What is digital sovereignty, and why your tech stack depends on it

Digital sovereignty is everywhere in EU policy documents. But what does it actually mean when you're choosing software for your team? We look at real cases, real regulations, and real alternatives.

TL;DR

Digital sovereignty is the ability to control where your data lives, who can access it, and what laws apply. It's not about boycotting US tools. It's about not being one executive order away from losing your email. The ICC learned this the hard way in 2025 when US sanctions cut judges off from Microsoft overnight. Europe's regulatory framework (GDPR, CLOUD Act conflict, AI Act, Data Act, NIS2) is making sovereignty a compliance issue, not just a preference. And the European alternative ecosystem is more mature than most CEOs & CTOs realize.

In May 2025, the International Criminal Court's chief prosecutor had his Microsoft Outlook account shut down overnight. Not because of a billing issue. Because the United States government sanctioned him.

Within days, ICC judges across Europe lost access to their email, their calendars, their cloud files. One French judge was banned from Amazon, PayPal, Airbnb, and Expedia. His hotel reservation, in his own country, was canceled. His purchased Kindle books vanished. He described the experience as "being transported back to the 1990s."

The ICC is based in The Hague. Its staff are European. Its servers were in Europe. None of that mattered. The software was American, and that was enough.

By October 2025, the court announced it would replace Microsoft 365 across all 1,800 workstations with openDesk, a European open-source suite. The ICC's statement was blunt: "We must reduce dependencies and strengthen the technological autonomy of the Court, even if this is expensive, inefficient and inconvenient in the short term."

This is not an abstract policy debate. This is what digital sovereignty looks like when you don't have it.

A definition, not a slogan

Digital sovereignty has become a buzzword in Brussels. But strip away the politics and the concept is straightforward.

Digital sovereignty is the capacity to make independent choices about your digital infrastructure. Where your data lives. Who can access it. What happens when a foreign government changes its mind.

The European Commission's Joint Research Centre defined it clearly in a December 2025 policy brief: "the EU's capacity to exercise strategic independence in the digital domain." The same document adds that this "does not equate to isolation or protectionism."

That distinction matters. Sovereignty is not about banning AWS or boycotting Salesforce. It's about having alternatives. It's about not being one executive order away from losing your email.

Former EU Commissioner Thierry Breton put it simply: "This is not a protectionist concept. It is simply about having European technological alternatives in vital areas where we are currently dependent."

Three pillars: data, infrastructure, software

Experts and industry typically break digital sovereignty into three layers. Understanding them helps CTOs identify where their real vulnerabilities sit.

Data sovereignty is about control. Where does your data physically reside? Under whose legal jurisdiction? Who can compel access to it? The critical tension here is between the EU's GDPR, which restricts data transfers and prohibits foreign government access without proper agreements, and the US CLOUD Act, which lets American authorities demand data from US companies regardless of where servers are located. These two laws directly contradict each other. If you use AWS, Azure, or Google Cloud, your data exists in this legal grey zone.

Infrastructure sovereignty is about who operates the servers, the networks, the data centers that your business runs on. Today, AWS, Microsoft Azure, and Google Cloud control roughly 70% of the European cloud market (Synergy Research Group, 2025). European providers hold about 15%, down from 29% in 2017. That trend is going in the wrong direction.

Software sovereignty is about who controls the code. Proprietary software creates lock-in. When Broadcom acquired VMware and hiked prices by 800 to 1,500% overnight, thousands of European organizations (hospitals, universities, municipal authorities) discovered they had no leverage and no alternatives ready. Open-source software, by contrast, can be audited, forked, and self-hosted. It's the reason the ICC could switch away from Microsoft in months rather than years.

The regulatory framework: five laws you need to know

Europe has built the most comprehensive digital regulation framework in the world. If you're a CTO or founder choosing your tech stack, here's what actually affects your decisions.

GDPR remains the foundation. Seven years in, it has generated over 7 billion euros in cumulative fines (DLA Piper, January 2026). The practical takeaway for stack decisions: Articles 44-49 govern international data transfers. If you send data to US providers, you rely on the EU-US Data Privacy Framework, the third attempt at a transatlantic data deal after Safe Harbor and Privacy Shield were both struck down by the EU Court of Justice. The DPF is currently under appeal. Plan accordingly.

The US CLOUD Act (2018) is GDPR's structural adversary. It authorizes US law enforcement to compel any US-based tech company to hand over data in its possession, even if that data sits on a server in Frankfurt or Dublin. The company may receive a gag order preventing it from telling you. During a French Senate hearing, Microsoft France's president admitted the company could not guarantee EU customer data would never be accessed under the CLOUD Act. The EDPB (European Data Protection Board) has concluded that the only reliable technical countermeasure is customer-controlled encryption where the keys never leave the EU.

The EU AI Act entered into force in August 2024 with phased implementation. Prohibited AI practices (social scoring, emotion recognition in workplaces) are already banned. General-purpose AI model obligations took effect in August 2025. Most high-risk AI obligations kick in by August 2026. Penalties run up to 35 million euros or 7% of global turnover. For CTOs deploying AI: where your model runs and who controls the infrastructure matters for compliance.

The Data Act became applicable in September 2025 and directly addresses vendor lock-in. Cloud providers must now remove all switching barriers. Migration must complete within 30 days. By January 2027, switching fees are completely eliminated. Chapter VII explicitly protects data stored in the EU against unlawful foreign government access, a direct counter to CLOUD Act overreach.

NIS2 is the cybersecurity layer. It covers 18 critical sectors, imposes mandatory incident reporting (24-hour early warning), and introduces personal liability for management boards on cybersecurity. Crucially for tech stack decisions, NIS2 requires supply chain security assessments, which means evaluating whether your US cloud provider's exposure to the CLOUD Act constitutes a risk. Around 16 member states have transposed it so far. Germany's implementation entered into force in December 2025.

These laws don't operate in isolation. They interlock. GDPR sets the data protection floor. The Data Act enables switching away from non-compliant providers. NIS2 forces you to assess supply chain risk. The AI Act regulates what you can build and where. Together, they create a regulatory environment where digital sovereignty is no longer just a nice idea. It's increasingly a compliance requirement.

What this means in practice

If the regulatory framework sounds abstract, here are concrete scenarios that European companies have already lived through.

Overnight price shocks. When Broadcom acquired VMware, it ended perpetual licenses, bundled 160+ products into 4 packages, and shifted to mandatory 3-year subscriptions. Tesco, the UK's largest supermarket, sued for 100 million pounds after Broadcom refused to honor existing contracts. VMware runs 40,000 server workloads for Tesco, including its tills and supply chain logistics. Tesco warned the dispute could affect food supply in the UK and Ireland.

Sovereignty lost through acquisition. In November 2025, US company Kyndryl acquired Solvinity, a Dutch cloud provider specifically selected by Dutch government clients (the municipality of Amsterdam, the Ministry of Justice) because it was Dutch-owned and not subject to the CLOUD Act. Amsterdam was notified one day before the announcement. The Dutch Parliament voted to block the deal. Years of deliberate sovereignty planning, undone by a single acquisition.

Geopolitical retaliation. In December 2025, US Trade Representative Jamieson Greer explicitly threatened European companies SAP, Spotify, and Mistral AI with fees and restrictions if the EU didn't back down on tech regulation. The same month, the US banned former Commissioner Breton and four others from entering the country. Whether or not these threats escalate, they show that US tech policy is increasingly weaponized, and European businesses sit in the crossfire.

The DPF time bomb. The EU-US Data Privacy Framework, which enables most EU-US data transfers, survived its first legal challenge in September 2025. But an appeal is now before the EU Court of Justice. Meanwhile, Trump dismissed members of the PCLOB oversight board (a cornerstone of the adequacy decision) in January 2025, leaving it without a quorum. Both predecessor agreements were invalidated. If the DPF falls, every European company transferring data to US services faces an immediate compliance gap.

The ecosystem is bigger than you think

Here's the good news. Europe's tech ecosystem has matured significantly, and European alternatives exist across every major software category.

In cloud infrastructure, providers like OVHcloud, Hetzner, and Scaleway offer compute, storage, and networking entirely under EU jurisdiction, a real option for teams looking to move away from AWS. In CRM, Odoo (Belgium) is an open-source ERP powering 12+ million users. In AI, Mistral AI (France) offers open-weight large language models with a sovereignty-first approach. In team communication, Element runs on the Matrix protocol, the same one the French and German armies use.

Europe has over 58,000 tech startups, 601 unicorns, and a venture ecosystem that deployed roughly 62 billion euros in 2024. The continent's AI market alone is projected to reach 58 billion dollars in 2025. None of this means Europe has closed the gap with the US. It hasn't. But the idea that there's nothing to work with is simply outdated.

A 2025 Proton survey found that 73% of Europeans believe their societies are too dependent on US tech. Over half of those who follow the news said they would prefer European alternatives. The demand is there. The supply is catching up.

Sovereignty is a spectrum, not a switch

No company is going to replace its entire tech stack overnight. And no one should. Digital sovereignty isn't binary. It's a risk management strategy.

The practical approach for most CTOs: classify your workloads by sensitivity. Keep your most critical, regulated, and sensitive data on EU-controlled infrastructure. Use customer-controlled encryption wherever possible. Evaluate European alternatives category by category. Build exit strategies for every major vendor. The Data Act now gives you the legal right to leave.

The Franco-German Digital Sovereignty Summit in November 2025 brought 900+ policymakers together and secured 12 billion euros in voluntary company commitments. The EU has mobilized billions through its Chips Act, IPCEI cloud projects, and Digital Europe Programme. The trajectory is clear.

As the ICC's experience showed, digital sovereignty isn't something you think about after the email stops working. It's something you plan for while it still does.

Key Takeaways

  • In 2025, US sanctions cut ICC judges off from Microsoft, Amazon, and PayPal overnight, even though the court is based in Europe and its servers were in Europe
  • Digital sovereignty rests on three pillars: data (where it lives and who can access it), infrastructure (who operates the servers), and software (who controls the code)
  • The US CLOUD Act lets American authorities demand data from US companies regardless of where servers are located, directly conflicting with GDPR Article 48
  • European cloud providers hold just 15% of their own market, down from 29% in 2017. AWS, Azure, and Google Cloud control roughly 70%
  • The EU Data Act (2025) now guarantees cloud switching rights and eliminates switching fees entirely by January 2027

Frequently Asked Questions

What is digital sovereignty in simple terms?
Digital sovereignty is the ability to control your own digital infrastructure: where your data is stored, who can access it, and which laws apply to it. For a European business, it means not being entirely dependent on non-EU providers who may be subject to foreign laws like the US CLOUD Act.

Is digital sovereignty the same as protectionism?
No. Digital sovereignty is about having choices, not closing markets. EU regulations like GDPR and the Data Act apply equally to European and non-European companies. The goal is ensuring European organizations have viable alternatives and can switch providers freely, not banning foreign products.

What is the CLOUD Act and why does it matter for European companies?
The US CLOUD Act (2018) allows American authorities to compel US tech companies to hand over data regardless of where it's stored, even on EU servers. This directly conflicts with GDPR Article 48, which prohibits data transfers to foreign authorities without proper legal agreements. If you use AWS, Azure, Google Cloud, or any major US SaaS, your data is potentially exposed.

How can a CEO or CTO start improving digital sovereignty today?
Start with three steps. First, map your current tech stack and identify which tools are subject to non-EU jurisdiction. Second, classify your data by sensitivity and regulatory requirements. Third, evaluate European alternatives for your highest-risk workloads first. Cloud, email, collaboration, and CRM are the categories with the most mature EU options. The Data Act now guarantees your right to switch providers without penalty.

Is European cloud infrastructure mature enough for enterprise use?
For basic compute, storage, and hosting, yes. Providers like OVHcloud, Hetzner, Scaleway, and IONOS serve thousands of enterprise clients. For advanced managed services, the gap with AWS, Azure, and Google remains real, especially around AI/ML tooling and global CDN reach. Most experts recommend a hybrid approach: EU providers for sovereign workloads, hyperscalers where necessary, with multi-cloud architecture to preserve portability.
