In 2025, AI regulations were established in four major global regions.

Greetings from the island nation of Japan.

We often observe the complex, multi-layered strategies of the major global powers (Japan, China, the EU, and the US) with a kind of detached, yet deeply involved, professional interest. The concept of Sovereign Cloud and AI Governance is essentially the high-stakes game of ensuring that while we all use the same global infrastructure—the "Cloud"—the rules governing our most precious data are rooted firmly in local soil.
It’s the digital equivalent of trying to share a sandbox while each kid brings a lawyer to argue over the precise jurisdiction of their respective sandcastles. As 2025 marks the convergence of key AI-related legislation across these four major actors, their individual approaches—from Japan's standards-driven path to China's hard-law mandates—reveal not just differing legal frameworks, but entirely distinct philosophical approaches to data sovereignty.
This article will quietly lay out the strategic comparisons, allowing you to sidestep the noise and political heat, and instead focus on the quietly essential compliance and strategic maneuvers required to thrive in this new, rule-bound era of global digital competition.

Sovereign Clouds and AI Governance: A Comparative Analysis of Strategies in Four Major Blocs

Introduction

This summary is a result of my own research and reflection, prompted by encountering the term "sovereign cloud" in an article about AI in China. The year 2025 marks a point where AI-related legislation is set to be in place across four major blocs (Japan, China, the EU, and the United States), and each country's digital sovereignty strategy is becoming clearer. This raises questions about how we, as general users and general social developers, should navigate these developments.
Up until now, the rules, particularly "laws," have been somewhat ambiguous. However, with these regulations now emerging, it is important to consider how to operate effectively "within the rules" going forward.

---

Chapter 1: What is Sovereign Cloud?

Difference from Data Localisation

Many people tend to confuse these two, but they are distinct concepts.

• Sovereign Cloud
  • Purpose/Philosophy: A cloud service or design philosophy that aims for a state where data, systems, and overall operations are under the exclusive protection of the laws of a specific country or region, free from the laws and external influences of other countries.
• Data Localisation
  • Means/Requirement: A regulation or measure that mandates the physical storage and processing of data within a specific country or region.

In other words, data localisation is a foundation for achieving a sovereign cloud, and it is one specific action.
Let's not confuse the purpose with the means.

---

Chapter 2: The Three Requirements for Constituting a Sovereign Cloud

A sovereign cloud is comprised of the following three sovereignty requirements:

1. Data Sovereignty

• Data Localisation
  • Data is stored and processed physically within the country (mandatory requirement).

• Jurisdictional Clarity

  • Guarantee that access to and disclosure requests for data are based solely on domestic legal regulations (e.g., Japan's Act on the Protection of Personal Information, the EU's GDPR).
  • The applicable laws vary depending on the product or service. While not yet the case, you might have noticed recently that voice and facial data may soon be included under Japanese personal information regulations.
  • Exclusion of the influence of foreign laws (e.g., the US CLOUD Act).
  • Mr. Altman from OpenAI is also working on this matter recently. He was essentially asking the government to do something about it! The US is also in a development race there. In the US, laws differ by state, which seems to make development challenging. To put it very loosely and concisely, his argument is: "It's expensive to develop, but we don't want to lose the AI development race, so give us tax breaks and speed up permits and environmental reviews for projects using federal land or funds!" https://cafe-dc.com/cloud/openai-asks-trump-administration-to-offer-ai-tax-cuts-proposes-govt-focused-classified-stargate/

• Management of Encryption Keys

  • Enable users in countries/regions with data sovereignty to manage the keys used for data encryption/decryption themselves.

2. System Sovereignty

• Portability
  • The ability for systems and data to be easily migrated from a specific cloud environment.
  • Prevents vendor lock-in and ensures technological independence.
    • Corporate Lock-in: A situation where it is difficult to switch to another vendor because the partner vendor has a deep understanding of the specifics of one's own company.
    • Technology Lock-in: A state of dependence on a vendor's technology.
  • There are basically these two types. It's not good because it's difficult to transfer accumulated knowledge and know-how over many years in a short period, both in terms of personnel and systems! It also costs money to change systems, and you might end up reverting.
• Domestic Control of Technology
  • Selecting, designing, operating, and maintaining core technologies such as cloud infrastructure, operating systems, and security technologies within one's own country.
  • Reduces technological dependence on other countries.
  • This became a hot topic. If AWS goes down, half the servers in the world will stop, the backend of smartphones will die, Netflix will stop, Slack will die – it's seriously at the level of civilizational collapse. If Amazon's e-commerce site disappeared, it would be "well, it's inconvenient..." but if AWS stopped for a day, the global economy would be in serious trouble. Both companies and other businesses would be in an uproar.
• Ensuring Transparency
  • Ensuring a level of transparency for application and infrastructure source code and specifications that allows users to perform audits and verifications.

---

3. Operational Sovereignty

• Operations and Support Structure
  • Access to cloud infrastructure, technical support, and customer service is provided by residents of the user's own country, in accordance with domestic laws, regulations, and security policies.
  • While I've handled numerous customer service inquiries both domestically and internationally in my professional capacity, international communications often tend to be more dramatic. For services based in the US, it's common for them to essentially say, "That's beyond what's covered in the documentation, and since you're trialling it, investigate the technical details yourself." The default attitude is often "I'm not to blame for this," and being passed around between departments is a frequent occurrence.
• Access Control
  • Strict mechanisms (logical and physical separation) to restrict or eliminate access routes for foreign national employees of cloud providers to sensitive data and systems, even from within the provider's organisation.
• Governance
  • Operational policies, disaster recovery plans, and responses to security incidents are decided and managed in a way that allows the user's government or an independent advisory committee to be involved.
  • This brings to mind the separation of powers.

---

Chapter 3: Sovereign Cloud Strategies of the Four Major Blocs

Countries and regions are pursuing digital sovereignty through different approaches.

Bloc	Leading Axis of Strategy	Primary Goal	Characteristics	Key Sovereign Clouds
Japan	Government Guidelines & Standardisation Led	Ensuring economic security and establishing a secure cloud usage environment free from the influence of foreign laws	Defining standards for security and governance based on ISMAP and the Act on Promotion of Economic Security. Controlling services from domestic and foreign vendors.	Sakura Internet, NTT Data, NEC
China	National Laws & Regulations Led	Ensuring national data sovereignty (cyber sovereignty) and protecting the domestic market	Mandating the domestic storage (data localisation) of important data collected domestically, based on laws such as the Cybersecurity Law.	Alibaba Cloud, Huawei Cloud, Tencent Cloud (domestic regions)
Europe	Standards & Ecosystem Led by GAIA-X	Establishing European digital sovereignty. Excluding the application of US law and setting unique standards for reliability, security, and interoperability.	Global hyperscalers also offer services compliant with these standards, placing the entire ecosystem under European law.	GAIA-X Compliant Services (OVHcloud), AWS European Sovereign Cloud, Oracle EU Sovereign Cloud
United States	Hyperscaler Strategy Led	Maximising efficiency and innovation in cloud usage, and responding to the stringent regulatory requirements of government and military agencies	For government and military agencies, providing dedicated sovereign regions that strictly comply with FedRAMP and have restricted operations and access privileges.	AWS GovCloud (US), Microsoft Azure Government, Google Cloud (Dedicated Regions)

Comparison of Sovereign Cloud Strategies in the Four Major Powers

Japan's strategy focuses on "standardisation", China's on "state control", the EU's on "ecosystems", and the US's on "market leadership". Their strategies are unfolding along different axes, reflecting a considerable divergence in national cultural backgrounds and philosophies. While they maintain control over key aspects, distinctive features are emerging.

---

Chapter 4: AI Governance Trends in 2025

2025 was a year dominated by AI globally. Frankly, it felt like being inside a washing machine. This situation looks set to continue next year as well. However, with AI becoming increasingly integrated into our lives, determining legal boundaries has become a significant challenge. 2025 saw substantial progress in this regard, marking the year when AI-related laws from the four major powers were established. This is what prompted me to write this article. They've finally all come out.

Japan's AI Promotion Act

I had thought that Japan's AI regulations were not progressing much, but in fact, they are being systematically developed. Little by little, the approach is distinctly Japanese: " Let's do things well within the rules ," with a very accommodating stance from the perspective of developers. While aiming for the ambitious national goal of becoming " the easiest country in the world to develop and utilise AI ," it seems likely that Japan will settle in a good position compared to other countries, with a balance of guidelines and laws, from the viewpoint of those who enjoy development. Utilisation, however, is still being explored.

China and EU's Hard Law

China and the EU have a strong " hard law " aspect in their AI-related regulations, making them straightforward due to clearly defined penalties. China and the EU are leading with "hard laws" that carry penalties, while Japan and the US are focusing on "guidelines" and "standardisation."

Impact of China's Cybersecurity Law Revision

Particularly noteworthy is the revision of China's fundamental Cybersecurity Law (enforced January 2026), which now includes AI provisions.

• Expansion of Extraterritorial Application
  • Previously, it was sufficient to consider the Personal Information Protection Law. However, this revised Cybersecurity Law also incorporates extraterritorial application. Consequently, considerations will now be needed for providing overseas AI products to users within China.
• Reference Links
  • China's Network Data Security Regulations (PwC Explanation)
  • https://www.pwc.com/jp/ja/knowledge/column/awareness-cyber-security/china-cyber-security-law.html
  • Cybersecurity Laws and Policy Trends in Various Countries (PwC)
  • https://www.pwc.com/jp/ja/knowledge/column/awareness-cyber-security/cybersecurity-laws-and-policy-trends-cn-tw.html

I predict that around three major legal news events are likely to occur in 2025 and 2026.

Summary

• Sovereign Cloud is not merely a matter of data storage, but the core of a nation's digital sovereignty strategy, meeting three requirements: data sovereignty, system sovereignty, and operational sovereignty.
• Each of the four major powers is taking a different approach, with Japan focusing on standardisation, China on legal regulations, the EU on ecosystems, and the US on efficiency.
• 2025 is the year when AI-related laws will be fully established, and China's revised Cybersecurity Law, in particular, creates new compliance requirements for global AI business development. As a differentiating point, Japan may also adopt a strategy of integrating AI domestically.
• In the future, as companies expand their businesses globally, addressing the sovereign cloud requirements and AI governance of each country will become increasingly important.