Who really controls the data in the cloud era? The challenge of cryptographic keys
In the debate on digital sovereignty, one of the most widespread beliefs – even amongst industry professionals – is that the location of data is synonymous with control over it. However, the idea that ‘data hosted in Europe’ automatically equates to ‘data under European control’ is increasingly at odds with the reality of digital infrastructure. The spread of the cloud and of hybrid and multi-cloud models has, in fact, permanently separated two aspects that once overlapped: where information is stored and who can actually access it. In this scenario, the critical issue is no longer simply the data centre as the physical infrastructure where data resides, but the mechanism that makes the data readable: encryption and, above all, the management of encryption keys is one of the fundamental building blocks.
The European regulatory framework is accelerating this shift, and the NIS2 Directive – transposed into Italian law by Legislative Decree 138/2024 – not coincidentally requires organisations deemed essential and important to strengthen their cyber governance, with direct responsibilities for management and stringent risk management obligations. At the same time, schemes such as the EUCS (European Cybersecurity Certification Scheme for Cloud Services) promoted by ENISA and European strategies on cloud computing and data point in a clear direction: security is no longer merely an infrastructural issue, but one of operational and jurisdictional control. Furthermore, the Draghi Report on European competitiveness has highlighted a structural issue, namely Europe’s dependence on non-European digital infrastructure – a dependence that concerns not only computing capacity but also the deepest levels of data control. And it is on this issue that an often-overlooked point emerges: the true scope of digital sovereignty is not the place where data is stored, but the point at which it is made readable.
The Cloud and jurisdiction: three different models
Encryption, by definition, is the mechanism that protects data by rendering it unusable without a specific decryption key. This technical principle gives rise to a consequence that is as simple as it is decisive, and which has direct implications at a legal and regulatory level: whoever controls the key controls the data. Key management models are therefore at the heart of the issue, because they do not represent three levels of security, but rather three different answers to the question “who holds the key?”. Let us examine them in detail.
In the traditional cloud model, the keys are managed by the provider, creating a situation similar to that of a bank customer who rents a safe deposit box: it is always the bank that holds both the box and the key required to open it. In the BYOK (Bring Your Own Key) model, the company retains ownership of the key but entrusts its operational management to the provider’s infrastructure, which enables it to be used to encrypt and decrypt data. In the HYOK (Hold Your Own Key) model, on the other hand, the key remains entirely outside the cloud provider’s control and is held in an environment under the control of the organisation or an independent third party.
The difference between the various models is not only architectural but also legal: in the first case, the provider is technically able to access the data, whilst in the second the separation is partial, and in the third, access is subject to external and non-automatic authorisation. This distinction is also significant in light of the US CLOUD Act, which allows US authorities to request data held by providers subject to US jurisdiction, even if it is physically stored outside the United States. In a traditional or BYOK scenario, the order may result in a request for access to the data or to the keys themselves from the provider; in the HYOK model, however, the provider does not hold the key and cannot physically hand it over, shifting the point of control to the party that holds it.
The technical issue therefore becomes one of governance, and critical sectors such as finance, healthcare, public administration, energy and infrastructure are already facing increasingly stringent requirements, not least due to the introduction of the NIS2 regulation, which strengthens risk management obligations and the accountability of senior management. In this context, the management of cryptographic keys goes beyond the realm of implementation and becomes a central component of companies’ security strategy, as they are called upon to tackle a new crucial step: it is not enough to protect data; it is necessary to govern the parties who can make it readable.
Keys and digital sovereignty: the TIM Enterprise model
If control over data increasingly equates to control over keys, then the jurisdiction within which the keys are held takes on crucial importance. And it is precisely on this point that the model proposed by TIM Enterprise comes into play, interpreting key management as a structural element of digital sovereignty.
The first element of the company’s vision and proposed solutions concerns, precisely, jurisdiction. TIM Enterprise is an entity governed by Italian and European law and the keys held within its infrastructure therefore fall within a defined regulatory framework, not subject to extraterritorial legal systems such as that of the United States and the potential implications of the CLOUD Act. This aspect is particularly relevant for organisations operating in regulated sectors that must ensure compliance with increasingly stringent regulations.
The second element of the proposal is architectural in nature. The model is based on a HYOK approach that allows for the separation of key management from the use of cloud platforms. TIM acts as the “sovereign custodian” of the keys, and corporate customers can therefore continue to use the advanced services of global hyperscalers for computing, storage and AI applications, whilst retaining exclusive ownership of the keys within a separate domain under European control. In this way, the cloud is not replaced but decoupled from the control function: in other words, the provider continues to deliver services, but is not in a position to decrypt the data independently.
The third element concerns the physical and operational infrastructure. The keys and hardware security modules (HSMs) can be hosted in Data Centres of TIM Enterprise and managed by staff subject to Italian jurisdiction, ensuring high standards of security, resilience and reliability. The link between logical and physical control – an increasingly important element in advanced security models – is therefore fully assured. Finally, there is a systemic element.
Key management forms part of a broader context of critical infrastructure and services for the public sector and regulated enterprises, areas in which the ability to guarantee operational continuity, resilience and regulatory compliance is now as much a prerequisite as technological performance. This service is constantly evolving, and TIM Enterprise is preparing to introduce Quantum Safe solutions as well, in line with market trends and the solutions required and available from the leading cloud providers.
In a scenario where digital sovereignty is increasingly measured by the ability to govern keys, access and jurisdictions, cryptographic control therefore becomes a strategic element of risk management. For organisations operating in regulated environments or handling particularly sensitive data, the adoption of advanced key protection models now represents a concrete means of strengthening security, compliance and operational control.

