Why Inaction Puts Executives at Risk
Digital sovereignty in organizations
Digital sovereignty plays a crucial role in whether organizations can proactively influence critical situations or merely respond to them. It mitigates risks associated with supply chains, cloud dependencies, and compliance—if it is established as a management priority rather than being viewed as a standalone IT project. The foundation for it lies in four management principles and an honest assessment of your existing situation.
Digital sovereignty: awareness among executives, dependence in practice
Recent studies indicate a significant dilemma within the executive suites of German companies. Digital sovereignty is acknowledged and deemed a vital success factor for their businesses (source: ZEW on behalf of the Federal Ministry for Economic Affairs and Climate Protection). Concurrently, surveys conducted by the industry association bitkom highlight considerable dependencies:
- 90 percent of companies rely on overseas providers or partners (source: bitkom)
- Almost two-thirds of companies in Germany would be unable to operate without cloud services (source: bitkom)
Digital sovereignty is therefore not merely a theoretical topic for the future; it represents a tangible risk factor for business models, value chains, and corporate governance.
Why is the implementation of digital sovereignty stalling in many companies?
In our daily experiences, we frequently notice a particular trend: board members and management express their dedication to digital sovereignty, yet when faced with actual implementations, they revert to traditional methods. This theoretical dedication is at odds with a practical mindset of “We've always done it this way.”
This seems understandable: Economic challenges, along with cost and time constraints, regulatory ambiguities, and entrenched structures, render change significantly more complicated than what strategy presentations imply. Moreover, a further hurdle is the perception of digital sovereignty as a substantial initiative in itself – an "extra construction site" that runs parallel to existing transformation and efficiency programs.
A productive strategy, however, could involve directly linking digital sovereignty to current initiatives, realignments, and transformation projects within the company, instead of addressing it separately. For instance, if a decision regarding cloud migration is on the table, sovereign variants can be executed with relatively little extra effort – as long as digital sovereignty is taken into account from the outset. Simultaneously, this establishes a reference project for subsequent actions aimed at enhancing sovereignty.
Real-world examples: When a lack of digital sovereignty becomes expensive
Digital sovereignty plays a crucial role in whether organizations can proactively influence critical cases or merely respond to them. Common trends can be seen in real-world scenarios:
- Strong ties to proprietary services: Databases, message queues, or analytics platforms that are hard or even impossible to substitute – despite the availability of sovereign alternatives.
- Lack of exit strategies: No documented migration paths in case a provider (e.g., supply chain service provider, but also hyperscaler) fails or needs to be changed.
- Unclear responsibilities: When it comes to data storage and incident management (especially in an outsourcing environment), it is often unclear who has to make which decisions in an emergency.
- Lack of effectiveness checks: Compliance guaranteed in the service provider contract does not equate to actual security and effective resilience.
In practice, these trends can become a problem more quickly than expected. Two examples illustrate this.
Example 1: Proprietary software as a cost and flexibility trap
A hidden champion in the automotive supply sector relies on specialized software for managing its production. Everything runs seamlessly—until the provider unexpectedly alters its pricing model and ceases support for previous versions. The consequences:
- Cost explosion: The company is compelled to allocate significant funds quickly or seek alternatives while under immense pressure.
- Limited ability to act: The proprietary architecture makes migration practically impossible without massive effort.
- Production delays: Critical updates can now only be accessed via costly service agreements, leading to software issues that impact the production process.
Example 2: External service provider as an unrecognized weak point
A prominent industrial machinery manufacturer has delegated the management of its cloud-based data platform to an external IT service provider. An internal audit has uncovered that sensitive product information and customer data are accessible through poorly secured interfaces.
- Unnoticed data access: The service provider has access to critical company data, although the exact extent of this access cannot be fully traced.
- Regulatory risks: There is a risk of violations of data protection and export control regulations, as some of the data is stored outside the EU without explicit permission.
- Weaknesses in the supply chain: The IT service provider uses subcontractors in third countries, which multiplies the security risks.
Digital sovereignty is not merely a theoretical IT risk; it fundamentally concerns a company's ability to operate effectively. Consequently, it transcends being just an IT matter. It is, in fact, a management concern.
What does digital sovereignty really mean for companies?
Digital sovereignty is not a final destination; rather, it is the capacity to manage risks effectively. In this context, sovereignty does not imply attaining self-sufficiency at all costs, but rather involves deliberately engaging in dependencies, minimizing them, and having the ability to make changes when uncertainty arises. Ultimately, while complete independence is unrealistic, the ability to maintain control is within reach.
To attain this level of control, a definitive management position is essential for the entire company to rally around. It is only when this position is established at board level that all parties involved can systematically collaborate to ensure the company achieves digital sovereignty. Formulating clear principles for this purpose is beneficial:
- They enable consistent decisions to be made in uncertain situations.
- They create a common basis across departments, functions, and locations.
- They prevent solutions from being implemented without assessing their effects on sovereignty and resilience.
Four guiding principles for making controllable decisions
We believe there are four principles that make a difference in practice when it comes to systematically establishing digital sovereignty.
- Controllability over convenience
Decisions ought to be made in a manner that keeps options available and allows the organization to stay flexible. This principle holds true even when the well-known route appears to be the simpler choice in the short run. The ease of today should not turn into a hindrance for tomorrow.
- Real control instead of compliance on paper
Guidelines, policies, and governance frameworks are insufficient if their effectiveness cannot be demonstrated. What truly counts is the effectiveness of controls, the actions taken by those in charge, and the actual reduction of risks—not merely the availability of documents.
- Be prepared for change
Alternatives need to be identified, assessed, and carefully considered from both a technical and organizational standpoint while things are calm, rather than solely in moments of crisis. Those who proactively develop exit strategies, migration paths, and contingency plans in advance acquire crucial time and flexibility when faced with an emergency.
- Technology follows attitude
Technologies, platforms, and architectures should consistently follow the previously defined attitude toward digital sovereignty. Individuals, roles, and processes need to be empowered first—resilience isn't solely about having the right tools. It is essential to define roles, responsibilities, and decision-making processes clearly before committing to any technology investments.
What is the first step that can be taken to achieve digital sovereignty?
A definitive position on digital sovereignty is essential at the management level. However, having a position is not sufficient. Before organizations can take action, they must conduct an honest assessment of their current situation: Where are we really at? Where are our blind spots? What risks are present – particularly in vital processes, infrastructures, and supply chains? What alternatives are available to us in the short, medium, and long term?
A structured overview of the situation creates transparency regarding dependencies, controllability, and priorities. It enables you to prepare sound decisions rather than reacting impulsively.
In the second installment of this series, we will demonstrate how a situation assessment operates in real life, the various dimensions it includes, and the questions you ought to consider during the process.
How can we help you put digital sovereignty into action?
Our specialists are looking forward to hearing from you.