Sovereignty has been important since the advent of nation-states – defined by borders, laws, and taxes applied both domestically and externally. This concept has deep roots in political and social history, forming the foundation of national identity and independence. While many have tried to define it precisely, the core idea remains: nations or jurisdictions seek to maintain control over their territory and resources, usually to the benefit of their citizens and stakeholders within their borders.
Digital sovereignty is a relatively new concept that is also difficult to define but simple to understand. Unlike physical sovereignty, which is clearly marked by geographical boundaries, digital sovereignty refers to a country’s or entity’s ability to control its data, infrastructure, and digital services in cyberspace. Data and applications do not inherently understand borders unless these borders are defined and enforced in the form of policies, embedded as code within IT infrastructure.
In the beginning, the World Wide Web had no such limitations and was considered an open, borderless space. Social groups like the Electronic Frontier Foundation, service providers and hyperscalers, non-profits, and businesses all adopted a model that suggested data would take care of itself in a free and global environment. This approach, while bringing many benefits including free access to information and unprecedented innovation, gradually created new challenges in data control and security.
Why is Digital Sovereignty Critically Important Today?
But data will not take care of itself for various reasons, and this is an undeniable reality in the digital age. Firstly, data has spun wildly out of control; we are constantly generating more of it, from personal data to sensitive organizational information. For at least two or three decades (based on historical reviews I have conducted), most organizations have not fully understood their data assets, not knowing what information they have, where it is stored, or what its value is. This lack of understanding and control creates inefficiency and significant risk – and most importantly, widespread vulnerability to cyberattacks.
Risk equals probability multiplied by impact – and currently, the likelihood of unfortunate incidents has drastically increased. Recent events such as military invasions, trade tariffs, and international political tensions have added new urgency to the discussion of digital sovereignty. This time last year, the idea of disconnecting another country’s IT systems was not even on the radar of analysts and policymakers. Now we are witnessing it happen – including actions like the US government blocking access to digital services abroad, which has widespread implications for global businesses and users.
Digital sovereignty is not merely a European concern, although it is often portrayed as such due to strict regulations like GDPR and the EU’s efforts for digital independence. This concept has resonated worldwide and become a global concern. For example, in South America, I am told that sovereignty is at the forefront of discussions with hyperscalers (large cloud service providers), and countries are seeking greater guarantees for controlling their data. In African countries, this is explicitly stated in supplier agreements, indicating its growing importance. Many jurisdictions are observing, evaluating, and re-evaluating their stance on digital sovereignty to protect their national interests in the digital space.
As the saying goes: a crisis is a problem for which there is no time left to solve. Digital sovereignty was also a problem waiting, which has now reached an emergency stage. This issue has transformed from an “abstract right of sovereignty” into a clear and present concern, impacting not only governmental thinking and macro-policies but also corporate risk assessment and how our computer systems are architected and operated. This evolution indicates that the discussion of digital sovereignty is no longer a theoretical concept but a practical necessity for national and organizational security and independence.
What Does the Current Digital Sovereignty Landscape Look Like?
Much has changed in the digital sovereignty landscape since this time last year. Many unknowns and ambiguities still remain, but much of what was unclear this time last year is now solidifying, and clear paths are emerging. Terminology and concepts have also become clearer – for instance, there is now more discussion about data classification and localization rather than broad and vague concepts. This precision in terminology helps organizations and governments formulate more effective policies.
We are witnessing a shift from theory to practice in the field of digital sovereignty. Governments and organizations are formulating and implementing policies that did not exist before, indicating the seriousness of this issue. For example, some countries have adopted “in-country” data as their primary goal, meaning data must be stored and processed within the host country’s geographical borders. Others (including the UK) are adopting a risk-based approach grounded in trusted zones, which provides more flexibility while still emphasizing security and control.
We are also seeing a change in risk priorities in this area. From a risk perspective, the classic triad of Confidentiality, Integrity, and Availability (CIA triad) lies at the heart of the digital sovereignty conversation. Historically, the focus has been more on confidentiality, primarily stemming from concerns about the US Cloud Act and the fundamental question: Can foreign governments view my data without my consent? These concerns have driven many countries to develop protective solutions.
This year, however, availability has gained greater importance due to geopolitics and very real concerns about data access in third countries. This includes the fear of sudden disruption of access to services or data in the event of international tensions. From a sovereignty perspective, there is less talk about integrity, but its importance as a target for cybercrime – with ransomware and fraud being two clear and present dangers – is no less. Maintaining data integrity is crucial to ensuring the accuracy and reliability of information, especially in the face of increasing cyber threats.
How are Cloud Service Providers Responding?
Hyperscalers are playing catch-up in this regard and continue to seek ways to meet the spirit of the law (in the French sense, meaning the intent and purpose of the law), while they may be forced to settle for its letter. It is not enough for Microsoft or AWS to say they will do everything to protect a jurisdiction’s data when they are legally obligated to do the opposite. Legislation, especially US legislation regarding data access, is determinative – and we all know how fragile the current state of international relations and extraterritorial laws is.
We see hyperscalers making progress where they offer technology for local management by a third party, rather than themselves. This model allows local providers to manage infrastructure and data within their own country, addressing sovereignty concerns to some extent. For example, Google’s partnership with Thales, or Microsoft’s with Orange, both in France, are examples of this approach (Microsoft also has a similar one in Germany). However, these are often point solutions and are not yet part of a general standard or global framework. Meanwhile, AWS’s recent announcement about creating a local entity in some regions does not fully resolve the problem of excessive US influence and potential data access, which remains a key issue for many countries.
In this space, non-hyperscaler providers and software vendors have found an increasing role. Companies like Oracle and HPE offer solutions that can be deployed and managed locally, providing greater control for organizations. Also, Broadcom/VMware and Red Hat offer technologies that local private cloud providers can host. This means that digital sovereignty is a catalyst for redistributing “cloud spend” among a wider range of players, including local and private cloud providers, which can lead to a more diverse and resilient cloud ecosystem.
What Can Large Organizations Do About It?
Firstly, view digital sovereignty as a core element of your data and application strategy, not merely a regulatory requirement or a technical challenge. Just as for a nation, sovereignty means having strong borders, control over intellectual property, and GDP growth, the goal for enterprises is the same – achieving full control over their data and operations, self-determination in technology decisions, and increased resilience against external disruptions. This strategic perspective helps organizations adopt a comprehensive and long-term approach.
If sovereignty is not considered a strategic element and is merely relegated to the implementation layer, it will lead to inefficient architectures and redundant efforts. This reactive approach is not only inefficient but also imposes significant hidden costs on the organization. It is much better to decide from the outset which data, applications, and processes should be considered “sovereign” and then define a clear and purposeful architecture to support them. This proactive planning can prevent future complexities and pave the way for effective implementations.
This sets the stage for informed decisions about sourcing and platform selection. Your organization may have made significant investments in key vendors or hyperscalers in the past, but today, multi-platform thinking is increasingly prevalent. This approach involves using multiple public and private cloud providers, with integrated operations and management. Within this framework, sovereign cloud becomes one of the core and vital elements of a well-structured multi-platform architecture, enabling the organization to maintain the necessary flexibility and control.
Delivering sovereignty is not cost-neutral and may require initial investments, but the overall business value and return on investment must be tangible and justifiable. A sovereignty initiative should bring clear benefits, not only for the goal of sovereignty itself, but also through advantages gained from better control over digital assets, increased operational visibility, and improved overall efficiency. These benefits also include reduced legal risks, enhanced cybersecurity, and increased customer trust.
Where to Start? Focus on Your Own Organization First.
Sovereignty and systems thinking go hand-in-hand: it all comes down to scope. In enterprise architecture or business design, the biggest mistake is “boiling the ocean” – attempting to solve everything at once without prioritization. This approach usually leads to failure and wastes resources.
Instead, focus on your own sovereignty and prioritize your organization’s core concerns. Worry about your organization, your jurisdiction, and know where your own digital borders lie. Understand your customers and their specific requirements. For example, if you are a manufacturer selling your products to specific countries – what specific legal or technical requirements do those countries have for your data or digital services? Address those needs first, not everything else. Don’t try to plan for every possible future scenario; a focused, operational approach is much more effective.
Focus on what you have, what you are responsible for, and what you need to address now. This means conducting a thorough assessment of your existing data assets. Classify and prioritize your data assets based on actual risk – i.e., probability and potential impact. Do this, and you are halfway to solving digital sovereignty – with all the benefits of efficiency, control, and compliance that come with it. This step-by-step approach ensures your resources are used more effectively and will lead to tangible results.
Ultimately, digital sovereignty is not just a regulatory issue; it is a deeply strategic one. Organizations that act now and place this concept at the core of their strategies can significantly reduce operational and legal risks, improve operational clarity, and prepare themselves for a future based on trust, full compliance with laws and regulations, and high resilience against unforeseen challenges. This preparedness will bring a significant competitive advantage in global markets.
Source: Reclaiming Control | GigaOm
