The urgency for digital sovereignty
“The greatest danger in times of turbulence is not the turbulence; it is to act with yesterday’s logic.”
— Peter Drucker
The institutional order built after 1945 is fraying. I did not expect to be writing in 2026 about digital infrastructure as a matter of national security, yet the critical systems of Western democracies now sit concentrated in foreign jurisdictions—vulnerable precisely when stability matters most.
It seems to me that digital sovereignty has moved quickly from a legal abstraction to a practical necessity. States, and the societies they serve, can no longer afford to ignore who controls their infrastructure.
The foundation: data sovereignty
At the core of digital sovereignty is data sovereignty: the principle that data is subject to the laws of the jurisdiction where it originates or is processed. This is distinct from physical location: a country can assert legal authority over its citizens’ data even if it sits on servers in Dublin or Virginia, as the EU does under the GDPR.
For decades, this arrangement rested on trust. The largest technology companies were built in the United States, and governments in Europe, Canada, and elsewhere accepted this reality—assuming that transatlantic partnerships would ensure reliability, stability, and legal alignment. The U.S. favoured global data flows, while Europe treated data protection as a fundamental right. The balance worked as long as those partnerships remained durable.
How did we get here?
American technological dominance was not accidental. Silicon Valley emerged from decades of U.S. defense spending, public research funding, and a regulatory environment that favoured rapid experimentation and growth at massive scale. Over time, U.S. companies came to define global standards: operating systems, cloud infrastructure, productivity software.
Europe and other parts of the world adopted American technology out of pragmatism. It worked. It was cheaper than building domestic alternatives. The economies of scale were impossible to match. Canada—geographically, economically, and institutionally intertwined with the United States—had even fewer incentives to build parallel systems. Why spend billions recreating AWS when you could simply use it?
This arrangement made sense as long as Western democracies appeared permanently aligned.
Things fall apart
In recent years, those assumptions have weakened. Trade tensions, strained intelligence-sharing arrangements, withdrawal from multilateral frameworks, and rising volatility in U.S. politics and foreign policy have altered the landscape. The regulatory architecture governing data flows—Privacy Shield, adequacy decisions, bilateral agreements—was designed for a world that no longer exists.
2026 started with high‑profile international events — including military action in Venezuela and rhetoric over territorial claims in Greenland — have highlighted how quickly geopolitical assumptions can shift, even among long‑standing partners. These events do not by themselves define future trajectories, but they underscore the central point I’m trying to make: we must build technological infrastructure that can withstand more than technical failure modes, but also rapid geopolitical change.
The vulnerability now appears mainly in two ways:
- Surveillance. Section 702 of FISA authorizes the NSA to access foreign data transiting U.S. infrastructure without a warrant. European data, government communications, and critical infrastructure information can be swept into a foreign intelligence apparatus whose authorities shift with each election cycle.
- Access limitations. The United States, could compel American technology companies to stop serving specific nations. Gmail inaccessible. AWS shut down. Microsoft 365 suspended. A decision in Washington could disrupt government operations, healthcare systems, and private-sector activity within hours. Although unlikely, it is not impossible: dependence on foreign infrastructure is leverage. What once seemed unthinkable is now plausible.
Dependency != Collaboration
Cooperation between democracies remains essential, but dependency is not the same as collaboration. Strategic autonomy requires systems that function even when partners reverse course. Intelligence agencies must operate when diplomatic relations sour. Healthcare must continue when cloud providers receive conflicting directives. Fundamental rights cannot hinge on another nation’s political stability.
Lessons from recent history
COVID-19 exposed what happens when critical resources are concentrated in a single jurisdiction. Western nations suddenly discovered that medical supply chains were dependent on Chinese manufacturing. Masks, ventilators, PPE—once abundant—became scarce.
Russia’s weaponization of gas dependency revealed the same dynamic: economic interdependence can be repurposed as political leverage. Pipelines that once symbolized shared prosperity became instruments of coercion.
More recently, rumours that American military aircraft might contain remote “killswitches” prompted European governments to reconsider procurement plans—concerned that advanced fighter jets could be rendered inoperable by a foreign power in a time of conflict. The rumors are almost certainly false, but plausibility alone is enough to raise strategic concern.
Digital infrastructure follows the same pattern. For example, when European healthcare systems run on AWS, intelligence workflows on Microsoft infrastructure, government services on Google Cloud—all exposed to surveillance and access denial. Decisions made abroad could disrupt essential operations overnight.
The cost of inaction
Supply chains for N95 masks can be rebuilt in months. Energy suppliers can be diversified in years. Military procurement can redirect over a decade. Digital infrastructure is different. It is deeply layered, slow to replace, and grows harder to substitute with each passing year.
Legal frameworks help, but they cannot fully substitute for direct control over infrastructure. The GDPR asserts European legal authority over data wherever it travels, strengthening privacy protections. The collapse of Privacy Shield reinforced those protections, but also highlighted a different reality: when critical systems sit outside domestic jurisdiction, legal safeguards cannot guarantee operational continuity. Political compromise can address some gaps, but cannot fully remove the underlying dependency risk.
Maintaining cooperation while preparing
Europe’s sovereign cloud initiatives—Gaia-X and various national projects—face the challenge of coordinating 27 member states with divergent priorities while remaining cost-competitive. Canada faces different constraints: trade agreements restrict data localization, the recent inability to keep high-skilled migrants in the country, and economic integration creates dependencies that are slow to unwind.
The core problem is timing. Building resilient infrastructure requires sustained multi-year investment while global competitors offer immediate, cheaper solutions. Sovereignty costs manifest now; dependency costs remain theoretical until they materialize abruptly. This asymmetry explains why inertia persists despite the risk. I like to believe that some countries, especially in Europe, are starting to wake up to this realization, but they have a long way to go.
Designing for continuity
The age of naive optimism is over. Democratic nations must prepare for scenarios previously unthinkable: alliances fracturing, partners becoming unreliable, frameworks collapsing. Collaboration remains crucial, but essential functions must remain operational even when cooperation falters.
For us in tech, the message is clear: build systems that respect sovereignty without sacrificing interoperability. Open standards, federated architectures, encryption, portability—these are foundational requirements for infrastructure that can withstand shifts in political alignment.