Digital sovereignty is more than just a buzzword; it's about taking control in a rapidly shifting geopolitical landscape. In this CIONET Trailblazer episode, Stef Schampaert, Country Managing Director Red Hat Belgium & Luxembourg, a leading voice in the field, dives into the practicalities of digital sovereignty. He challenges us to look beyond regulatory compliance and consider how organisations can truly own their data, technology, and digital choices. Stef explores strategies for mitigating risks, navigating trade-offs between sovereignty, agility, and cost, and building genuine vendor independence. Join us as Stef guides organisations toward a future where digital sovereignty is not just an aspiration, but a tangible reality, fostering resilience and driving innovation.
In one line: what does “digital sovereignty” mean in practice?
In practice, digital sovereignty means having control over your data, technology, and digital choices so you can operate independently and in line with local laws and values.
Beyond Regulatory Fines: What are the Critical Risks of Lacking Digital Sovereignty?
Digital sovereignty extends far beyond avoiding penalties; it's about safeguarding your organisation from existential threats. The most significant risks include: business disruption, loss of control and supply chain failure. If a cloud provider is forced to cut you off, operations can stall. For example, when the Amsterdam Trade Bank lost access to email and core apps, it was forced into bankruptcy when sanctions were imposed on its Russian parent company, Alfa Bank.
What trade-offs do leaders face between sovereignty, agility, and cost?
Leaders often grapple with a delicate balance: public clouds offer unparalleled speed and cost efficiencies, yet, for critical workloads, the inherent risks to sovereignty can outweigh these benefits. A pragmatic solution often lies in a hybrid cloud strategy combined with open-source technologies. This approach allows organisations to maintain flexibility, accelerate innovation, and optimise costs across diverse environments (cloud and on-premise), all while retaining control on their own terms.
How do you define meaningful “vendor independence” without dogma?
Meaningful vendor independence is achieved by designing for choice. This involves leveraging open standards and multiple options for technology solutions, so no single vendor can create a lock-in scenario. Multi-cloud/hybrid plus open source lets you port workloads anywhere and switch providers—or run in-house—so one company’s policies or outages can’t halt the business.
What does a credible exit strategy look like, technically, and contractually?
Which open standards or interfaces matter most for interoperability?
For true interoperability, organisations should build upon widely adopted open standards and interfaces. OCI containers and the Kubernetes API make workloads portable; open APIs for data and identity (OAuth, SAML, etc.) help prevent lock-in. Design for reusability so integrations and migrations are plug-and-play, not rewrites, enabling true hybrid, multi-vendor ops.
How should boards measure sovereignty, and what KPIs prove it works?
Boards should measure sovereignty by capping any single vendor's share of critical operations. Key Performance Indicators (KPIs) include the time required to switch a critical workload and uptime performance during external incidents. Aim for achieving zero critical findings related to data residency and security. The objective isn't merely compliance; it's about cultivating durable resilience, robust security, and inherent flexibility within the digital infrastructure.
Where have organisations gotten sovereignty wrong, and why?
Organisations often err by treating sovereignty as mere paperwork instead of operational autonomy. “Sovereign on paper” still fails if providers withdraw support and there’s no independent fallback.
How does AI (models, data, tooling) change the sovereignty playbook?
The advent of AI fundamentally expands the sovereignty playbook, extending to data, models, and the entire AI supply chain. Black-box AI services obscure provenance and decision-making, posing significant risks. Organisations should run sensitive AI on infrastructure they control, favour open source models for transparency and customisation, and proactively prepare for evolving regulations (e.g., the EU AI Act) that require explainability and strong governance.
If I’m a CIO starting now, what are the first three steps to get sovereignty right?
For a CIO embarking on the journey of digital sovereignty, the first three critical steps are:
(1) Assess & classify: Map all sensitive data/systems, identify applicable laws and regulations (such as GDPR), and thoroughly understand dependencies.
(2) Build flexibility: Proactively adopt open, hybrid/multi-cloud platforms (e.g., Kubernetes) and implement anti-lock-in policies to ensure technological agility.
(3) Lock in exit paths: Negotiate clear export rights and assistance, and implement robust replication/backup strategies and containerised applications to facilitate rapid migration if needed.
As Stef has shown, digital sovereignty is not merely a theoretical concept but a critical operational imperative. By prioritising control over data, embracing open-source solutions, and planning for vendor independence from day one, organisations can build a resilient and innovative digital future.