The unexpected consequences of digital sovereignty

The unexpected consequences of digital sovereignty

There were good reasons for organizations to embrace the cloud. Now comes a backlash: adoption has led to dependency, and there’s now a push to reduce it. What (sometimes unexpected) consequences must businesses and the public sector consider in their pursuit of digital sovereignty? Experts from Thales, Rubrik, Eurofiber, Dynatrace, and Cloudera share their perspectives on this topic.

The current adoption of Big Tech services has been voluntary. Workplace software, data platforms, and countless other cloud services turned out to be most attractive when purchased from Microsoft, Google, or Amazon. In other words: organizations have built their digital homes in the cloud, according to Frank Beerlage, Managing Director Benelux at Cloudera, but the hyperscalers hold the front-door key. That home was built gradually, he explains, with lucrative cloud contracts that made heavy usage cost-effective. Now that organizations want to reclaim digital control, a painful migration may follow. “Everyone wants to be sovereign, but no one wants to become one,” says Beerlage.

Guido Gerrits, VP of IAM Sales Europe at Thales, acknowledges that there is friction in the transition to sovereign solutions. “On the other hand, you become more flexible and vendor lock-in decreases. But you’ll also have to retrain your staff.” More on that later.

Don’t just run away

The timing is extremely unfortunate. Just as the scale of the public cloud is responding to the rise of AI and hardware costs are skyrocketing, the desire for sovereignty suggests that in-house infrastructure is a requirement. Even the most advanced AI models, available only via cloud-driven APIs, are difficult to reconcile with sovereignty. “Our companies are going to need AI to stay competitive,” notes Chris Geebelen, Solutions Engineering Director for Benelux, the Nordics, Eastern Europe, and Iberia at Dynatrace. “We’re in a global market, not on an island in Europe. U.S. companies have such extensive access to hardware, software, and services that they’re developing at lightning speed. Our companies can’t afford to fall behind.”

From left to right: Guido Gerrits (Thales), Frank Beerlage (Cloudera)

So, we shouldn’t just run away from the cloud and non-European solutions. A certain acknowledgment of the reality in 2026 is necessary. But Filip Verloy, Field CTO for EMEA & APJ at Rubrik, qualifies the assumption that access to top-tier AI models is needed everywhere. “A hospital doesn’t need a frontier model at all to determine from a scan whether there’s a disease. That use case is completely different, and it does require private data.” Nevertheless, Verloy believes that Europe does need to do some soul-searching to remain competitive in the field of AI. “At the same time, you might ask: where does the innovation from the frontier labs come from? Not from our side.”

These are concerns that will linger for a long time. Still, as Europeans, we shouldn’t assume that the desire for sovereignty, if unfulfilled, will simply disappear. “A door has been opened that won’t close again,” says Ivo Veerman, Sales Director at Eurofiber Cloud Infra.

The procurement paradox

The fact that the desire remains does not mean that implementation is going smoothly. Sometimes sovereignty clashes head-on with the European instinct to regulate everything neatly. Beerlage cites bus manufacturer VDL, which opened a production facility in Belgium with substantial government funding, only for a European tender for new buses to ultimately go to a cheaper Chinese manufacturer. “On the one hand, we’re trying to stimulate employment, and at the same time, we have strict procurement rules that force us to buy from the Chinese,” he says. He sees this as a structural tendency among Europeans, one that sometimes has problematic consequences. “We want to do everything fairly and properly. That’s good, but you also shouldn’t be naive.”

Moreover, the pressure is coming from an unexpected direction. Verloy outlines a gray area surrounding the Schwarz Group, the German parent company of both Lidl and cloud provider STACKIT. “Lidl has 150 stores in the United States. Is there an economic link where a decision is made in America: if you want to continue doing business here, then this becomes an interesting leverage point for us?” For Veerman, this dynamic primarily proves that the market won’t resolve this on its own: “If you leave the market to its own devices, this is what happens. So apparently, government intervention is needed.”

Een man met grijs haar en een bril zit op een mosterdkleurige bank en gebaart met zijn hand terwijl hij praat; op de voorgrond zijn nog twee andere mensen gedeeltelijk te zien.
Filip Verloy (Rubrik)

We aren’t consistent in this regard ourselves, Veerman points out: “It’s well known that Huawei equipment is still used in many networks.” Moreover, it’s not an exclusively European issue. “Sovereignty is a huge topic in America,” Beerlage notes, though it’s easier to resolve there, and might even go by a different name. “For them, Microsoft is sovereign,” Veerman adds dryly. Or digitally autonomous, or independent, if you will.

If the plug is pulled

The most immediate danger is that all cloud services could suddenly disappear. That’s mostly theoretical, but it sometimes becomes reality. Veerman points to the Amsterdam Trade Bank (ATB). When it fell under the Russia sanctions, its Microsoft accounts were completely blocked. Shortly thereafter, ATB went bankrupt. “Microsoft didn’t do anything wrong from a security standpoint; they were acting in accordance with an international boycott that we, as a society, support,” says Veerman. “But it had disastrous consequences for the company.”

The reason this is such a sensitive issue lies in the legal reality. The hyperscalers can state that they have never handed over European data under the U.S. Cloud Act, even though this can never be guaranteed. The Patriot Act and Section 702 of the FISA are a complete black box, because they are subject to a duty of confidentiality. Verloy calls the antidote “operational sovereignty”: “If the people who manage the environment locally receive a request under the Cloud Act, they cannot legally comply with it.” The protection then lies within the chain itself. A contractual promise alone is not enough.

But the issue doesn’t even have to be political. Even a routine outage places the burden on the organization itself. For some organizations, cloud providers are responsible for running virtually all IT workloads. That doesn’t mean they’re directly liable for downtime, configuration errors, or other issues. Whether or not the IT infrastructure is sovereign, the organization itself remains ultimately responsible. Veerman argues that new legislation, such as the implementation of the NIS2 Directive, should give organizations pause for thought. “Executives are now personally liable if your organization is not compliant. That’s quite something. Whereas security and IT used to be seen as an expense, that personal liability, coupled with the threat of massive fines, is now providing a huge incentive to take sovereignty seriously.”

Crown jewels

This will have consequences for where data is stored. “It starts with the question: What are my crown jewels? Do I have control, do I have oversight?” says Veerman. “And: what if? If you keep peeling back the dependencies from there and gain insight into the risks, it naturally becomes clear where you can improve.” Gerrits from Thales agrees with this assessment. “What are my critical processes, what are my dependencies, and are those dependencies acceptable, or do I need to adapt to them?”

Een man in een wit overhemd zit aan een tafel met een notitieboekje, een pen, waterflesjes en een beker, en lijkt in gedachten verzonken. Op de achtergrond werkt iemand anders op een laptop.
Ivo Veerman (Eurofiber)

Geebelen observes that the answer to those questions is often less pleasant than one might hope. “We give customers the visibility to see what’s running and where the dependencies lie, because an IT environment is often one big mess. Which components are running where, and what’s the impact if you move something or if it goes down?”

That outage, usually partial or at least short-lived, is easy to outsource. However, blaming a red dashboard at a cloud provider is far too easy. Moving back from the cloud to your own IT infrastructure means you have to rethink availability and how to handle outages. “Disaster recovery is something nobody wants to talk about, just like wanting to become self-sufficient,” says Beerlage of Cloudera. He notes that people are quick to cut corners on this critical task. It is, and remains, an abstract solution to a theoretical problem, until the outage actually occurs.

The resurgence of on-prem

The reevaluation sparked by the sovereignty debate is shifting the focus of data in a measurable way. “Of all data, about 60 to 65 percent is now in the cloud,” says Beerlage. At one time, he notes, growth to 95 percent was a realistic prospect. “That’s not going to happen anymore. Perhaps we’ll slowly move toward a 50-50 split, with confidential, AI-sensitive data moving on-premises and sales reports remaining in the cloud.” For critical infrastructure, that choice is sometimes already a strict requirement. Gerrits sees it in his own pipeline: “We’re already seeing migrations from American access management solutions to European ones.” Countries in the Nordics in particular, and now also the Benelux, are leading the way in this area, he says.

This shift is suddenly making physical infrastructure interesting again. Data centers are back in demand among organizations, Veerman notes. “Demand is surging, and that’s not just from hyperscalers and AI, but also from regular companies that want to manage part of their IT infrastructure themselves.” There’s no shortage of capital, adds Beerlage: from major private equity firms like KKR and EQT to the Norwegian sovereign wealth fund, “the world’s largest investor.” If parties like that back this expansion, that’s more than enough.” At the same time, the problem shifts as well. After all, anyone switching from Azure to a European provider is trading one dependency for another. Beerlage immediately sees a new market there: “Data platform managers that allow you to centrally manage five or six different cloud environments. You then decide for yourself which data runs where.”

Sovereignty versus AI

Amid all this, one issue stands out the most, and it just happens to be the hottest tech topic right now. “Sovereignty versus AI is a battle,” Beerlage summarizes. The core of that battle is the data, not the model. “A self-learning model has no value in and of itself; it needs data,” he explains. “And when you combine that with data storage, it’s surprising, to say the least, that healthcare organizations are pasting patient data into ChatGPT. It’s just as easy as uploading an Excel sheet. The model is trained outside of Europe, and the data is stored there.” The result is predictable: “We’re going to see a lot more data breaches.” Some organizations are now drawing a firm line. “Literally a list: if you use this software, you’ll be fired immediately.”

Een man in een blauwe blazer zit aan een houten tafel met glaswerk en bloemen, terwijl hij voor zich uit kijkt in een moderne, helder verlichte kamer.
Chris Geebelen (Dynatrace)

There’s another way, Veerman emphasizes, and in healthcare, that’s no minor detail. “It’s possible to have mammograms or scans assessed by AI, but only in a closed environment that no one can access.” In other words: private AI. His bottom line is clear: “AI is here to stay; it’s disruptive and important. But if you don’t adopt it securely, as far as I’m concerned, it’s no longer an option.” And the next generation of problems is already looming, warns Beerlage: “With agentic systems, you end up with agents controlling other agents. In no time at all, they’ll create a huge mess, simply because they’re using the wrong data.” This highlights the importance of digital oversight in a broader sense than just the provider.

Be prepared to pay a price

Sovereignty is therefore rarely free; the cost comes in the form of functionality and, temporarily, money. As Gerrits noted at the beginning, the transition comes with friction: “Perhaps a bit less functionality and, temporarily, slightly higher costs.” Verloy illustrates that even the hyperscalers don’t pay the full price, using AWS as an example: “It has a sovereign cloud, but in reality, that’s a partition somewhere in Baden-Württemberg with two availability zones. Even AWS can’t completely disconnect itself from its own commercial cloud.” Nevertheless, hyperscalers regularly charge significantly higher prices for their sovereign options.

Ultimately, the greatest risk is the cumulative effect of dependencies. A standalone SaaS application like Microsoft 365 or Salesforce is virtually impossible to avoid. However, the proliferation surrounding it has never been curbed because sovereignty wasn’t a major issue for years. Beerlage describes how it creeps in: a data platform starts with a small project but gradually expands until it houses the vast majority of the company’s data. “One such system doesn’t make you vulnerable to blackmail. But having all your data consolidated into a single data environment, that’s what makes you vulnerable to blackmail.” Or, to put it in a slightly less dramatic but equally concerning way: dependent.

Conclusion

Opinions differ on where the sovereignty debate is headed. But no one at the table expects a return to the status quo. Beerlage believes it’s only a matter of time before the legislation itself becomes stricter. A drastic example is Turkey, which has established strict mandates to keep personal data almost exclusively within its borders

Gerrits sees the underlying trend continuing unabated. “Europe and America are drifting further and further apart, and that trend isn’t going to stop anytime soon.” He observes that the move toward greater sovereignty continues to gain momentum. His message to organizations that are part of critical infrastructure is that they must, at the very least, take stock of their critical processes and data and implement targeted measures to address them. Beerlage considers it still uncertain what the actual outcome of these digital ambitions will be. Europe is an economic heavyweight, and “even if we make only 10 to 15 percent of our continent more sovereign, that would already be quite good. Two years ago, all of this was still just a thought experiment.” Those days are over.

See also: Digital sovereignty: from idealistic theory to real-world practice