Jochen Michels, Director Public Affairs Europe, Kaspersky
Digital sovereignty has become one of the defining political, economic, and technological debates of the twenty-first century. It can be defined as the ability of individuals, companies, institutions, and states to act independently, securely, and autonomously in the digital sphere. At its core, digital sovereignty means maintaining control over data, digital infrastructure, and software systems without becoming irreversibly dependent on a single technology provider. At the same time, digital sovereignty does not imply complete self-isolation or economic autarky. Rather, it refers to the freedom to choose digital technologies consciously, under fair conditions, and with the realistic possibility of changing providers if necessary.
The Growing Importance of Digital Sovereignty
In Europe, the discussion surrounding digital sovereignty has intensified due to geopolitical tensions, economic competition, and technological dependence on foreign powers – most recently, particularly the United States and China. For states and public administrations, digital sovereignty primarily concerns preserving the government’s capacity to act independently. Governments must be able to manage their IT infrastructures and sensitive citizen data without relying excessively on foreign technology corporations. For companies, digital sovereignty is closely linked to economic security and competitiveness. Businesses seek to protect trade secrets, comply with legal frameworks such as the GDPR, and avoid monopolistic pricing structures imposed by dominant technology providers. For individuals, digital sovereignty refers to digital self-determination and digital literacy. Citizens should have control over their personal data and understand how their information is processed, stored, and used.
The Four Central Pillars of Digital Sovereignty
The first pillar is data sovereignty. This refers to control over where data is stored and who has access to it. Concerns about foreign access to data have become especially significant because laws such as the United States Cloud Act potentially allow American authorities to request access to data stored by US companies, even if the data is physically located in Europe.
The second pillar is technical sovereignty. This involves the use of open standards and open-source software. Open-source systems are considered strategically important because their source code can be inspected, modified, and independently maintained.
The third pillar is operational sovereignty. This means the ability to operate, maintain, and control digital systems independently. States and organizations should possess sufficient technical expertise and infrastructure to ensure that critical digital services remain functional even in times of crisis or geopolitical conflict.
The fourth pillar concerns jurisdiction and governance. Digital services should remain subject to the legal systems and democratic institutions of the societies in which they operate.
The European Paradigm Shift: From Regulation to Technological Strength
The broader European debate on digital sovereignty reflects a significant paradigm shift. Through initiatives such as the AI Act, the Digital Services Act, and the Data Act, the EU established strict rules concerning competition, data protection, platform responsibility, and artificial intelligence. However, policymakers and economic actors increasingly contend that regulation alone is insufficient. Critics warn that Europe risks becoming a continent that regulates technologies developed elsewhere rather than building competitive digital industries of its own. As a result, the debate has shifted toward industrial policy and strategic investment in semiconductors, artificial intelligence, cloud infrastructures, quantum computing, and cybersecurity.
Strategic Autonomy and Cybersecurity
However, it is crucial for the European Union to be fully integrated into international trade and to ensure fair competition that includes all providers complying with European rules. This also applies to cybersecurity policy – as illustrated by the ongoing discussion surrounding the revision of the EU Cybersecurity Act (CSA) – particularly with regard to supply chain security. In its draft of CSA 2, the European Commission places a strong emphasis on geopolitical and non-technical risk factors in the context of supply chain security. While these factors undoubtedly merit consideration, this approach has drawn criticism from many Member States, international corporations, and industry associations. Ultimately, the objective should be to develop a clear assessment framework applicable to all cybersecurity providers – especially with respect to the question of trustworthiness.
The Cloud Sovereignty Debate and Dependence on US Providers
Despite these efforts, one of the most controversial aspects of the current debate concerns Europe’s dependence on American hyperscalers such as Amazon Web Services, Microsoft Azure, and Google Cloud. In response to European concerns, some American providers have introduced “sovereign cloud” models. Amazon announced the AWS European Sovereign Cloud. Microsoft introduced the EU Data Boundary initiative; while Google developed sovereign cloud partnerships for European customers. Nevertheless, critics argue that these solutions do not fundamentally solve the problem of technological dependence because the underlying technologies and software architectures remain controlled by American corporations.
In conclusion, digital sovereignty has become a central strategic objective for the European Union. Europe seeks to preserve democratic control, economic competitiveness, and political autonomy in a world increasingly shaped by digital infrastructures and geopolitical tensions. The European approach is characterized by an attempt to balance openness and independence. Instead of isolation, the EU promotes strategic autonomy: the capacity to cooperate internationally while retaining sufficient control over critical technologies and infrastructures. Whether Europe will successfully achieve this goal remains to be seen.
