The Cloud Sovereignty Test: 5 Questions Every NZ Organisation Must Ask
2 October, 2025
It's time to cut through the marketing spin and get serious about what cloud sovereignty really means for New Zealand.
In boardrooms across New Zealand, a critical conversation is happening. Directors and executive teams are grappling with cloud migration decisions that will shape their organisations for decades to come. Yet many are making these choices based on incomplete information, marketing claims, and a fundamental misunderstanding of what digital sovereignty actually means.
The stakes couldn't be higher. Every day, more of New Zealand's most sensitive data—from government records to healthcare information, from financial transactions to intellectual property—flows into cloud infrastructure. But who really controls that data? Where do the profits go? And what happens when foreign laws conflict with New Zealand's interests?
The Problem: Sovereignty Theatre
Right now, the cloud sovereignty conversation in New Zealand is broken. IT decision-makers have been led to believe that sovereignty simply means "New Zealand-owned" or having a local presence. This oversimplified view has created what we call "sovereignty theatre"—impressive-sounding claims that don't stand up to scrutiny.
Some providers point to New Zealand ownership, while their staff operate under foreign laws. Others build local infrastructure but funnel profits overseas through licensing arrangements. Still others claim sovereignty while remaining subject to foreign government data access laws that supersede New Zealand's legal protections.
Legal experts are sounding the alarm. A 2022 legal opinion by James Every-Palmer KC warns that "the only way to avoid jurisdictional risk is by holding governmental information exclusively in New Zealand and by a provider that is not a subsidiary, or otherwise under the control, of a foreign company." The opinion specifically highlights how laws like the US CLOUD Act can compel disclosure of data held by New Zealand subsidiaries of foreign companies, often without notice to New Zealand authorities.
This isn't just an academic debate. When foreign governments can access New Zealand data through their own laws, when critical decisions about our information are made in distant boardrooms, when the economic benefits of our digital transformation flow offshore—our sovereignty is compromised, our national interests are at risk, and our obligations under Te Tiriti are not being met.
The Solution: The 5 Questions of Cloud Sovereignty
To cut through the confusion, we need objective criteria. We need a framework that separates genuine sovereignty from marketing spin. That's why we've developed the 5 Questions of Cloud Sovereignty—a practical test that every New Zealand organisation should apply when evaluating cloud providers.
These five questions expose the gaps between sovereignty claims and reality:
1. Is the provider controlled by New Zealand entities?
True sovereignty starts with ownership and control. It's about whose interests the company serves, which society and economy it's part of, and which laws ultimately govern its operations. A genuinely sovereign provider isn't just incorporated in New Zealand—it's owned by New Zealand entities that pay taxes here and are accountable to our legal system.
2. Are all staff with access to customer data employed under New Zealand law?
Your data is only as secure as the people who can access it. This question isn't just about where the data centre is located—it's about every person with administrative access, from system engineers to senior management. When staff are employed under foreign laws, they may face conflicting legal obligations that compromise your data security.
3. Can foreign governments access customer data through their laws?
This is where many sovereignty claims fall apart. Foreign governments have increasingly aggressive data access laws—from the US CLOUD Act to Australia's surveillance and disruption legislation. The Australia-US CLOUD Act Agreement now allows US law enforcement to access data held by Australian companies, regardless of whether they have US parent companies.
Legal analysis shows that these risks extend beyond data location. As one expert opinion notes: "where the information is held exclusively in New Zealand by a New Zealand company, jurisdictional risk still arises where the provider has an overseas parent." Foreign governments can assert jurisdiction over data held by New Zealand subsidiaries of their companies, often without notice to New Zealand authorities.
For Māori data, this issue carries particular cultural significance. As Te Mana Raraunga states, Māori data sovereignty recognises that "indigenous data should remain subject to indigenous governance." When cloud providers expose Māori data to foreign jurisdiction, they undermine this fundamental principle and breach the Crown's Te Tiriti obligations of active protection.
4. Where do profits and intellectual property go?
Economic sovereignty matters for both immediate and long-term national interests. When cloud spending flows to offshore parent companies through licensing fees and profit transfers, New Zealand loses twice—we miss out on the economic benefits of our digital transformation, and we become dependent on foreign entities for critical infrastructure.
True sovereignty means keeping the economic benefits of the digital economy in New Zealand, but it goes deeper than just profit retention. It means building the human capacity of our people—ensuring New Zealanders know how to build, maintain, and operate cloud infrastructure, not just use it. When we rely entirely on foreign expertise and intellectual property, we create dependencies that compromise our long-term digital autonomy.
Investment in local cloud capabilities builds sovereign capacity that benefits our entire digital economy, from government services to private enterprise innovation.
5. Who makes final decisions about data access?
When disputes arise, emergencies occur, or legal requests are made, who has the final say? If the ultimate decision-makers are in foreign boardrooms, subject to foreign laws and pressures, then your sovereignty is theoretical at best. Genuine sovereignty means New Zealand leaders making decisions about New Zealand data under New Zealand law.
Why This Matters Now
New Zealand is at a digital crossroads. The decisions we make today about cloud infrastructure will determine our digital sovereignty for generations to come. We can choose to build our digital future on genuinely sovereign foundations, keeping control of our data, our economic benefits, and our destiny in New Zealand hands.
Or we can continue down the current path, where sovereignty is a marketing slogan rather than a reality, where our most sensitive data is subject to foreign laws and control, and where the economic benefits of our digital transformation flow offshore.
The legal risks are real and immediate. The Waitangi Tribunal has recognised that mātauranga Māori includes Māori rights and interests in the digital domain, warning of "the failure to appreciate or understand the link between data and mātauranga Māori, a taonga also guaranteed to Māori under te Tiriti/the Treaty." When we allow Māori data to be subject to foreign laws and control, we fail in our Treaty obligations.
The Test Challenge
We challenge every New Zealand organisation to apply these five questions to their current cloud providers. We challenge every cloud provider to answer them honestly. And we challenge our industry to move beyond sovereignty theatre toward genuine digital sovereignty.
The results might surprise you. Many providers who claim to offer sovereign solutions will struggle to give satisfactory answers. Some questions may reveal uncomfortable truths about foreign ownership, offshore staff, or overseas profit flows.
But this discomfort is necessary. Only by honestly assessing our current situation can we make informed decisions about our digital future.
Transforming the Conversation
At Catalyst Cloud, we're committed to transforming New Zealand's cloud sovereignty conversation. We're sharing this framework not to win arguments, but to elevate the debate. We believe that when New Zealand organisations have access to clear, objective criteria, they'll make better decisions about their digital future. We invite you to join us.
The five questions of cloud sovereignty aren't just a test—they're a call to action. They challenge us to demand better, to think more critically, and to build a digital future that truly serves New Zealand's interests.
Because in an interconnected world, the organisations and nations that control their data, their infrastructure, and their digital destiny will be the ones that thrive. The others will simply be along for the ride.
Ready to test your cloud provider's sovereignty claims? The five questions are waiting. The real question is: are you prepared for the answers?