Digital infrastructure is now the indispensable foundation of all economic activity. At the same time, the demands for data privacy, availability, and legal security are growing. With the current discussions surrounding the CLOUD Act, the impact of international sanctions, and the debate over training data for AI systems, one question is coming to the forefront:
How can companies secure their technological agency and independence for the long term?
IT sovereignty, understood as the ability to have full control over all aspects of data, systems, and technological decisions, is becoming a strategic business objective.
In this blog, we will explore the specific technical and organizational measures that help companies regain and sustainably secure their freedom to make decisions and shape their critical systems and data. We will examine the concept of IT sovereignty from the perspective of our concrete consulting practice – always in relation to real-world project requirements. Our goal is not to provide a universal definition or a political statement, but to address practical questions: What challenges related to IT sovereignty are emerging in IT projects today, and what approaches can help companies weigh the associated risks?
For a variety of reasons, digital dependencies can quickly become a business-critical vulnerability. According to a study by BARC [1], companies see legal requirements (69%), political developments in the US (46%), cybersecurity incidents (42%), and the general risks of dependency on public cloud offerings (40%) as the primary drivers of this topic.
This sentiment is fueled by a multitude of developments.
On the regulatory side, legal tensions between European regulations like the GDPR and international laws such as the US CLOUD Act, which allows US authorities to access data stored outside the US, play the most prominent role. For our clients in the DACH region, this creates significant uncertainty, both from a legal perspective – in terms of legal certainty – and strategically with regard to their own IT sovereignty.
This growing uncertainty is amplified by specific incidents where individuals' access to cloud services was blocked by government order. Particularly striking was the case in the spring of 2025 involving the chief prosecutor of the International Criminal Court: he used the email services of a major American cloud provider, which were suspended on short notice due to US sanctions. This action was interpreted worldwide as a warning signal for a lack of digital sovereignty [2,3].
Past incidents also show how strongly political decisions can influence digital services. For example, a globally used code-sharing platform and a widespread communication and collaboration tool restricted access for users in countries like Iran, Syria, and Cuba, sometimes without warning and with immediate consequences for ongoing projects [4,5].
Another driver of the IT sovereignty debate is the increasing importance of data as an economic asset. Training data for AI applications, research data, or technical operational data are not only sensitive but often decisive for business success. Whoever loses control over this data risks more than a data privacy breach – they potentially lose the ability to drive their own innovation.
Changes in software licensing models or pricing can also have significant impacts on companies, creating both economic and legislative challenges. IT sovereignty in the form of system portability allows for a flexible response to such changes – for instance, by switching software providers in response to unfavorable developments, rather than being at the mercy of a single vendor.
These examples make it clear: technological dependencies often only surface in exceptional circumstances but develop gradually over a longer period – for example, through contractual obligations, proprietary standards, or inflexible licensing models. In many cases, a long-term commitment to specific providers leads to a so-called vendor lock-in—a dependency that makes switching to other solutions difficult or economically unattractive. This is another area where IT sovereignty comes into play: it creates the technical and contractual conditions to deliberately avoid such lock-in situations.
When implementing IT sovereignty, different interests and perspectives collide – which complicates not only the selection of suitable solutions but also communication about them. It is therefore important to understand the objectives pursued by the respective stakeholders:
These different perspectives mean that "sovereignty" is interpreted differently depending on the context.
From a business perspective, the discussion around IT sovereignty can be broken down into three central areas of action:
Data Confidentiality: Any form of data storage creates potential risks of unauthorized access. This gives rise to fundamental security requirements, regardless of where the data is stored. In the cloud, however, additional dimensions come into play. On one hand, there is the possibility of government access, as regulated for US hyperscalers under the CLOUD Act or FISA. On the other hand, in a shared responsibility model, one is also generally dependent on the cloud provider diligently fulfilling its security and confidentiality obligations.
Service Availability: The provision of digital services often depends on individual providers. In the event of political measures, trade conflicts, adjustments to licensing models, or critical changes to a service's functionality during an update, core value-chain processes can be suddenly and severely jeopardized. This risk affects not only infrastructure but also services at the application level. For example, after the start of the Russian war of aggression against Ukraine, the three major hyperscalers announced in unison that they would no longer offer new products or services in Russia – a move that was seen as a clear signal of geopolitically motivated restrictions on digital services [6].
Legal Certainty: Legal requirements are constantly changing—at the European level through regulations like the GDPR, the Data Act, or DORA, and at the national level through laws like Germany's IT Security Act 2.0. The latter, for example, obligates operators of critical infrastructure to use attack detection systems and provide proof of compliance to the German Federal Office for Information Security (BSI) [7]. For companies, this means IT systems must not only comply with the current legal framework but also be flexibly adaptable to future changes, such as new reporting obligations, control mechanisms, or protection requirements.
IT sovereignty provides the structural foundation for these three areas of action. It creates the latitude to not only cope with regulatory and technological change but to proactively integrate it into IT architecture decisions, software strategies, and the selection of external service providers.
In public discourse, IT sovereignty is often equated with complete technological independence. In business reality, the question is more nuanced: Which dependencies are tolerable, which are critical, and which can be reduced with reasonable effort?
Not every technological dependency is inherently a disadvantage—on the contrary. For example, the targeted use of cloud services from major hyperscalers can, of course, also bring significant benefits to companies. These solutions are often technologically mature, highly scalable, and enable the rapid implementation of innovative ideas. They offer access to state-of-the-art technologies like AI, data analytics, or global infrastructure without companies having to build and operate them themselves. Here, the immediate business benefit can outweigh the potential risks of dependency – especially when this dependency is entered into consciously and managed strategically. In this context, IT sovereignty does not necessarily mean complete self-sufficiency, but rather the ability to make technological decisions in an informed and self-determined manner – even if this includes the use of external services.
The key is to consciously manage technological dependencies, not to avoid them wholesale. Whoever manages data with sovereignty and remains independent in technological decisions creates the foundation for innovation, adaptability, and sustainable digital value creation.
This way, data is not only protected but can be used strategically: for instance, for AI-driven business models, personalized services, or integration into digital ecosystems. As a result, companies gain the freedom to align their digital strategy independently and to flexibly adapt to changing market conditions.
Companies that strategically control their data, processes, and systems, while carefully weighing where a technology partnership brings real value and where it becomes a critical dependency, secure clear advantages: faster development cycles, greater adaptability, stronger customer loyalty, and more independence in their value creation. Thus, IT sovereignty becomes a driver of innovation and differentiation—far beyond mere security issues.
The foundation for digital independence lies in architectural decisions. At the very start of planning a solution – for data processing, user management, or system integration – the degree to which a company will depend on external components is determined.
Technical sovereignty arises when companies retain control over central components: data storage, the operating environment, and software development. This does not necessarily mean operating everything yourself. The crucial factor is the availability of choices when framework conditions change.
This includes the ability to switch providers without fundamental software adjustments or data format changes during a migration (e.g., by using standardized interfaces and portable technologies), as well as clear contractual and technical regulation of operational and data responsibilities. These principles not only enable autonomy but also improve resilience against external disruptions.
Implementing a customized, sovereign architecture comes with several challenges. Companies must clarify numerous questions beforehand: Which data and systems are truly business-critical? Where do dependencies already exist today? What regulatory requirements apply in the respective business area, and what new ones are on the horizon? Do proprietary offerings provide a significant added value that justifies accepting specific dependencies?
Only with this analysis can a decision be made on which architecture is viable and strategically sensible in the long term.
Whether a solution is IT-sovereign can be assessed using three central questions. They help to systematically analyze existing dependencies and identify areas and opportunities for action:
These guiding questions create the foundation for sound decisions at the technical, contractual, and organizational levels, making it clear where control lies within the company and where it does not.
The implementation of IT sovereignty can be approached in different ways—depending on the industry, risk appetite, and technical complexity. In our project work, we see three primary approaches for implementing IT infrastructures with heightened demands for IT sovereignty:
In many cases, a hybrid solution is sensible – for example, running critical systems on European infrastructure while using supplementary cloud services from US hyperscalers for scalable processing or AI-powered analytics.
A well-thought-out software design that considers aspects like data localization, encryption, modularity, and interoperability can reduce dependency on external providers and thereby increase control over critical data and processes. The use of open-source software can help increase transparency and flexibility, as it allows companies to review, adapt, and further develop the source code without being dependent on proprietary solutions. By implementing open standards and avoiding vendor lock-in situations, companies can strengthen their flexibility and independence. When a company designs its software to be flexible, transparent, and independent, it can more easily ensure that it complies with all relevant regulations and laws. This reduces the risk of compliance violations and strengthens the company's autonomy regarding its IT infrastructure and data management.
Innovation-driven companies, in particular, can benefit from a software design that enables data portability, openness, and interoperability – as this is the only way they can flexibly integrate new technologies, develop their own digital services, or scale data-based business models. Here, it is especially important to carefully examine which IT dependencies should be accepted to increase one's own pace of innovation. Companies that rely on closed platforms may run the risk of limiting their innovative capacity in the medium term and being forced to adapt to market dynamics rather than helping to shape them. On the other hand, maintaining competitive open systems can also involve disproportionate effort. The most prominent example of this is currently the commercial offering of high-performance Large Language Models, which, depending on the application, cannot truly be replaced by an open alternative.
For companies, IT sovereignty does not mean making a radical break with existing structures. Rather, it is a structured evolution of the organization and the IT systems it uses. Companies are not facing the question of "cloud or not," but rather the task of designing control over their data and systems in a way that allows them to operate flexibly, compliantly, and economically in the long term. Although the initial architectural decision plays an outstanding role regarding IT sovereignty, implementing an IT sovereignty strategy is not a finite project but a continuous design process. Organizations that constantly engage with their dependencies and define their own options for action create the basis for technological decisions that remain viable even under changing regulatory, political, or economic conditions. They not only strengthen their resilience – they create the foundation for future projects, for digital independence, and for the ability to actively shape their own role in the market. IT sovereignty is thus also an expression of entrepreneurial autonomy: the freedom to decide how to handle data, technology, and innovation – in order to do more than just react.
Only those who develop a solid IT sovereignty strategy and regularly put it to the test can make conscious decisions about their digital infrastructure and IT sovereignty as part of their strategic freedom.
In our next post, we’ll show how the principles of IT sovereignty specifically impact data analytics architectures – with practical examples tailored to the diverse requirements of our clients.
Sources:
[1] BARC (retrieved on July 8, 2025): Datensouveränität sichern – Handlungsempfehlungen für Unternehmen.
[2] Heise (May 18, 2025): Strafgerichtshof: Microsofts E-Mail-Sperre als Weckruf für digitale Souveränität.
[3] Golem (May 15, 2025): Microsoft sperrt E-Mail-Konto – US-Sanktionen behindern Arbeit des IStGH.
[4] The Verge (July 29, 2019): GitHub restricts developers in Iran, Syria and other sanctioned nations.
[5] BBC (December 21, 2018): GitHub code-sharing site hit by takedown over anti-censorship tool.
[6] TechCrunch (March 10, 2022): Amazon, Microsoft and Google suspend cloud sales in Russia.
[7] BSI (retrieved on July 10, 2025): IT-Sicherheitsgesetz 2.0 – Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme.