The many shades of sovereignty: digital sovereignty in practice

Image by freepik

Every current digital technology policy discussion seems to touch upon digital sovereignty. Its importance has grown gradually over the past year, quickly reaching the executive-level priority now placed on the topic. Reflections that began across governments on every continent regarding the different shades of sovereignty have been rendered recently in the form of concrete legal, policy and procurement instruments that impact buying entities and technology vendors.

Digital sovereignty’s impact extends well beyond the traditional framing of anything ‘digital’ as pertaining to the IT function or as primarily addressing online operations. That is because it is part of wider strategic geopolitical considerations relating to economic security, access to raw materials, sustainability, competitiveness, innovation and cyber resilience.

In practice at the organisational level, procurement requirements of public sector entities and their regulated industry counterparts, such as banking, insurance and healthcare, may be where digital sovereignty considerations show up first. It follows that this policy shift would have an equivalent impact on digital technology vendors who minimally would need to consider new assessments. It’s more likely that they would need to revise or develop new processes, or conduct a broader review of their operations, even their business model in some cases.

Calling things by their name

Sovereignty is a foundational concept in international law. Derived from the Latin superanus, meaning ‘above’, it relates to the supreme power of a state to control its legal order without being legally subordinate to other states.

By analogy, digital sovereignty should mean the power of a country or an organisation to retain control of its digital infrastructure. Therefore, the key notion of digital sovereignty should be ‘control’, a familiar concept to privacy professionals operationalised through governance rules and policies.

Building on a foundation of control may offer a more constructive and realistic approach than an inward-looking stance of self-sufficiency driven primarily by an interest in eliminating dependencies on foreign technology and exposure to foreign governments. Operationally, controls for digital sovereignty require augmented governance strategies that enable choice and flexibility based on the different levels of sensitivity across an organisation’s entire digital infrastructure.

Apples and oranges

Digital sovereignty is often considered in terms of data sovereignty or cloud sovereignty. However, digital sovereignty is not limited to data access, data storage, data residence or data localisation.

Data sovereignty refers to laws and governance around data collection and storage, whereas cloud sovereignty might best be thought of as a means to achieve data sovereignty. AI sovereignty, another component of this multifaceted topic, is about controlling the entire AI value chain. These facets of sovereignty are interrelated, but distinct.

Encompassing data, cloud and AI sovereignty, digital sovereignty is a wider concept. It relates to the control of the entire digital infrastructure including software, hardware, networks, digital platforms and services. Having a correct and common understanding of the terminology can help organisations adequately respond to the emerging frameworks and requirements.

More than meets the eye

Covering the entire digital infrastructure of an organisation, digital sovereignty is multidimensional. It is not limited to legal and jurisdictional considerations as frequently perceived.

For example, the European Commission’s new Cloud Sovereignty Framework, introduced for a specific tender, sets out a methodology to measure and score the sovereignty of cloud services across eight aspects: strategic (ownership, EU presence and investment), legal and jurisdictional, data and AI, operational, supply chain, technology, security, and compliance. The self-assessment required by cloud providers is a complex exercise necessitating thoughtful technology, technical and operational analyses across the supply chain.

Introduced also in late 2025, Canada’s digital sovereignty framework aims to further strengthen contractual instruments in procurement and put in place technical and supply controls to improve visibility, assess system criticality, ensure consistent service reliability and compliance, and reduce external dependencies and reliance on proprietary technologies.

Earlier in 2025, the Australian government adopted its ‘Buy Australian Plan’. It includes an official ‘Australian business’ definition for the first time and aims at building domestic industry capability through the Australian government’s purchasing power. ‘Buy national’ policies in government procurement or beyond is a trend across many major economies worldwide.

Blue-sky thinking

Against the background of continuing geopolitical tensions, an intriguing initiative discussed in Davos 2026 relates to the notion of ‘Digital Embassies for Sovereign AI’. The World Economic Forum is currently exploring a Digital Embassy Framework for designing, governing and operating digital embassies worldwide.

The concept relates to the immunities that embassies enjoy on foreign soil including for their staff, infrastructure and data. The host state does not have access or control of those. By analogy, digital embassies would enable countries to make use of infrastructure or technology in another country with the highest level of trust and protection for their data.

Rules related to data protection and data transfers as well as international law principles need to be considered. This framework would create a competitive market with countries such as Malaysia and Switzerland that are already positioning themselves in this space. The inevitable question, which is key to its success, relates to whether countries would trust each other to respect and enforce international law.

Not a one-size-fits-all exercise

A single approach is not suitable for digital sovereignty. Within each organisation there will be different levels of sensitivity and varied needs.

For highly sensitive policies and operations, organisations may need full control of the entire enabling digital infrastructure. In less sensitive areas, the priority may be focused on data sovereignty and making sure data is always accessible as well as protected from unwanted foreign access. In other cases, sovereignty may just mean avoiding dependency on a single technology provider.

Therefore, an effective digital sovereignty strategy may need to be designed not only at entity-level but potentially also at operation-level or process-level. A logical starting point for a strategy is to classify the varied sovereignty needs based on different levels of sensitivity, potentially building on existing policies in place, e.g. on data classification. This should occur before considering operational needs, performance criteria, compliance requirements and strategic objectives. To this end, partnering with technology providers who can demonstrate technical superiority for trustworthy performance but importantly also offer flexibility in deployment to accommodate the different levels of sensitivity, will be essential. Operationally, digital sovereignty designed on this premise should also result in effective cost control and resilience in the long-term by maintaining choice in the market and avoiding vendor lock-in.

Back to basics: governance and transparency

To design and implement their unique digital sovereignty plan, organisations need more sophisticated governance, a concept well-understood by privacy and AI governance professionals. Strengthened governance policies across multiple dimensions including data, AI, security, privacy, compliance and the supply chain, will help assess risk exposure and determine where absolute controls are needed whilst enabling flexibility proportionate to the sensitivity of each piece of the digital infrastructure puzzle.

Finally, digital sovereignty demands greater transparency from all parties across their entire operations. Ultimately, where digital sovereignty frameworks are introduced, they will aim to enable control and help build resilience through transparency. They require thoughtful responses to novel questions about the entire operations that organisations may not have considered previously outside a specific context, such as legal compliance or increased productivity.

Indisputably, digital sovereignty is driving a shift that impacts every actor in the digital infrastructure supply chain. Time will tell if this shift may result in a major reset for businesses, governments and international relations.

To find out more about SAS’s approach to sovereignty, visit sas.com/sovereignty.

Kalliopi Spyridaki

Kalliopi Spyridaki is a lawyer and public policy leader based in Brussels, specialising in international privacy, data, and AI regulation. As the chief privacy strategist for EMEA and Asia Pacific at SAS, she drives engagement with regulators and policymakers to help shape laws impacting the tech sector and advises on corporate strategy, product development, and legal compliance.

Related Posts

• 

  Why AI governance is crucial to your public sector mandate – and five practical steps to embedding it
  Why AI governance is crucial to your public sector mandate – and five practical steps to embedding it
• 

  Government organisations over-relying on unproven AI, global study finds
  Government organisations over-relying on unproven AI, global study finds
• 

  The economics of government innovation
  The economics of government innovation
• 

  From adoption to disruption: experts share viewpoints on driving impact from government AI
  From adoption to disruption: experts share viewpoints on driving impact from government AI