Situation Assessment and Quick Wins
Those who understand where they are gain sovereignty: assess where you’re at, clarify your target vision, and stay empowered to take action.
New regulatory requirements are increasing the demands on digital sovereignty. Resilience is now essential. Conducting a systematic assessment of where you stand across the five dimensions of technology, operations, data, skills, and regulatory compliance enhances decision-making capabilities and minimizes dependencies. By concentrating on practical steps, you can achieve rapid and measurable progress.
Digital sovereignty is increasingly recognized as a crucial element of responsible corporate governance in Germany. Regulatory frameworks like NIS-2, DORA, and the German KRITIS Regulation necessitate stronger security protocols. Organizations in regulated sectors, especially those managing critical infrastructures, must show resilience, proactively handle dependencies, and offer solid justifications when uncertainties arise.
Demonstrating that digital infrastructures are well-managed is now an essential requirement rather than just a desirable feature – this applies to both regulatory standards and market expectations. Customers, partners, and investors demand trustworthy responses regarding emergency and exit strategies, management of service providers, and data portability. Digital sovereignty offers a structure to align these needs with the requisite entrepreneurial flexibility.
The first part of our series highlighted the risks that inaction on digital sovereignty poses to executives. In this second installment, we shift our attention to the "how": emphasizing the importance of methodically evaluating the organization's current state and generating momentum through practical, prioritized actions.
Thorough situation assessment as the foundation for digital sovereignty
Digital sovereignty is not achieved instantly. It starts with an honest assessment of the present situation and progresses through steady, well-prioritized choices. Only individuals who understand where they are can guarantee their capacity to respond, even in urgent scenarios. A comprehensive understanding of an organization's digital sovereignty considers five dimensions:
- Technology: Technical dependencies and critical systems
- Operations: Controllability of processes and service providers
- Data: Storage location, access rights, and portability
- Skills: Expertise and decision-making ability in key roles
- Regulatory compliance: Demonstrable fulfillment of regulatory requirements
These five dimensions are interconnected. Technical sovereignty holds little value if operational processes are ineffective. Data sovereignty becomes merely theoretical without the necessary skills to implement it. Additionally, assessing the current situation is not a one-off task: dependencies shift, new technologies arise, and regulations develop. Thus, regular assessments are essential for upholding sovereignty.
Five dimensions of digital sovereignty at a glance
Technical dependencies can creep in quietly: via proprietary databases, exclusive APIs, handy platform services, or limited export and audit rights. This may appear innocuous in daily operations—until circumstances shift, a provider increases fees, a service is discontinued, a legal jurisdiction becomes precarious, or a change in operator is on the horizon.
Key questions:
- Which systems and platforms are business-critical?
- To what extent do you rely on proprietary technologies?
- Are there documented alternatives and migration paths?
- Is there a recovery plan in place for the failure of central systems?
A structured analysis of these aspects uncovers how technological dependencies may evolve into significant business risks, and identifies where specific actions can enhance controllability.
Operational sovereignty refers to the capability to respond effectively not just on a technical level but also in terms of organizational structure during a crisis. This represents a significant accomplishment in management and organization: it requires that roles, escalation paths, communication channels, and training routines function cohesively.
Key questions:
- Are roles and responsibilities for critical processes documented?
- Are there established emergency plans in place for the failure of central systems or service providers?
- To what extent do you rely on individual service providers or subcontractors?
- Can alternatives be activated quickly in an emergency?
- How transparent are supply chains and service provider relationships?
A well-defined operational framework enhances resilience and minimizes the chances of technical issues worsening because of inadequate organization.
Organizations require complete transparency and authority regarding the handling of their data. Insufficient clarity results in compliance challenges and complicates reliable collaboration – particularly in ecosystems or when utilizing AI applications. Data sovereignty includes the categorization of sensitive information; key sovereignty, such as through proprietary key management; well-defined roles and rights concepts; and contractual agreements concerning jurisdiction, data storage, and subcontractors.
Key questions:
- Where is data, including metadata and logs, physically stored?
- Which data is subject to which legal framework (e.g., GDPR, export control)?
- Who has technical and legal access to the data – directly or indirectly (e.g., cloud providers, subcontractors)?
- Can data be exported in full and in usable formats?
- Are data flows between systems documented and traceable?
A strong level of data sovereignty enhances compliance while also allowing for flexible choices in technologies and partners.
The effectiveness of technology and processes hinges on the individuals who manage them. Therefore, digital sovereignty transcends being merely a tool-related concern; it fundamentally revolves around the skills required in management and key roles. Leadership teams must possess a current grasp of cloud, security, and governance matters. They should be capable of posing the right questions, establishing priorities, and enabling their employees.
Key questions:
- What knowledge is needed in-house to operate or migrate critical systems yourself?
- Is there a clear understanding of the contractual arrangements and legal framework?
- Are teams able to assess and implement alternatives?
- How are employees trained on issues of sovereignty and resilience?
- Is access to external expertise guaranteed if internal know-how is insufficient?
- Is knowledge documented, or does it rely on specific individuals?
Developing proficiency in these fields enhances the caliber of investment and technology choices while minimizing the risks associated with strategic lock-in.
In numerous organizations, a portion of risk management is effectively delegated to IT service providers. Nevertheless, the ultimate responsibility cannot be transferred. Organizations need to guarantee that they can oversee service providers and that there are adequate reporting and auditing mechanisms established. Recent regulatory changes are also shifting the emphasis towards effectiveness and verifiability: the existence of policies is less significant than the actual performance of the measures that have been put into action.
Key questions:
- What regulatory requirements apply (e.g., GDPR, NIS2, DORA, export control)?
- Can it be proven that these requirements are being met?
- Are there documented and tested exit strategies and contingency plans?
- Are contracts designed in such a way that the ability to act is maintained in case of need?
- How quickly can you respond to regulatory changes?
A significant level of regulatory sovereignty minimizes liability risks and enhances credibility with supervisory authorities, stakeholders, and the general public.
Small steps: putting digital sovereignty into action
The five dimensions offer a realistic view of the current state of digital sovereignty. At the same time, this analysis frequently uncovers a significant level of complexity: making progress appears challenging, and the obstacles to structural changes seem substantial. In this context, practical actions contribute to generating momentum and showcasing early achievements.
1. Focus on quick wins
Especially at the outset, it is crucial to concentrate on strategies that deliver swift results and significantly lower risks without the need to completely overhaul existing architectures. Examples of quick wins:
- Review and refine existing contracts to explicitly define export and audit rights and create transparency regarding subcontractors.
- Review critical configurations, particularly identities and access rights, with the goal of minimizing rights to the bare essentials.
- Simulate a central emergency scenario to test isolation, switching, and restarting in a realistic manner.
The goal is not to achieve perfection, but to make the initial, verifiable steps towards enhanced controllability—thereby establishing a strong base for future decisions.
2. Make guidelines visible
A fundamental foundation for advancing digital sovereignty is the establishment of comprehensive company-wide guidelines. These guidelines guarantee that decisions are made uniformly across various departments, projects, and timelines. Common guidelines might encompass criteria for dependencies, exit strategies, and the auditability of solutions, as well as stipulations for the portability and data sovereignty of architectures. By clearly and authoritatively defining these principles, aligning them with management, and embedding them within the organization, one can create significant momentum for subsequent sovereign initiatives.
3. Structure decisions
Based on the defined guidelines, it is recommended to offer employees a well-defined decision-making process. This should encompass minimum criteria that need to be satisfied for each pertinent decision, a decision template that specifically addresses sovereignty issues, and explicit instructions for recording risks, considerations, and outcomes to ensure they can be referenced for future reviews, audits, or modifications. This type of decision-making framework allows for a tangible consideration of digital sovereignty while enabling swift and cautious action.
Summary: From situation assessment to controllable digital sovereignty
Digital sovereignty is not established through mere declarations of intent; it is built on thorough analysis, well-structured decisions, and consistent execution. An honest assessment of the present situation uncovers the risks that pose the most significant impact on business and identifies the countermeasures that offer the most substantial leverage. This lays the groundwork for clear decision-making pathways: not a blanket approach of “everything new”, but rather a focus on what is “targeted and manageable”. Investments can be prioritized, dependencies can be consciously designed, and regulatory requirements can be aligned with business agility.
As consultants specializing in management and transformation, we assist businesses in methodically establishing digital sovereignty. Together, we develop a comprehensive understanding of the current landscape, identify and prioritize risks, articulate a target vision, and design a detailed roadmap that includes both quick wins and long-term strategies.