Ask five people what digital sovereignty means and you’ll probably get seven different answers. The definitions vary by industry, by sector, by geography, and by if the person you ask is trying to sell you their own version of it. So here’s what I mean by it, and why I think this is a useful framing.
Digital sovereignty is all about control of your data and your systems. The aim is to make sure that the decisions of others cannot prevent you from accessing your data, and cannot prevent your services from running. That is the absolute gold standard, and, frankly, would be almost impossible to achieve in full.
Think about it – no matter how well you control all of your IT systems, if you can’t get anyone to supply you with electricity, then you can’t use them. But, of course, that is a very extreme view – in general, I’m not going to say we should all have our own power plants outside. But I would say you need to have sufficient and tested UPS systems, and potentially a backup generator.
Let’s narrow our focus to the IT aspects of digital sovereignty. So, two main areas: control and access to data, and control and access of systems. By control and access, I mean you are able to decide who gets to see and use your data and systems, and you are not at risk of being locked out by anyone else.
For example, you could have all of your data in cloud storage. It gives you the tools to control who can see it, and use it. If the data is encrypted with a key the cloud provider does not have access to, then you can make sure no-one else can view it. But you can’t guarantee access – the provider could delete the data, change your access privileges, have their data centre burn down, or just go bust.
This isn’t theoretical. When Broadcom acquired VMware in 2023, licence costs for some customers increased tenfold almost overnight. Organisations that had built their entire infrastructure on VMware had almost no leverage. This wasn’t a hacker, not a bad state actor, just business.
At the less dramatic end of potential problems, your software provider could just decide they don’t want to offer that service anymore, leaving you to find a new provider. Or they could decide they want to charge more, and increase charges while you are locked in to their infrastructure, or their software.
What can we do to increase our control and access? The ideal situation could look something like this. Your data sits on your own servers, encrypted with keys only you hold. Your network is isolated — access requires both physical presence and strict digital authentication. Every piece of software you run is open source, so no vendor can revoke your licence.
This is great… except for all the things it cannot do. The network is isolated – how does new data get into it? How does data get out? You also can’t access anything unless you are in the building. And what happens if there is a fire? Great, you have a sovereign and secure solution, but you can’t do much with it.
It’s clear, then, that digital sovereignty can only exist as a spectrum of possibilities, balancing risks against benefits. Like everything else involved with running an organisation, there is no risk free option.
So, simple changes – stop trying to make your primary system completely bullet proof, but build in backups, mitigations, and pivots. Have a copy of your data, immutable, outside of your main systems – so if data is compromised, you can still get access to it. This doesn’t stop other people getting access, but means your access can’t be taken away.
Similarly for processes – if you have to rely on an external provider (for example, maybe you are using frontier AI models, and have to rely on suppliers) then make sure you understand how you could pivot to another similar supplier if necessary. This can be very, very hard, and is an area where risk assessment really needs to shine.
And sometimes the answers aren’t pretty. If there is only one provider who can supply the tools you need, and they are vital to deliver your product, you may just have to accept that there is no mitigation of the risk currently. It is existential if it occurs – but avoiding it would also be existential. Understand this, keep looking for alternatives, but proceed.
If you want to test where you stand, ask yourself three questions. Where does your data live — and what happens if you lose access tomorrow? If your key vendor doubled their prices next quarter, could you move? Do you have a tested backup that exists entirely outside your primary provider?
Digital sovereignty. To me it is simple: control of your own destiny. Your data. Your software. Your processes. Your choices. And acceptance that it will never be perfect, but it should always be understood.
Trevor Roberts is a programme and project management consultant and the founder of Dull Industries – a consultancy focused on project turnaround, AI implementation, and digital strategy.