Digital Sovereignty 2026: Some Assembly Required

By Janus Boye

Digital sovereignty has moved from slogan to strategy. In 2026, it is no longer about abstract positioning, but about deliberate choices in procurement, governance, cost, and collaboration.

Across our government and higher education peer group outside the US, this shift is now visible in day-to-day decisions. The same applies in parts of the private sector, particularly in banking and other regulated industries, where questions of control, risk, and compliance are already shaping technology choices.

The practical challenge is replacing dependency with sustainable control. That does not come from isolation, but from more deliberate procurement and management decisions across platforms, vendors, and internal teams. These choices increasingly involve trade-offs between cost, capability, and control.

In a recent member call, Mathias Bolt Lesniak, Project Ambassador at TYPO3, and Jeffrey “Jam” McGuire, Partner at Open Strategy Partners, explored what it takes to turn principle into practice. Drawing on their experience across open source, public sector technology, and digital strategy, they described digital sovereignty as something assembled over time through a series of decisions.

This builds on last year’s conversation about bringing data back to Europe. Even then, both speakers made it clear that data location alone is not enough. The past year has confirmed that in practice.

The current focus on digital sovereignty is a response to how most organisations have built their digital landscapes over the past decade. Dependencies did not appear overnight. They were created through a series of reasonable decisions to move faster, reduce complexity, and operate under constant pressure to reduce costs.

Over time, those decisions accumulated into something harder to control, and in some cases the consequences have been difficult to ignore.

A widely shared example from 2025: access to email infrastructure can be influenced outside the organisation’s control.

The convenience trap and its consequences

To understand the current situation, it helps to look at how these environments were built. For more than a decade, many organisations optimised for speed, simplicity, and cost. Procurement became easier, onboarding faster, and systems more integrated. A credit card and a login were often enough to get started. These choices were not accidental. They reflected constant pressure to deliver quickly while keeping budgets under control.

Over time, this shaped how digital landscapes were built. Solutions were selected because they worked immediately, reduced operational complexity, and could be justified on cost. The result was a gradual shift towards externally managed services, bundled platforms, and standardised tooling, often with limited visibility into how they actually operated.

A slide from the member call, which some might also remember from the 2024 call on the topic.

This is what was described in the session as a convenience trap. Decisions that made sense in isolation accumulated into a structure that is now difficult to change. Dependencies formed around a small number of providers. Data flows became harder to trace. The ability to respond when conditions change became constrained by contractual and technical lock-in.

The consequences are now becoming more visible. Pricing models shift. Service conditions change. Access can become conditional in ways that organisations cannot influence. These are not isolated incidents, but outcomes of how control is organised across the ecosystem.

This is where the discussion often stops. Organisations recognise the dependency, but still frame the problem primarily in terms of data: where it is stored, and who can access it. The limitation of that view is now becoming clear.

Digital sovereignty is not just about data

Focusing on data is a natural starting point. Questions about location, access, and jurisdiction are visible, measurable, and often tied to regulatory requirements. They are also easier to address in isolation, for example through hosting decisions or contractual safeguards.

The discussion in the session makes a broader point. Data sovereignty addresses where data sits and who can access it. Digital governance addresses how systems are operated, how decisions are made, and how control is exercised across infrastructure. Without governance, data sovereignty remains partial.

In practice, this distinction becomes visible when organisations attempt to respond to change. Knowing where data is stored does not necessarily provide influence over how services behave, how vendors prioritise changes, or how dependencies evolve over time. Control is shaped by operating models, contracts, and the ability to intervene, not only by location.

This shifts responsibility beyond infrastructure teams. Procurement defines what is possible. Leadership defines priorities. Governance structures determine how decisions are made and enforced. Digital sovereignty, in this sense, depends as much on organisational capability as on technical architecture.

Dependence as a structural risk

The concentration of digital infrastructure around a small number of providers is not new, but its implications are becoming clearer. Many organisations rely on the same platforms for communication, storage, and core operational services. This creates efficiency, but also introduces structural risk.

The asymmetry is difficult to avoid. Organisations depend on platforms, while platforms do not depend on any single organisation. This limits the ability to influence pricing, service conditions, or strategic direction. Changes introduced by providers can propagate quickly across entire sectors.

This is not primarily a technical issue. It is a consequence of how ecosystems are structured. Decisions about procurement, standardisation, and outsourcing have gradually concentrated both capability and control outside the organisation.

Reducing this dependency does not mean eliminating it. It means understanding where it matters, and how it can be managed over time.

Sovereignty without isolation: why open source changes the model

Discussions about digital sovereignty often raise concerns about isolation. Efforts to regain control can be interpreted as attempts to withdraw from global ecosystems or to replace one dominant provider with another.

The session offered a different perspective. Open source provides a model where independence and cooperation are not in tension. Transparency allows organisations to understand and adapt systems, while shared development distributes effort across communities rather than concentrating it in a single vendor.

This changes the structure of the ecosystem. Instead of relying on closed systems controlled by individual providers, organisations participate in shared platforms where both responsibility and capability are distributed. Control becomes a function of visibility and participation rather than ownership.

Adopting open source therefore introduces a different relationship between organisations and the systems they use. Instead of acting solely as buyers, organisations can influence the direction of the tools they depend on. This influence may take the form of contributions, funding, feedback, or participation in governance structures.

Participation is not limited to developers. Product owners, procurement teams, and business stakeholders all shape how systems evolve. The strength of the ecosystem depends on the diversity and continuity of that participation.

Over time, this creates resilience. Improvements are shared. Knowledge is distributed. Dependency on individual vendors is reduced. Control becomes tied to the health of the ecosystem rather than to contractual ownership of a product.

The implications are not only technical. Open source shifts where capability develops and where economic value accumulates. It supports local ecosystems of suppliers, contributors, and users, while remaining connected to international collaboration.

This is also where long-term capability becomes critical. Building and sustaining participation requires investment, continuity, and organisational commitment, often in tension with short-term delivery pressures. Sovereignty, in this sense, emerges through networks rather than through isolation.

Procurement is where sovereignty becomes real

While architecture and tooling are visible expressions of digital strategy, the underlying decisions are often made earlier. Procurement determines which systems are selected, which vendors are engaged, and which constraints are accepted. It is also where trade-offs between cost, control, and capability are made explicit.

Reframing procurement therefore becomes central to digital sovereignty. This involves shifting the starting point of conversations with suppliers. Instead of focusing primarily on features and pricing, organisations need to begin with questions of control and independence.

In the session, Jam emphasised a set of practical questions to reframe these conversations:

  • What sovereignty capabilities can suppliers actually provide?

  • Are dependencies, integrations, and data flows transparent and documented?

  • Do suppliers support long-term control, not just short-term delivery?

  • Can the organisation operate and adapt the system independently if needed?

These questions move procurement from selecting solutions to evaluating how control is structured over time.

It also changes how relationships with suppliers are evaluated. Short-term alignment on delivery is no longer sufficient. Organisations need to understand whether suppliers share long-term concerns about control and sustainability, and whether they are able to contribute to reducing dependency rather than reinforcing it.

Some organisations are beginning to formalise this through sovereignty-related requirements in tenders and evaluations. This can include expectations around transparency, auditability, and the ability to operate systems independently where needed. These are not additional constraints layered on top of procurement, but part of redefining what “fit for purpose” means.

Examples from public sector procurement, including in the UK, illustrate how these choices can reshape entire ecosystems. Opening contracts to a broader range of suppliers and prioritising open solutions can redistribute both opportunity and capability. Over time, this reduces concentration and increases resilience.

Procurement, in this context, becomes a strategic instrument rather than a transactional function.

Organising for sovereignty inside the organisation

External choices need to be matched by internal alignment. Moving towards greater control requires coordination across procurement, IT, leadership, and business functions. Each of these areas influences how decisions are made and how systems are operated.

The session outlined a sequence of steps: identifying partners, assessing current dependencies, defining requirements, supporting selected solutions, educating the organisation, and managing change over time. None of these steps are complex in isolation, but they require consistency and commitment.

Digital sovereignty does not emerge from a single initiative. It develops through the accumulation of decisions and the alignment of responsibilities across the organisation.

Pragmatism over perfection

A recurring tension in the discussion is the gap between ideal solutions and available alternatives. Fully sovereign systems are difficult to achieve, particularly for organisations operating within global ecosystems.

The practical approach is incremental. Each decision can move an organisation towards greater control, even if it does not eliminate dependency entirely. This requires accepting trade-offs and balancing short-term constraints with long-term objectives.

Perspectives from other regions, including Canada, underline this reality. Sovereignty involves trade-offs between independence, capability, and cost. It is not an absolute state, but a direction shaped by priorities and constraints.

The conversation continues

Digital sovereignty is no longer an abstract ambition. It is shaped by everyday decisions about systems, vendors, and priorities.

The tools already exist. Open source ecosystems, procurement frameworks, and governance models provide viable paths forward. At the same time, the constraints are real. Cost, capability, and organisational complexity continue to shape what is possible.

What is emerging is a more pragmatic approach. Not everything needs to be sovereign, but some things clearly do. The challenge is knowing where control matters most, and making deliberate choices accordingly.

If reading and being a part of an online call is not enough, you’re very welcome to join us more actively. Our community is built around learning together, comparing notes, and exploring how theory meets practice across roles, industries and regions.

However you choose to engage, we’re glad you’re here and part of the journey.