What Digital Sovereignty Really Means
Digital sovereignty was long a topic for data protection officers and lawyers. That has fundamentally changed. With DORA (Digital Operational Resilience Act), NIS2 and growing geopolitical uncertainty, the topic has landed on the desks of CIOs and IT boards — and it is staying there.
The concept is broader than often assumed. It is not just about storing data within the EU. It is about an organisation's ability to retain control over its critical IT systems, processes and data, and to keep operating them, even if an important supplier fails, regulation changes, or geopolitical tensions restrict access to technology. In practice it has three dimensions:
- Data sovereignty: Where is our data stored, who has access, under which legal framework is it processed?
- Operational sovereignty: Can we maintain our critical processes without specific suppliers?
- Technology sovereignty: Are we locked into proprietary platforms, formats or interfaces where migrating away would be prohibitively expensive or technically infeasible?
The Regulatory Reality: DORA and NIS2
DORA obliges financial entities, from January 2025, to implement comprehensive ICT risk management, including detailed requirements for managing ICT third-party risk. Providers supporting critical or important functions must be identified, assessed, recorded in a register of information and bound by contractual provisions covering security, audit and exit. Concentration risk, that is, heavy reliance on a single provider or on a small set of interchangeable ones, must be explicitly assessed and addressed.
NIS2 significantly expands the circle of affected organisations (essential and important entities across many more sectors) and tightens requirements for supply chain security and for incident reporting, with staged notification deadlines starting within 24 hours of becoming aware of a significant incident. For many companies, this means structured third-party risk management becomes a regulatory obligation for the first time.
A Pragmatic Four-Step Approach
- Step 1 — Inventory: Identify and classify critical systems, data and suppliers
- Step 2 — Risk assessment: Systematically evaluate dependencies and concentration risks
- Step 3 — Strategy: Make and document a conscious decision for each dependency: accept (with compensating controls), reduce (for example through exit plans or a second provider) or eliminate
- Step 4 — Governance: Establish regular monitoring and clear accountability
Conclusion
Digital sovereignty is not an end in itself, nor a plea for technological nationalism. It is about conscious risk management, and about staying capable of action as an organisation even when the environment changes. IT leaders who address this today will not have to scramble to catch up tomorrow under compliance pressure.