Sovereignty: ability to act

Jeroen de Korte & Kim van Wilgen
March 27, 2026 · 3 min read

For years, organizations have optimized for maximum efficiency. Operating models such as just-in-time thrived because the world was largely predictable. Stable geopolitical, legal, and technological conditions allowed enterprises to design tightly integrated organizations, supply chains, and IT systems around known constants. Efficiency rewarded deep dependencies.

That predictability is gone. The assumptions that once made efficiency safe are eroding fast. Sovereignty, digital resilience, cybersecurity, regulatory fragmentation, and systemic IT risk have moved from operational concerns to strategic risks that now surface regularly in boardrooms. Even the legal and societal frameworks enterprises rely on only provide protection as long as they function as intended.

The longer critical dependencies remain invisible and untested, the more costly, and in some cases impossible, it becomes to regain the ability to act under pressure.

The operating environment is changing faster than traditional structures can adapt. Leading organizations must now design for uncertainty rather than stability. This requires architectures (organizational, operational, legal, and technological) that can absorb shocks and adapt to externally imposed change. That makes this not just an IT discussion but an enterprise-wide one. We have to design for just-in-case.

In this context, sovereignty has emerged as the new measure of being in control.

In a world where digital systems shape economic, political, and operational power, sovereignty determines one thing above all: the ability to act when circumstances change. It is no longer primarily a matter of jurisdiction but a matter of judgment. The ability to act autonomously, whether to exit a provider, adapt to new regulation, or withstand geopolitical pressure, has become a defining test.

The question is: Can we still run our business tomorrow if the laws, platforms, or partners we depend on change suddenly, or if their trajectory forces decisions on a timeline not of our choosing?

Major studies show sovereignty is rising sharply on the agenda for European enterprises. Capgemini reports that 71% of organizations expect digital sovereignty to become significantly more important in the next three years, and more than half plan to integrate sovereignty requirements into their cloud strategy within the coming year.

According to Gartner’s 2026 Strategic Technology Trends report, by 2030 more than 75% of enterprises in Europe and the Middle East are expected to have moved (‘geopatriated’) their virtual workloads to sovereign or regional-cloud environments, reflecting growing emphasis on digital sovereignty, compliance, and trust.

IDC’s global sovereignty survey finds that 37% of organizations already use sovereign cloud solutions and another 44% plan to adopt them soon, reflecting growing pressure to address regulatory, geopolitical, and digital-trust concerns.

Public authorities are now issuing similar warnings. In January 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) formally cautioned the national government that the continuity of vital public processes is increasingly at risk due to excessive dependence on a small number of non-European cloud and ICT providers. According to the Authority, this concentration creates a tangible threat to availability, integrity, and data protection, with the potential to trigger large-scale societal and economic disruption if services are interrupted. Oversight findings show that critical systems lack sufficient resilience against prolonged outages, while geopolitical developments have turned digital dependency into a strategic, no longer theoretical, risk. The Authority concludes that existing measures are insufficient and warns that, under severe disruption, core state functions could effectively “grind to a halt.”

Forrester’s 2026 European predictions indicate that, despite rising interest in digital sovereignty, European enterprises are unlikely to eliminate reliance on U.S. hyperscalers by 2026. McKinsey finds that organizations that intentionally strengthen resilience across financial, operational, organizational, and external dimensions are better positioned to navigate uncertainty and turn disruption into competitive advantage. As markets evolve, sovereignty and openness are increasingly emerging as strategic factors that may influence how companies are evaluated in the future.

For us, sovereignty is an operating principle shaped by this reality and years of experience. We plan, build, and run mission-critical systems so the organization retains the ability to act when conditions change. That means reducing unexamined dependencies and ensuring the enterprise can continue to decide, adapt, and operate under constraint. In that sense, sovereignty is not about isolation or ownership, but about maintaining control when predictability can no longer be assumed.

From compliance to control

Sovereignty first entered the enterprise vocabulary through compliance frameworks like GDPR, DORA, NIS2, and the Data Act. These built essential awareness, but they only defined the floor, not the ceiling. We believe sovereignty, or the ability to act, cannot merely be certified; it must be engineered. Regulation tells you what to protect. Engineering determines how to keep the ability to act when foundations weaken. Compliance provides assurance on paper; engineering builds the ability to act in practice.

As with operational resilience, the difference is philosophical. Control is not achieved by following rules or ticking boxes, but by building systems that can stand on their own when those ‘rules’ change.

From our experience, dependency always begins with untested assumptions like jurisdiction, access, or continuity. Our design philosophy is to expose and test those assumptions before the world does.

Across Europe, we see what we call sovereignty fever. In pursuit of independence, some organizations aim for absolute control by building isolated “local-only” clouds that trade flexibility for narrow safety, shielding primarily against geopolitical risk while increasing concentration risk and dependence on a single supplier. Deloitte’s analysis shows that digital sovereignty efforts often introduce significant organizational and technical complexity. Many companies discover that achieving true sovereignty requires navigating multiple layers of control across data, infrastructure, software, and operations, demanding clearer decision-making and more mature governance than initially expected.

Academic research shows that Europe remains highly dependent on non-European infrastructure, with more than 80% of its data hosted abroad, underscoring why sovereignty initiatives are accelerating across sectors.

Market analysis shows rapid growth in the sovereign-cloud market, valued at USD 96 bn in 2024 and projected to exceed USD 600 bn by 2033, indicating strong demand for architectures that balance compliance, control, and operational resilience.

Accenture’s Sovereign Cloud analysis highlights that adopting hybrid and flexible architectures, designed to support data control, portability, and regulatory alignment, helps organizations reduce dependency risks and better manage the complexity and cost of cloud transitions.

Sovereignty, then, is not about exclusion. It is about readiness, which is the ability to adapt when external conditions shift. It is not about locking systems down but ensuring you can unlock them when needed.

This is what we call sustainable sovereignty: control through adaptability, not isolation.

Engineering the ability to act

Designing for sovereignty starts with accepting that risk no longer enters the organization only through incidents, but through dependencies that evolve over time. Cloud concentration, licensing shifts, jurisdictional reach, supply-chain fragility, and operational complexity all shape whether an organization can continue to operate, decide, and adapt when conditions change.

To assess and design, organizations can rely on scenario-based analysis combined with deliberate architectural choices (organizational, operational, legal, and technological), translating abstract sovereignty concerns into concrete, plannable outcomes.

The starting point is clarity on what really matters. Sovereignty discussions quickly become unfocused if everything is treated as mission-critical. That is why the first step is to define the mission-critical business processes, or what we call the “crown jewels”. These are the processes whose disruption would have unacceptable operational, economic, or even societal impact. This requires a dialogue on impact over time: what happens if a process is unavailable for an hour, a day, or a week, and which mitigations or recovery capabilities already exist? By anchoring the discussion in business processes rather than underlying systems, sovereignty becomes a question of business continuity and decision-making.

Once the crown jewels are clear, attention shifts to possible strategic sovereignty scenarios. These scenarios do not assume a single failure mode but reflect different ways in which external constraints can be imposed: a cloud provider becoming unavailable in a region, a supplier acquisition changing legal control, new regulatory requirements affecting data access, or societal disruption forcing rapid changes in demand. Each scenario is assessed for its impact on the mission-critical processes, making visible where dependencies, decision bottlenecks, or single points of failure exist, and where they do not exist or the impact is limited.

With impact understood, organizations can make design choices for adaptability. Rather than optimizing for one assumed future, architectural and sourcing decisions are evaluated against the selected scenarios. This includes choices around portability, redundancy, supplier diversity, data location, identity and access control, and operational responsibilities across IT layers.

We treat sovereignty as a full spectrum, with deliberate trade-offs between efficiency, cost, and control, aligned to the organization’s risk appetite and sourcing geography.

These design choices are then mapped explicitly to scenarios, making clear which measures address which risks. This avoids false comfort from controls that only protect against one type of disruption while increasing exposure elsewhere.

Different scenarios place fundamentally different demands on the architecture: a pandemic may primarily require rapid scalability and elastic capacity, while geopolitical disruption is far less about scale and far more about control, portability, and jurisdictional reach. By linking scenarios to concrete architectural measures, organizations can see where they are resilient by design, where capabilities are misaligned with likely stressors, and where dependencies remain concentrated or untested.

Finally, sovereignty is validated in practice through readiness and testing. Scenario walkthroughs, recoverability tests, and portability exercises demonstrate whether assumptions hold under pressure.

This step closes the loop: it shows whether the organization can actually execute decisions, restore critical services, and maintain control when external conditions change. Sovereignty, in this sense, is demonstrated over time through continuous validation and adaptation.


Human-in-the-loop governance

Technology sovereignty requires human sovereignty. Designing for sovereignty brings technical, legal, and operational expertise together: what we call the whole system in the room.

Sovereignty decisions are never made in isolation; they balance regulatory defensibility, operational continuity, and engineering feasibility. This collective accountability ensures that sovereignty remains actionable, not aspirational.

No company is sovereign alone. That’s why we extend control across the value chain, co-designing with partners, suppliers, and cloud providers.

Sovereignty fails when decision-making is centralized in systems that can’t adapt. That’s why readiness must be distributed, embedded across teams, domains, and partners. Finance, HR, and supply-chain functions must all be capable of acting autonomously when digital dependencies fail. Sovereignty is synchronized independence.

Gartner calls this the Era of Controlled Interdependence: no enterprise operates in total isolation, but the most advanced ones manage dependencies with clarity, not complacency.

By 2026, sovereignty dashboards will track:

  • Cloud, data, and jurisdictional dependencies.
  • Reversibility and exit readiness.
  • Recovery timelines and provider exposure.

Once dependencies are visible and reversible, the next test is whether intelligence inside those systems behaves predictably under pressure.

Sovereignty as strategy

Sovereignty is about the full spectrum: organization, business operations, legal, data, technology, and finance. These are all factors that determine whether an organization has the ability to act when unexpected circumstances arise.

Accenture finds that enterprises pursuing sovereign-cloud strategies, emphasizing recoverability, interoperability, and local control, are better able to manage supplier dependence, enhance resilience, and maintain compliance. As organizations adopt sovereignty principles, they report improved agility and stronger control across their cloud environments.

Ultimately, sovereignty determines who sets the pace of change: you, or your dependencies. We see sovereignty and resilience as two sides of the same discipline: control engineered into systems, people, and decisions.

We call this sustainable sovereignty:

  • Reversible by design.
  • Distributed by readiness.
  • Proven by continuous validation.

Because the only form of control that lasts is the one you can continuously prove. That’s why we design for the ability to act by ensuring every potential plan is executable, not theoretical.

We ask:

  • Do you have the skills to handle the exit, the change, and the complexity?
  • Is the scenario realistic given your architecture?
  • Are the legal rights enforceable under stress?
  • Can you recover business continuity while moving?

Every positive answer builds capability; every negative one exposes dependency. This is what we mean by control by design.

As we’ve learned from two decades in mission-critical environments:

You cannot control what you cannot adapt.

You cannot adapt what you never designed to move.

And you cannot move if you never tested the way out.