Digital sovereignty: the term everyone uses – but doesn’t mean the same thing
Anyone who sits on the governing bodies of banks and financial institutions will be familiar with this moment. The term ‘digital sovereignty’ is mentioned. Everyone nods. And almost every time, if you listen closely, the same question arises: does everyone in this room really mean the same thing? Most of the time, they don’t. This is not a criticism. It is an observation. And it is the starting point for this series of articles.
There’s a problem with the term – it’s too broad to have just one meaning
Digital sovereignty is not a term that has been precisely defined anywhere and then found its way into strategy papers, regulatory documents and vendor pitches. It is the other way round: each party has imbued the term with its own meaning, and all these meanings are, in their own right, legitimate.
This becomes clear when viewed from three perspectives.
The regulatory perspective – that is, what BaFin, the EBA and DORA mean – asks above all: Can financial institutions control, audit and, if necessary, bring back their outsourced processes? The ability to exit, access for audits, and the ability to control third-party providers. This is an obligation, not an option. Anyone who fails to fulfil this obligation has a compliance problem.
The strategic European perspective – championed by the European Commission, Gaia-X and national initiatives – takes a broader view: Who controls the digital infrastructure on which Europe’s economy operates? Whose laws apply when data is processed? Digital sovereignty is framed here as a geopolitical issue, not merely as IT architecture or a technological design principle.
The commercial perspective – and this is where it gets interesting – is the one presented by cloud providers. Sovereign cloud, European data storage, local operations. That sounds like everything financial institutions need. And it is true, at least as part of the story.
Why this is not an academic problem
Imagine the following situation: During an executive board meeting, someone says, ‘We’re well positioned on this issue – we have a sovereign cloud solution.’
The obvious follow-up question is: In what respect, exactly, do you believe you are sovereign and acting as such?
Not because the statement itself is incorrect. But because it is almost always viewed in too one-dimensional a way. A technology or a provider is no substitute for a strategy. Availability and confidentiality are necessary conditions, but not sufficient ones. Are financial institutions still the sole masters of their data? Are they the only ones who can work with this data? Do they know exactly where the data is located – not just in which data centre, but throughout the entire processing chain?
DORA and the EBA guidelines on outsourcing require financial institutions to be able to specify the location where their data is processed – including all sub-outsourcing arrangements – at any time. Those who cannot do so have not only a knowledge problem, but also a compliance problem.
Digital sovereignty is not a state that can be described simply as ‘yes’ or ‘no’. It has at least three dimensions – data, technology and operations – and is permanently framed by a fourth: regulation.
Depending on which aspect is considered, an institution may be well-positioned whilst at the same time having significant blind spots.
Susanne Kochwagner Director | Cloud Transformation | msg for banking
The European Commission has broken this down into eight dimensions in its Cloud Sovereignty Framework – ranging from legal jurisdiction and operational autonomy to supply chain sovereignty. This framework is not a policy document, but a working framework for specific procurement and architectural decisions.
What this series of articles is about
This series is not intended to provide simple answers. Rather, it aims to build decision-making capacity amongst CIOs and COOs, members of executive boards, supervisory boards and advisory boards, who are increasingly confronted with this topic without always having the tools to ask the right questions.
The series explores the various dimensions of digital sovereignty: from the issue of data sovereignty and technical dependencies to operational resilience and governance.
The aim is always the same: to be able to make informed and, therefore, well-founded decisions.
In the next instalment, we’ll take a closer look at the dimension that is mentioned first in strategy discussions and is most frequently underestimated: the question of who really owns a financial institution’s data.


