Digital sovereignty: a major issue for the years to come
In 2025, digital sovereignty became a central issue in Europe’s political and economic debates.
Rising international trade tensions, fuelled by the resurgence of American economic nationalism under the Trump administration, have reignited concerns about Europe’s deep reliance on technologies from across the Atlantic.
The prospect of retaliatory economic measures has only sharpened the realisation that Europe must strengthen its autonomy and articulate a coherent digital sovereignty strategy.
Yet, the implementation of such a strategy is far from straightforward. American providers continue to dominate the European market for software, infrastructure and cloud services. Across Europe, between 85% and 90% of data-centre infrastructure is built on US technologies, with AWS, Azure and Google Cloud leading the market.
This raises a key question: what exactly do we mean by digital sovereignty? Is it full independence, tighter control over data protection, or a strategic counterbalance to global tech giants? And, even if it were achievable, would that level of sovereignty ultimately be desirable for Europe’s highly interconnected economies?
In this article, Fabrice Aresu, our CEO, helps unpack these questions.
Digital sovereignty: the art of staying in control when everything else is shifting
Digital sovereignty refers to the ability of a state, an organisation or a continent, such as Europe, to control its critical infrastructure, data and technologies without being overly dependent on foreign actors. Originally, the concept was widely used to refer to hosting sensitive data within European borders.
Over time, however, its scope has broadened considerably. It now covers data governance and data flows, control over both hardware and software infrastructure, and the ability to shape a regulatory framework that protects not only citizens but also businesses.
Data governance
In today’s digital economy, data has become a strategic asset. Whether contractual, technical, administrative or operational, it represents both a major source of value and a significant point of vulnerability for organisations.
For companies, the challenge is no longer limited to monitoring where data is hosted. It now lies in controlling data flows by understanding who can collect, transfer or process data, and under what conditions. The main risk emerges here, in the data-handling chain. Even with strong internal safeguards, leaks can arise through seemingly harmless and convenient practices, such as sharing sensitive documents via a mainstream file-sharing service.
Such practices bypass official controls and expose sensitive information to uncontrolled channels. Digital sovereignty therefore requires more than compliant storage. It also demands sovereign data transfer networks capable of ensuring end-to-end data confidentiality.
This approach sits at the core of our strategy. “All our infrastructure is located in Europe – and in some cases directly on our clients’ premises,” explains Fabrice Aresu. “Our most demanding clients, particularly in the military and aerospace sectors, choose on-premises solutions deployed directly within their own data centres.” This shift reflects a broader market trend, as data location, usage and protection have become decisive selection criteria in calls for tenders.
Controlling hardware and software infrastructure
Another aspect of digital sovereignty relates to the continuity and resilience of IT infrastructure. For system-critical organisations, it is no longer just a question of performance. An interruption caused by a key supplier would pose a critical risk and have an immediate impact on operations, as seen during the global AWS outage on 20 October 2025.
Infrastructure must therefore be designed with redundancy mechanisms and built around Business Continuity Plans to ensure uninterrupted service availability. This requirement extends beyond physical hardware to the entire technology stack, including cloud environments, software components and third-party services. In software development, where reliance on external components or third-party libraries is standard practice, this need for governance is particularly critical.
But this dependency goes beyond technical considerations. All it takes is one software component, library or cloud service controlled by a foreign entity. Although an ally today, that entity could become restrictive or even hostile tomorrow as international power dynamics shift. This raises the question: what happens if access to a critical service is revoked for political or economic reasons?
“Past incidents have shown that this risk is very real. Software libraries must be updated regularly to avoid exposure to critical vulnerabilities or failed updates, such as those experienced by Log4j in 2021 and CrowdStrike in 2024,” Fabrice reminds us. This is precisely why Europe is re-examining the need for European technology stacks that combine hardware and software within a coherent, fully controlled ecosystem. The aim is to reduce dependence on non-European providers and retain control over the most sensitive components.
“However, independence does not mean self-sufficiency,” Fabrice points out. “For most organisations, achieving 100% sovereignty is neither financially nor technically realistic. The real challenge is adopting a risk management mindset and understanding how much of the chain can fail without bringing the entire service down.”
This has been our approach for many years. For critical components, especially in security-sensitive areas, we prioritise European partners renowned for their reliability and compliance with local requirements. This reduces dependence on non-European providers who may fall under foreign legal frameworks.
A coherent regulatory framework
Digital sovereignty also relies on a clear, coherent European regulatory framework that ensures organisations retain control over their data and digital infrastructure.
After the Privacy Shield was repealed in 2020, the EU had to rethink mechanisms governing data transfers to the United States. In response, the EU-U.S. Data Privacy Framework was introduced in 2023 to replace the Privacy Shield and allow transatlantic data transfers while safeguarding the rights of EU citizens.
This framework aims to strengthen personal data protection while facilitating transatlantic data flows. However, questions remain about its effectiveness in protecting against US government surveillance practices, such as those permitted under the CLOUD Act.
In practice, a provider subject to US law cannot ignore government orders. To prove that its technologies are not being used by an entity under embargo, it must retain some degree of access or control over the data flows it hosts. With so much regulation, many countries question whether the EU can effectively regulate technologies that are not yet fully developed within its own borders, particularly in fields such as artificial intelligence. Could excessive regulation undermine innovation and agility?
New regulations such as the AI Act strengthen requirements around data protection and technology governance, but may also create additional barriers for European technology providers and their partners. While the objective of guaranteeing digital sovereignty is clear, the real challenge lies in striking the right balance between data protection and innovation capacity.
LuxTrust and digital sovereignty: building Europe’s autonomy
Digital sovereignty should not be viewed solely through the lens of data management. It should also be viewed as a competitive advantage – both for protecting companies’ ever-growing digital capital and for strengthening end-user trust. “Digital sovereignty is fundamentally about resilience, trust and control,” as our CEO, Fabrice Aresu, points out.
As European businesses and governments become increasingly dependent on foreign providers, we have developed sovereign digital solutions designed to meet the challenges of today and tomorrow.