In 2025, the landscape of Digital Sovereignty will become increasingly diverse, with organizations facing a myriad of sovereignty needs and solutions. This article explores some components of this diversity, focusing on the rise of Sovereign AI, privacy-enhancing technologies (PET) and sovereign cloud offerings, and the implications of recent developments involving major tech companies like Microsoft and Google.
In this article, we propose a return to a risk-based approach to navigate this diversity and find effective solutions to digital sovereignty requirements.
The growing interest in Sovereign AI
The demand for Sovereign AI is on the rise as organizations become more aware of the risks associated with using standard AI solutions [1]
The primary concern is the potential leakage of sensitive data, which has led to a growing interest in sovereign solutions. However, it’s crucial to understand that Sovereign AI is not merely about having local infrastructure to run AI models. The concept is far more nuanced, encompassing data governance, compliance with local regulations, and ensuring AI models are trained and operated within a framework that respects national interests. This comprehensive approach is essential for organizations aiming to maintain autonomy over their AI-driven processes and needs to include an analysis of all the dimensions of the data and technological sovereignty, which are the two pillars of our definition of Digital Sovereignty. It is also important to acknowledge that AI specificities (e.g. training phase on large data sets, and notion of responsible AI) require sovereign solutions, which are different from the ones we can apply to standard cloud computing.
Hence, the Sovereign AI trend is contributing to the increasing diversity of digital sovereignty needs and of forthcoming solutions to answer them.
More sovereignty solutions with PET and Sovereign Cloud Offerings
The landscape of sovereign cloud offerings is rapidly evolving. Several solutions are already available, with more on the horizon, particularly in Europe [2]. Some of these offerings are developed in partnership with American hyperscalers, addressing certain sovereignty requirements that organizations demand. However, these solutions come at a higher cost or have limited features compared to their non-sovereign counterparts.
Simultaneously, privacy-enhancing technologies (PET) are making significant strides [3]. These technologies enable organizations to run sovereign workloads in public cloud environments while ensuring data sovereignty. For example, this could be running a sensitive workload on a public cloud inside a confidential VM based on trusted technology or leveraging homomorphic encryption to process sensitive data in a public cloud without decrypting it first. PETs offer a promising solution for maintaining data sovereignty in third-party environments like public clouds, but they have limitations. For instance, they cannot mitigate the risk of a shutdown ordered by a foreign government that holds influence over the cloud service provider.
Sovereign cloud offerings and PETs are addressing the need for increased sovereignty in public clouds through two different methods:
- By creating a trusted environment
- By safeguarding workloads to operate in an untrusted environment
Both approaches have advantages and disadvantages. Driven by their business needs, organizations may opt for the first available solution on the market. As a result, there is a growing number of both types of these solutions.
In the news: Sovereignty risks and consequent needs
In 2024, significant revelations emerged regarding the sovereignty of data managed by major cloud providers. Microsoft admitted that there is no guarantee of sovereignty for UK policing data, as reported by Computer Weekly. Similarly, Google communicated its legal obligation to disclose confidential user information under certain circumstances, as highlighted by The Daily Star.
These developments highlight the difficulties organizations encounter in maintaining data sovereignty when using hyperscalers.
Now, organizations may reconsider their choice of cloud provider for certain use cases. They seek greater clarity on the level of sovereignty they can expect from public cloud environments. This is why, for example, the EUCSHighPlus.EU community has requested EU member states to support the reintroduction of High+ criteria in the EUCS certification scheme.
A risk-based approach to navigate the multiplicity of requirements and solutions
In the face of increasing diversity in sovereignty needs and solutions, organizations must adopt a risk-based approach to effectively navigate this complexity and identify the most suitable solutions for their specific needs and with the lowest impact on their business competitiveness.
This approach, illustrated in Figure 1, involves conducting a risk analysis and implementing security controls to mitigate the most significant risks. It is standard in cybersecurity, however in the context of Digital Sovereignty, it has some specific aspects.
Step 1: After clarifying the organization sovereignty challenges, the sovereignty objectives must be clearly defined from a business or functional standpoint. As sovereignty topics often involve a lot of myths, it is important that all organization’s stakeholders agree on the tangible challenges and objectives they need to address.
Step 2: Starting from the business risks, the organization needs to translate them into more concrete and technical threat scenarios and apply standard risk analysis methodology. At this step, it is crucial to consider the level of trust the organization has towards the technologies already used and the ones considered to be leveraged to mitigate these risks. The notion of trust, often overlooked in standard risk-based approaches, is essential for ensuring effective digital sovereignty.
Step 3: A Sovereignty framework is defined by listing all the organizational and technical controls which need to be implemented to reduce the sovereignty risks down to an acceptable level.
Expertise and experience in Digital sovereignty projects will help in addressing the mentioned specific sovereignty aspects in this methodology, which are not easy to handle at first. Organizations should not hesitate to leverage third party consultancy, like Eviden’s, to maintain control over their digital assets, ensure their sovereignty in an increasingly interconnected world and, thereby, ensure success in this journey.
Connect with me for a more detailed conversation on a robust risk-based approach to Digital Sovereignty.
Learn more about how Digital Sovereignty can help you prepare for a trusted digital future.
- [1] https://www.gartner.com/en/articles/hype-cycle-for-artificial-intelligence
- [2]https://www.businesswire.com/news/home/20241218283889/en/EU-Sovereign-Cloud-Initiative-Drives-Single-Source-Solutions/
- [3] https://www.isaca.org/resources/white-papers/2024/exploring-practical-considerations-and-applications-for-privacy-enhancing-technologies
