Why this term matters for cloud services
Cloud and supplier terms matter because Cyber Essentials covers services that store or process organisational data. The cloud provider secures part of the stack, but the applicant remains responsible for identity, access, configuration, data, and monitoring decisions.
A useful evidence set includes the cloud service inventory, administrator access controls, MFA enforcement, shared responsibility notes, and any supplier-risk decision where an external provider handles organisational data.
How Fig uses this term
Fig Group uses Data Sovereignty as part of a practical Cyber Essentials and compliance vocabulary. The purpose is to make assessment decisions easier to verify: what the term means, where it appears in evidence, which control it supports, and which buyer or assessor question it helps answer.
If this term affects your Cyber Essentials submission, treat it as an evidence question rather than a definition question. Document the relevant owner, system, configuration, policy, or workflow so an assessor can see how the control works in your environment.
Official sources and related guidance
For scheme interpretation, verify against official NCSC and IASME material. Fig's glossary is designed to translate those concepts into implementation language for UK organisations, MSPs, and procurement teams.