Digital sovereignty for greater freedom of choice and less dependency

Digital sovereignty determines whether companies remain capable of acting in crises or have to react in a way that is dictated by others. Especially in times of geopolitical tensions and growing dependence on a few technology providers, the question arises: Who actually controls your data, your cloud environments, and your digital processes? This guide shows what digital sovereignty means, why it is indispensable today, and how companies can achieve it step by step.

Digital sovereignty describes the ability to act autonomously and independently in the digital world without having to rely completely on individual external providers. For companies, this means retaining control over their data, IT infrastructure, and digital processes as far as possible.

The focus here is less on self-sufficiency—which is unrealistic for globally networked companies anyway—and more on the goal of securing one's own freedom of choice and not being restricted in one's ability to act by dependencies.

The term itself is derived from the classical understanding of state sovereignty: the ability to make self-determined decisions without external control. For a long time, sovereignty was understood primarily in political terms. Today, it is also applied to the digital world: to states, organizations, and individuals.

Digital sovereignty is not evident in a single area, but in several closely interrelated dimensions. Anyone who wants to remain independent and capable of acting in the long term must keep an eye on infrastructure, data, and key technologies in equal measure.

The IT infrastructure forms the foundation of every digital organization. This includes data centers, networks, and cloud platforms. Companies that are too dependent on individual external providers run the risk of losing control over their own processes. In the event of disruptions or provider changes, a concrete Plan B or exit strategy should therefore be developed. Those who prepare technical and organizational alternatives remain capable of acting in an emergency, even if a multi-cloud strategy is not (yet) in place.

Sovereignty therefore means making a conscious decision to make critical systems less dependent on individual providers and designing them in such a way that they remain portable in an emergency. This is the only way to ensure availability even in times of crisis.

Data is the gold of the 21st century, and sovereignty over it is the basis of digital self-determination. In this context, it is worth distinguishing between different levels of sovereignty:

IT security forms the technical basis, data sovereignty describes operational control over one's own information, and digital sovereignty ultimately describes the overarching strategic goal: the ability to shape the digital value chain in a self-determined manner.

Companies must ensure that sensitive information is not only protected by technical measures such as encryption, but also remains legally secure. The GDPR sets standards for this across Europe. In addition, it addresses aspects such as the protection of trade secrets and intellectual property, both of which are fundamental to a company's competitiveness.

In order to strengthen confidence in data control among European customers, major US providers are currently working on solutions for this market. One example is the promise that only employees based in Europe will manage the cloud services behind the company data. To this end, Microsoft is introducing new services and tools for managing external keys and tools for tracking access to the technical infrastructure located in the cloud.

In addition, there are solutions such as "bring your own key" that allow data to be stored in encrypted form in the cloud, but leave access to the key under the control of the company. Alternatively, data is processed in the cloud but stored locally or with a provider in the EU.

Whether cloud services, AI models, or industry-specific software: access to trustworthy key technologies is crucial to remaining competitive. Digital sovereignty does not mean developing everything yourself, but rather securing strategic freedom of choice.

Open-source solutions, European AI models, or software from independent providers are valuable alternatives that reduce dependencies and avoid lock-in effects. At the same time, access to such technologies is itself becoming an important competitive factor.

Until now, we have primarily considered the corporate perspective on the topic of digital sovereignty. However, it has been clear for some time now that digital sovereignty is no longer just an IT issue, but has long since become a political and social leitmotif with corresponding implications. While states are trying to secure their digital capacity to act, companies and citizens are also increasingly coming into focus. This is because digital dependencies have a direct impact on the economy, administration, and everyday life.

In Germany, the federal and state governments have been addressing the issue of how to reduce digital dependencies for years. The CIO Bund (Federal IT Commissioner) is developing strategies for projects and structures aimed at creating modern, secure, and independent IT in public authorities.

At the European level, initiatives such as the European cloud initiative GAIA-X, the European Data Act, and the Data Governance Act are taking center stage. The goal is to build a strong European ecosystem that protects data spaces, strengthens Europe's digital independence, and specifically promotes domestic providers.

A conflict between the legal guidelines in Europe and the United States, home to many prominent hyperscalers, is intensifying the debate. With the GDPR, Europe has created a data protection law that serves as a global benchmark and guarantees strong data sovereignty for individuals and companies.

At the same time, the US CLOUD Act is causing uncertainty: it allows US authorities to access all data held by American cloud providers in emergencies, without regard for the rights of European customers. This creates a potential area of conflict between European law and US legislation, which represents a significant compliance and risk issue for companies.

The first important political milestones have been reached: awareness of digital sovereignty has reached the highest levels, support programs have been launched, and initial alternatives have been created with European cloud initiatives.

However, there are still significant gaps: European providers have comparatively small shares of the global market because most companies continue to rely on the large hyperscalers. There is also a lag in innovation when it comes to the use of artificial intelligence, and implementation is often hesitant in government and small and medium-sized enterprises. Many companies also criticize the complexity of the structures, particularly in the case of GAIA-X.

Obstacles on the path to European digital sovereignty are therefore characterized by three areas:

These framework conditions form the context in which companies must develop their own strategies.

For companies, these considerations are by no means abstract. Political developments can influence which cloud, data, and AI solutions enjoy trust and which do not. The outcome of the 2024 US election alone, for example, triggered great uncertainty and a certain loss of trust in American providers among many companies. The reason for this was not even a specific change in legislation, but simply the prospect of a potentially more volatile new government. At the same time, political initiatives are opening up new opportunities – for example, through the promotion of sovereign cloud environments, open-source projects, or European AI alternatives.

So keep an eye on the political situation, but at the same time develop your own strategies so that you are not dependent on the pace of politics.

International cloud providers have responded to the growing demand for digital independence. Initiatives such as the AWS European Sovereign Cloud and Microsoft Cloud for Sovereignty are creating models that aim to anchor data storage, control, and jurisdiction entirely in Europe. These solutions enable companies to continue using existing technologies while complying with European data protection and security requirements. For many companies, this is a pragmatic way to strengthen their data sovereignty without having to forego proven technologies.

Nevertheless, there are still restrictions that you should factor into your risk management: Since the parent companies continue to be subject to US law, there is a residual risk from the US CLOUD Act despite European operating structures. In addition, the range of functions and speed of innovation of these sovereign clouds may be lower than that of global variants, even if they come from the same provider.

Companies that place particular emphasis on data sovereignty can counter this risk with hybrid models. This includes, on the one hand, processing more sensitive data via European providers or on-premise solutions. On the other hand, open source-based platforms can be taken into account when selecting cloud services – for example, by using PaaS offerings based on open standards, such as Kubernetes-as-a-Service. This preserves technological independence and makes it easier to migrate workloads to other infrastructures or operate them yourself if necessary.

Digital sovereignty cannot be bought like a software package. It is the result of conscious decisions, a clear strategy, and the courage to gradually reduce dependencies. For companies, this means one thing above all else: gaining an overview and identifying and prioritizing specific areas of action.

Anyone who discovers gaps here has already identified the first areas for action and can develop a confident digital strategy on this basis.

The debate surrounding digital sovereignty is often marked by skepticism. Similar arguments crop up time and again, particularly when it comes to European providers or alternatives to hyperscalers. However, many of these arguments can be viewed in a more nuanced way and, on closer inspection, turn out to be myths or at least half-truths.

There is (still) some truth in this statement. The big hyperscalers score points with their enormous range of functions and computing power. But the crucial question is: Does my company really need every single function?

For many business models, it is sufficient to reliably cover the core functions. In many cases, European providers are already competitive in this area and can map most of the relevant functions. They also offer tangible advantages in terms of data protection and compliance. Open source solutions offer the possibility of replicating missing functions.

The benchmark is often set incorrectly here. European AI does not have to cover all use cases of global generalists such as OpenAI or Google. It is much more important that European models are used specifically where data protection, domain knowledge, or regulatory requirements are crucial—for example, in healthcare or public administration. Rather than being weaker, European AI is often the more appropriate choice in these scenarios.

Complexity is not an insurmountable obstacle, but rather a question of approach. Instead of rebuilding everything at once, companies can use proof-of-concepts and pilot projects to determine which systems should be migrated first. Practical experience shows that clear priorities and a step-by-step introduction can limit risks while building valuable expertise within the company.

At first glance, hyperscalers often appear to be cheaper. But this calculation is deceptive: aspects such as vendor lock-in or compliance risks can end up costing you dearly later on. At the same time, when comparing prices, it is important to remember that every company has different needs that are factored into the costs of a particular provider—including those of European hyperscaler alternatives. If you know what services you need, you can plan for the long term in line with your requirements and negotiate the best deal.

Digital sovereignty is essential for companies to act independently and actively shape their digital future in an uncertain world. Achieving this is not a utopian dream, but a realistic and practical goal.: Step by step, thanks to clear priorities and conscious decisions.

For companies, this results in a clear call to action: they should start now to identify responsibilities and dependencies, consider alternatives such as open source models and European providers, and strengthen internal expertise in these areas. This will enable them to find the best solution for their individual situation.

There is no single path to digital sovereignty, but you can strengthen the resilience of your business processes and the innovative power of your employees by gaining a competitive edge over competitors who are still putting off addressing this issue.

At the same time, you should consider and examine how much responsibility can be kept in-house or outsourced. MaibornWolff has been supporting companies on this path for over 35 years. With analyses, strategies, and concrete implementation steps that reduce dependencies and ensure the ability to act. The decisive factor here is individual tailoring: solutions always arise in the context of specific business processes, risk appetite, and corporate culture.

Three examples from our service portfolio illustrate this:

• Sovereignty assessments: A thorough analysis shows where a company is already confident and where critical dependencies exist.
• Strategy development for cloud operations: With tailor-made architectures, the organization remains capable of acting even in times of crisis.
• AI consulting and sovereignty check: We conduct a detailed assessment and validation of your AI application scenarios, allowing you to leverage AI opportunities and minimize AI risks.

MaibornWolff not only provides support with technical implementation, but also with sustainable competence building within the company—so that digital sovereignty becomes a reality, step by step.