MA · Data Sovereignty · 2026
Module MA — Digital Sovereignty
Data as a sovereign asset.
Classification · Residency · Lifecycle · Data Act
Fundamental Right #5 — ORBii Framework

"Protect your data from external interference: controlled physical residency, managed third-party access, effective audit rights, genuine portability."

What this module covers

Critical data mapping, operational classification, residency and localization, Data Act & portability, cross-border data flow auditing.

Regulatory scope

GDPR Art. 44-49, Data Act 2025, BCBS 239, DORA Art. 28, Cloud Act vs GDPR, Schrems II, PSD3.

Target audience

CDO, DPO, CISO, Data Owners, IT legal counsel, compliance teams, data architects.

Recommended duration

Half day (3h30) — 2 theoretical sessions + 1 mapping workshop.

ORBii.Academy — Digital Sovereignty & AIMA · P.01
Right 5 — Protect your data

Operational data classification.

Every sovereignty framework starts with knowing which data deserves what level of protection. Classification must be actionable, not academic.

🌐 Public · Residency: Open
Freely accessible data with no impact if disclosed. Websites, press releases, published regulatory data. No residency constraints.

🏢 Internal · Residency: EU Cloud
Internal use only. Operational data, reporting, internal communications. EU cloud acceptable with encryption in transit and at rest.

🔒 Confidential · Residency: EU Residency
Customer data (GDPR), sensitive financial data, trade secrets. EU residency mandatory. Third-party vendor access subject to enhanced DPA.

🛡️ Critical · Residency: On-premise / Sovereign
DORA-critical data, encryption keys, AI model governance data, BCBS 239 Level 1 regulatory data. On-premise or certified sovereign cloud.

The 5 residency questions

Q1 — Where is your data stored?

Physical datacenter, country, applicable jurisdiction. A contract stating "EU" does not guarantee the absence of metadata transfers.

Q2 — Who can access it without notifying you?

Government access clauses (US Cloud Act, UK CLOUD Act). Mandatory vendor access audit trail (DORA Art. 28.3.e).

Q3 — Does your AI training data leave the EU?

Fine-tuning and RAG via external API = potential transfer. EU AI Act requires training data traceability for high-risk systems.

Q4 — Can you retrieve your data in full?

Data Act Art. 23-35: right to portability of data generated by digital services. 30-day deadline, interoperable format, no excessive fees.

Q5 — What happens to data after contract termination?

Certified destruction clause (GDPR Art. 28.3.g). Residual technical retention by the vendor = regulatory and competitive risk.

⚠ Major warning signal

Any cloud contract that fails to answer these 5 questions exposes the organization to a latent GDPR violation and a DORA risk to business continuity.
