The S-Unit

Digital Sovereignty: navigating innovation, dependency and risk profiles

A report on the sovereignty debate at Cloud Expo 2025

Anyone walking through the halls of Cloud Expo noticed it right away: this year, the conversation wasn’t just about AI, cloud migrations or zero trust, but about digital sovereignty and cybersecurity. The booths of major cloud providers drew plenty of attention, as always, yet in the panels and the conversations afterwards one question kept coming back: how dependent do we actually want to be? And what does that mean for our cyber resilience?

With players like Microsoft prominently present, the debate felt more relevant than ever. In a world where geopolitics, technology and security increasingly overlap, one question takes centre stage: who is in control?

What is digital sovereignty?

Digital sovereignty is about the ability to make your own decisions regarding technology, data and digital infrastructure. It’s not a romantic ideal, but a practical question:

  • Where is your data stored?
  • Who has legal and technical access to it?
  • What happens if a vendor goes down, is acquired, or is compelled by foreign legislation to provide access?

This goes straight to the heart of data sovereignty: the right and the ability to maintain control over your own data, including the capacity to retain operational access regardless of the status of your vendor.

Freedom of choice, control and equality form a triangle that organizations constantly navigate. The more convenience you buy, the more control you often give up. The more autonomy you want, the more responsibility and cost come with it.

The geopolitical layer

Digital supply chains today are rarely local. Vendors operate under different jurisdictions, from the U.S. CLOUD Act to European regulations such as NIS2 and GDPR. As a result, international tensions, sanctions and economic interests increasingly influence technical decision-making. The debate at Cloud Expo made one thing clear: geopolitics is no longer a distant concern, but a reality that CISOs, CTOs and policymakers must learn to navigate.

Digital sovereignty is also a political issue. The debate highlighted that the Netherlands is simply too small to set its own course in a world dominated by a handful of major tech companies. That’s why digital sovereignty, like energy and trade policy, must be shaped at the European level. Only then can we effectively counterbalance global players and extraterritorial legislation.

The digital sovereignty debate at Cloud Expo 2025

Four propositions, four perspectives

At the sovereignty debate at Cloud Expo, several prominent figures from the tech and political domains were present, including Rob Elsinga (Microsoft), Ellen Mok (De Digitale Doetank), Ferry S (SIDN) and Martijn Hoogesteger (S-RM). Moderated by Lucinda Sterk and Lisa de Wilde, they discussed digital sovereignty and the dependence on major tech companies, with attention to both the political and strategic dimensions.

Statement 1: Dependence on non-European vendors is a risk for all Dutch citizens.

Supporters of this statement point to extraterritorial legislation and uncertainty around data access. Stricter regulation, they argue, would help protect national security interests more effectively.

Opponents highlight the advantages of international providers: innovation power, scalability, security standards and continuity that smaller players can rarely match. Full autonomy sounds appealing, but should not come at the expense of progress.

The real challenge emerges when asking how to balance risks and opportunities:

  • Which dependencies are acceptable?
  • Which require compensating measures?
  • And where does freedom of choice actually increase complexity?

Dependency itself is not the problem; unconscious dependency is.

Statement 2: The government should establish clear rules on digital sovereignty, even if this goes against market forces.

Stricter frameworks can help organizations make better and more informed choices. Think of transparency requirements, guarantees on data access, or limits on certain types of dependency. Supporters view this as a necessary step, comparable to regulation in the energy or healthcare sectors. At the same time, it was emphasized that the Netherlands is too small to regulate this issue alone. Only at the European level can legislation truly impact the power position of major providers. National rules are valuable as a framework, but the real game is played in Brussels, where the balance must be found between innovation, security and market access.

Others fear that an overly rigid approach will slow down innovation. The cloud market moves fast; legislation, by definition, moves slowly. And the reality is that many organizations simply cannot—or do not want to—operate without the major players.

The consensus in the room: rules can provide direction, but organizations must continue to analyze their own scenarios, risks and dependencies. Sovereignty cannot be outsourced.

Statement 3: The societal and economic costs are already high; we must invest in digital sovereignty to protect our future economic strength.

Supporters argue that digital autonomy is necessary to make the economy future-proof. Cyber incidents cost billions each year; dependencies can potentially amplify that damage.

Critics take a more nuanced view: focusing solely on sovereignty risks losing sight of innovation, especially in the field of AI. The question is not whether you are dependent, but how you manage that dependency. Data processing, AI models and modern cloud architectures inevitably run on global infrastructures.

Another important point raised in the debate: the dependence on large tech companies did not emerge overnight. We actively built that dependency ourselves over many years, driven by innovation, convenience and speed. Breaking away from such ecosystems is therefore complex and costly. This makes the sovereignty discussion not only technical and political, but also economic: which dependencies do we accept because they offer strategic advantages, and which do we not?

Statement 4: The path to digital sovereignty is clear enough — organizations can start tomorrow.

In theory, yes. But in practice, getting started mainly requires making trade-offs: less convenience, higher costs, more complexity or slower innovation. For some organizations, that is a logical choice; for others, it is simply not feasible.

That is why digital sovereignty does not begin with technology, but with a risk profile.
The debate emphasized that when defining their risk profile, organizations must consider not only technical vulnerabilities but also geopolitical risks. How likely is it that international legislation will affect data access? What would a shifting geopolitical landscape mean for your supply chain? And which scenarios are realistic enough to include in your continuity planning? Sovereignty begins with making these risks explicit. Only then can informed choices be made about technologies and vendors.

How organizations can sharpen their risk profile

Many companies have a risk document on paper, but lack a realistic understanding of their actual digital vulnerabilities. A mature risk profile consists of three components:

1. Identify where you are vulnerable through pentesting and red teaming

  • Pentests map out vulnerabilities in systems, applications and cloud configurations. They show which data can be accessed through misconfigurations or flaws in identity structures — crucial input for data sovereignty.
  • Red team engagements simulate an entire attack chain: from phishing to privilege misuse and supply-chain routes. This reveals how operationally dependent you are on vendors, detection capabilities and internal processes.

2. Governance & policy: translating risks into decisions

Once you know where you are vulnerable, the policy work begins:

  • classifying data
  • defining agreements with vendors
  • determining the maximum acceptable level of dependency
  • evaluating legal risks

Sovereignty is not a binary concept, but a strategic journey across different areas of risk.

3. Embedding it in the organization: security awareness & culture

No strategy works without the right behavior. That’s why every risk profile must include investment in people:

  • Security awareness for all employees
  • Training on cloud security, data minimization and privacy
  • Incident response exercises and phishing simulations
  • Building awareness of which data is considered critical and how it may be processed

From insight to action

With a clear risk profile, organizations can take deliberate steps, such as:

  • using multi-cloud or hybrid cloud to spread dependencies
  • exploring alternatives such as European cloud providers
  • tightening vendor contracts around data access, logging and exit strategies
  • revising identity and access structures
  • investing in monitoring, detection and incident response
  • running structural security awareness programs

Digital sovereignty then becomes not a goal in itself, but a strategy for maintaining control over your digital future.

Questions organizations should be asking themselves

  • Where is our most sensitive data stored, and who has access to it?
  • What vulnerabilities emerged from recent pentests or red-team engagements, and what do they reveal about our dependencies?
  • Which risks do we accept, and why?
  • What is the minimum level of control we are never willing to lose?
  • Are our teams sufficiently trained to understand and support sovereignty-related decisions?
  • What will have the greatest long-term impact on our economic strength: sovereignty, innovation, or the balance between the two?

Conclusion: sovereignty is not an end state, but a conversation about risk

Digital sovereignty is not a black-and-white goal you can simply tick off. It is an ongoing conversation within every organization about its risk profile:

  • What is the likelihood that a particular risk will materialize?
  • What are the consequences if it does?
  • And which level of risk do we consciously accept, and which do we absolutely not?

Only when these questions are clear does sovereignty gain meaning. Not as a political or ideological stance, but as a strategic consideration within your operations.

The real strength lies in consciously choosing from the many options the market offers. Organizations have more choices than they often realize: from European cloud providers to multi-cloud strategies, from stricter contractual agreements to data minimization, from technical controls to organization-wide security awareness.

Digital sovereignty is therefore not about one “correct” path, but about choosing the path that fits your risks, context and ambition. It is a continuous process of weighing, adjusting and improving. And that is exactly what mature cyber resilience requires.