By: Christiaan Ottow, CTO,
and Rob Berends, Sr. Cyber Risk Consultant
Published: 30 October 2025

How can European organisations become more independent, more autonomous, from foreign technology suppliers?

Recent developments such as the Microsoft email controversy with the International Criminal Court (ICC), the investigation into Chinese-made solar inverters with secret data transmitters, and shifts in global political alliances have ushered the topic of digital sovereignty to the forefront of conversations in Europe.

Often, organisations are urged to simply “cut the cord” with US hyperscalers or shift to solely EU-made tech. Easily said, but far less easily achieved and (more importantly) not entirely without incurring additional risks. Yet, there are steps organisations can start taking today to become more autonomous in their technology decision-making and less reliant on non-EU suppliers. Here’s a practical look at the possibilities and how they can lead to greater digital autonomy and digital sovereignty in Europe.

How Does Digital Autonomy Benefit Organisations?

At its heart, autonomy supposes the existence of another party (a foreign government, a governing power or even a supplier) whose interests may, at any time, diverge from your organisation’s interests. It boils down to the ability to maintain three core pillars:

  • Agency: The capacity to do what you want with your systems and data, and critically, the ability to prevent what you don't want. This is about maintaining control over operational decisions.
  • Resilience: The ability to recover, adapt, and restore. If a system breaks or is unilaterally shut down by a supplier, you must have the means to fix it or transition to an alternative solution without external dependency.
  • Security: The power to control access to your information. This is ensuring that only authorised parties, parties that you have full control over, can view, modify or process your sensitive data.

However, we must acknowledge that full autonomy is an impossible goal. As long as your organisation relies on external suppliers for hardware, software, or services, whether they are US hyperscalers, emerging European providers, or even national suppliers, you are never 100% autonomous. Therefore, the goal is not to eliminate your organisation’s digital dependence. Rather, it is a strategic and conscious decision to reduce your risks by diversifying your suppliers.

What Does Digital Autonomy Mean in the Cloud Era?

The main discussion point in the current geopolitical landscape revolves around services and solutions offered through cloud computing. In the current day and age, cloud computing has taken many forms but generally boils down to three main types of technology stacks: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The level of autonomy an organisation maintains is directly related to the layer of the technology stack they choose to operate on:

  • IaaS: At this layer, which includes virtual machines, storage, networking etc., you control the operating system, the applications, and the data. Your autonomy is relatively high compared to PaaS and SaaS, but nowhere near the autonomy of an on-premise solution. If a provider shuts down, the data is often relatively easy to extract and move, and the compute environment can be replicated on another service.
  • PaaS: With PaaS, the provider controls the operating system, middleware, and database and container services. While you control the application code and data, migrating to a new PaaS provider is much more complex, often requiring significant refactoring of your applications due to proprietary APIs and architecture.
  • SaaS: This layer offers the lowest autonomy. The provider controls the entire stack, from infrastructure to application logic. The customer only controls the data and configuration. Vendor lock-in is maximal, and data extraction/migration is most likely dependent on the provider's willingness and ability to export it in a usable format. Furthermore, the functionality of different solutions might differ, impacting processes and workflows.

So as the level of abstraction and convenience provided by the vendor increases, your organisation's digital autonomy systematically declines. While IaaS preserves maximum control over the essential software and data, the convenience of PaaS and the integrated nature of SaaS come at the cost of deep vendor dependency and increasingly high migration barriers.

Throughout the rest of this article we’ll often refer to the US when we discuss threats to digital autonomy. This is primarily because the online services that we all love and use in IaaS, PaaS and SaaS are mostly provided by US-based companies. Furthermore, the attitude of the US government towards international collaboration has changed drastically with the start of the current administration, and this magnifies some dormant threats. Keep in mind that some countries pose significantly higher risks than the US when it comes to using online services. That said, it's unlikely you're relying on providers from those regions.

Once an organisation understands how little autonomy it truly has across its cloud stack, the next question is: what is the danger in this? The answer lies in a set of emerging threats that extend beyond technology.

What Threatens an Organisation’s Digital Autonomy Today?

In the context of the current geopolitical tensions, we have identified four current threats to the control, or independence, an organisation has within its digital environment. 

1. The "Red Button"

This is the power of a provider to unilaterally stop a service or deny access without customer consent. Such power is often embedded in standard service contracts and can become weaponised in political and legal disputes. Recent examples are rare, but it has become a scenario to be wary of. Whereas previously a supplier didn’t often have reason to suspend service for a customer, we now see political motivations come into play when governments pressure suppliers to enforce political decisions on their customers. This is a concern when your supplier operates under a different jurisdiction than your own, especially when those governments are in conflict or have opposing political agendas.

2. Confidentiality Compromise

This threat refers to foreign government entities gaining access to data stored on vendor systems without the knowledge or consent of the European data owner. Within the US, there are several laws that can be used for this:

These US laws and regulations directly undermine any European effort to legally secure data stored with US-based cloud vendors. These US legislative tools allow the US government to compel a vendor to provide access to data, often secretly and regardless of where the data is physically stored in Europe, which fundamentally bypasses the stringent legal protections and contractual obligations expected under EU law. This inherent conflict creates a legal and security gap, rendering European contractual and regulatory efforts effectively nullified by the overriding legal authority of the US government over its own corporate entities.

3. Public Image and Perception

For governments, public institutions, and organisations that serve them, the continued use of US hyperscalers presents a public image risk. As the narrative of European sovereignty grows stronger, reliance on foreign-controlled public cloud platforms can be perceived as a security and sovereignty failure, potentially leading to reputational damage and reduced public trust. This is driving a clear policy shift away from public cloud for sensitive government operations across Europe.

4. Monopoly-Driven Costs

The dominance of a few US tech giants in the cloud and enterprise software markets creates a monopoly or oligopoly environment, allowing vendors to maximise profits by leveraging vendor lock-in. For example, the recent acquisition of VMware by Broadcom introduced drastic changes to the VMware licensing model. Enterprises dependent on VMware's virtualisation technology were hit with steep increases in their service costs and service restructuring. These pricing decisions are not based on market competition but on exploiting customer dependence, turning dependence into a direct and unpredictable financial burden.

Northwave's view on the road ahead

Given these threats and realities, the following points should be considered:

  • The current, heavy dependence on US hyperscalers is both strategically and economically undesirable for Europe.
  • There are robust, competitive alternatives readily available in the IaaS layer, offering viable paths for diversification.
  • There are "almost-as-good-as" alternatives in the PaaS layer that can be leveraged with strategic planning and development effort.
  • There are currently no serious, functionally equivalent alternatives to major SaaS solutions like Microsoft 365 that are mature enough for mass enterprise adoption.

With an understanding that reliance on US hyperscalers is not merely an operational concern, but a strategic risk requiring an immediate, structured response, the next step is to take action.

So, now what?

In part two of this blog series, we will outline a step-by-step process, providing practical guidance on how to prepare and act on the threats to digital autonomy. 
