Digital sovereignty is about control, not geography

Digital sovereignty is a term that often sounds grander than it really is. In this blog post, I explain why sovereignty isn't about where servers are located or which flags fly on the invoice, but about something far more practical: control when the storm hits.

I weigh the two major perspectives against each other, from law and jurisdiction to real operational security, demonstrating why "geography as a solution" risks becoming costly theatre if it cannot be proven through capability, recovery, and actual governance. At the same time, I put conspiratorial claims about American clouds into context and pose the simple yet uncomfortable question: what is the alternative – and what does it cost in terms of security, economy, and competitiveness?

In short: a mature, risk-driven discussion on how Europe can become more independent without becoming more vulnerable, and why those who can stay the course in a storm will win in the long run.

Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

I've been carrying a kind of "unease in the stomach" for a while now. It didn't start with a headline or a report, but with endless conversations and dialogues within the industry. From law students, IT specialists, behavioural scientists, cybersecurity experts and countless others with insights and opinions, a viewpoint began to form in my mind. It took real shape after many discussions with leaders who are smart, pressured, and human, but with different focuses than cybersecurity experts like myself. The same pattern recurred: when we talk about digital sovereignty, digital independence, we often become very good at pointing to a place, a country, a flag—and less good at answering the difficult question: who holds control when the storm arrives?

Because in a digital world, the storm will come sooner or later; incidents happen and will continue to happen. It's not dramatic, it's just... weather. Capricious politicians come and go, decision-makers with varying understanding and insight into the digital world. Geopolitical situations storm and calm with clear skies and friendly clouds (pun intended). Organisations are like boats on this vast digital ocean. And this is where I want to place the whole debate: digital sovereignty is not about where the boat is registered. It's about which lifeboats can actually be launched, who holds the keys, and whether the crew has practised getting ashore when the weather turns. Seaworthiness on a sensible basis with control.

This might sound obvious. Yet we are stuck in a conversation that often slides towards two extremes. One side acts as if geography solves everything. The other as if scale solves everything. I believe both sides miss something. But I also believe the "geographical" side risks missing the most and at the greatest cost to the digital society.

The serious objection: jurisdiction is not a conspiracy theory, it is a risk

I want to say this first, because it's important for the integrity of this post: there are legitimate reasons to be sceptical of dependencies and jurisdiction. When European actors highlight extraterritorial application of non-European laws as a cybersecurity risk, it's not automatically conspiracy. For example, the French presidency has explicitly identified extraterritorial application of non-European law related to digital technology as a risk dimension Europe must be able to manage (Élysée, 2025).

There are also attempts to sober up the debate considerably, especially regarding the American CLOUD Act, which has caused some to panic. Some analyses try to clarify what it actually means in practice, which misunderstandings circulate, and what controls can reduce the risk (CMS, 2026).

The point is simple: jurisdiction can be a relevant vulnerability, especially for the most sensitive and critical societal data. To pretend it doesn't exist is just as dishonest as pretending it automatically means "everything is monitored". Both sides create more heat than light.

But, and here's my stance, jurisdiction is not a geographic sentence. It is a risk factor that must be translated into control requirements that are proportionate.

When the debate loses footing: sovereignty theatre

What makes me allergic is when sovereignty is reduced to changing the flag on the invoice from the service provider and then calling it control, compliance ticked off. That's when we end up with sovereignty theatre: repainting the lifeboats and hoping the storm will be impressed. It's nothing but false security, safety, and control.

I think the European Commission is on to something sensible here: trying to make sovereignty measurable and evidence-based, instead of symbolic. Their Cloud Sovereignty Framework describes sovereignty in several dimensions and aims to make it something that can be tested, not just felt (European Commission, 2025).

And the Commission's Joint Research Centre expresses a position I find unusually reasonable in a polarised debate: Europe should be open, but not powerless. Digital sovereignty then means strategic freedom of action and capability, not isolation or protectionism for its own sake (European Commission, Joint Research Centre, 2025).

That is precisely where I want to land: sovereignty as control, not as "here's where the server stands".

The second serious objection: "But what about American clouds, aren't they a risk too?"

Yes, absolutely. If someone claims everything becomes safe just because it's called Azure, Amazon Web Services or Google Cloud, they have confused marketing with meteorology. The storm doesn't care. At the same time, we must be very clear on one thing: hyperscale providers have a scale that can deliver real operational capability. Microsoft's Digital Defense Report, for example, describes the extent of their security organisation and signal processing (Microsoft, 2025), which is unmatched if what we want is real and straightforward security.

I'm not quoting this to say "therefore American clouds are the best". I quote it to say: if we compare security, we must compare capability. It's not enough to say "we build it ourselves" and believe that automatically provides the same lifeboat capacity, the same level of drills, and the same rescue chain.

This is where I think the geographical sovereignty debate risks becoming dangerous. Not because it wants to reduce dependencies, but because it sometimes pretends you can replace operational depth with political declarations. And note, this is also where EU lawmakers want real resilience, where the ability to maintain genuine continuity is measurable.

"Splinternet" and data localisation: when the wall becomes a vulnerability

There is another problem often overlooked. When we build sovereignty as walls, we risk driving fragmentation and digital exclusion. This kind of fragmentation has costs, both economic and security-related.

The European Parliamentary Research Service has described how internet fragmentation ("splinternets") involves diverging standards and protocols, which can affect innovation, interoperability, and governance (European Parliamentary Research Service, 2022).

The Organisation for Economic Co-operation and Development also shows how data localisation measures are increasing and becoming more restrictive, and how they can impact businesses and cross-border flows (Ferencz & López González, 2023).

This is an area where I think the debate sometimes sounds like "local is always better" or "Swedish clouds are better than American". But local can also mean: smaller ecosystems, fewer talent pools, more expensive redundancy, and several special solutions. And special solutions often, in practice, represent a security risk because complexity is a favourite dish for both incidents and attackers. You are actually more vulnerable with local and home-grown solutions. Just look at recent incidents like Miljödata.

I'm not saying localisation is always wrong. I'm saying localisation is a measure with clear trade-offs. And pretending trade-offs don't exist is like selling a lifeboat without a plug. Or from a control perspective: do you have the control you want over your data in local clouds and technical solutions comparable to the alternatives? Where is your data safest and most secure considering your core operations, costs, capability, and proportionality?

EU's internal conflict: the technical became political

If anyone wants to see that "both sides" really exist within the EU itself, it's enough to follow the debate around cloud service certification and sovereignty requirements. The EU Institute for Security Studies describes how a technical issue has become a political stress test: how Europe should balance security, performance, and dependence on dominant American providers (European Union Institute for Security Studies, 2025).

This is good to keep in mind because it shows the issue is not simply "anti-USA" or "pro-cloud". It is a real conflict of interests between risk types: legal control, operational robustness, market dynamics, and geopolitical freedom of action.

My conclusion: control is the lifeboat, geography is just the harbour

Here is my core point, which I stand by even after listening carefully to the "other side": digital sovereignty is real only when we can demonstrate control in three simple questions:

Firstly: can we manage access and keys in a way that withstands both technical and legal shocks?

Secondly: can we detect and isolate damage quickly, even when the supply chain is disrupted?

Thirdly: can we truly recover, and prove it with exercises, not just documents?

It doesn't matter if the boat is European or American if the lifeboats can't be launched. And this is where I think conspiratorial arguments become a problem for our digital society and public and private organisations. Not because they're always "wrong" in their concerns, but because they often skip many important steps needed to prove their thesis and stance. They replace risk management with moral panic. They sound like they seek control. But in truth, they often deliver only fear, ignorance, and sometimes panic.

Fear can make us move. But fear can also make us run in the wrong direction.

Herd immunity as a mature response in a borderless storm

My own position in all this is therefore a combination I find both realistic and responsible: cooperation with like-minded democracies where possible, and selective, evidence-based sovereignty where the consequences demand it.

The EU and the US already have structures for cooperation on technology, standards, and resilience thinking through the Trade and Technology Council, showing that "alliance logic" in the digital space is a concrete, ongoing strategy, not just an idea (U.S. Trade Representative, 2024).

That doesn't mean we should be naive. It means we should be mature. In a world where attackers, supply chains, and geopolitics cross borders as if they were lines in the sand, the most practical form of sovereignty is often common minimum requirements, a shared threat picture, and shared capability to recover.

I believe the future's competitiveness will be measured by how well we can stay the course in storms on the global digital oceans. Not by how loudly we shout "independence" from the deck while sailing around in a small dinghy in the local harbour.

Final thought: the storm will come anyway, the question is whether we have practised

If I am to leave you, the reader, with one image, it is this. Picture a captain standing on the bridge with a map marking all the dangers. The map is beautiful. But it is also useless if the lifeboats have never been tested, if the keys are on the wrong keyring, and if the crew has never practised responding when it happens.

Digital sovereignty is not an address. It is a capability. It is control.

And if we want integrity in the debate, we must be able to say this simultaneously: yes, jurisdiction and dependencies are a real risk. Yes, hyperscale can be a real strength. Yes, walls can become a real vulnerability. And no, we must not turn security into theatre.

Because the storm doesn't care about our slogans. It cares about our lifeboats.

References

European Commission. (2025). Cloud Sovereignty Framework (PDF).

European Commission, Joint Research Centre. (2025). Open but Not Powerless: Towards a Common Understanding of EU Digital Sovereignty (Policy brief).

European Parliamentary Research Service. (2022). "Splinternets": Addressing the renewed debate on internet fragmentation (PE 729.530).

European Union Institute for Security Studies. (2025). Technical is political: When a cloud certification scheme divides Europe.

Élysée. (2025). Achieving Europe's Cloud and Data Sovereignty.

Ferencz, J., & López González, J. (2023). The Nature, Evolution and Potential Implications of Data Localisation Measures (OECD Trade Policy Papers, No. 278). OECD Publishing.

Microsoft. (2025). Microsoft Digital Defense Report 2025.

U.S. Trade Representative. (2024). U.S.–EU Joint Statement of the Trade and Technology Council.
