By Janus Boye
Mathias Bolt Lesniak from the TYPO3 project as seen on stage at CMS Kickoff 25
Data sovereignty has become a big topic recently and it’s all about getting control of the data you generate, including where it can be stored, who can access it, and how it can be used.
In a recent members’ call, we heard from Mathias Bolt Lesniak, Oslo-based Project Ambassador at open source CMS TYPO3, who zoomed out from the current hype and talked about what digital sovereignty really means — the ability to act independently on all digital matters without undue influence from third parties.
What can we do as businesses and organisations and even as individuals to achieve digital sovereignty, and how big is this problem really?
Let’s start with getting the topic right.
What is digital sovereignty?
To give us an understanding of the impact, Mathias started with this timely, yet surprising question:
Was your AI trained on the King James bible?
This might sound like a silly question, but it illustrates an important point when it comes to digital sovereignty, because the King James bible is in the public domain in most countries, including the United States, but in the United Kingdom, the copyright is held by the Crown and administered by Cambridge University Press. This means that if you are doing something with a large language model trained on this material in the UK, you might get in trouble.
That’s the data part, which often gets confused with digital sovereignty these days as some vendors move quickly to try to offer European hosting, but digital sovereignty is actually about more than that. Here’s the definition that Mathias used in the call:
Digital sovereignty is the ability to act independently on all digital matters without undue influence from third parties.
This requires two pillars:
Digital governance, which is the power to regulate actions and to control digital operations, policies, and infrastructure.
Data sovereignty is control of the data you generate, including where it can be stored, who can access it, and how it can be used.
As Mathias says:
"You can’t have digital sovereignty without data sovereignty and digital governance."
Let’s put digital sovereignty in context
As a part of his presentation, Mathias also shared some interesting examples to show the impact missing sovereignty is having here and now.
We started in Denmark, with a story about how Danish libraries are paying more and more for their Microsoft licenses. According to a story in Danish IT press Version2, the Danish municipalities have seen their license costs to Microsoft go up from €42 million in 2018 to some €72 million in 2023. Despite the increase in costs, it’s not very easy to migrate away from the Microsoft services, when your digital infrastructure depends on it.
Mathias then went to his home town of Oslo, where national newspaper Aftonposten wrote about how China might be able to remotely turn off their new electric buses. This is a security risk and with a purchase of 76 electric buses, this became the source of some controversy in Oslo.
Does that sound far fetched? Mathias pointed us at this CNN article, which shows how it works: Russians plunder $5M farm vehicles from Ukraine – to find they’ve been remotely disabled.
In summary: As these real-world examples show, digital sovereignty matters on so many levels.
What’s your digital sovereignty status?
So, what are you doing about this topic? It’s a complex space with many dimensions. China's approach to digital sovereignty has long emphasised national security and control over its digital infrastructure, while in Europe we seem to be slowly waking up to this agenda. Much work remains to reduce the EU’s dependence on foreign tech companies and to foster a European-led digital transformation.
To begin tackling data sovereignty, Mathias recommended to start with assessing your existing tech stack and getting an overview of your dependencies and options. It’s a different way to look at risk and might put additional costs in perspective.
You might want to also look into the current controversy with EU-US data transfers. Look at Schrems III: Gauging the Validity of the GDPR Adequacy Decision for the United States.
Learn more about digital sovereignty
The conversation about this emerging topic naturally continues in our groups and at our conferences.
You can also download the slides (PDF) or even lean back and enjoy the entire recording from the call.