Digital sovereignty: enterprises need to protect against known unknowns

Boards increasingly concerned with sovereignty are finding that isolating technology stacks is no easy task


The late Donald Rumsfeld famously divided problems into three: known knowns, known unknowns, and the unknown unknowns.

For the former US Secretary of Defense, known knowns were risks we know about; known unknowns were “things we know… we do not know”. And unknown unknowns were those problems “we don’t know we don’t know”.

Rumsfeld believed that unknown unknowns posed the gravest threats to the US and its allies. But when it comes to organizations keeping their operations running, “sovereign” control over their systems is increasingly a known unknown. We know there is a risk with digital sovereignty, but as yet, it is not clear where that risk lies.

Recent world events have brought geopolitical risks to the fore. And over the last few years, the risk that governments, or a vendor working to a government’s orders, could cut off an organization from its technology or deny access to its data has moved firmly into the realm of the possible.

There is an ongoing debate about whether Chinese vendors in particular have granted their government back-door access to their systems (the vendors strenuously deny this). And lately, western analysts have expressed concern about “kill switches” in Chinese-made electric vehicles, including London buses, solar power inverters and other critical equipment.

But concerns about access to data also come from the other side of the world. Legislation such as the US CLOUD Act (Clarifying Lawful Overseas Use of Data) allows US law enforcement agencies to demand that US vendors hand over data, even when it is stored outside the United States. This puts US legislation in direct conflict with regulations such as GDPR.

At the same time, European rules, such as the EU’s Cloud Sovereignty Framework, propose strategic, legal and jurisdictional, and data and AI sovereignty for cloud systems. All this could mean that enterprises are no longer able to simply host their data, or run systems, in the way that best suits their budgets or operational requirements.

Fundamental questions

Where systems are, and where data reside, are now fundamental questions. And these are not easy questions for CIOs to answer.

“Data sovereignty is about where your data sits, and who has jurisdiction over it,” explains Moona Ederveen-Schneider, founder of Resilia Connect, a consultancy. “Digital sovereignty is far more expansive: it is about control over the entire technology stack, cloud infrastructure, operating systems, chips, telecoms networks, and increasingly AI models. You can have data sovereignty without digital sovereignty, but not the reverse,” she tells ITPro.

Laws and regulations, though, are not the only reasons for concern about sovereignty. As Ederveen-Schneider points out, high-profile outages and cyber attacks have forced organizations to reconsider whether they have any real strategic autonomy. “We are seeing the collision of technology and geopolitics,” she says. “Single vendor dependency looked like an efficiency gain until it became a national security risk.”

Organizations in Europe (including the UK) are now largely aware of the need for data sovereignty, not least because of GDPR.

But broader digital sovereignty is more difficult. And full technology sovereignty might not even be possible, or at least not on terms commercial organizations could bear. Achieving technology sovereignty would mean going all the way down the technology stack, ultimately to the level of rare earths and chip foundries, as well as the energy needed to power them.

“No country anywhere in the world can at this point in time have technology sovereignty,” warns Martha Bennett, VP principal analyst at Forrester. “It would probably be feasible for the US or the EU to get a degree of sovereignty that is currently unprecedented, but it would cost,” she tells ITPro. “Sovereignty is about control, but what degree of control do you require, and how realistic is it for you to get that control?”

“Depending on what your requirements are, there might not even be any cloud provider in Europe that can support what you need. So that needs to be built,” she cautions. “Even if it is there, there are not the same economies of scale. It always comes back to costs: what are you prepared to pay for.”

The barriers to sovereignty, then, are both cost and practicalities. Infrastructure and technology, from physical facilities and energy to software stacks and APIs, might not be available.

Where they are, they cost more. “Fragmenting procurement requirements mean enterprises might need different cloud providers for different markets, and sovereign alternatives often cost 15-30% more,” says Ederveen-Schneider. “But this is not a niche compliance issue. It is reshaping how multinationals operate.”

Nonetheless, the drive towards digital sovereignty, or strategic autonomy, has prompted organizations to reconsider both their cloud and their software strategies.

Sovereignty, autonomy and compromises

Moving hosting away from (US-based) hyperscalers is increasingly possible, but comes with higher costs and, potentially, less advanced technology.

Vendors, including the cloud hyperscalers, have responded by creating availability zones and regions within Europe. SaaS providers give European businesses the option to host data within the EU or UK.

In 2025 alone, Microsoft launched a cloud sovereignty scheme, and Google expanded its sovereign cloud services to cover over 42 cloud regions and announced UK residency for agentic AI services. AWS kicked off 2026 by making its European Sovereign Cloud generally available for enterprises.

Others made similar moves, such as Linux distributor SUSE, which launched a standalone data sovereignty unit.

“We like cloud, but you need something else,” Kim Larsen, CISO at Keepit, a cloud and data protection provider with a significant European presence, tells ITPro.

“What is the sanity in putting critical data in the cloud? That depends on which cloud you are using and if it suddenly becomes subject to political manoeuvres.”

He points to vendor-independent clouds and physical and logical separation between production and backup data as keys to autonomy, if not sovereignty.

Hardware companies, and data storage vendors in particular, also increasingly promote sovereignty as one reason to host at least some data in-house, rather than on the public cloud.

Moving from proprietary software to open source could also reduce the risk of a government restricting access to essential technology. But this is not guaranteed. “Going for open source doesn’t necessarily address your sovereignty problem, if you pick a piece of software where the sole maintainer is Dmitry in Moscow,” Bennett warns.

To address these challenges, analysts at Forrester have developed a concept of “minimum viable sovereignty”. Here, organizations set out the technology requirements they need, map these against what the markets offer and, of course, the costs.

As author Dario Maisto points out, “not every workload requires sovereign infrastructure – and overengineering can be costly and inefficient.”

Even so, the need for digital sovereignty looks set to move from a known unknown to a known known in the coming year.