As we see enterprises increasingly face geographic requirements around sovereignty, IBM Cloud® is committed to helping clients navigate beyond the complexity so they can drive true transformation with innovative hybrid cloud technologies. We believe this is particularly important with the rise of generative AI. While AI can undoubtedly offer a competitive edge to organizations that effectively leverage its capabilities, we have seen unique concerns from industry to industry and region to region that must be considered—particularly around data. We strongly believe the influx of data associated with AI will fuel tremendous business innovations, but requires strategic considerations, including around where data resides, data privacy, resilience, operational controls, regulatory requirements and compliance, and certifications. 

With our long history of working with clients across the globe—and especially in highly regulated industries—we understand the unique requirements enterprises are facing and are prepared to help them address their emerging regulatory demands. Whether a client in Europe is considering how they will be able to meet the proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) or a client in India needs to keep data in-country, we continue to follow the latest updates from regulatory bodies and monitor draft legislation to support our clients as they make informed decisions based on specific use cases, risk appetite, data type, threat landscape, business drivers, security needs and more.

IBM’s Enterprise Cloud for Regulated Industries

Building on our expertise working with enterprise clients in industries such as financial services, government, healthcare and telco, we saw the need for a cloud platform designed with the unique needs of these heavily regulated industries in mind. We introduced IBM Cloud for Financial Services, which includes an ecosystem of partner banks including BNP Paribas and CaixaBank, to help clients as they work to mitigate risk, address regulations, navigate their compliance and accelerate cloud adoption. In just a few years, we have helped some of the world’s leading banks transform. And our work doesn’t stop there. As clients continue to face industry-specific challenges, IBM Cloud is continuously innovating to help them thrive in areas related to trade finance, payments, high performance computing and more.

At the heart of our enterprise cloud for regulated industries is the IBM Cloud Framework for Financial Services®, which was created as a common set of preconfigured automated controls in collaboration with financial institutions to help clients as they adapt to emerging industry requirements and compliance obligations and mitigate the cost and complexity in an evolving regulatory landscape. The Framework is informed by the IBM Financial Services Cloud Council—a network of more than 160 CIOs, CTOs, CISOs and Risk and Compliance officers from over 90 financial institutions including CaixaBank, Virgin Money, Westpac and BNP Paribas—and continuously evolved upon to help address emerging risks and opportunities around resiliency, third-and-fourth party risk management, multicloud governance and data sovereignty.

As we help clients in highly regulated industries transform with resiliency, performance, security and compliance at the forefront, we have demonstrated a commitment to strong alignment with key industry standards including our alignment with the Cloud Security Alliance’s Cloud Controls Matrix, a cybersecurity control framework for cloud computing.

IBM Enterprise sovereign cloud capabilities designed to help support clients manage their regulatory obligations

Building on our longtime work with clients in regulated industries and the continued growth of our enterprise cloud for highly regulated industries, we recognize the growing needs around sovereign cloud—and have been working with partners and clients to support requirements in regions such as the EU, Saudi Arabia, India, Abu Dhabi and Africa for years. For example, we are working with Bharti Airtel, a major telecom provider, to offer edge cloud services to organizations in India, helping companies looking to leverage edge services and keep their data in-country by meeting the Ministry of Electronics and IT empanelment requirements.

As regulations evolve, we are committed to helping enterprise clients navigate their unique country requirements.

1. Data sovereignty: The importance of privacy and residency

As clients address data residency requirements, we are helping them as they manage customer data in region and specific geographies, and in the location of their choice. We provide clients with the flexibility of choosing the country or regions where they want to build and host their workloads and continue to expand our global data center footprint with new locations, for example, our new Multizone Region (MZR) in Madrid, Spain.

We are also committed to helping clients meet their data privacy requirements and offer innovative confidential computing, encryption capabilities and key management controls. For example, IBM Cloud Hyper Protect Crypto Services offers “Keep Your Own Key” encryption capabilities, designed to allow clients to have exclusive key control and helping them to address their privacy needs, including meeting their requirements such as GDPR in the EU. Additionally, IBM Cloud clients can utilize the advanced confidential computing data security capabilities to protect data even while in use—leveraging virtual servers built on Intel SGX, as well as confidential computing environments provided by IBM Hyper Protect Virtual Servers built on IBM LinuxONE. This allows them to protect what matters most and to host workloads in a secure environment.

The IBM Cloud Data Security Broker solution is data privacy focused and has field level encryption, tokenization and anonymization at a granular level such as PII data in databases to help shield sensitive data from cloud administration and is designed to help clients with their data privacy needs. With these capabilities, we aim to enable clients to control who has access to their data while still leveraging the benefits of the cloud. IBM Cloud’s enhanced data protection capabilities aim to help strengthen clients’ sovereign posture in the public cloud.

2. Operational sovereignty: A focus on resilience and operational controls

At IBM, operational sovereignty is critical to everything we do and we believe it is key to allow clients to have resilience and transparency at all times. For example, the Madrid MZR is designed to deliver European and region resiliency between our Frankfurt MZR and Madrid MZR, and vice versa. For clients using IBM Cloud, any client data provided is stored and processed locally in the selected region—such as our EU-based MZRs in Frankfurt and in Madrid. With the IBM Cloud Security and Compliance Center, clients can gain operational insights about their security and compliance posture. This includes monitoring of how the deployed workloads and data configurations meet their enterprise security policies, detect any drifts in this configuration posture, as well as workload protection and detection of their deployments—available across cloud native workloads, VMs, containers and cloud services. This includes the recently introduced IBM Cloud Security and Compliance Workload Protection capabilities to help clients protect workloads and assess vulnerabilities via quick identification and remediation. We also offer an EU support model that is designed to provide an extra layer of protection for our clients deploying their workloads in Europe.

Finally, our distributed cloud capabilities are designed to focus on running cloud services and applications where data resides—whether it is an on-premise data center or edge location so that not only data, but also compute can be in customer-controlled locations.

3. Digital sovereignty: Addressing regulatory requirements and certifications

We are also working to help clients meet their geographical specific compliance as sovereignty requirements evolve. For example, last year our cloud services in both our MZRs in Frankfurt and Madrid received Spain’s National Security Framework (ENS) High certification. Similarly, in Germany, our C5 attestation can be used by clients and their compliance advisors to help them understand security controls implemented by IBM Cloud, designed to help them meet their C5 requirements as they move their workloads to the cloud. In Australia, we have completed the IRAP assessment across a number of key services, as well as being ISMAP Certified in Japan.

Additionally, the IBM Cloud Security and Compliance center includes pre-defined geospecific profiles of controls, based on industry standards, providing clients with the capability for automated monitoring of compliance and security to help them get a unified view of their posture related to different domains of sovereignty such as data privacy, data residency and resiliency. Late last year, we released multiple profiles supporting regional standards, such as ENS High (Spain), BSI C5 (Germany), ISMAP (Japan), industry specific profile like PCI DSS v4 and AI Infrastructure Guardrails.

Looking ahead

Our progress so far and commitment to future-focused initiatives underscore our expertise in building and delivering the most robust and resilient enterprise grade cloud, helping to address the evolving demands of enterprise and government sectors. By implementing these measures, we aim to inject a higher level of transparency into the adoption of cloud services and not only help clients align with, but also exceed the standards set by increasingly stringent regulatory compliance developments.

Learn more about IBM’s enterprise sovereign cloud capabilities

Statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice and represent goals and objectives only.