
Europe, and indeed the world, is living through heightened geopolitical uncertainty in which sanctions risk, legal divergence, and cyber-security disruption are no longer abstract, but board-level variables. Digital sovereignty is shifting from aspiration to operational requirement driven by resilience expectations, critical service dependency, and rising geopolitical and cyber-risk.
Definitions of sovereignty may vary, ranging from blanket data localisation edicts to industrial policy to national security, but the lack of an agreed definition should not be mistaken for lack of intent. Sovereignty is already shaping procurement, regulatory compliance, and technology strategy.
From my years working at the intersection of government and the technology industry, I have seen how quickly digital policy can harden into operational constraints. I have also seen how easily “sovereignty” becomes a stand-in for broader concerns: dependency, geopolitics, and the fear that critical services may not remain available during a crisis.
Two key issues are at play. First, policymakers are right: over-dependency on foreign technology can become a national resilience problem. Cloud market concentration is a case in point: last year across Europe, the three leading cloud providers accounted for around 70% of the market, while European providers’ collective share remains around 15%. Concentration is not, by itself, a security failure, but it is a strategic dependency that can become acute when legal regimes diverge, access is contested, or a geopolitical shock tightens the room to manoeuvre. It also increases the “ripple effect”: disruption at a small number of providers can cascade across thousands of organisations and supply chains.
Second, business leaders are also right to worry that blunt sovereignty initiatives raise costs and regulatory complexity. If sovereignty becomes a hard localisation mandate or a “sovereign-only stack”, it can duplicate infrastructure, reduce competitiveness and agility, and slow modernisation. In practice, it can also reduce access to best-of-breed technologies and keep organisations on legacy systems longer than planned.
This is also showing up in Europe’s competitiveness debate. Former Italian prime minister Mario Draghi has argued that security is a precondition for sustainable growth and that deep dependencies can leave Europe vulnerable to coercion as geopolitical volatility increases. The question is not whether sovereignty matters; it is how to pursue it without turning it into a counterproductive procurement ideology.
A recent French government move to restrict the use of certain foreign-made video conferencing tools in favour of a homegrown solution illustrates the direction of travel across the EU. Whether one agrees with the decision or not, it signals something bigger: sovereignty is increasingly a set of practical constraints that can reshape technology choices quickly.
Many organisations are responding with a third, damaging outcome: delay. In a recent survey commissioned by Zscaler, 73% of respondents said digital sovereignty concerns had caused them to delay or cancel transformation initiatives. That “pause dynamic” is dangerous. It prolongs exposure to legacy risk, weakens cyber-readiness, and leaves organisations less able to absorb disruption from ransomware, supply chain compromise, systemic outages, or sudden changes in cross-border rules at a time when the threat landscape is changing faster than ever before.
If Europe wants sovereignty that strengthens resilience rather than undermines it, political and business leaders need a framework that is practical, measurable, and compatible with open markets, and that draws on the technology sector’s expertise. Here is one: Control, Choice, Continuity.
Sovereignty begins with what an organisation can control in practice: who can access data, who can administer systems, whether a vendor can see customer content, where logs are stored, how keys are managed, what subcontractors can see, and how policies can be enforced. Control is not about isolation; it is about enforceable governance and reducing hidden dependency.
Sovereignty also requires choice: credible options when assumptions break. Too many organisations discover too late that their “vendor strategy” is really a dependency strategy, with few realistic alternatives.
Choice is not achieved by buying two of everything. It is achieved through architecture and contracts that keep an organisation mobile and avoid vendor lock-in: portability for data and configurations; full transparency on who the organisation relies on, where access sits, and which jurisdictions and subcontractors are in the chain; and pre-agreed exit paths that can be executed under time pressure. It also requires leaders to prevent the sovereignty debate from becoming an excuse to stop transformation. Every programme facing sovereignty constraints should be forced through a decision path: redesign, mitigation, or exit on a timeline.
The third C is continuity: keeping critical services running during any kind of disruption. If sovereignty is meant to reduce strategic vulnerability, continuity is where it either becomes real or becomes theatre.
Continuity is measurable: recovery time objectives, tested failover, supplier-failure drills, and exercises for jurisdiction-change scenarios. Across Europe, this urgency is reinforced by the threat environment. Zscaler ThreatLabz data shows increasing numbers of damaging ransomware attacks year over year across Europe: Spain (+116%), Germany (+74%), Belgium (+73%), Italy (+53%), and France (+34%) among others. Research on resilience showed 52% of IT executives believe that their current security measures are insufficient to defend against existing or emerging threats such as agent-based AI and quantum computing. Further, the UK’s National Cyber Security Centre reported a sharp rise (130%) in “nationally significant” incidents over the past year.
The risks are accelerating due to AI. AI already gives ‘bad actors’ new capabilities to increase the speed, scale and sophistication of their attacks. There is no choice about whether disruption happens, only whether systems can withstand it.
Business leaders say sovereignty will raise costs, increase compliance friction, and shrink access to best-of-breed technology. That is often true. Policymakers’ concerns are also strong: strategic dependency can undermine national security and resilience.
The mistake is writing sovereignty rules that dictate which vendors to buy rather than what controls buyers must have to keep services running during shocks.
The most useful sovereignty requirements are outcome-based: enforceable control over access and data, credible choice through portability and exit, proven continuity through testing and recovery. They create room for organisations to use global platforms safely while meeting local requirements, without freezing modernisation.
If sovereignty is now an operating requirement, every stakeholder has a role.
Boards should define what “sovereign enough” means for their organisation, then require regular reporting and testing, with incentives tied to resilience outcomes. CEOs and COOs should treat sovereignty as continuity, fund the modernisation that reduces brittle legacy dependency, and force decisions on blocked programmes. CIOs and CISOs should map and minimise third-party access, implement localisation and multi-region resilience where required, and build plans for supplier failure and jurisdiction-change scenarios.
Regulators should clarify definitions, harmonise requirements where possible, and create compliance pathways with transition periods that reward modernisation rather than incentivise delay. The solution must be risk-based and agreed in consultation with industry.
To make control, choice and continuity achievable at scale, two additional disciplines are required: collaboration and compliance.
Collaboration keeps sovereignty compatible with openness through interoperability, shared incident readiness, transparent subcontracting, and trusted vendor partnerships that reduce concentration risk instead of merely relocating it. Solutions must be tailored for local demands and drive investment in local ecosystems.
Compliance makes sovereignty measurable through clear definitions, auditable evidence, and regulatory approaches that focus on operational controls so organisations modernise faster, not slower.
Sovereignty on European terms should be judged by outcomes, not rhetoric: whether organisations can govern access, keep options open, recover quickly when incidents happen, and continue delivering critical services when dependencies fail. Done well, digital sovereignty becomes a catalyst for resilience, innovation, growth and competitiveness. Done bluntly, it becomes a brake on the very transformation it is meant to protect.
Casper Klynge is Vice President, Head of Government Affairs and Public Policy in EMEA, at Zscaler
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543