For too long, digital sovereignty has been confined to a geopolitical debate within senior management, based on the idea that compliance with local regulations would hamper global innovation. In 2026, that debate must give way to operational reality. For CISOs and managers, sovereignty is no longer just a legal constraint or a technology purchasing criterion: it has become the main driver of the modernization of infrastructure and public investments.
From data protection to a real industrial strategy
Until five years ago, sovereignty was above all a question of confidentiality and protection of personal data, embodied by the General Data Protection Regulation (GDPR). Today, it brings to life a clear strategy for critical infrastructure. Europe is moving from protecting personal data to preserving the fundamentals of its digital economy.
Far from being simple compliance checklists, regulations such as the NIS2 Directive and the Cyber Resilience Act (CRA) dictate the imperatives of operational autonomy and organizational resilience. They require critical infrastructure operators to demonstrate that they can guarantee business continuity, protect their supply chains and manage risks, regardless of external geopolitical tensions.
The recent EU Cyber Solidarity Act explicitly aims to build a “European cyber shield”. Beyond defining a legal framework, this regulation establishes the principles of an architecture that brings together a network of security operations centers (SOCs) across the continent, thus marking a transition from passive compliance to a dynamic of collective defense.
Anticipating the next wave: DNA, CSA2 and other industrial policy
The most informed players are already anticipating the sovereignty requirements that new regulations such as the Digital Networks Act (DNA) and the revision of the Cybersecurity Act (CSA2) are preparing. DNA marks a major overhaul of infrastructure. By forcing the abandonment of traditional copper wired networks in favor of infrastructure based on 5G (and 6G) and optical fiber, it is driving demand for cybersecurity solutions capable of thwarting increasingly complex cyberattacks without compromising performance. At the same time, CSA2 strengthens the control of supply chains in all critical sectors, with an increased requirement for transparency on the management of infrastructure, systems, data and their location.
This new regulatory impetus is driven by the Digital Europe 2025-2027 program, confirming that sovereignty is part of an industrial strategy supported by billions in public and private capital. Europe is no longer content with regulating foreign technologies; it is now financing the development of local capacities. Already, decision-makers are organizing into consortia to access these funds, developing “sovereign cloud” platforms which combine data residency in Europe and global security monitoring.
The trillion-euro opportunity
Behind the scenes of compliance lies an often overlooked reality: sovereignty is driving a massive influx of capital into the market, with European investments in technology expected to exceed €1.5 trillion in the years to come.
This capital will not just be used to build walls, but rather to strengthen capabilities, particularly in areas such as next-generation edge computing, AI-powered threat detection and resilient connectivity.
For leaders, this radically changes the situation. Sovereignty requirements are no longer an obstacle to the deployment of global operations; they become an opportunity to modernize obsolete architectures, supported by public impetus.
Navigating between soft and hard sovereignty as a global actor
We must be honest about the challenges to be met: while security and resilience are framed by strict laws, there is also a layer of so-called “soft” regulations which can favor local anchoring to the detriment of technical capabilities. These include preferences in matters of public procurement, certification schemes such as EUCS (European Union Cybersecurity Certification Scheme for Cloud Services), and national directives in France and Switzerland, for example.
However, in public or private critical national infrastructures, total isolation is neither realistic nor secure. The most mature organizations favor a risk-based approach rather than a radical choice. They distinguish three areas of sovereignty:
- Data sovereignty: ensuring data is stored in specific jurisdictions (e.g. data centers located in the EU), with control over access and usage.
- Sovereignty of operations: ensuring that the fundamentals of the systems (encryption keys, administrative access, critical collaborators) can be isolated, if necessary, from any extraterritorial interference.
- Technological sovereignty: using the best global technologies while ensuring transparency, verification and control of dependencies in the supply chain.
The choice of technologies must be guided by an objective of resilience of the business function or the organization that uses them. Can we control access to encryption keys? Does the security ecosystem remain operational in the event of a crisis and can it be switched to a third-party provider? Does the organization have the capacity to detect and respond to threats and recover quickly following an incident? Does operating on a global scale encourage investment in ongoing innovation? All these engineering questions require concrete and lasting answers.
Moving forward on the strategic path of security
Sovereignty is established over the long term and, contrary to popular belief, it is not a hindrance: rather, it encourages the building of more resilient, distributed and reliable digital infrastructures. The actors who succeed will be those who free themselves from preconceived ideas regarding the supposed constraints imposed by sovereignty. They will be able to capitalize on what has been learned and will collaborate with innovative and reliable partners to secure the functioning of our economies. To defend against AI-powered threats, local control of data remains essential, as does continued collaboration with public and private entities globally.


