This is a question we increasingly receive from clients. The trigger is usually current geopolitical developments and the related media coverage. We are by now all familiar with the (legal) boundaries of the European Economic Area (EEA) under the GDPR, but the issue of digital sovereignty goes further than that. It is explicitly about (undesirable) dependencies on technology and suppliers in general. What does this mean for you as an organisation? And what can you do about it in practice? In this blog, we explain further.
In practice, the terms digital autonomy and digital sovereignty are often used interchangeably. Depending on the source you consult, the meaning may differ.
In general terms, digital sovereignty refers to the extent to which an organisation maintains control over its IT and OT landscape and the data processed within it. This includes insight, control, and the ability to switch systems and associated suppliers if desired. In that sense, digital sovereignty resembles an ideal marriage: you know what you have with each other, the relationship is balanced, agreements are honoured, no unwanted third parties can disrupt the arrangement, and if things no longer work out, you can part ways without too much collateral damage.
To be clear: digital sovereignty is not something you can simply “tick off” (much like a successful marriage, incidentally). Most organisational processes are now deeply intertwined with systems managed by a limited number of major suppliers, meaning that a quick switch is complex and often not realistic. In addition, alternatives are often still limited, and many organisations have a relatively weak negotiating position vis-à-vis large (international) vendors. Digital sovereignty therefore requires a strategic, multi-year approach.
To implement such an approach, it is important for organisations to clearly identify:
A practical way to address this topic is to integrate digital sovereignty into the organisation’s existing risk management processes. Many organisations already work with risk assessments, mitigating measures (both legal and technical), and governance decision-making in the areas of privacy and cybersecurity. It is often already clear which processes (and therefore supporting systems) are business-critical.
For these business-critical processes and systems, the first step is to map current dependency risks and determine the desired level of digital sovereignty over time (for example, over 5- to 10-year horizons). To document this, organisations can make use of existing frameworks such as the European Commission’s Cloud Sovereignty Framework or the Dutch DICTU “Sovereignty of Cloud Services: Assessment Tool”.
Finally, one practical tip: address this topic before entering into new partnerships, not once the relationship is already established. During the “honeymoon phase,” parties are typically more willing to accommodate each other, including making ambitious contractual commitments on topics such as key management, data portability, change of control, and exit strategies. (And that is where we will leave the marriage analogy.)
Do you have questions about digital sovereignty, conducting risk assessments in this area, or negotiating contracts with suppliers? We are happy to assist. Please feel free to contact Michelle Wijnant, attorney IT, Privacy & Cybersecurity law.
Would you like a monthly overview of updates and blog posts in your inbox? Subscribe to our newsletter!
