Digital sovereignty: The ability to act in uncertain times

Digital sovereignty: Your guide to strategic IT capability

Digital sovereignty determines how resilient your IT strategy remains in dynamic conditions. Whether it's cloud strategy, identity management or data usage, companies need to reassess their technological control capabilities. On this it-sa 365 topic page, you will find well-founded classifications, concrete approaches and practical ideas for a resilient, future-proof security architecture.

What does digital sovereignty mean and why is it crucial now?

Digital sovereignty describes the ability of organisations to operate their IT infrastructure, data, identities and software in a controllable, adaptable and legally compliant manner. It includes, among other things, sovereignty over data and encryption, freedom of choice among technology providers, transparency in software supply chains, and independent identity and access control based on open standards.

It is not about complete independence from technology providers. In a networked world, that would be neither realistic nor economically viable. What is crucial is the ability to adapt technological decisions even when regulatory, geopolitical or market conditions change.

In the European context, digital sovereignty is also a strategic location issue. The aim is to secure critical value chains, make dependencies transparent and strengthen innovation capacity in the European single market in the long term – through clear standards, resilient architectures and regulatory stability.

Those who operate irreplaceable systems, cannot control data access or tie business-critical processes to individual platforms lose strategic room for manoeuvre. Digital sovereignty is therefore an instrument of modern risk prevention. It protects against technological dead ends, regulatory conflicts and geopolitical dependencies, making it a key success factor for resilient IT strategies.

Challenges in the area of digital sovereignty

Digital sovereignty in practice: infrastructure, software, identity and data

From a technological perspective, digital sovereignty is based on four key areas of action. Only those who consistently control and secure infrastructure, software, identities and data can minimise risks, ensure compliance and remain capable of acting.

Infrastructure & Cloud: Freedom of choice

Software & applications: Trust through transparency

Identity & Access: The Sovereign Anchor

Data & AI: Control throughout the life cycle

Digital sovereignty affects every role – with different levers

Whether strategic management, operational implementation or regulatory responsibility: digital sovereignty is not an isolated IT issue. It affects decisions at management level as well as architecture, operational and compliance issues.

It is crucial to identify the relevant dependencies within your own area of responsibility and to reduce them in a targeted manner. You can find best practices for each area in this article.


For strategists and IT decision-makers

(e.g. CIO, CDO, management)

Focus: Resilience, investment protection and controllability

Digital sovereignty is a strategic risk management tool. It protects against uncontrollable cost increases, geopolitical influences and technological dead ends.

Key questions in this area are:

  • Where are there critical dependencies on suppliers?
  • Which systems are business-critical but cannot be replaced?
  • How resilient is our cloud and security strategy in the face of regulatory changes?

Possible courses of action are:

  • Establish exit capability as a KPI in IT architectures
  • Evaluate multi-cloud and hybrid strategies
  • Focus investments more strongly on open standards and interoperability
  • Define digital sovereignty as part of your corporate strategy

For IT and security professionals

(e.g. IT architects, administrators, SecOps)

Focus: Control, transparency and technological capability

Sovereignty is reflected in the architecture. Systems must be traceable, migratable and auditable – especially in security-critical areas.

Key questions in this area are:

  • Are our workloads portable?
  • Can we manage identities independently?
  • Do we know all software components and their dependencies?

Possible courses of action are:

  • Establish SBOM management
  • Implement zero trust architectures with your own policy control
  • Prioritise open interfaces
  • Check redundant identity and access models

For compliance and administration

(e.g. regulations, public sector, KRITIS)

Focus: Legal certainty, transparency and social responsibility

Digital sovereignty is a prerequisite for regulatory stability and government capacity to act in the areas of compliance, the public sector and critical infrastructure. European regulations such as NIS 2 and the Cyber Resilience Act require traceable, controllable and resilient IT structures. Transparent supply chains, auditable systems and sovereign procurement strategies are thus becoming strategic cornerstones of modern administration.

Key questions in this area are:

  • Are our IT systems auditable and documented?
  • How do we ensure transparency in software supply chains?
  • How can we prevent structural dependencies in critical infrastructures?

Possible courses of action are:

  • Integrate sovereignty criteria into procurement guidelines
  • Establish binding transparency requirements (e.g. SBOM)
  • Align cloud and data strategies with European standards
  • Regularly test resilience and emergency plans


5 best practices for digital sovereignty in IT security

Digital sovereignty is not achieved through strategy papers, but through architectural decisions. The following measures help to systematically reduce dependencies and make security risks manageable.


1. Test exit scenarios regularly

Document and simulate exit scenarios for business-critical cloud services on an annual basis. Be aware of migration duration, costs, technical hurdles and security risks before a change is forced upon you. Exit capability is a security feature.



2. Establish mandatory SBOM management

A Software Bill of Materials (SBOM) provides transparency about the components used and dependencies. In the context of the EU Cyber Resilience Act, it is increasingly becoming a regulatory standard. Only those who know their software supply chain can quickly and confidently fix vulnerabilities.
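The transparency this section asks for can be checked mechanically. The following added example (not code from it-sa 365 or any SBOM tool) audits a constructed CycloneDX-style SBOM for the fields an organisation needs to answer "what do we ship, from whom, in which version?", reports an SBOM-coverage figure of the kind the KPI discussion later on this page mentions, and answers the "are we affected?" lookup that a vulnerability report triggers. The sample SBOM, the required-field list and the function names are assumptions for illustration.

```python
"""Audit a CycloneDX-style SBOM for supply-chain transparency (added example)."""
import json

# Constructed sample SBOM (CycloneDX JSON subset); not a real product inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "portal", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.13"},
        # Missing supplier: we cannot say who is responsible for fixes.
        {"type": "library", "name": "log-shim", "version": "1.2.0", "purl": "pkg:npm/log-shim@1.2.0"},
        # No version, supplier or purl: an advisory cannot be matched against it.
        {"type": "library", "name": "vendor-sdk"},
    ],
})

# Fields without which a component cannot be traced back to its origin (assumed policy).
REQUIRED_FIELDS = ("name", "version", "supplier", "purl")


def audit_sbom(sbom_json: str) -> dict:
    """Return component count, fully documented count, coverage ratio and per-component gaps."""
    components = json.loads(sbom_json).get("components", [])
    gaps = {}
    for comp in components:
        missing = [field for field in REQUIRED_FIELDS if not comp.get(field)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    complete = len(components) - len(gaps)
    coverage = complete / len(components) if components else 0.0
    return {"components": len(components), "complete": complete,
            "coverage": round(coverage, 2), "gaps": gaps}


def find_component(sbom_json: str, name: str) -> list:
    """List the shipped versions of a component named in an advisory ('unversioned' if unknown)."""
    components = json.loads(sbom_json).get("components", [])
    return [comp.get("version") or "unversioned" for comp in components if comp.get("name") == name]


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM)
    print(f"SBOM coverage: {report['coverage']:.0%} ({report['complete']}/{report['components']})")
    for comp_name, missing in report["gaps"].items():
        print(f"  {comp_name}: missing {', '.join(missing)}")
    print("openssl versions shipped:", find_component(SAMPLE_SBOM, "openssl"))
```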



3. Encryption with your own key sovereignty (BYOK)

Utilise cloud infrastructures, but retain control over cryptographic keys (Bring Your Own Key). Without control over your own keys, there is effectively no complete data control.


4. Build identity redundancy

Central identity providers can become a single point of failure. Hybrid IAM architectures with local fallback – especially for administrative access – ensure operational capability even in the event of failures or political restrictions.



5. Prioritise open standards over proprietary features

When making new purchases, rely on interoperable standards such as OIDC or S3-compatible APIs. Open interfaces increase portability, reduce lock-in risks and strengthen long-term security architectures.



Conclusion: Digital sovereignty is strategic IT security

Europe is increasingly becoming a global trendsetter for cyber resilience, data protection and secure digital infrastructures. Organisations that embrace European standards, transparent supply chains and sovereign architecture principles at an early stage not only ensure compliance, but also long-term innovation and competitiveness.

Digital sovereignty is therefore not just risk prevention – it is strategic positioning in the European market.


Strengthening digital sovereignty – in the it-sa 365 community

Digital sovereignty is built on knowledge, collaboration and strong networks. Connect with IT security experts in the it-sa 365 community, share experiences and stay informed about the latest developments.

As a member, you’ll benefit from:

  • Exchanges with peers and industry experts
  • Exclusive specialist content and insights
  • Personalised topic feeds on relevant security trends
  • Direct access to solution providers

FAQ on digital sovereignty

Digital sovereignty means being able to operate IT infrastructure, data, identities and software in a controllable, adaptable and legally compliant manner. The aim is to reduce technological dependencies and secure strategic freedom of action.

Geopolitical tensions, stricter EU regulations such as the NIS 2 Directive and the EU Cyber Resilience Act, and increasing cloud and platform dependencies are raising the risk of a strategic loss of control.

No. Digital sovereignty does not mean isolation, but freedom of choice. Multi-cloud strategies, exit scenarios and key sovereignty enable cloud usage without complete dependency.

IT security is a core component of digital sovereignty. Without control over identities, encryption, software supply chains and data flows, true sovereignty cannot exist.

Through open standards, interoperable interfaces, documented exit strategies, portable workloads and modular architectures.

An SBOM lists all software components and dependencies. It increases transparency, facilitates security audits and is relevant from a regulatory perspective in the context of the EU Cyber Resilience Act.

Central identity providers can become single points of failure. A sovereign architecture requires redundancy, its own policy control and, if necessary, hybrid IAM models.

GDPR compliance regulates data protection. Data sovereignty goes further and encompasses control over storage location, access, encryption, interoperability and use, particularly in the context of AI.

Through KPIs such as exit capability, degree of standardisation, number of critical vendor dependencies, SBOM coverage, or key sovereignty in cloud environments.

By conducting a risk analysis of critical dependencies – particularly in the cloud, identity management and software supply chains – and defining clear architectural principles.