Eight Steps to Digital Sovereignty

We show companies how to find their way into digital sovereignty. This lays the foundation for secure and independent IT.


By Holger Pfister

The dependence on individual tech providers and proprietary IT infrastructures is increasingly becoming the focus of strategic IT planning. Public organizations and companies today must navigate a complex web of self-developed applications, purchased SaaS solutions, and cross-border data flows. The key is to ensure long-term digital sovereignty – that is, to maintain full operational capability over one's own IT. But how can the path to this be structured?

Holger Pfister

Holger Pfister is General Manager for the DACH region at SUSE. He is responsible for all of SUSE's business in Germany, Austria, and Switzerland. As a board member of the Open Source Business Alliance, he is a particular advocate for the use of open source in public administration. In his role at SUSE, he supports companies, public administrations, and partners in building more resilient IT infrastructures that make a decisive contribution to achieving digital sovereignty.

Becoming digitally sovereign is a process that, like most transformation projects, begins with open dialogue. The first step is to engage with key stakeholders such as board members, technology partners, and IT teams to understand their requirements, concerns, and priorities. On this basis, the transformation process can be shaped together and the central themes identified.

All these stakeholders bring different requirements and perspectives to essential questions: Where should sensitive data reside? Who should have access to it? And how can technological dependence on individual providers be avoided? The answers provide insight not only into individual needs but also into potential risks. These discussions therefore form the basis for sound decisions in the three central fields of action: data, operations, and technology.

After internal needs, risks, and priorities have been identified, the next step is to focus on external framework conditions. Data protection, data localization, and control mechanisms are increasingly coming into the focus of government regulation worldwide. Programs such as FedRAMP in the USA, the New Zealand Information Security Manual (NZISM), or China's strategy for technological self-reliance are just a few examples of national regulations that define digital sovereignty in very different ways.

Within the EU, there is also a complex interplay of EU-wide requirements, such as the GDPR, the NIS2 Directive, and the DORA regulation. In addition, there are national initiatives such as France's SecNumCloud or Germany's Cloud Computing Compliance Criteria Catalogue (C5). These regulations pursue two central goals: protecting European data and ensuring independence from non-European providers in strategic areas such as defense, finance, or healthcare.

For organizations, this means constantly keeping an eye on regulatory developments and adapting their strategies accordingly. Official sources such as EUR-Lex or information from the EU Commission help to maintain an overview.


A key component on the path to digital sovereignty is a precise understanding of the entire software supply chain and its complete documentation. A helpful tool for this is a Software Bill of Materials (SBOM). Based on recognized standards such as SPDX or CycloneDX, and used particularly for critical applications, an SBOM makes it possible to systematically record all software components, their origin, and their dependencies.
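What "recording components, their origin, and their dependencies" looks like in practice, as an added example that is not part of the article or of any SUSE tooling: the script below parses a CycloneDX JSON SBOM, walks the dependency graph from the application down to its transitive components, and reports components whose supplier or license is not documented, since those are the places where the origin of the software cannot be shown from the SBOM alone. The SBOM itself is constructed for this example; its component names, versions, and purls are made up and do not describe any real project.

```python
"""Inventory a CycloneDX SBOM: components, origin, and dependency graph.

Added example for illustration only. SAMPLE_SBOM is a constructed
CycloneDX 1.5 document; the components in it are not a real project's.
"""
import json
from collections import defaultdict, deque

# Constructed sample SBOM (not real data). One library documents supplier and
# license, one documents only a license, one documents neither.
SAMPLE_SBOM = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {"bom-ref": "app", "type": "application",
                  "name": "billing-service", "version": "2.3.0"}
  },
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
     "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
     "supplier": {"name": "Python Software Foundation"},
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:pypi/urllib3@2.0.7", "type": "library",
     "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:generic/vendor-sdk@1.0", "type": "library",
     "name": "vendor-sdk", "version": "1.0", "purl": "pkg:generic/vendor-sdk@1.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:generic/vendor-sdk@1.0"]},
    {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]}
  ]
}
"""


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def component_index(doc):
    """Map bom-ref -> component, including the root component from metadata."""
    index = {}
    root = doc.get("metadata", {}).get("component")
    if root:
        index[root["bom-ref"]] = root
    for comp in doc.get("components", []):
        index[comp["bom-ref"]] = comp
    return index


def dependency_graph(doc):
    """Adjacency list built from the SBOM's 'dependencies' section."""
    graph = defaultdict(list)
    for entry in doc.get("dependencies", []):
        graph[entry["ref"]].extend(entry.get("dependsOn", []))
    return graph


def transitive_dependencies(doc, ref):
    """Every component reachable from `ref`, breadth-first (direct deps first)."""
    graph = dependency_graph(doc)
    seen, order, queue = {ref}, [], deque(graph.get(ref, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        order.append(dep)
        queue.extend(graph.get(dep, []))
    return order


def provenance_gaps(doc):
    """Libraries whose supplier or license is missing: origin not documented."""
    gaps = {}
    for ref, comp in component_index(doc).items():
        if comp.get("type") == "application":
            continue  # the root application is our own component
        missing = []
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier")
        if not comp.get("licenses"):
            missing.append("license")
        if missing:
            gaps[ref] = missing
    return gaps


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("transitive dependencies of app:", transitive_dependencies(sbom, "app"))
    for ref, missing in provenance_gaps(sbom).items():
        print(f"provenance gap: {ref} lacks {', '.join(missing)}")
```

On the constructed input the walk lists requests, vendor-sdk, and (via requests) urllib3, and the gap report names urllib3 for its missing supplier and vendor-sdk for both supplier and license. Run against a real SBOM exported by a build tool, the same two functions give the inventory and the list of components whose origin still has to be established before the application can be called documented end to end.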

Particular attention should be paid to applications that process highly sensitive data, including personal information, financial data, or data that falls under the definition of critical infrastructure. Such applications are usually subject to particularly strict regulatory supervision and compliance requirements.

In addition to particularly sensitive applications, all everyday workloads must be recorded and evaluated. An important step is to identify those workloads for which organizations truly must process their data on their own servers or in completely network-isolated environments. Technical measures can make the decisive difference here, such as an open-source stack with Kubernetes orchestration, air-gap capabilities, and its own package management.

For highly regulated environments, it is also advisable to ensure the security of the software supply chain, for example, through certifications according to Common Criteria EAL 4+ or recognized security standards such as SLSA. These measures help to demonstrably ensure the integrity of the entire application from development to deployment.

Once the applications have been mapped and evaluated, the focus shifts to the architecture as a whole. It should be based on open standards, offer clear interfaces, and be able to work with different systems. This openness creates freedom of choice, reduces dependencies on individual providers, and facilitates the integration of new components.

The architecture must also be firmly anchored within the organization. This is achieved when responsibilities are clearly defined and workflows are clearly structured.


The technology stack forms the backbone of a sovereign architecture. Consistent use of open-source technologies creates the necessary transparency and control to avoid technological dependencies in the long term. Open source code allows for independent security audits, quick fixes for vulnerabilities, and flexible adaptation of functions to one's own requirements.

Standardized interfaces and open formats ensure interoperability between different systems and facilitate the exchange of individual components. This allows new technologies to be integrated without jeopardizing the operation of existing systems. Open source also offers the opportunity to access a broad ecosystem of tools and communities.

In addition to a robust technology stack, organizations should also prepare for emergencies and plan their business continuity. Business continuity planning focuses on establishing risk management procedures to prevent interruptions of business-critical services and restore full functionality with minimal downtime.

A business continuity plan should specify how systems will react when central providers fail – for example, due to sanctions or the loss of control over systems located outside the EU. It is important to secure critical workloads in such a way that they can quickly move to other locations in the event of failures. Geo-clustering, i.e., distributed replication across multiple geographically separate data centers, can, for example, minimize the risk of regional disruptions and thus keep business-critical processes running.

A business continuity plan ensures operations in an emergency. However, for digital sovereignty to endure in the long term, it must become an integral part of the IT strategy. Organizations should not view it as a one-time measure, but as a fundamental principle that permeates all IT processes.

This includes regularly reviewing systems and environments, identifying risks early, and making adjustments as needed. Relevant stakeholders should be continuously involved, while regulatory changes and technological developments are kept in view. In this way, digital sovereignty becomes a fundamental principle that keeps organizations permanently capable of action, resilient, and independent.

At its core, digital sovereignty is about the interplay of data, operations, and technology. The eight steps make it clear: Those who recognize and address the growing dependence on external IT providers create the basis for long-term operational capability. Digital sovereignty does not function as a one-time project, but as a continuous process and a firmly anchored fundamental principle. If it is consistently integrated into structures, processes, and corporate culture, it creates a future-proof, secure, and independent IT.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.