Digital Sovereignty: How Europe’s Industry Remains Capable of Action in Uncertain Times

Status Quo: High Dependencies Shape the Situation in Europe

Studies show that virtually all European companies are heavily dependent on imported digital technologies: according to a Bitkom analysis from 2025, around 96 per cent of German firms import digital technologies and services from abroad, often from a handful of large providers. At the same time, geopolitical tensions and regulatory conflicts are intensifying – making these dependencies politically even more precarious.

The good news: awareness of the issue is growing. Open-source software has achieved widespread adoption; three in four companies are already using it, and 73 per cent explicitly regard it as an instrument for securing digital sovereignty. Nevertheless, around 60 per cent have no documented open-source strategy and no clear processes for systematically harnessing openness and security. The picture regarding data sovereignty is similarly ambivalent: a recent report notes that, in 2025, despite high awareness of regulatory requirements, one in three European companies experienced at least one data sovereignty incident.

Against this backdrop, the 2026 World Economic Forum in Davos explicitly discussed the possibility of a “one-off collapse of the world order” and the need to build a “new, independent Europe” that strengthens its economic and technological capacity to act. The message to industry is clear: digital dependencies have long since ceased to be a purely IT matter – they represent a strategic risk with a direct bearing on security of supply, competitiveness, and political resilience.

How Companies Can Increase Their Digital Sovereignty

A central lever lies in the design of infrastructure and cloud architecture. Sovereignty is achieved when workloads are portable, exit scenarios have been explored contractually and technically, and critical systems are not tied exclusively to a single hyperscaler. Multi-cloud and hybrid scenarios reduce lock-in risks and facilitate responses to political or regulatory changes.

A growing number of companies are deliberately choosing EU-based providers in order to keep data under European jurisdiction and minimise regulatory uncertainty – particularly in connection with US surveillance legislation. It is important that not only the formal data location is correct, but that the company also retains technical key sovereignty in order to enforce exclusive access.

At the application level, open standards and a systematic Software Bill of Materials (SBOM) are decisive. Whether proprietary or open source: for any software in use, companies should be able to trace at any time which components are involved, where they originate, and what security vulnerabilities or licence conditions apply. This is further driven by requirements such as the EU Cyber Resilience Act and is simultaneously a prerequisite for reducing dependencies in a targeted manner.

Identity and access management (IAM) becomes the “sovereign anchor” of a digital architecture. Any organisation that manages all user and machine identities via a single external identity provider runs the risk – in a worst-case scenario – of losing access to its own infrastructure, for instance in the event of sanctions, outages, or contractual disputes. Sovereign approaches rely on hybrid or federated IAM architectures that use open standards and provide local fallback mechanisms.

With the growing use of AI systems, the question of which data flows into which models and who owns the resulting intellectual property becomes a sovereignty issue. Companies should define data classes and binding rules governing which categories may be fed into external AI services – including technical controls such as pseudonymisation, anonymisation, and “private” model services. Data spaces emerging in Europe and initiatives such as Gaia-X enable the secure, standardised exchange of production and plant data between companies without any single actor losing control.

Digital sovereignty cannot be achieved through technology procurement alone; it requires clear structures and responsibilities. Companies need governance models that bring infrastructure, applications, security, procurement, and business units to the same table in order to regularly assess dependencies and set priorities. This includes, for example, a central body for sovereignty matters, defined criteria for the selection of cloud and software providers, sponsorship at board level, and planned exit scenarios.