
Achieving digital sovereignty: when every product already says “sovereign”

A board-level approach to sovereignty: strategic, measurable, and risk-aligned

Authors:

  • Maurice Schubert | Partner - Advisory & Consulting
  • Georges Wantz | Managing Director - Advisory & Consulting
  • Benjamin Cler | Director - Engineering

Sovereignty claims are everywhere, but how much control do you really have over your cloud, AI, and workplace tools? This article breaks through the buzz.

  • Regulatory pressure is growing fast. The AI Act, Data Act, DORA, and EUCS are reshaping what “compliance” looks like.
  • Not all workloads need the same level of control. Learn how leading organizations segment their IT estate to focus sovereignty where it counts.
  • A label isn’t a guarantee. Discover the questions that reveal real risks behind “sovereign” offerings.
  • Portability, key custody, and data lineage are becoming must-haves—not nice-to-haves.

Deloitte’s Sovereignty Framework offers a practical way to assess and improve your organization’s digital autonomy. Read on to learn how to score your current position, close critical gaps, and turn compliance into a strategic edge.

Introduction

Europe’s pursuit of strategic autonomy has moved from the policy forum to the procurement desk. Hyperscalers are responding with billion-euro commitments, such as Amazon’s €7.8 billion investment in the forthcoming “AWS European Sovereign Cloud,” set to launch in 2025[1]. In Luxembourg, DEEP and OVHcloud have announced a sovereign region[2] endorsed by the Grand Duchy’s government.

Yet lawmakers are still debating the legal definition of sovereignty. The most prominent example is the EU Cloud Services Scheme (EUCS), Europe’s flagship cybersecurity label. Initially, it required cloud providers to be shielded from non-EU law, preventing U.S. authorities from accessing data under laws such as the CLOUD Act. However, this requirement was removed in the latest draft, prompting tech associations to push for a quick decision[3] while local European providers argue that this change is unfair[4]. In parallel, new regulations such as the AI Act, Data Act, and DORA are introducing fresh obligations on model training, data lineage and portability, requiring boards to prove control over their digital operations, not just claim it.

Meanwhile, national-level initiatives are progressing steadily. In France, the SecNumCloud label remains a benchmark for high-assurance cloud services. Players like Scaleway and S3NS (a joint venture between Orange and Google Cloud) are seeking or have gained top-level certification, showing that local compliance remains key to digital autonomy.

Gartner[5] defines digital sovereignty as a strategic imperative for ensuring autonomy over data, operations, and technology within specific geographic areas, aligning with local regulations. It mitigates the risks associated with foreign data control or influence and enhances compliance with local regulations. It aims to achieve a secure and resilient IT ecosystem, driven by national security and economic considerations.

Based on these developments, it is crucial to define what digital sovereignty actually means. In this context, we believe:

  • Digital sovereignty is multidimensional, not binary.
  • It is measurable across operations, data, software, and infrastructure.
  • It must be pursued strategically, balancing control with cost, speed, and innovation.

Where sovereignty matters most

Cloud, data, and collaboration platforms are today’s front line because they blend technical dependency with extraterritorial legal exposure. For each field, why it matters now:

  • Cloud and infrastructure: The US CLOUD Act or similar laws can require providers to hand over data even if it is physically stored in Europe, while complying with such a demand would violate local protection laws in Europe. Business continuity also hinges on the vendor’s ability to operate the region in a crisis.
  • Generative AI and data platforms: The AI Act requires auditable training data, risk logs and “explainability” controls, which turn model weights and datasets into intellectual property (IP). Regulators regard these elements as strategic assets.
  • Workplace technology: Suites such as Microsoft 365 or Google Workspace collect identity graphs, chat logs and telemetry. After Schrems II invalidated Privacy Shield, every cross-border transfer demands a Transfer Impact Assessment unless the destination country benefits from an EU adequacy decision.

 

Measuring sovereignty: from label to scorecard

Digital sovereignty is best understood through four technical pillars, with security encompassing all of them. Deloitte’s Sovereignty Framework, which consists of 4+1 dimensions[6], translates abstract principles into actionable questions that a board can address.

For each pillar, what it encompasses and the key question to ask:

  • Operations
    • What it encompasses: Autonomy from providers; ability to run services during outages or sanctions.
    • Key question: Can we keep running if the provider is offline, sanctioned, or subpoenaed?
  • Data
    • What it encompasses: Control over location, access, and encryption of data.
    • Key question: Who can read, move, or delete our data, including backups and logs?
  • Software
    • What it encompasses: Portability, IP ownership, freedom from vendor lock-in.
    • Key question: Are our applications portable and our intellectual property protected?
  • Infrastructure & Communications
    • What it encompasses: Control over physical and network infrastructure; reduced reliance on foreign tech.
    • Key question: Is the underlying hardware, hypervisor, or network another single point of foreign control?
  • Security (cross-domain)
    • What it encompasses: Security controls across all pillars: encryption, IAM, secure development, trusted execution.
    • Key question: Are security measures embedded across operations, data, software, and infrastructure?

Each pillar represents a distinct aspect of sovereignty, so instead of pursuing a single score, organizations should decide how much control they need in each area. A spider chart effectively visualizes this by using each axis to represent a pillar, with the distance from the center showing the level of control. This approach simplifies this complex topic, facilitating a more business-oriented discussion.

There are three key steps to measuring sovereignty:

  1. Set the desired sovereignty level for each pillar based on your risk profile.
  2. Measure actual control using clear indicators, and align with the segmentation logic in Section 3.
  3. Take action if any area falls short of your threshold, just as you would with other operational risks.

Strategy before spend: Choosing where to be sovereign

Sovereignty requires investment, but not everywhere, all the time. With budgets under pressure, organizations must focus on where control actually reduces risk. Below are four critical considerations to guide your decision-making:

a. Segment by risk, not ideology

Sovereign control should reflect business and regulatory exposure, not blanket rules. Classify workloads into three zones:

  • Mission-critical & regulated: e.g. core banking systems, health records
    • Aim for maximum sovereignty on all pillars.
  • Differentiating IP: e.g. AI models
    • Focus on Data and Software control; leverage sovereign regions for training while keeping models exportable.
  • Commodity workloads: e.g. test environments, public websites
    • Standard public cloud with encryption and exit clauses is often sufficient.
       

b. Use market offerings tactically

Sovereign-labeled services can help, but don’t assume they deliver real autonomy. Ask three questions:

  • Key custody: Are HSMs operated by an entity shielded from non-EU law?
  • Support reach: Can admins outside the EU access unencrypted data?
  • Exit path: How portable is the workload? What’s the cost to leave?

If the answer to any is unclear, you have a dependency, not sovereignty.
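The scorecard, the zone-based thresholds and the three vendor questions above can be combined into one measurable check. The following Go program is an added illustration written for this article, not Deloitte’s framework implementation: the 0–4 scale, the target levels per zone, the indicator names and the two sample workloads are all constructed assumptions. Each pillar is scored from yes/no indicators (the key-custody, support-reach and exit-path answers among them), an unanswered pillar scores 0 so that an unclear answer counts as a dependency, and any pillar below the zone’s threshold is reported as a gap.

```go
package main

import "fmt"

// The 4+1 pillars of the framework described in the article.
const (
	Operations     = "Operations"
	Data           = "Data"
	Software       = "Software"
	Infrastructure = "Infrastructure & Communications"
	Security       = "Security"
)

var Pillars = []string{Operations, Data, Software, Infrastructure, Security}

// Zone is the workload class from the segmentation step.
type Zone string

const (
	MissionCritical Zone = "mission-critical & regulated"
	Differentiating Zone = "differentiating IP"
	Commodity       Zone = "commodity"
)

// Target control level per pillar on a 0-4 scale. These numbers are an
// assumption chosen for this example, not figures from the article.
var targetByZone = map[Zone]map[string]int{
	MissionCritical: {Operations: 4, Data: 4, Software: 4, Infrastructure: 4, Security: 4},
	Differentiating: {Operations: 2, Data: 4, Software: 4, Infrastructure: 2, Security: 3},
	Commodity:       {Operations: 1, Data: 2, Software: 2, Infrastructure: 1, Security: 2},
}

// Indicator is one yes/no control check attributed to a pillar, such as the
// key-custody, support-reach and exit-path questions.
type Indicator struct {
	Pillar    string
	Name      string
	Satisfied bool
}

type Workload struct {
	Name       string
	Zone       Zone
	Indicators []Indicator
}

// Gap records a pillar whose measured level is below the zone's target.
type Gap struct {
	Workload, Pillar string
	Target, Actual   int
}

// Score maps indicators to a 0-4 level per pillar: satisfied/total scaled to 4,
// rounded down. A pillar with no indicators scores 0, so an unanswered question
// is treated as a dependency rather than as control.
func Score(w Workload) map[string]int {
	total, ok := map[string]int{}, map[string]int{}
	for _, ind := range w.Indicators {
		total[ind.Pillar]++
		if ind.Satisfied {
			ok[ind.Pillar]++
		}
	}
	scores := map[string]int{}
	for _, p := range Pillars {
		scores[p] = 0
		if total[p] > 0 {
			scores[p] = 4 * ok[p] / total[p]
		}
	}
	return scores
}

// Gaps returns every pillar, in framework order, where the workload falls
// short of its zone's threshold.
func Gaps(w Workload) []Gap {
	target, actual := targetByZone[w.Zone], Score(w)
	var gaps []Gap
	for _, p := range Pillars {
		if actual[p] < target[p] {
			gaps = append(gaps, Gap{w.Name, p, target[p], actual[p]})
		}
	}
	return gaps
}

// Constructed sample workloads; the indicator answers are invented for the example.
var CoreBanking = Workload{Name: "core-banking", Zone: MissionCritical, Indicators: []Indicator{
	{Data, "HSM keys held by an EU entity shielded from non-EU law", true},
	{Data, "non-EU support staff cannot reach unencrypted data", false},
	{Data, "backups and logs encrypted with our own keys", true},
	{Operations, "runbook tested for a provider outage", true},
	{Operations, "service continues if the provider is sanctioned", true},
	{Software, "exit rehearsed and migration cost known", true},
	{Software, "IP ownership of custom code confirmed", true},
	{Infrastructure, "hypervisor and network under EU control", false},
	{Security, "IAM and secure development applied", true},
}}

var PublicWebsite = Workload{Name: "public-website", Zone: Commodity, Indicators: []Indicator{
	{Operations, "provider SLA with DNS failover", true},
	{Data, "encryption at rest enabled", true},
	{Software, "contract includes an exit clause", true},
	{Infrastructure, "no bespoke hardware dependency", true},
	{Security, "IAM and patching applied", true},
}}

func main() {
	for _, w := range []Workload{CoreBanking, PublicWebsite} {
		fmt.Printf("%s (%s): %v\n", w.Name, w.Zone, Score(w))
		for _, g := range Gaps(w) {
			fmt.Printf("  GAP %-32s target %d actual %d\n", g.Pillar, g.Target, g.Actual)
		}
	}
}
```

Run as written, the mission-critical workload reports two gaps (Data at level 2 because support staff can still reach plaintext, Infrastructure at level 0 because the hypervisor is under foreign control), while the commodity workload clears its lower thresholds with no gaps. The per-pillar scores are exactly the values a spider chart would plot, one axis per pillar.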
 

c. Extend the lens to data sharing and AI

New rules blur internal vs. external data. The AI Act and Data Act will make logs, lineage, and consent records sensitive assets. Build architectures that:

  • Segregate sensitive metadata
  • Automate access control
  • Digitally sign data packages for integrity outside the perimeter
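The last item, signing data packages so their integrity can be checked outside the perimeter, is shown below in Go as an added example, not code from the article or from any product it mentions. It assumes an Ed25519 signing key, SHA-256 digests, and a manifest format invented for the example: the producer lists each record with its digest, signs the canonical JSON of that manifest, and the consumer verifies the signature first and then every record against the manifest, rejecting records that were added, altered or dropped in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every record in the package by name with its SHA-256 digest.
// encoding/json sorts map keys, so equal manifests encode to identical bytes
// and the signature covers a deterministic message.
type Manifest struct {
	PackageID string            `json:"package_id"`
	Producer  string            `json:"producer"`
	Digests   map[string]string `json:"digests"` // record name -> hex SHA-256
}

// SignedPackage is what leaves the perimeter: manifest, signature over the
// manifest, and the records themselves.
type SignedPackage struct {
	Manifest  Manifest          `json:"manifest"`
	Signature []byte            `json:"signature"`
	Records   map[string][]byte `json:"records"`
}

func BuildManifest(id, producer string, records map[string][]byte) Manifest {
	m := Manifest{PackageID: id, Producer: producer, Digests: map[string]string{}}
	for name, body := range records {
		sum := sha256.Sum256(body)
		m.Digests[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// canonical is the byte string that is signed and verified.
func canonical(m Manifest) ([]byte, error) { return json.Marshal(m) }

// Sign builds the manifest for the records and signs it with the producer's key.
func Sign(priv ed25519.PrivateKey, id, producer string, records map[string][]byte) (SignedPackage, error) {
	m := BuildManifest(id, producer, records)
	msg, err := canonical(m)
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Manifest: m, Signature: ed25519.Sign(priv, msg), Records: records}, nil
}

// Verify checks the manifest signature, then every record's digest, and also
// rejects extra or missing records: a consumer outside the perimeter must not
// silently accept unsigned data alongside the signed set.
func Verify(pub ed25519.PublicKey, p SignedPackage) error {
	msg, err := canonical(p.Manifest)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, p.Signature) {
		return errors.New("manifest signature invalid")
	}
	if len(p.Records) != len(p.Manifest.Digests) {
		return errors.New("record count does not match manifest")
	}
	for name, body := range p.Records {
		want, listed := p.Manifest.Digests[name]
		if !listed {
			return fmt.Errorf("record %q is not in the manifest", name)
		}
		sum := sha256.Sum256(body)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("record %q digest mismatch", name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample records standing in for lineage and consent exports.
	records := map[string][]byte{
		"lineage.json": []byte(`{"source":"crm","transform":"pseudonymise"}`),
		"consent.csv":  []byte("subject_id,purpose,granted\n1001,analytics,true\n"),
	}
	pkg, err := Sign(priv, "pkg-0001", "data-office", records)
	if err != nil {
		panic(err)
	}
	fmt.Println("verify original:", Verify(pub, pkg))
	pkg.Records["consent.csv"] = []byte("subject_id,purpose,granted\n1001,analytics,false\n")
	fmt.Println("verify after tamper:", Verify(pub, pkg))
}
```

Signing the manifest rather than each record keeps one signature per package while still binding every record, and the count check closes the gap where a record could be appended or removed without touching any signed digest. The public key is what the receiving party needs; the private key stays with the producer, ideally in the same custody arrangement the key-custody question above applies to.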
     

d. Plan for shifting standards

Regulatory definitions of sovereignty are still evolving. The EUCS debate proves the need for flexibility. Adopt a “living roadmap” for sovereignty and review it annually to stay aligned without starting from scratch.

Conclusion

Digital sovereignty is no longer a buzzword; it is a tangible risk that demands attention at the board level. Organizations that define control objectives, score their estate, and invest where the blast radius is highest will turn compliance into competitive advantage.

Action plan for leaders

  1. Set the bar: Approve an internal policy mapping EUCS, DORA, AI Act and Data Act to concrete technical controls.
  2. Score your estate: Use the four-dimension sovereignty framework to highlight gaps that exceed risk appetite.
  3. Invest where it counts: Prioritize key custody, workload portability and data-lineage automation.
  4. Test the plan: Run an annual “sovereignty drill” simulating a subpoena, provider outage and exit.
  5. Shape the standard: Engage industry bodies and regulators; early adopters influence, latecomers comply.

Sovereign regions cost more, talent is scarce and the rules keep changing. Even so, organizations that explicitly define and measure sovereignty can secure innovation on their own terms.
