Digital sovereignty - a personal view by Dietmar Wiesinger

1. Sovereignty is not self-sufficiency

What strikes me in conversations with many managers is that many associate digital sovereignty with the image of complete independence - technologically, organisationally and economically. But this idea is dangerously misleading. Ultimately, we must not fall prey to the misconception that sovereignty means self-sufficiency. Self-sufficiency is more of a myth than an achievable goal because the global digital ecosystems are extremely intertwined. On many levels - from infrastructure to cloud platforms to AI components - there are few European alternatives worth mentioning. We must honestly recognise this reality.

Digital sovereignty therefore does not mean doing everything ourselves or owning all the technologies ourselves. Rather, it means consciously shaping and understanding dependencies and reducing them where it is strategically important.

2. Consciously analysing risks - not just "keeping data local"

A recurring mistake is the assumption that data is automatically secure if it is "in your own data centre". This is too short-sighted: sovereignty does not depend on the storage location, but on control and governance. Just leaving data in a compartmentalised chamber does not mean that you are sovereign in the face of cyber threats or regulatory requirements. Rather, we need to understand what data is critical, how it is used and how its use can be tracked and controlled.

Every organisation, whether large or small, must therefore carry out a deep risk and threat analysis - and then define clear measures to deal with these risks. In doing so, it may well make sense to work with trusted partners who provide expertise and infrastructure that cannot be mapped internally in this depth.

3. Define protection requirements and company context

Digital sovereignty is not a one-size-fits-all product that is the same for all companies. What is essential for an operator of critical infrastructure may be oversized for a service provider with lower risks. Classifying what is really critical is therefore a key point. Data is worth protecting in different ways, processes are business-critical in different ways. This differentiation should be at the beginning of every sovereignty strategy.

4. Don't isolate Europe - use it smartly

One topic that is particularly close to my heart is Europe's role in the global technology environment. It is an illusion to believe that Europe can build the entire technology stack - such as large AI models - without cooperating with global players. Instead, I see the opportunity in positioning Europe as an "application world champion": If European companies use AI and other digital technologies in a targeted way to create real productivity and competitive advantages, this will strengthen both their market position and Europe as a technology location.

I am convinced that specialised models and applications in particular - where specific industry or domain knowledge is required - can be an area in which Europe can achieve great impact with less effort.

5. Concrete steps to strengthen digital sovereignty

In conclusion, I would like to share three practical recommendations that apply to companies of all sizes:

• Systematic risk analysis: determine your own risk and threat profile, not just theoretically, but along your actual business processes.
• Data and process classification: Not all data is equally important - classify and protect according to criticality, not just storage location.
• Conscious selection of partners: Rely on the expertise of external specialists where you cannot map the depth internally - this is a key factor, especially in the area of security and governance.

For me, digital sovereignty is not a place that you reach, but a process that you shape - with a clear focus on risk, benefit and strategic control.

Digital sovereignty in practice - concrete examples from everyday business life

The discussion surrounding digital sovereignty often remains at the conceptual level. In practice, however, it very quickly becomes clear that very specific decisions and considerations are involved. From my experience, I can recognise typical use cases that illustrate how digital sovereignty can actually be put into practice.

Example 1: Controlled cloud use instead of "all or nothing"

A medium-sized production company was faced with the decision of whether to outsource sensitive operating and development data to the cloud. The original impulse was to operate everything exclusively on-premises for security reasons. However, the analysis showed that not all data had the same protection requirements.

In practice, a hybrid model was implemented:
Business-critical design data remained in a highly secure environment with clear access rules, while less critical workloads were deliberately operated in a cloud environment. The decisive factor was not the storage location, but transparent control over who accesses which data, how it is processed and which exit scenarios exist. This is where digital sovereignty begins.

Example 2: Data classification as the basis for sovereignty

A service company had formally high security standards, but treated almost all data in the same way. This led to unnecessary complexity, high costs and slow processes. Together, a data and process classification was first carried out.

The result:
Only a small proportion of the data was actually highly critical. This differentiation meant that protective measures could be used in a targeted manner without blocking innovation. Digital sovereignty was not demonstrated here through maximum compartmentalisation, but through clear prioritisation and conscious control.

Example 3: AI deployment with clear governance

A company wanted to use AI tools to increase efficiency, particularly in knowledge management and customer service. There was great concern that sensitive information could end up in external systems in an uncontrolled manner.

The solution was not to ban AI, but to define clear governance rules:
Which data may be used?
Which models are permitted?
How is access documented?

These rules enabled AI to be used productively without losing control over data and processes. In this case, digital sovereignty meant enabling innovation without taking blind risks.

Example 4: Managing conscious dependencies

An international company was heavily dependent on individual technology providers without realising it. Only a structured analysis revealed where real dependencies existed and where alternatives were possible.

In practice, exit strategies, contractual clauses and technical alternatives were defined - not with the aim of switching immediately, but in order to remain capable of acting. Sovereignty is demonstrated precisely in this ability: not having to avoid every dependency, but being able to understand and control every dependency.

Example 5: Collaboration with specialised partners

Many companies reach their limits internally, particularly in the area of security and compliance. One company made a conscious decision not to map everything itself, but to work with specialised partners.

In this case, digital sovereignty did not mean a loss of control, but rather the opposite:
Thanks to clear roles, transparent processes and defined responsibilities, strategic control remained within the company, while operational excellence was supplemented externally.

What these examples show

Digital sovereignty is not created through ideological decisions or rigid principles. It is created through:

• conscious risk assessment
• clear classification of data and processes
• controlled use of external technologies
• transparent governance instead of blanket bans

In practice, the aim is not to be as independent as possible, but to remain as capable of acting as possible - today and in the future.