By Dr. Samir Saran and Dr. La Toya Waha
Key Highlights
- Data continuity is a strategic necessity, not an IT function. As governance, critical infrastructure, and economic activity become increasingly digital, resilience depends on preserving the systems that sustain the functioning of the state before crisis strikes.
- Data embassies provide a strategic model for continuity before disruption occurs. Estonia institutionalised the concept after the 2007 cyberattacks, while Ukraine demonstrated under wartime conditions that preserving critical data is essential to maintaining the functioning of the state.
- The next step is to treat trusted digital infrastructure as a strategic reserve. Reciprocal data embassies — and eventually shared computing capacity — would convert political trust into operational resilience, making digital continuity a cornerstone of twenty-first-century security.
The Imperative
Global trends and strategic foresight underscore the imperative of preparing for future crises. As states and societies become increasingly digital, resilience is no₹ longer defined solely by the protection of territory or physical infrastructure, but by the ability to preserve the digital systems that sustain governance, critical infrastructure, and economic activity. Data embassies should therefore be understood not as an IT contingency measure but as a strategic instrument of national resilience, ensuring the continuity of governance, essential public services, and critical societal functions when domestic digital infrastructure is compromised.
From a Theoretical Consideration to a Real-World Threat
In 2007, Estonia became the first state to experience a large-scale cyber campaign against its digital infrastructure. Coordinated cyberattacks disrupted government, banking, and media services, exposing a new strategic vulnerability: in a digital society, attacks on information systems can threaten the functioning of the state as seriously as attacks on physical infrastructure.
Fifteen years later, Ukraine confronted that vulnerability under wartime conditions. Days before Russia’s full-scale invasion in February 2022, Ukraine passed emergency legislation allowing critical government data to be stored outside the country. More than 10 petabytes of government and public-sector data were migratedto secure cloud infrastructure in early 2022, involving multiple ministries and state agencies. The effort relied on encrypted transfers and portable storage systems to relocate critical datasets outside Ukraine as the Russian invasion began. This large-scale migration played a key role in supporting the continuity of essential government functions under conditions of severe wartime disruption.
These two cases mark a turning point in how resilience should be understood. The lesson is not that digital states are inherently fragile, but that digital dependence requires strategic preparation. Estonia institutionalised this insight through the concept of the data embassy: legally protected digital infrastructure hosted on allied territory to ensure the continuity of critical state functions even if domestic systems are compromised. Ukraine demonstrated the same principle under fire, relying on rapid data migration to preserve the operational core of government.
Today, critical organisations all depend on digital infrastructure whose disruption can cascade across society. Data centres, cloud platforms, networks, and the software stack that connects them have become strategic assets – and strategic targets. Whether the disruption stems from armed conflict, cyberattacks, natural disasters, sabotage, or systemic infrastructure failure, the imperative is the same: resilience depends on ensuring data continuity before crisis strikes. Data embassies offer one strategic model for achieving that continuity – not only for governments, but increasingly for the critical sectors upon which modern societies depend. They constitute a significant extension of international law for the digital realm. The Estonian data embassy, for example, builds on a data centre in Luxembourg. Under Estonian control, it enjoys similar rights as physical diplomatic embassies.
The How: Three Architectures for Digital Continuity
Data embassies should not be understood as a single institutional model, but as a continuum of resilience architectures that can be adapted to different threat environments, trusted relationships, and operational requirements. Three models illustrate an incremental pathway from data protection to full digital continuity.
The first model is continuity mirroring. Operationally critical, but not highly sensitive, datasets are continuously replicated to trusted infrastructure abroad. If domestic systems become unavailable, the replicated data provides a rapid foundation for recovery. Like a military exercise, continuity mirroring builds the technical and organisational capabilities required for more advanced forms of resilience.
The second model is the data embassy. Critical government systems are hosted in a treaty-based, legally protected environment on the territory of a trusted partner, following the framework pioneered by Estonia and Luxembourg in 2017. Rather than transferring control, bilateral agreements establish legal guarantees over designated infrastructure and data to ensure the continuity of essential state functions even if domestic infrastructure is compromised. The objective is not secrecy, but availability: preserving access to the digital systems on which governance depends.
The third model extends the concept from data to computation. Rather than safeguarding information alone, trusted partners reserve secure computing capacity that can be activated to run essential government or critical infrastructure workloads when domestic capacity is degraded or destroyed. This “shadow compute” model is largely conceptual for now, but it reflects the next logical step in resilience planning. This model demands the highest level of strategic trust — not merely the agreement to store data, but the commitment to run another state’s critical workloads under crisis conditions. No publicly known treaty-based shadow compute arrangement exists between major economies, yet the logic of strategic reserves makes the gap conspicuous. As governments invest in digital autonomy and strategic digital infrastructure, reserving a fraction of that capacity for trusted partners would create a digital equivalent of a strategic reserve – not of energy or fuel, but of computational capability.
Importantly, none of these models requires the routine sharing of highly classified information. However, a degree of alignment between the data protection regimes of states entering into these models is necessary. The focus is on continuity-critical data and services: population registers, tax systems, emergency communications, and other digital assets essential to maintaining governance and societal resilience. The objective is not to export a state’s most sensitive secrets, but to ensure that governments, critical infrastructure operators, and the societies they serve can continue to function when strategic disruption occurs.
The Strategic Imperative for Governments and Critical Industries
The strategic case for data embassies rests on a simple principle: assets essential to national continuity should never depend on a single point of failure in the long run. States have long stockpiled strategic commodities, dispersed military capabilities, and secured overseas basing rights to ensure continuity under crisis conditions. As governance, critical infrastructure, and economic activity become increasingly digital, the same logic applies to data and the digital infrastructure that sustains it. The objective is not to protect data because it is digital, but because its continued availability has become indispensable to the resilience of modern societies.
Estonia and Ukraine illustrate the cost of waiting for crisis before building resilience. Estonia translated the lessons of the 2007 cyberattacks into a long-term strategy for digital continuity, culminating in the world’s first treaty-based data embassy. Ukraine demonstrated the same principle under wartime conditions through the rapid migration of critical government data to secure infrastructure. Both cases reveal the same strategic lesson: resilience cannot be improvised at the speed with which crises unfold.
For governments, this means identifying the digital assets whose loss would compromise constitutional authority, public administration, or the delivery of essential public services.
The geopolitical implications extend beyond resilience. Strategic reserves have long transformed political trust into shared infrastructure. In 2026, India and the United Arab Emirates expanded their cooperation on strategic petroleum reserves, including reciprocal storage arrangements that strengthen both countries’ energy security. The principle is directly applicable to digital infrastructure: trusted partners can designate protected storage and computing capacity as strategic digital reserves, converting political trust into operational resilience.
To date, no publicly known reciprocal data embassy arrangement exists between two major economies. Establishing such partnerships would move data embassies from a niche solution developed by digitally advanced smaller states to a foundational element of twenty-first-century resilience. The technology exists. The legal precedents exist. What remains is the political will to recognise data continuity as a strategic capability rather than an IT function. The first formalisation of a reciprocal data embassy arrangement will do more than secure the respective countries’ own resilience — it will set the template for how digital infrastructure is shared, protected, and governed in the century ahead. That is not an IT decision. It is a strategic one.
About the author:
- Dr. Samir Saran is President of the Observer Research Foundation.
- Dr. La Toya Waha is a Visiting Fellow at the Observer Research Foundation Middle East.
Source: This article was published by Observer Research Foundation.






