Digital Sovereignty: What It Actually Means

Digital sovereignty has become the defining concept in European technology policy, but it is frequently reduced to a slogan. In practice, sovereignty means the capacity to make autonomous decisions about technology — encompassing data residency, legal jurisdiction, supply-chain control, interoperability, and the institutional ability to switch providers without catastrophic disruption.

Published 2025-02-20

Key Takeaways

  • The European Commission's 2020 digital strategy placed "technological sovereignty" alongside the green transition as a defining policy objective, embedding it across regulations from the Data Act to the AI Act.
  • Sovereignty is multi-layered: it encompasses legal jurisdiction (whose laws apply to your data), operational control (who runs your infrastructure), technical portability (can you leave), and strategic autonomy (can you build alternatives).
  • France, Germany, and the Netherlands have each developed distinct national approaches to digital sovereignty — from SecNumCloud to the Sovereign Tech Fund to the Dutch government's open-source-first strategy.
  • Practical sovereignty requires exit strategies: contractual, technical, and organisational measures that ensure switching providers, while difficult, is not catastrophic.

From Buzzword to Policy Framework

The term "digital sovereignty" entered mainstream European policy discourse around 2019-2020, driven by the convergence of several forces: the Snowden revelations (2013), the Schrems judgments (2015, 2020), escalating US-China tech competition, the CLOUD Act (2018), and the COVID-19 pandemic's exposure of Europe's dependence on non-EU digital infrastructure for critical services.

In February 2020, the European Commission published its communication "Shaping Europe's Digital Future", placing "technological sovereignty" alongside sustainability as a core pillar of EU digital strategy. This was operationalised through a cascade of legislative initiatives: the Data Governance Act (Regulation (EU) 2022/868), the Data Act (Regulation (EU) 2023/2854), the AI Act (Regulation (EU) 2024/1689), and the Digital Markets Act — each embedding sovereignty-adjacent requirements around data portability, interoperability, and jurisdictional control.

The European Council has reinforced this trajectory. In October 2020, EU leaders adopted conclusions on "Europe's Digital Sovereignty", calling for reduced strategic dependencies in key technology areas. By 2024, sovereignty had become a lens through which virtually all EU technology policy was evaluated — from semiconductor supply chains (European Chips Act) to cloud certification (EUCS) to critical raw materials.

The Layers of Sovereignty

Digital sovereignty is not a binary state. It operates across multiple interdependent layers, each of which must be assessed when evaluating an organisation's autonomy over its digital infrastructure:

  • Legal sovereignty (jurisdiction): Whose laws govern your data and operations? Data stored in the EU by a US-headquartered provider is subject to both EU law (GDPR) and US law (CLOUD Act, FISA 702). True legal sovereignty requires that only EU/EEA law applies — achievable only by using providers incorporated and headquartered exclusively within the EU with no foreign parent company.
  • Operational sovereignty (control): Who operates your infrastructure? Even if data sits in an EU data centre, operational control may rest with staff in non-EU locations, or with automated systems managed from a foreign headquarters. France's SecNumCloud 3.2 and the proposed EUCS sovereignty tier specifically address this by requiring EU-based operations and personnel.
  • Technical sovereignty (portability): Can you leave? Sovereignty is meaningless if switching providers is technically impossible or prohibitively expensive. This layer encompasses data portability (can you export your data in standard formats?), application portability (is your workload containerised and cloud-agnostic?), and API portability (do you rely on proprietary managed services with no equivalent elsewhere?).
  • Strategic sovereignty (capacity): Can Europe build and sustain alternatives? This encompasses industrial policy, R&D investment, skills development, and the health of the European technology ecosystem. A continent that cannot produce competitive cloud infrastructure, AI models, or semiconductor designs cannot achieve durable sovereignty regardless of regulatory frameworks.

National Approaches Across Europe

While the EU sets the regulatory framework, sovereignty strategies are implemented at the national level, and approaches vary significantly:

France has adopted the most aggressive sovereignty posture. ANSSI's SecNumCloud 3.2 qualification, effective since 2022, requires that certified cloud providers be majority-owned by EU entities, headquartered in the EU, and immune from non-EU jurisdictions. The French government mandated SecNumCloud-qualified providers for all sensitive public-sector workloads through a 2023 circular. French providers OVHcloud, Outscale (Dassault Systèmes), and 3DS Outscale have obtained or are pursuing qualification.

Germany has taken a dual approach. The BSI's C5 criteria catalogue provides a technical security standard without explicit sovereignty requirements, while industrial policy focuses on building capacity through initiatives like the Sovereign Tech Fund — established in 2022 with €67.5 million to fund open-source digital infrastructure projects. Germany also championed the Gaia-X initiative, launched jointly with France in 2019 as a federated data infrastructure framework.

The Netherlands has focused on open standards and open source as sovereignty levers. The Dutch government's open-source-first policy requires public bodies to consider open-source alternatives before procuring proprietary software. Dutch municipalities have been among the most active in Europe in deploying Nextcloud, Element/Matrix, and other open-source collaboration tools to reduce dependence on US SaaS platforms.

Exit Strategies: The Practical Test of Sovereignty

The ultimate test of digital sovereignty is not where your data sits today, but whether you can move it tomorrow. An exit strategy — the documented, tested, and resourced ability to migrate away from a provider — is what separates genuine sovereignty from the appearance of it.

The EU's Data Act (Regulation (EU) 2023/2854), which became applicable on 12 September 2025, directly addresses this. Articles 23-31 impose obligations on cloud providers to facilitate switching and interoperability, including:

  • Providing switching assistance (technical support, documentation, data exports) to customers at no charge beyond the direct cost of the switching process
  • Eliminating switching charges entirely after a transitional period (maximum 3 years from the Act's application)
  • Ensuring functional equivalence for data exports — customers must receive their data in formats that allow import into alternative services
  • Complying with open interoperability specifications for common cloud service types

Beyond legal obligations, practical exit capability requires architectural discipline from the start. This means containerising workloads (Kubernetes, OCI-compliant runtimes), using infrastructure-as-code (Terraform, OpenTofu) with provider-agnostic patterns, avoiding deep integration with proprietary managed services where open-source equivalents exist, and regularly testing migration playbooks — not as a theoretical exercise but as a periodic operational drill.

Organisations that invest in exit capability gain negotiating leverage, regulatory compliance, and genuine resilience. Those that don't discover the true cost of lock-in only when they need to leave — and by then, the switching costs may be prohibitive.
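One way to turn the architectural discipline described above into a repeatable check is to audit each Terraform or OpenTofu plan for resources that would block a provider exit. The following is an added example, not code from the original article; the classification table, the function names, and the sample plan are assumptions constructed for illustration, and the input follows the `resource_changes` structure emitted by `terraform show -json`.

```python
# Classification table is an assumption for this example, not an authoritative list;
# each organisation would maintain its own mapping.
PROVIDER_SPECIFIC = {
    "aws_dynamodb_table": "provider-specific API; data model must be migrated",
    "aws_sqs_queue": "provider-specific API; clients must be rewritten",
}
OPEN_DB_ENGINES = {"postgres", "mysql", "mariadb"}

def _rc(address, actions, after=None):
    """Build one constructed resource_changes entry."""
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": actions, "after": after}}

# Constructed sample plan (not from a real deployment).
SAMPLE_PLAN = {"resource_changes": [
    _rc("kubernetes_deployment.api", ["create"], {}),
    _rc("aws_db_instance.orders", ["create"], {"engine": "postgres"}),
    _rc("aws_db_instance.legacy", ["create"], {"engine": "oracle-ee"}),
    _rc("aws_dynamodb_table.sessions", ["create"], {}),
    _rc("aws_sqs_queue.old", ["delete"], None),
    _rc("aws_instance.bastion", ["update"], {}),
]}

def classify(rc):
    """Return (status, reason) for one resource change."""
    rtype = rc["type"]
    after = (rc.get("change") or {}).get("after") or {}
    if rtype in PROVIDER_SPECIFIC:
        return "locked", PROVIDER_SPECIFIC[rtype]
    if rtype == "aws_db_instance":
        engine = after.get("engine", "unknown")
        if engine in OPEN_DB_ENGINES:
            return "portable", f"open engine {engine!r}; export with native dump tools"
        return "locked", f"engine {engine!r} is not in the open-engine list"
    if rtype.startswith(("kubernetes_", "helm_")):
        return "portable", "runs on any conformant Kubernetes cluster"
    return "review", "resource type not in the classification table"

def audit_plan(plan):
    """Classify every resource that will exist after the plan is applied."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if (rc.get("change") or {}).get("actions") == ["delete"]:
            continue  # resource is going away, so it cannot block an exit
        status, reason = classify(rc)
        findings.append({"address": rc["address"], "status": status, "reason": reason})
    return findings

def exit_blockers(findings):
    """Addresses that need a migration plan before the provider can be left."""
    return sorted(f["address"] for f in findings if f["status"] == "locked")
```

Run as a CI step against the JSON plan, a non-empty `exit_blockers` result can require a documented migration path before the change is merged.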

Frequently Asked Questions

What is digital sovereignty?

Digital sovereignty is the capacity of a state, organisation, or individual to make autonomous decisions about their technology. In practice, it encompasses data residency, legal jurisdiction, supply-chain control, interoperability, and the ability to switch providers without catastrophic disruption.

Why does digital sovereignty matter for European businesses?

European businesses relying on US-controlled infrastructure face risks from extraterritorial laws (CLOUD Act, FISA 702), vendor lock-in, and geopolitical instability. Digital sovereignty ensures organisations maintain control over their data, reduce regulatory risk, and avoid dependence on foreign jurisdictions.

How can organisations achieve digital sovereignty?

Key steps include choosing EU-headquartered cloud providers, using open standards and open-source software to avoid lock-in, maintaining credible exit strategies, ensuring data residency within EU borders, and building internal capability to manage critical infrastructure independently.
