Sovereign 2.0: Control-Plane Sovereignty for Cloud Systems Under Disruption

TL;DR

This paper proposes Sovereign 2.0, a control-plane-centric model for cloud sovereignty that emphasizes governance, trust, and incident response beyond mere data location, especially under geopolitical disruptions.

Contribution

It introduces a comprehensive sovereignty model with a risk-assurance framework and highlights the importance of post-quantum cryptography for long-term trust.

Findings

Defines management sovereignty as control over services regardless of infrastructure

Proposes a three-layer risk-assurance framework for sovereignty

Emphasizes post-quantum cryptography as foundational for trust

Abstract

Cloud sovereignty can no longer be defined by data residency or infrastructure location alone. Under conditions of geopolitical disruption, legal exposure, and expanding service boundaries, sovereignty must be understood as enforceable control over how digital services are governed, operated, and recovered. This paper introduces Sovereign 2.0, a control-plane-centric model that extends sovereignty beyond localisation to include governance authority, privileged access, cryptographic trust, data lifecycle control, observability, and incident response across federated environments. We define management sovereignty as the sovereign ability to govern, operate, evidence, and recover services regardless of underlying infrastructure dependencies. To operationalise this model, we propose a three-layer risk-assurance framework spanning governance, operational, and technical controls, enabling sovereign outcomes to be specified and continuously evidenced under both steady-state and crisis conditions. We further position post-quantum-ready cryptographic control, particularly TLS and key custody, as foundational to long-term sovereign trust. These contributions reframe sovereignty as an evidence-backed control system rather than a property of location, with implications for cloud architecture, procurement, and resilience design.