High-performance computing: The new frontier in data sovereignty
Cloud strategy is at the heart of two divergent trends. Traditional hyperscalers (cloud service providers, or CSPs) have become a dominant feature in enterprise IT as organisations rely on the limitless scale of the cloud. In parallel, regulators have created data sovereignty laws and compliance requirements limiting cross-border data transfer.
The current push for high-performance computing (HPC), as one of the enablers for enterprise AI, puts this conflict under the spotlight. HPC’s potential for providing the compute power for AI, advanced research or complex modelling is constrained by cloud governance, security and cost. This isn’t just a technical hurdle; it’s a strategic challenge.
For CIOs and CTOs, the question is: how do you create a compliance-driven cloud strategy that delivers the business outcomes HPC promises?
Data residency and sovereignty – the minefield of compliance
While GDPR kickstarted the focus on data protection and privacy within the EU, arguably the turning point was the Schrems II ruling (2020). This decision invalidated the EU-US Privacy Shield, making most EU-US data transfers non-compliant overnight. Since then, numerous laws and regulations affecting data residency and sovereignty have been introduced.
Cloud compliance requirements
ISO 27001:2022
The addition of Annex A 5.23 to ISO 27001 introduced cloud compliance to the ISMS. Organisations with ISO 27001 certification now need processes that cover the lifecycle of cloud services from onboarding to exit. These include carrying out due diligence on CSPs to assess how sensitive data is processed. The annex also made accountability explicit: information security risk remains with the customer’s organisation.
NIS2 Directive (Oct 2024)
The EU’s directive labelled CSPs and data centres as essential services and increased the cyber security measures required around them. The directive reinforced the focus on accountability with the introduction of fines for non-compliant organisations. Its shared responsibility model means the customer is responsible for securing data and applications within the cloud.
EU Data Act (Sep 2025)
A more recent law forces CSPs to allow easy and low-cost switching to other CSPs. No more vendor lock-in. As well as reducing the risk of single-vendor dependency, the legislation provides legal support for hybrid cloud strategies, making it especially relevant for HPC solutions.
UK’s approach to sensitive data
After Brexit, the UK adopted GDPR rules but has since diverged from the EU on data residency. The UK guidance for government departments allows data to be held outside the UK. There is no blanket mandate for government data classified as OFFICIAL to be physically located in the UK. However, the National Cyber Security Centre advises that the public cloud is not designed to protect SECRET and TOP SECRET information.
Cloud governance and compliance for regulated industries
Regulated industries like financial services have additional requirements to contend with. The EU’s Digital Operational Resilience Act (2022) demands strong ICT security for financial services firms. It requires direct oversight of critical providers and mandates specific contractual obligations for all ICT providers, but does not change residency rules.
In the UK, the Financial Services and Markets Act (2023) gives the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority the power to oversee critical third-party (CTP) cloud providers. Financial services firms are accountable for their operational resilience and managing third-party risks, but there is no requirement for UK residency.
What’s next: Upcoming HPC and cloud regulations
The acceleration of AI adoption and the need for HPC mean that further compliance changes are on the horizon.
EuroHPC Joint Undertaking
The EU’s aim for Europe to be more self-sufficient in technology is behind the push for a sovereign HPC infrastructure. The goal is to give Europe its own infrastructure to drive research and advanced data processing.
European Cybersecurity Certification Scheme
An EU certification scheme for cloud, led by the EU’s cybersecurity agency, ENISA, is under development.
EU Cloud and AI Development Act
The drive for data sovereignty is also behind the EU’s aim to triple data centre capacity across Europe within 5 to 7 years. While not yet in law, the EU’s aspirations are clear.
HPC compliance: strategies for regulated industries
Designing a cloud strategy that delivers the benefits of HPC and stays compliant with data regulations is the challenge. The solution is not one-size-fits-all. The most pragmatic strategy is to adopt a tiered approach to data sovereignty, applying best practices to HPC solutions, especially in regulated industries.
Classify your data based on its sensitivity and deploy the most suitable level of cloud based on data sovereignty laws. This approach optimises your HPC solution for compliance and data protection:
Tier 1: ‘The crown jewels’
The most critical data needs the strongest controls. Whether you’re modelling financial risk, analysing patient data, developing defence research or processing other ultra-sensitive data through HPC, it’s essential this data is managed through a hybrid cloud with on-prem infrastructure.
Your organisation keeps absolute control over the physical hardware, the network and the data’s location. This model also provides total clarity around jurisdiction so you can prove to regulators where the data is, who can access it and which laws apply to it. The hybrid model de-risks your assets.
With the use of leading server CPUs, it’s possible to shrink the footprint of data centres, making on-prem, data-compliant solutions more viable. For example, AMD HPC products, including EPYC CPU and Instinct GPU, feature high core counts and scalable fabrics, optimising AI workloads and accelerating research both in the cloud and on-prem.
Tier 2: Sensitive data
For sensitive data that is less critical, sovereign cloud solutions are the answer. Many CSPs offer data centres within physically isolated cloud regions, giving you control over data residency, access and compliance. For example, depending on the location of your data, you could opt for a UK offering or an EU-based provider. Sovereign cloud solutions can form part of your hybrid model, so you keep control of regulated data and leverage cloud scalability.
AMD Infinity Guard security features apply here, including SME (Secure Memory Encryption) and SEV (Secure Encrypted Virtualization) as two pillars of confidential compute.
For further information, refer to Infinity Guard and AMD Security Solutions.
Tier 3: Non-sensitive
Handling non-sensitive data, such as general workloads outside of HPC, is less constrained by a compliance-driven cloud strategy. Enterprise IT solutions for traditional business workloads which benefit from the flexibility and scalability of the global public cloud can still operate there. However, at scale, this approach can still be significantly more costly.
Practical steps for data sovereignty compliance
Implement encryption and key management
Encrypt data both at rest and in transit. Beyond end-to-end encryption, what counts is that your organisation holds the encryption keys, so that neither your CSP nor unwanted parties can gain unauthorised access to your data. The architecture choices for your HPC solution also have a major impact on security. For example, AMD HPC processors, including the AMD EPYC™ (CPU) processor and AMD Instinct™ GPU, encrypt and protect each VM’s memory space from the hypervisor and other VMs using individual keys, with support for up to 1006 keys.
Apply strict access controls
Enforce zero-trust verification and least privilege principles. Limit data centre and on-prem infrastructure access to only your authorised staff. Tracking and monitoring data processing within your IAM policies will give you a complete and verifiable audit trail, a must for compliance. Building zero trust into your architecture also means considering components like the AMD Secure Processor that manages cryptographic keys and enforces hardware-based security policies.
Classify your data
Check where your data is stored, processed and transmitted. Classify it by sensitivity and which data sovereignty and localisation laws apply. An agreed strategy allows you to decide the most appropriate location – hybrid, sovereign or public cloud. But data flows also need to be audited regularly to avoid cross-border data transfers. For highly sensitive data, cloud compliance requirements might go beyond data storage. Infrastructure and operations (including technical support) may have to be located within the same jurisdiction and subject to local oversight.
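As an added illustration (not part of the original article), the following Python example audits data-flow records against the three tiers described above and reports placement, cross-border and support-jurisdiction findings. The record fields, placement labels, jurisdiction codes and sample flows are assumptions constructed for the example, as is the choice to apply the cross-border check to Tier 1 and Tier 2 and the support check to Tier 1 only.

```python
from dataclasses import dataclass
from typing import Optional

# Placements permitted per tier (labels are assumptions for this example):
# Tier 1 on-prem only, Tier 2 adds sovereign cloud, Tier 3 adds public cloud.
ALLOWED_PLACEMENT = {
    1: {"on_prem"},
    2: {"on_prem", "sovereign_cloud"},
    3: {"on_prem", "sovereign_cloud", "public_cloud"},
}

@dataclass(frozen=True)
class Flow:
    dataset: str
    tier: Optional[int]  # None means the dataset was never classified
    home: str            # jurisdiction whose sovereignty rules apply
    placement: str       # where the data is stored or processed
    src: str             # jurisdiction the data leaves
    dst: str             # jurisdiction the data arrives in
    support: str         # jurisdiction of operations / technical support

def audit(flows):
    """Return (dataset, finding) pairs; unclassified data fails closed."""
    findings = []
    for f in flows:
        allowed = ALLOWED_PLACEMENT.get(f.tier)
        if allowed is None:
            findings.append((f.dataset, "unclassified"))
            continue
        if f.placement not in allowed:
            findings.append((f.dataset, "placement"))
        # Sensitive tiers must not leave their home jurisdiction.
        if f.tier <= 2 and (f.src != f.home or f.dst != f.home):
            findings.append((f.dataset, "cross_border"))
        # Tier 1: operations and support stay in the same jurisdiction.
        if f.tier == 1 and f.support != f.home:
            findings.append((f.dataset, "support_jurisdiction"))
    return findings

# Constructed sample records, not real data.
SAMPLE_FLOWS = [
    Flow("risk-model", 1, "UK", "on_prem", "UK", "UK", "UK"),
    Flow("patient-genomics", 1, "EU", "sovereign_cloud", "EU", "EU", "US"),
    Flow("hr-records", 2, "EU", "sovereign_cloud", "EU", "US", "EU"),
    Flow("web-logs", 3, "UK", "public_cloud", "UK", "US", "US"),
    Flow("scratch-bucket", None, "UK", "public_cloud", "UK", "UK", "UK"),
]

if __name__ == "__main__":
    for dataset, finding in audit(SAMPLE_FLOWS):
        print(f"{dataset}: {finding}")
```

Run regularly against an inventory export, a check like this turns the classification into something that can be evidenced to an auditor rather than asserted.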
Establish clear contracts
Define clear responsibilities with your CSP, HPC-as-a-Service provider and other suppliers. Contracts need to define the roles and responsibilities for data handling, storage locations and security measures to ensure coverage for your HPC regulatory compliance.
Scan for new regulations
Proactive monitoring of emerging regulations across jurisdictions is critical. Compliance is an ongoing process. By staying informed about legislative changes you can adapt your HPC and cloud strategies to stay compliant.
The takeaway
Organisations that thrive will be those that build a flexible, secure hybrid footing, leveraging sovereign platforms and on-prem infrastructure. As your partner, we can help you realise your ambitions to harness the power of HPC to enable enterprise AI. Using our technology expertise, we can partner with you to build a solution where your data remains secure, compliant and sovereign.