What is digital sovereignty and how are countries approaching it?

This article has been updated.

Back in March 2021, leaders of four European countries wrote a joint letter to European Commission President Ursula von der Leyen making proposals for the accelerated achievement of European 'digital sovereignty'.

"Now is the time for Europe to be digitally sovereign,” then German Chancellor Angela Merkel, Danish Prime Minister Mette Frederiksen, former Estonian Prime Minister Kaja Kallas, and former Finnish Prime Minister Sanna Marin wrote.

“We have to foster the Digital Single Market in all its dimensions where innovation can thrive and data flow freely. We need to effectively safeguard competition and market access in a data-driven world. Critical infrastructures and technologies need to become resilient and secure. It is time for the digitization of governments in order to build trust and foster digital innovation.”

Since then, the EU has established the Digital Markets Act (DMA), the Digital Services Act (DSA) and the Artificial Intelligence Act (AI Act), which collectively aim to regulate the digital economy and emerging technologies within the bloc.

Digital sovereignty goes beyond regulation to include fostering entrepreneurship and funding innovation – but the different approaches countries take are increasing competition.

Digital sovereignty, cyber sovereignty, technological sovereignty and data sovereignty refer to the ability to have control over your own digital destiny – the data, hardware and software that you rely on and create.

Or, as the Centre for Africa-Europe Relations puts it: the physical layer (infrastructure, technology), the code layer (standards, rules and design) and the data layer (ownership, flows and use).

Countries generally agree on the need to foster homegrown tech industries, particularly where there are potentially significant national security consequences.

But there different approaches around the governance of these technologies and data. These varied approaches to digital sovereignty have deepened geopolitical competition between the US, China and the EU.

Digital sovereignty has become a concern for many policymakers who feel there is too much control ceded to too few places, too little choice in the tech market, and too much power in the hands of a small number of tech companies, who control massive amounts of data about their users.

The EU’s General Data Protection Regulation, or GDPR, is one example of how digital sovereignty manifests in everyday life. It seeks to unify how personal data is looked after online through rules and regulations and with the threat of punitive sanctions.

Under the terms of the GDPR, any organization, no matter where it is based, must abide by a set of data management rules if it wants to trade with customers in EU countries. Those rules make it possible for individual citizens to take more control of how their data might be used. It also sets potential fines of almost $25 million for data breaches.

In more recent years, there has been growing concern in the EU around the dominance of China and the US in terms of both innovation and competition. China's Digital Silk Road initiative aims to expand digital technologies in developing countries, challenging US dominance and raising security concerns due to the potential for surveillance and data collection.

China's own digital sovereignty approach is set by a trio of laws: the Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL), the equivalent of GDPR, which jointly govern cybersecurity and data protection.

The growing global landscape of AI governance is similarly characterized by divergent approaches, reflecting the geopolitical tensions and competing visions of digital sovereignty. The European Union has taken a proactive stance with its comprehensive regulatory framework, including the AI Act, DMA and DSA.

These regulations emphasize a human rights-oriented approach, mandating conformity assessments for high-risk AI systems and imposing transparency requirements on recommender engines.

In contrast, the United States has historically favoured a more hands-off approach, relying on corporate self-regulation. But under the Biden administration, recent initiatives like the AI Bill of Rights signalled a shift towards more stringent oversight. Under the incoming Trump administration, the dial on regulation could shift again. It remains to be seen whether Congress will enact the proposed American Privacy Rights Act in 2025.

China, on the other hand, has implemented measures such as the Internet Information Service Algorithmic Recommendation Management Provisions and the National Integrated Circuit Industry Investment Fund, reflecting its state-centric model of AI governance.

These varying approaches have significant geopolitical implications, potentially leading to the fragmentation of technological ecosystems and complicating efforts for global AI governance cooperation.

The EU-US Trade and Technology Council represents an attempt to bridge some of these differences, but challenges remain in aligning governance models across major AI powers. As the AI landscape evolves, the tension between national interests and the need for international cooperation in AI governance continues to shape the geopolitics of digital sovereignty.

The regulatory landscape surrounding digital sovereignty has become increasingly complex, with myriad laws and frameworks emerging to address the challenges of data protection, AI governance, and cross-border data flows.

The EU has taken a proactive stance with its comprehensive regulatory framework, including the Data Act, Data Governance Act, AI Act, and GDPR, which collectively aim to safeguard European citizens' data rights and promote digital autonomy.

However, these regulations have created significant challenges for transatlantic data transfers, particularly in the wake of the Schrems II decision, which invalidated the EU-US Privacy Shield agreement.

To address these issues, the EU and US have worked on the EU-US Data Privacy Framework, which aims to provide adequate protections for EU citizens' data when transferred to the US. This framework includes binding safeguards that limit US intelligence authorities' access to data, addressing a key concern raised in the Schrems II ruling.

Despite these efforts, legal challenges persist, with the possibility of a "Schrems III" case looming. The ongoing negotiations and legal developments underscore the need for a robust, transatlantic approach to digital regulation that balances data protection with the need for innovation and cross-border data flows.

Sovereign cloud implementation has emerged as a critical enabler for organizations seeking to achieve data sovereignty in an increasingly complex regulatory landscape.

This approach involves deploying cloud infrastructure that aligns with specific geographic and legal requirements, ensuring data residency and compliance with local regulations.

A roadmap for sovereign cloud implementation typically includes strategic planning, regulatory compliance analysis, and careful cloud vendor selection.

Organizations must consider factors such as data classification, metadata management, and cross-border data transfer restrictions when designing their sovereign cloud architecture.

The public sector has been at the forefront of adopting sovereign cloud solutions, driven by stringent data protection requirements and national security concerns. However, the concept is gaining traction across various industries, particularly those dealing with sensitive data or subject to strict regulatory oversight.

As AI and machine learning technologies continue to evolve, sovereign cloud implementations are becoming increasingly crucial in providing a secure and compliant foundation for these data-intensive applications.

A multi-cloud strategy that incorporates sovereign cloud elements can help organizations balance the need for global scalability with localized data control and privacy requirements.