Digital Sovereignty Is in the Fine Print

PARIS—Many policymakers now recognize that digital sovereignty has become a precondition for democratic self-government in the 21st century. The problem is that most countries rely on cloud infrastructure and software platforms owned by a handful of powerful tech firms, largely based in the United States, leaving governments at the mercy of foreign corporate behemoths.

A dramatic example of this dependency came after Russia severely damaged Ukraine’s telecom infrastructure in 2022, forcing the country to use Starlink, the mobile satellite-internet system operated by Elon Musk’s SpaceX, for defense purposes. But later reporting revealed the risks inherent in entrusting sensitive state functions to tech billionaires: Musk rejected a request to extend connectivity over Crimea.

It’s not just defense. Big Tech’s increasingly dominant role in the provision of core government services extends from health care and education to banking supervision and tax administration. These firms control not only the servers but also the software stack, the identity layer, and the encryption keys. And under the 2018 CLOUD Act, US authorities can compel American companies to hand over the data they hold, regardless of where it is located.

To address this vulnerability, the European Union, India, the Gulf countries, China, and other governments have tried to build their own digital industries and infrastructure, though only China has successfully moved away from American tech. The EU has also tried to regulate the digital sphere. After the Court of Justice of the European Union found in its 2020 Schrems II ruling that EU citizens had no effective judicial remedy against US surveillance, the EU passed the Data Act with the aim of blocking this kind of access.

Still, the dependency deepens. Routine data leaks and service outages compound the costs of Big Tech’s continued dominance: democratic processes can be influenced, sensitive records can be exposed, and essential services can be disrupted.

Given all this, the European Commission’s recent deal with OpenAI to access its frontier model for the purpose of detecting vulnerabilities in critical infrastructure is baffling. This arrangement effectively hands over to a prominent US defense contractor a systematic map of the weak points in European hospitals, universities, energy grids, and transport systems—precisely the types of information that the Data Act, the General Data Protection Regulation, and the NIS2 Directive were enacted to protect.

To be sure, AI has made it easier to detect and exploit security flaws, with IBM’s X-Force Threat Intelligence Index 2026 documenting a 44% year-on-year surge in attacks on public-facing applications. But a vulnerability map generated through a single system subject to the CLOUD Act does not shrink that attack surface; it concentrates exposure at one legally accessible point.

The same dynamic is playing out elsewhere. Latin American ministries sign cloud contracts they cannot exit. African health systems run on foreign platforms whose service-level agreements are governed by laws over which they have no control. Southeast Asian financial supervisors depend on dashboards built abroad to monitor their own markets. And once such a system is built around a particular provider, migration to a competitor is extremely difficult and expensive.

Government officials must confront the reality of their technological dependence and, accepting that few countries will ever host a hyperscaler, determine what kind of relationship they want with the existing ones. For starters, that means establishing a clear picture of which services are being used, and on which infrastructure, as well as the applicable law and jurisdiction, and any fallback options. Most governments cannot answer these simple questions about their own systems. Until they can, digital sovereignty will remain a slogan.

Second, policymakers must overhaul how they negotiate contracts with tech firms. Currently, most governments use lightly adapted vendor templates. They should instead regard contracts as instruments of public law that specify data residency in enforceable terms, prohibit onward transfer, require operational continuity in case of sanctions or political disputes, mandate portable exit, and impose meaningful penalties when these terms are breached. A contract that cannot be enforced against an extraterritorial statute is not a contract; it is optimism.

Another underused instrument of digital policy is public procurement. Governments purchase enormous quantities of digital services. Every euro, real, rupee, or peso spent should be conditioned on interoperability, open standards, source-code escrow for critical systems, audit rights, and an obligation to host certain classes of data in jurisdictions of the buyer’s choosing.

Fourth, officials must pursue large-scale investment in domestic and regional capacity. Not every country needs a sovereign cloud, but every region should have some. The northern German state of Schleswig-Holstein has shown that migrating government workloads off foreign platforms is operationally feasible. The «EuroStack» initiative, India’s sovereign-cloud push, the African Union’s data-policy framework, and the Association of Southeast Asian Nations’ cross-border arrangements all point in the same direction. The cost of building such capacity seems high, but with so many essential services and functions at risk, the potential cost of inaction is much higher.

Lastly, building coalitions—regional blocs, groups of midsize democracies, even ad hoc procurement clubs—can reduce the asymmetry of bargaining power between individual governments and hyperscalers. Shared technical standards, joint audit regimes, and common red lines are not glamorous, but they are how power is rebalanced. If 20 countries demand the same enforceable clauses, those clauses become the market.

With digital sovereignty becoming a priority for governments, we must move from the «what» to the «how.» While US tech firms are not going away anytime soon, policymakers have options to push back—namely, through contract terms. Having taken part in these decisions, we have seen speed prevail over due care, simply because the tool is good, the vendor is friendly, or the deadline is short. But officials do have leverage; using it requires paying attention to the fine print.

Gabriela Ramos, Co-Chair of the Task Force on Inequalities and Social-Related Financial Disclosures, is a former assistant director-general for social and human sciences at UNESCO, where she oversaw the development of the Recommendation on the Ethics of AI, and a former OECD chief of staff and sherpa to the G20, G7, and APEC.

Emilija Stojmenova Duh, Associate Professor of Electrical Engineering at the University of Ljubljana, is a member of the Globethics Board of Foundation and a former minister of digital transformation of Slovenia.