SOV-IT active definition
Italian sovereignty

Data, infrastructure and operations entirely within Italian territory.

// What it means

SOV-IT is the strictest form of digital sovereignty we offer. Hardware, storage, backup replicas, operational logs and the management team all remain entirely within Italian territory. Replicas and remote access outside national borders are excluded from the standard regime; any operational exceptions (e.g. extraordinary maintenance by a vendor) are admitted only with strict contractual clauses, tracked and audited, and explicitly disclosed to the client.

The infrastructure can be on-premise at the client's site (for those who already have a compliant datacenter or server room) or hosted in qualified Italian datacenters. Note that AgID/ACN certification of the datacenter alone does not automatically guarantee the highest level of sovereignty: the actual level depends on the provider's specific qualification (e.g. ACN QC1-QC4), the service class and the signed contract.

For AI workloads, inference runs by default on open-source models executed locally (Ollama, vLLM, llama.cpp) that do not call external endpoints. On request we can design hybrid setups (e.g. local models for sensitive data + cloud models for generic tasks) with explicit guardrails that prevent data under the SOV-IT regime from leaving the national perimeter.

This choice comes at a cost: less global scaling elasticity, higher latency for users outside Italy, no direct access to managed features of non-EU hyperscalers. In exchange you gain legal and operational guarantees that no global cloud can replicate.

// Where the data resides

Where the data physically resides

  • Datacenter: ACN/AgID-qualified Italian providers · client on-premise
  • Backup: Replicas only within Italian territory
  • Operations: Italian team · access via local VPN, audited
  • AI inference: Local models (default) · hybrid possible with guardrails
  • Telemetry: Logs and metrics collected and processed in IT

// When to choose it / when not to

Choose it when

  • Public administration and public in-house entities subject to the Italian Cloud Strategy
  • Healthcare and clinical data requiring explicit Italian jurisdiction
  • Defense, national security, critical infrastructure (NIS2 essential entities)
  • Companies that want to exclude any exposure to the US CLOUD Act or non-EU regulations

Avoid it when

  • Workloads requiring a global CDN or multi-region presence
  • SaaS products aimed at an international audience where local latency is critical
  • Use cases requiring proprietary AI models (GPT-4, Claude, Gemini) not available on-prem

// Compliance and standards

Regulatory references and standards applicable to the SOV-IT sovereignty level.

  • AgID · PSN: Polo Strategico Nazionale, cloud qualifications for public administration (Italian Cloud Strategy)
  • ACN · QC1-QC4: National Cybersecurity Agency, cloud qualification classes and PSNC
  • GDPR: EU Regulation 2016/679 on the processing of personal data
  • NIS2: EU Directive 2022/2555 on essential and important services
  • eIDAS 2: European digital identity, compatible with SPID/CIE

// Specific FAQ

Does this mean the system is not reachable from abroad?

No. The infrastructure is in Italy, but users can access it from anywhere via the internet. SOV-IT concerns data residency and operational jurisdiction, not reachability.

Can I use commercial AI models (OpenAI, Anthropic) in SOV-IT?

Not for data under the SOV-IT regime: to maintain sovereignty the model must run on Italian infrastructure, and by default we use open-source models (Qwen, Llama, Mistral) on local GPUs. It is possible to design hybrid setups where SOV-IT data stays local while generic non-sensitive tasks use cloud models, but the boundary must be defined explicitly during design and enforced with technical guardrails.

What happens in a disaster recovery scenario?

The secondary site is also in Italy, in a different seismic and network zone from the primary. No replicas are ever placed outside national borders, not even temporary ones.
