
The data sovereignty challenge in Europe

Rob Elliss at Thales explores the growing awareness of digital sovereignty amongst organisations, fuelled by geopolitical tensions and increasing European regulation

 

In recent years, the EU has placed increasing focus on extending its digital sovereignty. Geopolitical tensions, including the energy and commodity shortages that followed Russia’s invasion of Ukraine, highlighted the dependence of the region on certain imports. Changes in tone from the US Government, meanwhile, have encouraged the bloc to look at ways to build indigenous cloud and chip industries, or at least create means to reduce EU dependence on sole foreign suppliers. 

 

The emergence of digital sovereignty as a priority across both business and Government reflects a global shift in favour of nations reclaiming authority over their digital infrastructures, as well as over how data flows. As nation states increasingly leverage cyber-attacks alongside other defence strategies, the emphasis on securing national digital assets has grown.

 

Many countries have enacted legislation, such as the EU’s GDPR, to mandate that the data of EU citizens is stored and processed within national borders. Safeguarding personal information introduces complexities for companies managing cross-border data flows, and it has become imperative to introduce region-specific compliance strategies. 

 

 

Maintaining agility

In short, we’re at a tipping point. The typical organisation is deeply intertwined with international cloud providers, identity platforms, and email infrastructures. In this new sovereignty-first reality, dependence on these ecosystems is increasingly seen as risky. Digital autonomy is no longer a luxury. It is essential for business continuity.

 

Digital sovereignty is about making informed choices, spreading risks, and retaining control over your most essential processes. European alternatives do exist — from cloud services to encryption and IAM solutions — and they are now fully viable options. In the case of data encryption, for example, it’s possible for organisations to manage their own encryption keys to comply with European legal frameworks.

 

Cloud strategies, meanwhile, are also having to evolve. Many organisations are moving to hybrid and multi-cloud models in order to maintain their agility in response to the demands of compliance. ‘Sovereign clouds’ have emerged as cloud environments specifically configured to meet digital sovereignty requirements, most notably in France, where the government has set out policy mandating a framework and qualification procedure for all cloud computing service providers.

 

The intention is to provide stronger guarantees that data will not be accessible, transferred or processed outside of the European Union, alongside various other criteria around safety, security and reporting.

 

CISOs will likely see their role change to incorporate more management of regulatory relationships and engagement with data protection authorities as these governmental policies evolve, as much as the more traditional task of safeguarding digital assets.

 

Legislation such as NIS2 and DORA sets high standards for the security of both data and the networks it travels across, including taking measures to ensure continuity. As CISOs look into this more closely, it doesn’t take long to realise the complexity of current dependencies. Full decoupling is not feasible, but it is possible to gain better control over these connections.

 

 

Start with your exit strategies

An important first step is to develop an exit strategy, or plan B, in case IT services fail for whatever reason. CISOs should determine which processes are most critical to their organisation, find where the greatest dependencies are, and assess the potential impact of disruption or interference.

 

Many risk analysis templates exist, with a Failure Mode and Effects Analysis (FMEA) being a particularly good one. Set priorities and focus on vulnerable areas, such as:

  • Identity and access management (IAM). Identity is the new security perimeter in a world of cloud storage. But who controls this access, and are those decisions routed through an external provider? How might that leave your organisation vulnerable? 
  • Data sovereignty. Then there is the question of your organisation’s actual data: where is it stored? What jurisdiction do your data provider and any of its subcontractors fall under?
  • Backups. Having second and third copies of operational data backed up in different locations is crucial to ensuring continuity. Are backups stored locally, encrypted, and disconnected from the primary provider?
  • Mail infrastructure. For many organisations, email remains core to business operations. Have you considered what happens if this infrastructure becomes temporarily unavailable?

 

An ongoing project

Digital autonomy and sovereignty are tasks that are never complete. Instead, they should be seen as a continuous process of optimisation. With organisations varying significantly in their structures, operations, and needs, there is no universally perfect degree of digital sovereignty.

 

CISOs must set priorities and focus on the most critical processes. Take control, increase resilience, and be prepared for the unexpected.

 


 

Rob Elliss is EMEA Vice President, Data and Application Security at Thales

 

Main image courtesy of iStockPhoto.com and artisteer



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543