The EU is forcing the conversation
Find Threat Talks on
The EU is forcing the conversation
Cloud adoption made infrastructure easier. It also made organizations dependent. Data sovereignty is often reduced to location, but that is only one part of the story.
Real control goes further.
In this episode of Threat Talks, Lieuwe Jan Koning, Co-founder and CTO at ON2IT Cybersecurity, speaks with Lokke Moerel, Professor of Global ICT Law at Tilburg University and a leading expert in EU cybersecurity regulation, to break down what data sovereignty actually means in practice.
From jurisdictional reach to operational dependency, the conversation shows how control over data, systems, and access is shaped by laws, providers, and geopolitical realities.
As organizations move deeper into cloud and AI, this becomes a question of AI data governance as well. Who controls the data that trains your models? Who controls access? And what happens if that control is taken away?
Cloud is no longer just infrastructure. It is critical infrastructure.
What you’ll learn
- What data sovereignty really means beyond data location
Why storing data in Europe does not guarantee control when access, metadata, and jurisdiction are still external - How cloud dependency creates hidden risk
Why reliance on a single provider or foreign infrastructure introduces both operational and strategic vulnerabilities - Why data sovereignty and AI data governance are connected
How control over training data, models, and infrastructure defines the future of AI - What organizations can do to reduce dependency
Why multi-vendor strategies, procurement choices, and shared knowledge are key to strengthening control
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Lokke Moerel
Professor of Global ICT Law
Tilburg University
Episode details
Data sovereignty is often misunderstood.
Most organizations assume that if their data is stored locally, they are in control. In reality, sovereignty has multiple dimensions. It includes where data is stored, who can access it, whether systems remain operational without external dependencies, and which legal frameworks ultimately apply.
This episode breaks those layers down.
Lieuwe Jan Koning and Lokke Moerel explore four forms of sovereignty: data, operational, jurisdictional, and strategic. Each introduces a different type of risk. Even when data is physically located in Europe, foreign laws such as the US Cloud Act can still apply. At the same time, dependency on external providers raises questions about continuity. If access is restricted or services are disrupted, organizations may lose the ability to operate.
This shifts the conversation from security to control.
A key theme is the transition from “lock-in” to “lock-out.” Where organizations once worried about being tied to a single provider, the risk now includes being cut off entirely due to geopolitical or legal decisions. That makes dependency on cloud providers a business risk, not just a technical one.
The discussion also connects this to AI data governance.
As organizations adopt AI, the importance of controlling training data, model behavior, and infrastructure increases. Initiatives such as GPT-NL show how sovereign AI models can be developed using high-quality, compliant data sets. Instead of scraping public data, these models are trained with curated, legally sourced data, aligned with public values and regulatory requirements.
This reflects a broader shift in Europe. Regulation alone is not enough. Building capabilities is becoming just as important.
The episode also highlights practical steps.
Organizations should rethink procurement decisions, consider multi-vendor strategies, and better understand their dependencies. Sharing knowledge across industries becomes critical, especially when evaluating alternatives and identifying viable solutions.
The core message is simple.
You may use the cloud.
You may store your data locally.
But unless you control access, operations, and dependencies, you do not fully own it.
And as AI becomes part of that ecosystem, data sovereignty and AI data governance become inseparable.
Get your Hacker T-shirt
Join the treasure hunt!
Find the code within this episode and receive your own hacker t-shirt for free.
