Digital sovereignty is about more than technology alone. It concerns the extent to which organizations retain control over their data, systems and strategic choices.
In this blog series, we explore three pillars of digital autonomy: control, compliance and continuity. Together, they form the foundation for an organization that can consciously steer its digital future in today’s complex circumstances.
Author: Jorgen de Lange, Architecture & Tech
This blog series was developed in collaboration with Eelco Stofbergen, Lead Expert Digital Sovereignty & Cyber Resilience.
Control begins where the illusion of grip ends
Why real steering power only emerges when dependencies are made explicit
Ask a board member whether they have grip on their digital landscape and the answer is almost always the same: “Yes, of course.” There are contracts. Architecture diagrams and principles. Governance meetings. Supplier conversations. Periodic checks and reports.
But ask one uncomfortable follow-up question: What happens if your most important Cloud supplier changes the conditions tomorrow - and your certainty disappears?
Then it goes quietly. Not because board members are naive, but because our digital landscapes have become so complex that grip is often a feeling, not a fact.
The blind spot: we know less than we think
Control does not begin with dashboards, CMDBs or contract registers. Control begins with a simple, but confronting question: “Do we actually know what we have?”
Not in abstraction and mandatory reports, but concretely:
- Where is our data really located?
- Under which legal regime does it fall?
- Who can access it - directly and indirectly?
- Which sub-suppliers are hidden in our chain?
- Do we have a clear picture of where the risks are?
- And what choices do we make for those risks - accept or mitigate?
Most organizations only discover their dependencies when something goes wrong. And by then it is often too late, or it comes at the expense of business results, unnecessary stress and value.
The U.S. CLOUD Act is a good example of this. Under certain conditions, U.S. authorities can demand access to data held by American tech companies - regardless of where that data is physically located.
This means cloud choices are no longer just technical choices, but choices about sovereignty, autonomy and board-level responsibility.
From implicit to explicit: the core of real control
As long as dependencies remain implicit, control is an illusion. Real control requires the opposite: radical explicitness.
- Making the full chain visible - including sub-suppliers no one has ever spoken to
- Insight into the digital location and access rights - who can do what, where and why
- Architecture principles that safeguard freedom of choice - not building on lock-in
- Designing exit strategies before they are needed - and practising them in practice, because you do not want to experience a situation together for the first time under stress
- Weighing technological choices at board level - not only in operations
This is not a technical exercise. This is leadership.
Control is not isolation, but conscious dependency
A persistent misconception: that autonomy means you have to do everything yourself. Nonsense.
Autonomy is not about isolation, but about conscious dependency. About knowing what you outsource, why you do so and what the consequences are. About retaining the ability to change course - without a supplier dictating your strategy.
An organization that is in control works together from knowledge, freedom of choice and agility. Not from dependency and hope.
Read in Dutch