Digital Sovereignty – Europe’s Path Back to Technological Self-Determination

June 26, 2026

Why a political vision has become a strategic necessity for the economy, public administration and critical infrastructure

Hardly any other term is currently shaping the debate on the future of Europe as a digital business hub as profoundly as ‘digital sovereignty’. At first glance, the term forms part of a long line of technological buzzwords that have shaped business and politics over recent decades. ‘Industry 4.0’, ‘cloud computing’, ‘big data’, ‘Internet of Things’, ‘Smart Factory’, ‘Zero Trust’, ‘Cyber Resilience’ or, most recently, ‘Artificial Intelligence’ have each signalled profound shifts in technological development. In parallel, regulatory initiatives such as NIS2, DORA, the AI Act and the Cyber Resilience Act have moved to the forefront of political debate. Some of these terms disappeared from public discourse after a short time, whilst others have become integral parts of modern corporate and security strategies.

Digital sovereignty, however, differs fundamentally from many of its predecessors. It describes neither a new technology nor a specific product or an innovative process. Rather, it stands for the ability to shape digital developments autonomously and to make technological decisions independently. Behind this lies a question whose implications extend far beyond information technology: who will determine Europe’s digital agency in the future – European companies and institutions, or those international platform operators and software conglomerates on whose solutions the economy and public administration are now largely dependent?

Just a few years ago, this question would probably have been discussed primarily within academic or political circles. Today, it is of great relevance to economic and security policy. The experiences of recent years – disrupted supply chains, geopolitical tensions, Russia’s war of aggression against Ukraine, and the growing rivalry between the United States and China – have made it clear that economic stability and technological independence are closely intertwined. At the same time, there is a growing awareness that digital infrastructures have long since become part of critical public services. Data centres, cloud platforms, communications networks and artificial intelligence systems now form the foundation of almost all economic and social processes. Whoever controls this infrastructure influences not only the capacity for innovation and competitive strength, but increasingly also the resilience of modern economies.

This development is particularly evident among operators of critical infrastructure. Energy supply, healthcare, telecommunications, transport and public administration are now dependent on functioning digital systems to an extent that would have been almost unimaginable just a few years ago. Cyber-attacks, sabotage and technical failures are now among the realistic risk scenarios facing modern security architectures. Less obvious, but equally significant in the long term, are the technological dependencies arising from business models. If product cycles, licence terms or further developments of core software are determined exclusively by a handful of global providers, companies gradually lose control over their own digital infrastructure. Digital sovereignty therefore does not begin with the defence against cyberattacks, but rather with the strategic design of a company’s own IT landscape and the conscious selection of technology partners.

Against this backdrop, it is hardly surprising that the issue has become a key challenge for economic and industrial policy. An important impetus was provided by the joint Franco-German position paper on digital sovereignty, which brings together technological self-determination, economic competitiveness and European values within a common strategic framework for the first time. The Federal Association of IT SMEs (BITMi) expressly welcomed this initiative, but at the same time made it clear that political guiding principles alone are not enough. As long as ambitious goals are not underpinned by concrete measures, reliable timetables and appropriate funding instruments, there is a risk of mere ‘sovereignty washing’. From the association’s perspective, European IT SMEs therefore have a key role to play. For years, its member companies have been developing innovative solutions for business and public administration; however, in many cases, these are still not given the consideration in political strategies and public procurement procedures that corresponds to their actual significance.

It is noteworthy that numerous SMEs have long been ahead of the political debates. Whilst discussions on definitions, standards and responsibilities are still ongoing at European level, many companies have already fundamentally changed their technological focus. This shift was rarely driven by political programmes or regulatory requirements. Rather, it was concrete experiences from day-to-day business operations that led to a change in thinking. Recurring adjustments to third-party product cycles, rising licence costs, a lack of transparency in complex software stacks, and legal uncertainties in international data transfers made it clear that technological dependencies are increasingly becoming a business risk.

Digital sovereignty is thus evolving from a political vision into a concrete management task. It does not merely concern the selection of individual software products or the location of a data centre. Rather, it encompasses the ability to make technological decisions autonomously, to maintain long-term control over critical processes, and to shape innovation strategies independently of the business models of external platform providers. The BITMi describes this concept on the basis of five key elements: technological self-determination, compliance with European law, data sovereignty, digital resilience and digital value creation. Together, they form the framework for an understanding of digital sovereignty that goes far beyond issues of data protection or cloud usage and takes the entire digital value chain into account.

Business practice demonstrates that this development is by no means merely a theoretical discussion. Across a wide range of sectors, strategies are currently being developed to enable companies to strengthen their digital agency and reduce technological dependencies. Some are investing consistently in in-house software development, whilst others are establishing transparent evaluation criteria for sovereign IT infrastructures, building European cloud ecosystems, or viewing regulatory requirements as the starting point for a fundamental modernisation of their digital architecture. Despite all their differences, these initiatives share a common goal: regaining technological autonomy. Digital sovereignty is thus increasingly becoming a competitive factor that influences economic performance, innovative strength and resilience in equal measure.

The following practical examples illustrate how differently companies are pursuing this path and what strategic consequences arise from it. They illustrate that digital sovereignty is not a rigid concept, and certainly not a short-term fad, but a long-term transformation process that poses challenges for businesses as well as for politics and society.

From political vision to business reality

Policy documents, funding programmes and regulatory initiatives provide important guidelines for digital transformation. However, whether digital sovereignty is actually achieved is not decided at government conferences or in European negotiations, but within the companies themselves. It is there that investment decisions are made, software architectures developed and technologies selected – decisions that often determine a company’s performance for many years to come. It is precisely here that it becomes clear that digital sovereignty is no longer an abstract vision of the future, but is increasingly becoming an integral part of corporate strategy.

It is striking that the motivations of many companies are remarkably similar, whilst their approaches to solving problems differ significantly. Only rarely did political programmes or industrial policy considerations mark the start of a transformation process. Rather, the triggers were practical experiences: recurring adjustments to third-party product cycles, rising licence costs, a lack of transparency in complex software landscapes, or legal uncertainties regarding cross-border data transfers. Many companies arrived at the same conclusion independently of one another: any organisation that bases its core business processes permanently on technologies whose development and strategic direction lie beyond its own sphere of influence places itself in a position of dependency that can, in the long term, impair its capacity for innovation and its competitive strength.

TEK-SERVICE AG provides a clear example of this. Since 2000, this family-run business has been developing web-based procurement solutions for public sector organisations and medium-sized enterprises. However, the term ‘digital sovereignty’ – now widely used – did not feature at the start of the transformation process. Rather, it was recurring experiences in day-to-day operations that prompted the company to rethink its approach. Regular product and version updates from a dominant international software provider meant that bespoke customer solutions had to be continually adapted or redeveloped. Development resources were thus increasingly channelled into ensuring compatibility with external platforms, rather than providing new functions for customers.

Rather than undertaking a radical technological change, TEK-SERVICE opted for a long-term, step-by-step overhaul of its own system landscape. Over the course of several years, in-house software components were developed in parallel with day-to-day business operations, gradually replacing the existing infrastructure. Planning, development, testing, documentation and the transfer of knowledge to staff and customers took place continuously whilst operations continued. It was only after the completion of this long-term transformation process that the new platform was fully commissioned at a German data centre. Since then, further developments have been guided exclusively by customer requirements and no longer by product cycles, licensing models or strategic decisions made by external software providers. The company thus serves as a prime example of a path along which technological autonomy has been built up step by step, without jeopardising the continuity of day-to-day operations.

Whilst TEK-SERVICE focuses primarily on technological self-determination, VITAS concentrates on another core aspect of digital sovereignty – the sovereign handling of sensitive data. The company develops AI-supported telephone assistance systems for healthcare organisations and decided at an early stage to rely consistently on European infrastructure when processing personal health data. The decisive factor was the realisation that the physical location of a data centre alone does not provide a reliable indication of the actual legal sovereignty over data. International regulations such as the US CLOUD Act make it clear that data may be subject to non-European legal jurisdictions even when stored within Europe.

For hospitals, doctors’ practices and other organisations handling particularly sensitive information, the company believes that the statement ‘hosted in Germany’ is therefore insufficient. What matters far more is who operates the technical infrastructure, which jurisdiction the providers are subject to, and whether key components such as language processing or large language models can be controlled independently. VITAS therefore made targeted investments in developing its own European platform components. The associated investments were substantial, but at the same time strengthened the company’s technological autonomy and increased its customers’ confidence in the secure handling of sensitive health data.

Schwarz Digits is pursuing a different approach. The focus there is less on the development of individual applications and more on the question of how digital sovereignty can be objectively assessed and made comparable. The ‘European Sovereign Stack Standard’ (ES³) is an assessment model that analyses digital services against more than one hundred criteria. The aim is to provide companies with a transparent basis for decision-making when investing in sovereign IT infrastructures, whilst at the same time creating transparency regarding complex technology stacks.

This approach highlights that digital sovereignty cannot be reduced to the location of data centres or the origin of individual software products. Only by considering the entire technology stack – from the infrastructure and the software used through to operational processes, responsibilities and the legal framework – is it possible to make a robust assessment of actual technological capacity for action. Furthermore, by having the standard independently audited by the accountancy firm BDO, Schwarz Digits aims to develop digital sovereignty from a political objective into a verifiable quality benchmark.

These three examples already illustrate how differently companies are charting their course towards greater technological autonomy. Whilst TEK-SERVICE focuses on long-term in-house development, VITAS concentrates on sovereign data processing in the healthcare sector. Schwarz Digits, for its part, is creating tools that, for the first time, allow digital sovereignty to be systematically measured and compared. Despite their differing business models, the companies are united by a shared understanding: digital sovereignty does not arise from a single technology or a specific product. It is the result of strategic decisions that take equal account of architecture, operations, data sovereignty, innovation and long-term corporate development.

This, in turn, is changing the way we view digitalisation itself. For many years, the focus was primarily on speed, scalability and economic efficiency. Today, another dimension is gaining in importance: the ability to continue developing digital technologies in the long term within one’s own economic, legal and organisational framework. Digitalisation and digital sovereignty are therefore not opposites. Rather, sovereignty is increasingly becoming a prerequisite for ensuring that digitalisation can be shaped in a way that is resilient, trustworthy and capable of innovation in the long term.

Resilience, regulation and innovation – Why digital sovereignty is becoming a key challenge for Europe’s future

The practical examples illustrate that digital sovereignty encompasses far more than simply choosing a particular cloud provider or operating a data centre within Europe. It is changing the way we view the entire digital value chain – from the development and operation of digital services, through the selection of strategic partners, to the long-term control of business-critical systems. At the same time, the issue is gaining further momentum as a result of European regulation. Directives and regulations such as NIS2, the Data Act, the AI Act and the Cyber Resilience Act are often discussed primarily in terms of increasing compliance requirements. In fact, however, they mark a fundamental shift in perspective. For the first time, the focus is not solely on the technical security of individual systems, but on the ability of companies to maintain long-term control over, understand and take responsibility for their digital infrastructure.

This is particularly evident in the implementation of the NIS2 Directive. Whilst many organisations initially focus on the additional documentation and organisational burden, the Directive also opens up the opportunity to fundamentally review existing IT structures. One of its key components is the consideration of the entire supply chain. In future, companies will not only have to ensure the security of their own systems, but also assess risks that may arise from software suppliers, cloud service providers or external IT partners. As a result, issues of transparency, traceability and technological dependency are coming more into focus in business decision-making.

This is precisely where Basec GmbH’s argument comes in. The company does not view NIS2 primarily as an additional regulatory obligation, but rather as a strategic impetus for the sustainable modernisation of existing IT landscapes. Any organisation that is already evaluating suppliers, analysing risks and reviewing existing contracts as part of the implementation process should seize this opportunity to strengthen its own technological independence at the same time. European cloud providers, open-source technologies or specialised security service providers can help to reduce dependencies whilst better meeting the requirements for data protection, information security and compliance. From this perspective, NIS2 is evolving from a legal obligation into a tool that supports companies in building up their digital resilience in the long term.

However, digital sovereignty by no means implies having to develop or operate all IT services in-house in future. Rather, it is about the ability to consciously manage responsibility and to be able to make critical decisions independently at any time. Esono AG takes up this idea. According to the company’s observations, the discussion surrounding cloud strategies has changed significantly in recent years. The focus has long since shifted away from the fundamental choice between the public cloud and in-house infrastructure. Instead, companies are seeking operating models that combine professionally managed services with the greatest possible transparency and control. Particularly for applications in the fields of software development, data analysis and artificial intelligence, hybrid operating models are increasingly emerging, in which specialised service providers take over technical operations whilst data sovereignty, governance and strategic responsibility remain with the company. Digital sovereignty thus becomes not a synonym for in-house operation, but for the ability to consciously organise and consistently exercise responsibility.

Another key component is provided by Mitteldeutsche IT GmbH, whose approach centres on the discussion surrounding a European cloud value chain. The company aims to establish a digital ecosystem that interconnects European cloud infrastructures, office applications, communication solutions and AI technologies. What is remarkable here is not so much the technical implementation as the strategic thinking behind it. Digital sovereignty is not seen as a substitute for individual products, but rather as the interplay of coordinated components that offer companies a genuine alternative to international platform ecosystems. At the same time, this example demonstrates that economic competitiveness and European technologies need not be a contradiction. Experience from client projects shows that transparent cost structures, short decision-making processes and close collaboration with regional partners are often just as important as technical performance or scalability.

Taken together, the examples presented make it clear that digital sovereignty can be achieved in a wide variety of ways today. TEK-SERVICE strengthens technological independence through consistent in-house development; VITAS combines data sovereignty with the specific requirements of the healthcare sector; Schwarz Digits develops evaluation criteria for sovereign IT architectures; Basec views regulation as a driver of innovation; Esono highlights new forms of responsible cloud usage; and Mitteldeutsche IT is establishing European value-added structures. Together, these approaches illustrate that digital sovereignty is not a rigid technical concept, but rather a strategic framework that is tailored to the respective business models and requirements of different sectors.

This is simultaneously changing the role of European SME IT firms. For many years, they were primarily perceived as specialised solution providers occupying individual niches or complementing large platforms. However, current developments paint a different picture. SME IT companies are increasingly developing independent platforms, creating technological alternatives and driving innovation in areas that are equally important for both the private sector and public administration. A study by the Chair of Business Informatics at the University of Potsdam impressively underscores this development. According to the study, 44.3 per cent of SMEs in Germany already rely on software solutions from SME IT providers. More than one in five large enterprises also uses such solutions. These figures refute the commonly held assumption that digital innovation originates exclusively from international technology conglomerates. Rather, it is evident that European SME IT providers have long since become key drivers of innovation in the digital transformation.

Against this backdrop, attention inevitably turns to the political framework. The Federal Association of IT SMEs (BITMi) has long been calling for the capabilities of SME providers to be given greater consideration in digital strategies, funding programmes and public procurement procedures. This is explicitly not about protectionism or the isolation of European markets. Rather, the aim is to create a level playing field where technically equivalent solutions are available. In this sense, digital sovereignty means, above all, freedom of choice. Only when companies can actually choose between different high-performance offerings does the technological self-determination that lies at the heart of the concept emerge.

The debate on digital sovereignty will therefore continue to shape Europe well beyond the current legislative term. The changes currently being driven by digitalisation, artificial intelligence and geopolitical shifts are simply too far-reaching. It is likely that this concept too – like many technological paradigms before it – will continue to evolve and take on new dimensions. However, it is already becoming apparent that digital sovereignty describes far more than just a political objective. It is developing into a strategic guiding principle that links economic competitiveness, technological innovation and societal resilience.

The companies presented in this article demonstrate that this transformation has already begun. They pursue different strategies, respond to different market demands and prioritise different technological areas. What they have in common, however, is the conviction that long-term competitiveness is inextricably linked to the ability to act technologically. Digital sovereignty is thus not an end in itself, but a prerequisite for companies, public administrations and operators of critical infrastructure to be able to shape the digital transformation in the long term in accordance with their own economic, legal and societal aspirations. Whether Europe achieves this goal will therefore be determined less by policy statements than by the investment, development and innovation decisions made by its companies. It is here that it will ultimately become clear whether a political vision can be transformed into a sustainable foundation for Europe’s digital future.
