How's Your Digital Sovereignty?

The CrowdStrike case serves as a cautionary example here. A faulty software update from the US security provider led to millions of Windows systems crashing worldwide in July 2024; in Germany, almost half of the affected organizations had to temporarily shut down operations, resulting in billions in economic damage.

The case of Karim Khan, chief prosecutor of the International Criminal Court, vividly illustrates how quickly cloud providers can block access to key services in response to political pressure: Following sanctions imposed by US President Donald Trump against the Hague court in February 2025, Microsoft promptly blocked Khan's email account to avoid coming under scrutiny from US authorities itself.

Being dependent on companies that don't fall under European jurisdiction puts your control over your own data and data protection at risk. For example, US authorities potentially have access to all data stored by US service providers, even if it is located on German or European servers. This is because surveillance laws such as the CLOUD Act and FISA Section 702 require US service providers to grant authorities access to all data – even if it is stored outside the US.

This is particularly problematic when it comes to SSL/TLS termination: in order to identify malicious traffic and defend against encrypted attacks, CDN service providers and web application protection providers must temporarily break HTTPS encryption. This also exposes personal data and confidential information such as business secrets, medical diagnoses, or strategy papers. Only the use of European service providers can guarantee data sovereignty and GDPR compliance in the long term.

• Set a goal for digital sovereignty: Define how much independence and control you want to achieve in the various dimensions (infrastructure, software, data, expertise).

• Align with corporate strategy: Digital sovereignty should be an integral part of your overall strategy to ensure long-term control and competitiveness.

• Systematic risk analysis: Assess the risks arising from existing dependencies (e.g., lock-in effects, business interruption risks, compliance violations, loss of knowledge).

• Prioritize areas for action: Identify particularly critical or sensitive areas where dependency needs to be reduced.

• Technological measures: Check out alternatives to proprietary solutions, like using open source software, multi-vendor strategies, or moving to sovereign cloud services.

• Organizational measures: Promote internal expertise (e.g., through training), establish responsibilities for digital sovereignty, and build internal competencies.

• Procedural measures: Implement continuous monitoring of the IT infrastructure and conduct regular security and compliance audits.

• Contractual measures: Negotiate contracts specifically to ensure data portability, exit strategies, and interoperability.

• Implementation of measures: Implement the prioritized measures, e.g., by migrating critical systems, introducing open source, or setting up redundant systems.

• Monitoring and performance review: Continuously monitor the effectiveness of measures and regularly adapt the strategy to new technological and regulatory developments.

• Raise awareness and get employees involved: Promote awareness of digital sovereignty and involve relevant stakeholders at an early stage.

• Transparent communication: Report internally and externally on progress and challenges to ensure acceptance and support.