Cyber Security

Digital Sovereignty: Meaning and Strategic Necessity for Businesses

Authors

Friederike Schneider

Cyber Security Expert

In times of growing geopolitical tensions, the importance of global dependencies is moving into the public focus. This is not just about oil and gas, but also about the resource "data". However, digital sovereignty is more than a political ideal or strategic advantage. From our perspective, it will also be a mandatory prerequisite for the competitiveness of companies in the future.

In this blog post, we want to focus on precisely this: Why is digital sovereignty strategically important for companies? And above all: What can be done to achieve digital sovereignty?

More than autarky: What exactly is digital sovereignty anyway?

At its core, digital sovereignty describes the ability of individuals, companies, and states to determine, secure, and independently exercise their role in the digital world. This is explicitly not about developing every technology themselves or completely doing without external providers. Rather, it is about the ability to have a choice.

Being sovereign, therefore, does not mean doing everything yourself. It means not being forced into dependency.

This ability is evident on several levels. Technologically, it means understanding, controlling, and, if necessary, being able to change the systems in use. Operationally, it is about remaining capable of action – even when framework conditions change or providers disappear. And at the data level, the focus is on the question of who actually has access, control, and decision-making authority over information.

These dimensions do not only affect individual companies, but run through the whole of society – from individual users to the economy, all the way to state institutions.

Between regulation and reality

Europe recognized early on that digital sovereignty cannot function without clear rules. With the GDPR, a globally respected standard for data protection was created, and the EU AI Act also pursues the goal of bringing transparency and risk awareness to the handling of artificial intelligence. The direction is correct: Trust, security, and clear responsibilities are central prerequisites for digital sovereignty.

In practical implementation, however, tensions emerge. Many companies struggle with the complexity of the requirements, unclear interpretations, and high implementation efforts. What is intended as a protective mechanism is often perceived as a brake on innovation. This creates a conflict of objectives that cannot be easily resolved: How much regulation is necessary, and at what point does it become a disadvantage for the business location?

The structural dependence of Europe

The challenge becomes even clearer when looking at the actual use of digital technologies. A large portion of the solutions used does not come from Europe, but primarily from the US and China. At the same time, trust in European providers is high – but usage is comparatively low.

This discrepancy reveals a central problem:

Europe is highly dependent on external technologies, although the desire for more independence is clearly present.

This ambivalence is also evident at the state level. While billions are being invested in programs to strengthen digital sovereignty, significant funds are simultaneously flowing into software solutions from international providers to equip the federal government. This is not a contradiction out of negligence, but rather the expression of a structural dilemma: The most powerful solutions are often not the ones that protect our data best.

Cloud Computing as a reality check

This conflict is particularly evident in the area of cloud computing. Hardly any technology is so central to digital transformation and at the same time so heavily dominated by a few global providers.

The large hyperscalers convince through their speed of innovation, scalability, and a broad service portfolio. Their technological lead is substantial and can hardly be caught up with in the short term. For companies, this means: Those who want to remain competitive can hardly bypass these offerings.

This, however, is precisely where the greatest dependency arises. Data, processes, and entire business models are tied to external platforms whose control can only be influenced to a limited extent.

In this context, digital sovereignty does not mean dispensing with the cloud. Rather, it means dealing with this dependency consciously and actively shaping it.

Why companies should get active now

Those who currently rely on hyperscalers in their company initially benefit from efficiency. Especially in the initial phase, highly integrated platforms from overseas seem attractive, as they enable rapid implementations, reduce operational complexity, and accelerate time-to-market.

In parallel, a technological path dependency is created. Proprietary services make adjustments more difficult, do not sufficiently take regulatory requirements into account, and complicate strategic changes of direction. Control over the use of cloud services gradually slips away, making data flows increasingly non-transparent.

However, the actual risks only unfold in the long term. Operational decisions turn into a structural dependency that is very difficult to break. Vendor lock-in prevents the integration of other tools.

At the same time, companies lose strategic bargaining power: Those who cannot effectively switch have almost no influence on prices, contract terms, or the further development of core platforms.

Regulatory aspects are also increasingly gaining weight. A wide variety of requirements for data residency, access controls, or international data flows can only be met flexibly if the underlying architecture is prepared for them.

In the end, it is not a single risk, but a cumulative development: rising costs, decreasing flexibility, and declining control.

From theory to practice: What companies can concretely do

The path to more digital sovereignty rarely leads through radical ruptures, but rather through a variety of "small" levers and, above all, a strategic engagement with the topic. Those who recognize now that digital sovereignty is important have taken the most decisive step.

Specifically, we recommend the following measures:

  1. A central lever is the conscious avoidance of lock-in effects. Instead of binding oneself completely to one hyperscaler, we recommend a multi-cloud or at least a multi-vendor strategy. The goal is not maximum diversification at all costs, but a controlled distribution of critical dependencies. This increases operational complexity, but creates bargaining power and reduces systemic risks.


  2. Not only the onboarding of technologies matters, but also the offboarding. A resilient exit strategy should be part of every architectural decision from the very beginning. This includes clearly defined and documented (!) strategies, including backups, which are regularly tested.


  3. Technical portability is the operational core of digital sovereignty and consistently requires interoperability, i.e., the ability of different systems, applications, or organizations to work together seamlessly and exchange data.


  4. Companies should specifically rely on open source as well as decoupled and interoperable architectures to reduce dependencies and keep system boundaries flexible. Technologies like Kubernetes or Docker make it possible to run workloads platform-independently while ensuring technical exchangeability. This entails short-term investments, but pays off in the long run through significantly increased strategic maneuverability and independence.


  5. Digital sovereignty does not only mean being technologically independent, but also being able to fully understand and control where data resides, who is allowed to access it, and under which jurisdiction it is processed. This is exactly where the term data sovereignty is often interpreted too narrowly: It is not enough to rely on the European branch of a hyperscaler. Rather, the decisive factor is the legal control over the provider itself. Many large cloud providers originate from the US and are therefore subject to US law – regardless of where the data is physically stored. As a result, European data is potentially subject to access by US authorities. The central legal basis for this is the US CLOUD Act. This law obliges US companies to hand over data if a corresponding order is issued by US authorities – even if this data is stored outside the US.

    This creates a structural conflict with the European logic of data protection: The EU General Data Protection Regulation (GDPR) is based on territorial data protection and strict purpose limitations. The CLOUD Act, on the other hand, enables extraterritorial data access by US authorities. This is a dilemma that companies cannot fully overcome, but one that must be managed. The solution does not have to lie solely in the physical location of the data; it can also be achieved through Confidential Computing, which ensures that data remains encrypted in memory even at runtime.


  6. From our point of view, security forms an important building block: Without robust encryption, resilient backup and recovery strategies, and clearly defined governance structures, any form of sovereignty remains incomplete. Zero-trust architectures, consistent identity and access management, and regular audits are the decisive buzzwords here.

Generally:

Companies need internal know-how to evaluate architectural decisions and to be able to critically question providers. Those who outsource this competency entirely will be left behind and remain dependent on others.

Thus, digital sovereignty does not arise from individual measures, but through the interplay of different building blocks.

Outlook: Artificial Intelligence as an accelerator

With the increasing use of AI, the discussion intensifies further. The potential is enormous, ranging from more efficient processes to better insights, all the way to new business models. At the same time, the demands on data quality, regulation, and organizational maturity continue to rise.

Particularly in this context, it becomes clear once again: Those who have no access to their data and models quickly lose control over core value creation processes. Digital sovereignty here becomes the decisive competitive factor.

Thus, sovereignty is a question of decisions.

Digital sovereignty is not a state that can be achieved once and then checked off. It is a continuous process that connects technological, organizational, and strategic decisions.

How much dependence are we willing to accept – and in which areas not?

Companies that consciously answer this question and shape their architecture accordingly gain a real advantage. Not because they are independent of everyone, but because they know their dependencies and can steer them.

Complete digital sovereignty remains a utopia, but addressing the topic is a strategic necessity.

 

Takeaways

  • Digital sovereignty strengthens the competitiveness of companies in Germany and Europe through control over data, technologies, and digital processes, which is becoming increasingly important in a globally networked environment.

  • Multi-cloud and open-source strategies help reduce dependency on US and Chinese providers and enable flexible, interoperable IT architectures tailored to regional data protection requirements.

  • CarByte offers comprehensive consulting on the development and implementation of these strategies, including security concepts with a focus on compliance and data protection, to provide companies with regionally secure and sustainable digital sovereignty and secure their data sovereignty in the long term.