Digital sovereignty is, contrary to some misconceptions, about the right and ability to maintain control over your digital dependencies, data and critical infrastructure. Digital autonomy means being able to continue operating even in the face of cyberattacks, disruptions, geopolitical uncertainty or reliance on external parties. Simply put, sovereignty is the power to decide. Autonomy is the ability to act. And the term "self" does not refer to individuals or nations alone.
My point is straightforward. True digital sovereignty isn't achieved by a few organisations becoming highly secure. It only comes when cyber hygiene is widely improved across society. I say this seriously: it's increasingly clear that cybersecurity is becoming a class issue. Digital democracy is at risk of being undermined. Cybersecurity must be for everyone. When enough organisations have reasonable resilience, effective continuity and basic cyber hygiene, society as a whole becomes harder to disrupt. An incident can still happen, but it will be harder for it to spread, escalate and trigger a societal crisis.
This is what I mean by digital herd immunity — not as a precise medical analogy, but as a societal vision.
The strategic perspective: Sweden, the EU and the world
At a strategic level, digital sovereignty concerns a question that has become increasingly important: who really controls what we depend on?
For Sweden, this is no longer a future issue. We are one of the most digitalised countries in the world. That's a strength, but it also makes us vulnerable. As healthcare, energy, transport, education, municipal services and business become ever more reliant on digital systems, digital resilience becomes a matter of national security.
Sweden obviously needs international suppliers, cloud services, AI solutions and global technology platforms. It would be neither feasible nor sensible to try to build everything ourselves, despite conspiracy-minded voices promoting a nationalist agenda around digital sovereignty and autonomy. But we must understand our dependencies and realistically assess the risks they pose. We need to know which dependencies are acceptable, which require alternatives, and which are so critical that we require special control, transparency or in-house capabilities.
This is where the EU's work on digital sovereignty becomes crucial. Europe wants and should be open, innovative and competitive. But it does not want to be powerless or toothless. If clouds, data, AI, semiconductors, identity systems and digital infrastructure are controlled by a handful of global actors outside the EU, strategic dependencies arise. These dependencies are not necessarily wrong, but they must be understood, governed and manageable.
Digital sovereignty is therefore not about digital nationalism. It is not about closing the door to the world. It is about collaborating without becoming helpless.
This development I describe is reflected in regulations such as NIS2 and DORA. These are not just legal requirements. They represent a broader shift from traditional cybersecurity towards digital resilience. The question is no longer just "How do we protect systems?" but also "How do we ensure society keeps functioning?"
Globally, beyond Sweden, this becomes even clearer. Cyberattacks, supply chains, AI, cloud platforms and digital infrastructure have become part of geopolitics. A cyber incident is not always just a technical event; it can impact the economy, defence, democracy, public services and public trust.
Therefore, in my view, Sweden and Europe must build digital herd immunity. Not just within the state, defence or large companies, but across the entire chain: councils, regions, energy companies, ports, healthcare providers, schools, industrial firms, SaaS providers and small subcontractors. An attacker does not always have to target the strongest actor; often, it suffices to find the weakest link.
In an interconnected society, my weakness is someone else's risk. But an organisation's maturity can also be someone else's protection.
The operational perspective: everyday life in critical societal functions
If the strategic perspective is about Sweden, the EU and the world, the operational perspective is about something much more concrete: the day-to-day when systems fail.
Digital autonomy isn't noticeable when everything runs smoothly. It becomes apparent when the cloud service is down, when a supplier suffers a ransomware attack, when identity systems malfunction, when staff cannot access the right information, when a business system is unresponsive, or when data remains intact but trust in it is damaged.
But it's also at these moments that the big words are truly tested.
For critical and essential societal functions, this is no theory; it's operations. Electricity, water, healthcare, transport, communications, food supply, municipal services and financial services all depend on digital chains where many parts must work simultaneously. When one link fails, it affects not just technology but people.
That's why cyber hygiene must mean more than just updated systems and strong passwords. That's the foundation, but not the whole structure. True cyber hygiene also involves knowing which functions are most critical, which systems support them, which suppliers are needed, which identities have access, which data flows are vital, and what manual procedures exist if technology fails. It's not enough to have backups if no one knows the order in which systems should be restored. Having an incident plan means little if management has never practiced decision-making under pressure. Supplier contracts mean nothing if no one has considered what happens when the supplier itself is affected.
Digital herd immunity is built from the ground up in everyday work within organisations: through tested procedures, secure identities, clear responsibilities, practised crisis management, employees who dare to report when something seems wrong, and organisations that understand cybersecurity is not just an IT issue, but a matter of delivery capability.
We must also stop saying that humans are the weakest link. That's both unfair and unhelpful. Yes, if you look only through the narrow lens of football cones, humans can be the weakest link. But the perspective is much broader. People make mistakes, especially under stress. But people are also an organisation's most important sensors. It's people who notice when something is wrong, who stop a suspicious payment, call a colleague, report a suspicious email, or find a temporary workaround when systems are down. High cyber hygiene is not created through fear, but through habit, clarity and practice.
An organisation that shames mistakes is met with silence. An organisation that encourages reporting gains early warnings and makes cybersecurity part of its DNA.
Cyber hygiene is a competitive advantage
It's easy to see all this as a cost: more requirements, more controls, more exercises, more documentation.
But that's only half the story.
In a digital economy, trust becomes a competitive edge. Customers, citizens, investors and partners will increasingly ask whether an organisation can deliver even when things go wrong. Those who demonstrate control over their dependencies gain credibility. Those who manage incidents effectively become more reliable. Those who recover quickly are more attractive partners. That's why cyber hygiene is not just protection; it's business capability, societal capability and ultimately national competitiveness.
For Sweden, this is crucial. We want to be digital, innovative and open. But we must also be resilient, or our digital strengths risk becoming vulnerabilities.
Together, we must become harder to shake
Digital sovereignty is not about managing everything alone, even though control is a key part of its definition. Digital autonomy is not about isolation either. Both are about something more practical: maintaining control, continuity and freedom of action when the world shakes. This requires technology, but also leadership, training, culture, collaboration and fundamental cyber hygiene across society.
We need to see cybersecurity as a team sport. The EU can set direction. Sweden can devise strategy. Authorities can provide support and requirements. But real resilience is built through thousands of daily decisions across organisations.
When a council rehearses manual procedures. When an energy company tests restoration. When a supplier secures its identities. When a region understands its critical dependencies. When a company dares to ask how long it can manage without its key cloud service. When employees report uncertainty before it becomes an incident. That's when cyber hygiene rises from a checklist to a societal capability.
That's how digital herd immunity is built.
And perhaps that's how we should understand the future of digital sovereignty: not as a dream of standing alone proudly, but as the ability to stand firm together.
