With the rise of nation-state cyberattacks and the rapid development of AI, geopolitical concerns are growing every day. Organizations are challenged to find the balance between innovation and security, and they’re feeling the pressure to relocate and fortify their workloads from global cloud vendors to local alternatives.
More recently this concept has been termed geopatriation. This is the strategy of moving globally hosted workloads to an environment that can offer greater sovereignty, either on-premise or in the local region of the customer. This concept has gained significant momentum, so much so that in 2026, Gartner identified geopatriation as one of the top strategic technology trends for the year.
As per Gartner®, “Intensifying geopolitical turbulence is raising concerns in both public and private sectors about dependencies on IT vendors based outside their own regions or countries.” – Gartner, Top Strategic Technology Trends for 2026: Geopatriation, Alessandro Galimberti, Lydia Leong, et al., 18 October 2025
When organizations are exploring how to ensure compliance, protect data, and maintain stakeholder confidence, geopatriation will have a larger role than ever before.
The challenge: Maintaining sovereignty
Cloud sovereignty has driven the importance of geopatriation, as it requires organizations to address the concerns related to cross-border data transfer. To reduce geopolitical risk, customers need control over where and how their data is stored and processed. Cross-border technology dependencies means relying on global cloud providers where data isn’t guaranteed to be isolated within the customer’s region. How does this impact sovereignty?
It is no secret that the United States is a big cyber attack target on the world stage. The Department of Homeland Security Office of Intelligence and Analysis, in their 2025 Homeland Threat Assessment, identified that “the PRC, Russia, and Iran will remain the most pressing foreign threats to our critical infrastructure. Most concerningly, [they] expect the PRC to continue its efforts to pre-position on US networks for potential cyber-attacks in the event of a conflict with the United States.”
When data travels internationally, there are different protocols, regulatory variations, and standards across regions. This creates vulnerabilities when services are dependent on infrastructure outside of the customer’s local jurisdiction. How does one know which requirements are being followed, and how data storage and processing rights are being restricted, when laws vary country by country?
But achieving sovereignty extends beyond the geographic isolation of infrastructure. Local support and expertise matters, too. When mission-critical systems need attention, the support should come from trusted, verified professionals who operate within the same regulatory and security framework as the customer’s organization. When support personnel fall outside of local jurisdiction, organizations can face loss of control during geopolitical events, and security controls are ultimately only covered up to the infrastructure layer.
When an organization doesn’t prioritize geopatriation, there could be loss of control, loss of data, and loss of reputational trust. Cloud benefits are undeniable, but the need to balance mitigating the risk of exposure to geopolitical uncertainty with the need for innovative technologies is more important than ever.
The challenge: How to achieve geopatriation without compromise
As per Gartner®, “Examples of geopatriation include:
- Reinforce: Stay in the hyperscaler but reinforce your risk mitigations.
- Redeploy: Stay with the hyperscaler but redeploy the workload to a local, sovereign or distributed cloud solution.
- Remove: Remove the workload from the hyperscaler and go to a local cloud provider.
- Repatriate: Move workloads on-premises.”
Gartner, Top Strategic Technology Trends for 2026: Geopatriation, Alessandro Galimberti, Lydia Leong, et al., 18 October 2025
Each of these options come with their own pros and cons, so how does an organization decide which route to take as they begin navigating workloads to a sovereign environment?
The reinforce route allows the customer to remain with their current hyperscaler while strengthening their risk mitigation measures. It’s an opportunity to double down on security strategies and ensure that the hyperscaler supports these expectations. The challenge with this approach is that residual geopolitical risk remains. Customer data is still subject to foreign jurisdiction, extraterritorial laws, and government access requests.
The redeploy approach retains the current hyperscaler while transitioning workloads from a global platform to a local region or sovereign government cloud. The challenge here? Operational fragmentation. If an organization chooses to only move their mission-critical workloads to a government cloud, managing workloads across multiple regional offerings increases complexity. This approach also doesn’t address the in-region support personnel for the cloud applications.
The remove approach requires withdrawing workloads from the existing hyperscaler and transitioning to a local cloud provider. But there are inherent challenges when migrating an environment to a new provider, especially if the local provider isn’t mature enough to handle large-scale workloads. In some instances, smaller providers may lack the hyperscaler-level security tooling, automation, multi-region failover, and threat intelligence.
Repatriate, the strategy of moving cloud workloads to on-premise infrastructure, may be the least appealing strategy for many. It’s a step backward in the innovation roadmap that highly regulated organizations are working towards. On-premise also comes with higher upfront investment in hardware, facilities, and ongoing maintenance. And the customer becomes responsible for security and compliance.
Before taking the step of geopatriation, organizations must weigh out the pros and cons of these strategies. They have to decide their priorities and what compromises they’re willing to make.
Do organizations choose a global technology vendor or a local technology provider? Do they risk global data exposure with a large-scale provider located overseas? What about adopting less advanced tech offerings from a small-scale, local tech vendor? Customers are looking to maintain control over their data while still accessing enterprise-grade cloud capabilities.
There’s a solution to this debate that allows customers to never compromise between sovereignty, security, and innovation. SAP customers need a partner who meets geopatriation requirements by deploying all SAP workloads in the U.S. and has a U.S. based organization with SAP solution and compliance expertise. It is essential that the partner be fundamentally and structurally built to deliver secure solutions. It is also crucial that enterprise applications are up and running to help ensure that compliance and SLA’s are provided up to the application level.
This solution is only delivered by SAP NS2. For two decades, SAP NS2 has been the only provider to deliver industry-leading SAP cloud solutions, complete geographic isolation within the continental U.S., and 24×7 support from U.S.-based SAP experts. Geopatriation shouldn’t mean settling for less, and with SAP NS2 you don’t have to.
[1] GARTNER is a trademark of Gartner, Inc. and/or its affiliates.
[2] Starks, Tim. 2026. “Taiwan Blames Chinese ‘Cyber Army’ for Rise in Millions of Daily Intrusion Attempts.” CyberScoop, January 7, 2026. https://cyberscoop.com/taiwan-china-cyberattacks-2025-energy-hospitals-nsb-report.
[3] U.S. Department of Homeland Security. Homeland Threat Assessment 2025. Office of Intelligence and Analysis, September 30, 2024. PDF file, 5.11 MB. https://www.dhs.gov/sites/default/files/2024-10/24_0930_ia_24-320-ia-publication-2025-hta-final-30sep24-508.pdf
[4] Cybersecurity and Infrastructure Security Agency. 2025. Pro-Russia Hacktivists Conduct Opportunistic Attacks Against U.S. and Global Critical Infrastructure, Advisory AA25-343A, December 9, 2025. U.S. Department of Homeland Security. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
