- Company
-
Products
Products
New ProductCloud Server
Fully managed virtual server infrastructure. Setup in minutes, hourly billing and 24/7 expert support so you can focus on your business.
Try Now -
Solutions
Backup & Security
Data SecurityRansomware & encryptionCloud BackupSecure backup to data centersImage BackupFull disk image + fast recoveryOff-Site BackupOff-site disaster recoveryMobile BackupiOS & Android photos/contactsRansomware ProtectionAgainst ransomware attacksTwo-Factor Auth2FA account security - Plans
- Resources
- Partners
- Blog
Digital Borders and Data Sovereignty: Is Your Data Really Safe?
In Whose Hands Is Our Data?
Türkiye’s Cloud Sovereignty Question
Imagine an entrepreneur who launches a small e-commerce business in Türkiye. Products are selling, customer data is flowing, things are going well. But where is that customer data actually stored? On which country’s servers? Subject to which laws? Most entrepreneurs do not know the answer. They simply say “in the cloud” and move on.
This uncertainty, however, is not just a concern for small businesses. The data held by Türkiye’s banks, hospitals, and public institutions also sits “somewhere” in the cloud. And that “somewhere” is often outside Türkiye’s borders — meaning the laws that actually govern that data are not Türkiye’s laws.
Who Holds the Digital Title Deed?
The advantages of cloud computing are undisputed. But that is no longer the real question. The real question is: when institutions use this cloud, how much control can they retain over their own data?
A concrete example: suppose a bank in Türkiye stores customer data with a U.S.-based cloud provider. When the U.S. government requests access to that data under the CLOUD Act, the Turkish bank has few options. Because physical and legal control of the data is not in Türkiye. The issue is no longer “the most affordable cloud”; it has become a question of whose legal system the data is subject to, whose hardware it sits on, and whose software processes it.
The Current Picture in Türkiye
Türkiye is not starting from scratch on this. The Personal Data Protection Law (KVKK) has been in force since 2016, and the 2024 amendments modernized the cross-border data transfer regime. Cybersecurity Law No. 7545 came into force in March 2025. The Banking Regulation and Supervision Agency (BDDK) requires banks to keep their systems within the country. The Digital Transformation Office is developing a certification mechanism for public cloud services. Türk Telekom–TÜBİTAK BİLGEM is developing a domestic cloud platform, and the HIT-30 Program targets more than 30 billion USD in high-technology investment by 2030.
However, these steps are advancing independently of one another. A framework that evaluates cloud services through a holistic sovereignty lens does not yet exist. It is precisely from this need that an eight-dimensional Cloud Sovereignty Objectives (CSO / BEH) framework can be defined.
Cloud Sovereignty Objectives (CSO / BEH)
The table below summarizes the eight fundamental dimensions along which cloud service providers should be evaluated from a digital sovereignty perspective.
| # | Sovereignty Objective | Description |
|---|---|---|
| BEH-1 | Strategic Sovereignty | The provider’s ownership structure, management headquarters, funding sources, and alignment with Türkiye’s strategic priorities. |
| BEH-2 | Legal and Jurisdictional Sovereignty | The legal framework governing the service, exposure to foreign jurisdictions, and the effective applicability of Turkish law. |
| BEH-3 | Data and AI Sovereignty | Control over data encryption, keeping storage and processing within the country, and the independence of AI models. |
| BEH-4 | Operational Sovereignty | The ability of Turkish operators to run the system independently, vendor lock-in risk, and access to source code. |
| BEH-5 | Supply Chain Sovereignty | Geographic origin, transparency, and resilience of hardware, software, and firmware components. |
| BEH-6 | Technology Sovereignty | Compliance with open standards, open source software, independent auditability, and interoperability. |
| BEH-7 | Security and Compliance | Compliance with KVKK, the Cybersecurity Law, and international standards; security operations conducted within the country. |
| BEH-8 | Environmental Sustainability | Energy efficiency, renewable energy use, carbon footprint transparency, and circular economy practices. |
Sovereignty Assurance Levels (TEGS)
Each objective is assessed on a five-tier assurance scale. TEGS-0 indicates that no sovereignty assurance is provided, while TEGS-4 indicates that full digital sovereignty has been achieved.
| Level | Name | Description |
|---|---|---|
| TEGS-0 | No Sovereignty | The service is entirely under foreign control; Turkish law cannot be practically enforced. |
| TEGS-1 | Legal Sovereignty | Turkish law formally applies, but enforcement capacity is limited; the service remains under the control of foreign parties. |
| TEGS-2 | Data Sovereignty | Turkish law is both applicable and enforceable; however, significant foreign dependencies remain. |
| TEGS-3 | Digital Resilience | Turkish actors hold meaningful influence; foreign control is marginal. |
| TEGS-4 | Full Digital Sovereignty | Technology and operations are entirely under Türkiye’s control; subject solely to Turkish law; no critical foreign dependencies. |
Assessment Weightings
The weight of each sovereignty objective in the overall score is shown below. The highest weight is assigned to supply chain sovereignty, because control over the origin of hardware and software directly affects every other dimension.
| # | Sovereignty Objective | Weight |
|---|---|---|
| BEH-1 | Strategic Sovereignty | 15% |
| BEH-2 | Legal and Jurisdictional Sovereignty | 10% |
| BEH-3 | Data and AI Sovereignty | 15% |
| BEH-4 | Operational Sovereignty | 15% |
| BEH-5 | Supply Chain Sovereignty | 20% |
| BEH-6 | Technology Sovereignty | 10% |
| BEH-7 | Security and Compliance Sovereignty | 10% |
| BEH-8 | Environmental Sustainability | 5% |
| TOTAL | 100% |
Data Sovereignty ≠ Data Localization
Data sovereignty does not simply mean “keeping data within the country.” It means retaining genuine legal, technical, and operational control over the data itself. Data may physically reside in Türkiye, but if encryption keys are held by a company in another country, if source code is not accessible, or if you depend on a foreign provider for security patches, it becomes difficult to speak of sovereignty at all. Making this distinction clearly is a fundamental prerequisite for a sound assessment framework.
The Role of the Domestic Ecosystem
Sovereignty is not achieved merely by building massive data centers. Domestic alternatives across a wide spectrum — from the backup solutions and file sharing platforms institutions use every day, to video surveillance infrastructure and object storage services — are also a critical part of sovereignty. Because what actually determines where data flows is often these “ordinary” looking tools.
As part of this ecosystem, Narbulut offers a broad product portfolio ranging from backup software and object storage to a document collaboration platform and cloud-based video surveillance solutions, enabling institutions to keep their data within Türkiye’s borders and subject to Turkish law. The strengthening of such domestic companies carries strategic value on a par with large infrastructure investments.
Conclusion
The pieces are on the table: the legislation exists, the investment plans exist, domestic companies exist, political will exists. What is missing is a holistic perspective that connects them. The later this perspective takes shape, the more data will have moved beyond Türkiye’s control.
Digital sovereignty is as strategic a matter as independence in the defense industry. Just as a missile shield cannot be borrowed from someone else, neither can data sovereignty. The only difference: the absence of a missile shield is visible to everyone. The absence of data sovereignty is only noticed once it is too late.
- CLOUD Act — U.S. Congress Official Text
- Law No. 6698 on the Protection of Personal Data (KVKK)
- Cybersecurity Law No. 7545
- Presidency Digital Transformation Office — Public Cloud Computing Strategy
- HIT-30 Program — Data Center, Artificial Intelligence, Quantum, and Industrial Robotics Calls
- BDDK Information Systems Regulation
- Türk Telekom – TÜBİTAK BİLGEM Domestic Cloud Platform Collaboration
Author: Bahri Uludağ – Information Technology Manager
