrastructure. That changes the balance of power.
Jurisdiction becomes an IT issue
Since Schrems II, the US Cloud Act and the enforcement of the GDPR, it has become clear that data is not only technical. It is also legal and political. Data does not simply exist in the cloud. It exists under specific legal jurisdictions.This puts particular pressure on US based providers. Even when data is physically stored in Europe, US authorities may under certain conditions request access. For many organizations, this is no longer a theoretical concern. It has become a governance issue.
A CISO from the financial sector described it this way. We no longer discuss only encryption and access rights. We discuss state access, political risk and our ability to act in a crisis.
Why CIOs are becoming uneasy
In conversations with IT leaders, the tone has clearly shifted. A few years ago, the focus was on cost, scalability and speed. Today, it is about control, resilience and strategic autonomy. Many CIOs are asking themselves how much control they still have when critical systems are operated entirely by external platforms.An IT director in manufacturing explained it simply. When an internal system fails, we can intervene. When a platform fails, we can only wait. That asymmetry changes the risk profile.
What companies are actually doing
Organizations are not reacting ideologically. They are reacting pragmatically.Some are adopting multi cloud strategies to reduce dependency on any single provider. Others are working with European vendors or so called sovereign cloud models where infrastructure, operations and legal control remain within Europe. Some are placing their most sensitive data into private SaaS environments where the software is external but the operational control is higher.This is not a retreat from the cloud. It is a recalibration of responsibility.An architect in the telecom sector described it this way. We are not going backwards. But we are becoming more deliberate. We now decide very carefully which data goes where.
How the market responds
Vendors are responding as well. Major platforms now offer regional cloud zones, dedicated compliance environments, customer controlled encryption and more granular control mechanisms. Not out of idealism, but because customers are demanding it.At the same time, new providers are emerging who explicitly position themselves around European data sovereignty. Not as a political statement, but as a business differentiator.
What remains
The shift to SaaS will not reverse. It is structurally efficient and economically compelling. But it changes power, responsibility and dependency. That shift is now visible. And it is being debated.Legal ownership is easy to define. Operational control is the real issue. And that question will continue to shape the European technology landscape.Whether this leads to new standards, new platforms or new regulation remains open. What is clear is that data is no longer just a technical asset. It has become a strategic one. And whoever controls it, controls a part of the future.
