Woman and man standing in front of a server with a tablet

Digital sovereignty: What is it?

How do the provider and user perspectives differ in this context? What do technological and data sovereignty mean, and what capabilities are needed to exercise digital sovereignty?

Digital sovereignty: Significance and fundamentals 

Digital sovereignty is the ability of government, public administration and business to use technologies and data independently, securely and legally. It builds trust, strengthens the capacity to act and supports self-determination in an increasingly interconnected world.

Digital sovereignty: Definition and scope 

Digital sovereignty describes the ability to design, operate and control digital systems, processes and data in a self-sovereign way. It is not a purely technical concept but brings together legal, organisational, economic and societal aspects of the information economy and information science. Digital sovereignty thus provides the overarching framework that ensures digital infrastructures and services are based on their own values, standards and legal frameworks - not on external dependencies. It is based on four central pillars – governance, technical sovereignty, operational sovereignty and data sovereignty – which together lay the foundation for a self-sovereign digital future. This future strengthens not only state sovereignty but also self-sufficiency and competitiveness across Europe.

Pillars of digital sovereignty 

The “Cloud Sovereignty Framework” of the European Commission defines eight sovereignty objectives – the so-called “Sovereignty Objectives” (SOVs) – that are relevant to the provision of cloud services in procurement procedures. Building on these objectives, four pillars of digital sovereignty can be defined:

Jurisdiction and governance 

to clarify the legal and regulatory framework. The ultimate parent company must be established in the EU/EEA, with majority European ownership and no blocking minority held by non-EU actors.

Technical sovereignty 

to ensure the independence and security of technologies. Use of open standards and open source to ensure interoperability and technical reversibility, enabling a switch of provider at any time.

Operational sovereignty 

to enable the effective and efficient use of digital systems. Infrastructure and control systems must be located entirely in Europe, and all administrators must be based and employed in Europe and be nationals of a European country.

Data sovereignty 

to ensure the control and protection of data. Strict data residency in Europe applies to all data, metadata, backups and logs, along with a legal obligation to resist and disclose foreign access requests.

These pillars enable a comprehensive understanding of the concept. The focus is on European cloud and security standards, strong digital identities and future-proof encryption, with an eye to the post-quantum era as well.

Why digital sovereignty is central to government and public administration

Digital capability increasingly determines the state’s capacity to act. For public administrations: Only those who control digital processes, data flows and technologies themselves can act securely, legally and independently. 

To meet this requirement, the Federal Government stated in the coalition agreement that digital sovereignty and information security are key prerequisites for democratic stability and economic prosperity. In it, the Federal Government commits to strengthening Germany’s digital sovereignty in a targeted way and reducing technological dependencies. 

This guiding principle forms a central part of the modernisation agenda, which aims to make the state, the economy and society more resilient and future-proof. At its core are open interfaces, open standards and the consistent use of open-source technologies. Strategic alignment of the IT budget aims to create sustainable, interoperable and trustworthy digital infrastructures. Nonetheless, dependencies remain – above all on non-European corporations and software providers. 

These dependencies entail risks: from disrupted supply chains and security vulnerabilities through to unclear legal positions under data protection law. The International Criminal Court (ICC) has since reaffirmed its decision to become less dependent on non-European providers and plans to use the German software solution openDesk in future. This underlines the need to promote and deploy trustworthy European alternatives.

Responsibility and collaboration 

Digital sovereignty is a shared responsibility that strengthens security and drives society’s capacity for innovation. The Federal Government, Federal States, municipalities and private providers must work together on secure infrastructures and interoperable solutions. At the same time, it is the role of policymakers – in particular the Federal Government – to put in place a regulatory framework that promotes innovation, information security and self-determination equally.

Industry 

  •  Develops and operates sovereign key technologies (cloud, cryptography, digital identities, interfaces)
  • Provides auditable solutions with open standards, software bills of materials (SBOMs) and clear exit strategies
  • Commits to European legal jurisdictions, transparency and security certifications 

Civil society 

  • Builds trust through participation, digital skills and independent oversight
  • Brings perspectives on data protection, inclusion and accessibility
  • Supports the development of open, public-interest services through civic tech initiatives 

Science and standardisation 

  • Conducts research into future-proof cryptography (including post-quantum cryptography), interoperability and secure architectures
  • Participates in standards and standardisation bodies to make European standards fit for practical application
  • Strengthens knowledge transfer through pilot projects, living labs and independent evaluations 

Collaboration succeeds when all stakeholders act according to shared principles: 

  • Openness
  • Interoperability
  • Clear data location
  • Option of reversibility
  • Verifiable evidence such as certifications, audits or regular security and compliance reports
  • Long-term maintenance of solutions
  • Continuous development of knowledge and skills

Sovereign and secure: solutions from the Bundesdruckerei Group 

With its digital and security expertise, the Bundesdruckerei Group, as the Federal Government’s technology company, contributes to Germany’s and Europe’s digital sovereignty. Its group companies protect data, infrastructures and digital processes, thereby laying the foundations for a sovereign and secure digital future:

Illustration of the Bundesdruckerei GmbH logo

Bundesdruckerei GmbH is developing Bdrive, a secure file-sharing and cloud solution that encrypts and fragments data and stores it exclusively on servers in Germany. This will soon enable public authorities to retain control over their sensitive information up to the VS-NfD (for official use only) classification level.

 

Read more about the file-sharing solution

Ansicht Logo von genua GmbH

genua GmbH provides BSI-approved (German Federal Office for Information Security) firewalls, a solution bundle for a VS-NfD-compliant workstation, and robust network protection, for example for public authorities and sectors subject to classified information protection, all Made in Germany to the highest security standards.

Find out more about the digital offering

Ansicht Logo von Xecuro GmbH

Xecuro GmbH enables highly secure communication of classified information in public administration for the Federal Government and the Federal States. It is responsible for establishment, operation and ongoing development of the corresponding infrastructure.

 

Discover IT solutions

Ansicht des D-Trust Logos

D-Trust GmbH helps secure, among other things, cloud platforms with its TLS certificates. Using cryptographic methods, the certificates enable secure, encrypted and authenticated communication between internal systems and cloud services, as well as users.

 

Find out more about Delos – cloud case study

Background: Post-quantum cryptography and future security technologies

With future threats in mind, post-quantum cryptography is becoming increasingly important. In the long term, quantum computers could break classical encryption schemes (e.g. RSA or ECC). It is therefore important even today to guard against the ‘store now, decrypt later’ principle. 

The Bundesdruckerei Group is actively engaged in research into and development of quantum-resistant cryptography and is a founding member of the Bundesquantenallianz. Through innovative projects and technologies, Bundesdruckerei is working to harness the potential of quantum effects for new security solutions that will remain robust even in a world with powerful quantum computers – for example in the field of quantum-secure identity documents.

Conclusion: digital autonomy is a task for the future 

Digital sovereignty is not a steady state but an ongoing process. In the coming years, public administration will increasingly rely on European cloud platforms, quantum security and AI-enabled security systems. The Federal Government aims to strengthen Germany’s digital sovereignty and thereby safeguard technological prosperity in the long term. 

Complete independence is neither realistic nor desirable. Digital sovereignty does not mean isolation, but deliberate control over critical technologies and data. Striking the right balance is crucial: Openness and interconnectedness where they foster innovation and efficiency, and targeted autonomy where information security and the state’s capacity to act are at stake.

Senior Woman and Nurse at a Computer
Article
Data Protection and Security in the Telematics Infrastructur

Patient data is highly sensitive. Protecting it appropriately is not only essential for its security but also for the success and acceptance of the telematics infrastructure in the healthcare sector. Standards for data protection and security for all healthcare data are continually being raised.

Hier geht es zum Artikel Elektronische Patientenakte: Das soll sie bringen.
Article
Electronic Patient File for All (ePA) 

The electronic patient file (ePA) is a central tool for the digitalisation of the healthcare system in Germany. For healthcare providers – such as doctors, psychotherapists, dentists, nursing staff, pharmacies, and others – it opens up new ways of delivering efficient, secure, and cross-sector healthcare as well as documentation. 

Frequently asked questions about digital sovereignty

Digital sovereignty safeguards the state’s capacity to act, upholds data protection, strengthens IT security and reduces dependencies. Only if digital infrastructures are operated in a trustworthy and auditable manner will public administration remain effective in the long term.

Through clear data classification, encrypted storage and transparent access rules. In addition, European cloud solutions and national data centres ensure control over storage location and legal framework.

They promote interoperability and transparency – key prerequisites for creating sovereign digital ecosystems. Open standards make it possible to switch systems without incurring lock-in.

Digital sovereignty and cybersecurity are mutually dependent. Only with robust cybersecurity can data, infrastructure and government and organisational interests be effectively protected. At the same time, digital sovereignty provides the strategic framework that enables reliable cybersecurity and safeguards digital self-determination in the long term.