PRESS RELEASE

Are We in a New Westphalian World Web? – Report Summary

Analyst(s): Fernando Montenegro
Publication Date: November 11, 2025

The foundational assumption of a borderless global cloud is over, fractured by escalating legal and geopolitical conflicts such as the US CLOUD Act and the EU’s GDPR. This fragmentation, dubbed the “Westphalian World Web,” creates a new “Splinternet” where data sovereignty is a primary concern. Futurum examines how this new reality poses a direct challenge to dominant SaaS security architectures and forces a fundamental rethinking of global vendor strategy.

Key Points:

  • The legal “catch-22” between the US surveillance reach (CLOUD Act) and EU data rights (GDPR) presents a significant compliance risk for cross-border telemetry flows required by global SaaS security platforms.
  • Cybersecurity vendors now face a costly “sovereign premium” to re-architect platforms for local data processing, a move which also risks “balkanizing” global AI models into less effective regional versions.
  • Success in this fragmented market requires a shift to a federated, partner-led go-to-market model and a new value proposition based on “verifiable trust” through technical controls, such as confidential computing.

Overview:

The era of a single, borderless global cloud is over. We have entered a “Westphalian World Web,” where national sovereignty over data, compute, and AI is the new operating system, driven by escalating geopolitical tensions and “techno-nationalist” policies. This fragmentation is accelerating, fueled primarily by the fundamental legal conflict between the 2018 US CLOUD Act, which grants US authorities extraterritorial access to data, and the EU’s GDPR, a conflict that the 2020 Schrems II ruling has amplified. This is not just a US-EU problem; a “global ripple effect” is spurring similar data control laws in India, Brazil, and China, further complicated by new AI-specific regulations.

This legal conflict has forced the market to demand “sovereign-ready” offerings. Cloud providers such as AWS, Google, and Microsoft have responded with a range of offerings, spanning technical controls (e.g., AWS Nitro System) and software-defined boundaries to fully separate, legally isolated, partner-led infrastructure (e.g., Microsoft’s “Bleu” model in France). This infrastructure-level shift creates a downstream mandate for the entire software stack, including cybersecurity. The dominant multi-tenant SaaS security model – used by modern SIEM, XDR, and SASE platforms – which relies on centralizing global telemetry for analysis, is now increasingly misaligned with this new reality. These vendors are now forced to “Build Local,” investing heavily to create isolated, in-country versions of their platforms so that customer telemetry never leaves the jurisdiction.

This trend is bifurcating the competitive landscape. US-based hyperscalers and security vendors, such as Zscaler, CrowdStrike, and Palo Alto Networks, must invest in this “sovereign premium” or risk being excluded from regulated markets. They face new competition from European providers (e.g., OVHcloud, T-Systems) whose primary value proposition is not feature parity but “Trust Over Features” – specifically, “jurisdictional immunity” from the US CLOUD Act. This is a costly architectural overhaul at a time when budgets are already stressed. Furthermore, it creates new AI complexity, as vendors must choose between training less effective global models on anonymized data or building expensive, “balkanized” AI models on smaller, regional datasets. The go-to-market model must also evolve from selling a single global SKU to a federated, partner-led approach, elevating “national champions” (such as Thales or Capgemini) from simple resellers to core strategic assets for navigating local trust and regulations. For US vendors, the message must pivot from “trust us” to “trust the technology” by heavily marketing verifiable controls to prove technical data isolation.

What to Watch:

  • How will global enterprises be forced to navigate regional security differences, and will this lead to an imbalanced global risk profile with fragmented operational views?
  • Will confidential computing and other “verifiable trust” technologies transition from a niche differentiator to a non-negotiable, baseline requirement for US vendors to compete in sovereign-conscious regions?
  • Which major US-based security incumbent will be the first to acquire a “jurisdictionally safe” regional provider, using M&A as the fastest path to a compliant footprint and a trusted local brand?

The full report is available via subscription to Futurum Intelligence’s Cybersecurity & Resilience IQ service—click here for inquiry and access.

Futurum clients can read more in the Futurum Intelligence Platform, and non-clients can learn more here: Cybersecurity & Resilience Practice.

About the Futurum Cybersecurity & Resilience Practice

The Futurum Cybersecurity & Resilience Practice provides actionable, objective insights for market leaders and their teams so they can respond to emerging opportunities and innovate. Public access to our coverage can be seen here. Follow news and updates from the Futurum Practice on LinkedIn and X. Visit the Futurum Newsroom for more information and insights.

Declaration of Generative AI and AI-assisted Technologies in the Writing Process: While preparing this work, the author used Google Gemini to summarize the original report. After using this service, the author reviewed and edited the content as needed. The author takes full responsibility for the publication’s content.

Author Information

Fernando Montenegro

Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity & Resilience at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.

Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.

Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.
