Digital Sovereignty is far more than compliance

I have honed my expertise in digital sovereignty in recent years largely as a result of it being one of the things our EMEA-based partners and customers always ask about. There is no one unifying reason for this increased interest in digital sovereignty, but rather several converging factors are accelerating its urgency.

The most obvious is geopolitical instability. Sanctions and trade wars continue to disrupt global business operations. As reported, a coalition of nearly 100 organisations has urged European Commission leaders to establish a dedicated fund for building technological independence. In a joint letter addressed to President Ursula von der Leyen and Digital Commissioner Henna Virkkunen, the group advocated for strategic investments in homegrown infrastructure to reduce reliance on non-European tech giants.

Another concern is that seemingly neutral cloud providers can become liabilities. One example is the high profile move of a major hyperscaler to cut off the International Court of Justice’s email access following political pressure, highlighting that vendor obligations can sometimes override customer needs.

In addition to geopolitical concerns, regulatory pressure is also mounting, with regulations like DORA (Digital Operational Resilience Act) and NIS2 in Europe requiring financial institutions and critical infrastructure providers to ensure operational resilience. 

While it is true that geopolitical dynamics have put digital sovereignty into the spotlight, it would be a misconception to think of this as a fresh challenge, as at its core digital sovereignty is about resilience and autonomy. Organisations need to prove they can operate independently, even when global political shifts or vendor decisions disrupt their operations.

Prepare for unintended consequences

In April 2022, the Amsterdam Trade Bank (ATB), a financially stable Dutch institution, was forced into bankruptcy. This wasn’t due to poor management or insolvency, but rather because of sanctions imposed on its Russian parent company, Alfa Bank.

When the US, the EU and UK enacted sanctions against Russian entities in spring 2022, the ripple effects were catastrophic for ATB. Despite ATB being fully compliant with Dutch and EU laws, service providers, again being respectful with the same laws and sanctions, were obliged to abruptly terminate critical cloud services, including email and core banking operations. Without access to cloud-based workspaces and business software suites, ATB lost the ability to communicate internally or with customers, leading to its sudden collapse.

While the sanctions against Alfa Bank have been implemented in a different context this case nevertheless underscores a critical distinction when it comes to the question of sovereignty: Own compliance does not guarantee autonomy. Even legally sovereign organisations can fail if they lack operational resilience. ATB’s total dependence on their service providers left it defenceless when they withdrew support, a stark warning against vendor lock-in.

While “digital sovereignty” refers to government-mandated control, such as GDPR or data localisation laws, “digital autonomy” is about an organisation’s ability to operate independently, regardless of whether disruptions originate at the geopolitical or vendor level. This distinction has now been officially defined in the Netherlands by the Dutch government.

ATB was sovereign (regulated under Dutch law) but not autonomous, so when its cloud providers pulled the plug, it had no backup plan. And, of course, ATB is not alone, in Australia another major hyperscaler accidentally deleted superannuation fund UniSuper’s online account. Thankfully for UniSuper and its half a million members, they had taken the wise step of having a third party back-up. 

Building true autonomy takes a strategic approach   

To avoid ATB’s fate, organisations need to take proactive steps towards technology and systems resilience. First, they should eliminate single points of failure by adopting multi-cloud or hybrid cloud strategies including on-premise solutions, reducing reliance on any single provider. Open source solutions, such as Red Hat OpenShift, offer portability across environments, helping businesses avoid lock-in to a single vendor’s ecosystem, and providing customers with the flexibility, privacy and portability required to adapt to future regulations and sovereign requirements. In addition to this, specific technologies such as Confidential Computing can help you to continue using  your current investments in cloud technologies while protecting your data from third party operations. Open source software, being a neutral decentralised way to develop software, delivers access and transparency while not relying on a single vendor, instead leaning on the decentralised community as the real back up.

Next, organisations must control their exit strategy, for a smooth migration of data and applications if vendors change policies or face geopolitical restrictions. Lastly, they should invest in community-driven resilience that can provide an additional safety net. The CVE database, a cornerstone of global cybersecurity, nearly collapsed after US funding cuts but was saved by international collaboration, demonstrating the need for decentralised solutions and also the need to be able to keep innovating while protecting global collaboration and contributions. Innovating is costly and if you are only a consumer you may miss important advances and security. 

While digital autonomy is needed, we also must protect global collaboration and innovation with open source communities at its centre. Open source provides transparency and control of code while at the same time accelerating innovation, making it a key strategic investment for local/sovereign talent development.

Organisations cannot afford to take a wait-and-see approach when it comes to establishing their digital future. Sovereignty laws will evolve, but resilience is permanent. Digital sovereignty isn’t just a regulatory obligation, it’s a strategic imperative for survival. The ATB and UniSuper cases showcase that legal compliance alone is insufficient, and that true autonomy requires technical resilience and independence from vendor lock-in.