At a recent Digital sovereignty in practice event, public sector leaders and practitioners came together to discuss one of the least clearly (yet) defined concepts in technology governance right now: digital sovereignty.
The conversation featured Kalle Ylä-Anttila from Yleisradio, Maarit Waskilampi-Kuikka from the City of Espoo, Mikko Saariaho from Fintraffic, Jani Kykyri from Terveystalo, Tuomas Lindholm from Sevendos, and Mikael Kopteff and Juha Rantanen from Reaktor.
Digital sovereignty does and will continue to mean different things for each organization, but the useful questions to ask are the same:
- What data is critical to us?
- Where does that critical data reside?
- What are our critical systems and operations?
- How dependent are we on individual actors, suppliers, providers, or nations?
- What’s the plan if something becomes unavailable?
Sovereignty is a risk management question, not an ideology
Digital sovereignty is risk management. Where does your critical data live? How dependent are you on a single supplier or a single country? Which systems, if they went down, would genuinely stop you from operating?
Complete independence isn't the goal, and in a globally interconnected world, it's not even sensible to pursue. The more useful question is whether you're self-sufficient in the things that actually matter. Identifying those things, and making conscious choices about them, is where the real work starts.
Context determines what sovereignty means
There's no universal definition of sovereign that applies across all organizations and all data. For some, the priority is keeping sensitive data absolutely locked inside the organization, for others, making sure a service stays up regardless of what's happening externally.
Take an example from traffic control: When a train control software fails, the fallback isn't necessarily always digital. It's people in the field, directing trains manually. The physical and analog layers can still be part of the resilience architecture. The point is to map the risk and have a plan ready to go if it materializes.
From European cloud alternatives to cloud portability and interoperability
Cloud-first remains the right default for many organizations. But the evaluation framework around cloud decisions needs to account for the sovereignty angle in a way that most procurement processes or technology decisions haven’t in the past.
European cloud alternatives do exist, and in larger numbers than the "there are no European options" narrative suggests. Finland has UpCloud, Germany and France have providers that can run AI models, and the hyperscalers themselves are building localized European infrastructure and teams. The honest limitation of European alternatives right now is capacity. For large organizations with serious production workloads, the ceiling comes down fast.
The more productive framing isn't European versus American providers. It's about portability. Building systems so that critical components can be moved, or run locally when a SaaS service goes down, is one of the largest investments an organization can make in its own resilience.
Portability requirements can also be written straight into procurement requirements, though no one would yet argue that it's easy.
Organizations also need to consider the interoperability of partners and vendors. The ability to move a critical component from one provider to another assumes those providers can actually operate alongside each other. And it’s what actually enables portability and gives you the freedom from vendor lock-in.
Alongside portability requirements, organizations should be asking vendors how their systems communicate with others, what open standards they support, and where they've built deliberate lock-in into the product. Those answers tell you more about long-term sovereignty than almost anything else in a contract.
The question worth carrying forward: How digitally sovereign and resilient are you?
What you can do, is move toward greater sovereignty where you can, in the areas where it counts, without treating every component as equally critical. A solid approach could be phrased as 'Sovereignty first, at the points where it matters most'.
If someone came to evaluate your organization's digital resilience today, what would you have to show them?
Again, there’s no one answer, nor a right answer.
But, the window for making thoughtful choices, before those choices have to get made under pressure, can be narrower than it appears.
