Digital Sovereignty

We encounter calls for digital sovereignty at many levels of German and European politics, in party programs, strategy papers from ministries, in the EU Commission, the Council of Europe, in security authorities, among internet activists and in business associations. However, as ubiquitous as the term may be, its actual meaning usually remains unclear. Actors from the domains of politics, industry and civil society are calling for different, sometimes even contradictory measures under the banner of digital sovereignty. Apparently, we are dealing with a political high-value word . Digital sovereignty is an undisputed consensus term: No matter which digital policy one advocates, no one can say that they don’t care about digital sovereignty. Those who call for it can rhetorically enhance their policy agenda and link it to higher ideals without making concrete, verifiable promises. At times, high-value words are used in such an inflationary way and in so many contexts that they are in danger of being completely stripped of their meaning and becoming meaningless empty phrases.

Even in research, a uniform definition of the term does not exist . In general, the demand for digital sovereignty involves an idea of more autonomy, freedom of choice, co-determination and control over “the digital” . Let’s try to concretize this vague idea. We can do this by defining the object of sovereignty (“what do we want to become sovereign over?”) and the corresponding actor (“who is supposed to become sovereign here?”) more precisely.

What exactly “the digital” is that we want more sovereignty over can vary greatly, depending on whether we are talking about resource dependencies, skills shortages, digital education or platform regulation, for example. In somewhat simplified terms, digital technologies and infrastructures can be represented on three layers, which together form the technology bundle: the physical layer, the code layer and the data layer . Virtually every digital application we use is based on a combination of IT components on these three layers.

To write an email, we need several devices (physical layer). We compose it via a user interface, behind which there are a number of programmed software components (code level) and finally send it by routing the message to the recipient via various servers and internet nodes using defined standards and protocols (data level).

Digital sovereignty can be conceived at each of these layers by asking to what extent they can be shaped in a self-determined or at least fairly independent manner. At each technology layer, the desired freedom of choice and design extends across the entire service chain, that is, from research and development through production, marketing and operation to self-determined and secure usage .

However, it is neither possible nor sensible to become “self-sufficient” (completely independent) in all these areas. Rather, it may be sufficient to create scope for decision-making so that there is a choice between several alternatives. In any case, certain dependencies cannot be avoided. In Europe, for example, there are no significant deposits of the rare earths needed for the production of important technological components. Dependence on the import of such resources is therefore inevitable. There are also dependencies that are not inevitable but have simply grown over many years, such as the dominance of U.S. companies in cloud computing. Efforts to free oneself from such dependencies or to reduce them are also referred to as “acts of resistance” to digital forms of hegemony . After all, the struggle for digital sovereignty also reveals the continuation of a race for economic, political and military dominance in the world. In addition to physical territories such as land, water, air and space, digital space has become another arena for geostrategic power struggles .

There is a lack of clarity in the discourse on digital sovereignty, particularly with regard to the question of whose sovereignty should be strengthened. The circle of “sovereign actors” is often interpreted very broadly in political and academic discourse. For example, it can refer to the digital sovereignty of individual countries or groups of countries, such as Germany , the EU or the Global South . The focus is also often placed on social sub-sectors or organizations, be it public administration , academia , private companies , civil society or individuals . We will return to these actor groups in the third chapter because political measures to increase digital sovereignty are usually aimed at specific actor groups and each group has different ways of expanding and utilizing its scopes of action for shaping the digital space.

However, the wide variety of actors discussed today has only grown over time. When the term sovereignty was first used in the digital context around 30 years ago, its meaning was still very much based on the understanding of state theory, which clearly focused on the state as the sovereign actor. This understanding is expressed in the Charter of the United Nations. By signing the Charter, the now 193 member states have committed themselves to respect the sovereignty of other states. In this regard, the UN Charter deals with two essential concepts of sovereignty; namely, internal sovereignty and external sovereignty.

In the mid-1990s, this was referred to as “cyberspace sovereignty” by the technical community and in the academic and journalistic debate. The dominant narrative was that cyberspace was a new sphere of human activity that was fundamentally different in nature from everything that had gone before. People were convinced that it would be difficult or even impossible to regulate or control it with existing legal instruments. Laws, it was commonly assumed, were only valid within defined territorial boundaries–outside these boundaries they were neither enforceable nor did they have legitimacy . One of the most daring claims was that cyberspace, with its cross-border, global networking and decentralized organization, was so exceptional that it needed its own sovereignty, similar to a separate nation state. This vision of cyberspace as an independent space with decentralized government is embodied by internet pioneer John Perry Barlow. In 1996, he wrote the “Declaration of Independence of Cyberspace,” which is most impressively presented by himself.

Jonathan Zittrain illustrates the effects of commercialization on this creative freedom with a comparison of the Apple II from 1977 with the first iPhone, which came onto the market 30 years later. Similar to the internet, the Apple II was also a changeable platform that virtually invited hobby programmers but also companies to develop new programs and functions. Any individual contribution that complied with a basic set of rules (such as a programming language or certain internet protocols) was generally acceptable and was shared and developed further as desired. Many of the programs created in this way contributed greatly to the market success of Macintosh computers.

The iPhone, on the other hand, symbolizes the advance of the digital in the form of “sterile,” pre-programmed devices and services. It is no longer possible to change view or even change the program code. Programs to be installed are pre-selected in app stores or installed directly on the smartphone by default. Security updates for older devices are discontinued at will. While the computer and internet revolution was once driven by innovative design freedom, the proprietary version of the digital world is now an aesthetic world of “walled gardens” . This world may be easy to use, well-designed and convenient, but it is woven into a network of commercial control and restriction. This version of the digital goes hand in hand with a severe loss of digital self-determination and significantly restricts creative freedom. In light of this, industry associations such as the Open Source Business Alliance (OSBA) have been arguing for years that the path to digital sovereignty will increasingly be paved by the use and further development of open source software and open standards, especially in public administration .

The accelerating commercialization of the internet since the late 1990s has provided compelling reasons to view the digital ecosystem as a challenge to state sovereignty. For many years, the U.S. tech giants–above all Alphabet, Amazon, Meta, Apple and Microsoft–were able to build up almost unrivaled power. As platform companies, they gradually integrated more and more applications and services into a core platform. Their infrastructures became ubiquitous communication and organizational tools in everyday private life as well as in countless companies and in public administration . The platforms often benefited from the “network effect” , the principle whereby a network becomes more valuable the more members it has. For example, once a social network has reached a critical mass of members, the number of users increases exponentially until competitors can hardly compete and a monopoly almost inevitably forms.

Platform companies offer essential technical infrastructures and services on the internet that private individuals, companies and public services rely on. They provide content and communication channels, shape public spaces and operate marketplaces over whose competitive conditions they have a decisive influence. This means that a small number of large American companies have far-reaching scopes of action and regulatory competence, not only over technical infrastructures but also over the socioeconomic conditions and processes that take place within them . Platform companies are therefore often referred to as being “quasi-sovereign” in the digital space .

The dominance of platforms poses a market risk for Europe because it threatens to distort competition and jeopardize economic stability and innovation . Platform companies have more or less exclusive access to the enormous amounts of data produced within their structures. This data gives them a direct advantage over their competitors. However, large amounts of data are also a prerequisite for developing key technologies such as artificial intelligence . On a regular basis, the disadvantages that arise for European companies due to the dominance of platform companies are seen as a restriction of their scope of action and thus their digital sovereignty .

The NSA affair also showed that one task of the secret services was to conduct industrial espionage. This became known as early as 2001, when a committee of the European Parliament looked into “Echelon,” a global interception system of the , which intercepted global satellite communications . The committee’s report suggested that the intelligence network was specifically eavesdropping on the communications of companies. Foreign companies were spied on in order to give American companies a competitive advantage. With the information obtained, U.S. companies were able, for example, to beat their European competitors to patent applications , or outmaneuver them in negotiations . The Snowden leaks show that industrial espionage was still one of the NSA’s strategic missions 10 years later . In addition to Russia and China, Germany and France were also among the NSA’s target countries. The mission was to prevent any advance in critical technologies that would give these countries military, economic or political advantages.

NSA documents also describe years of systematic and targeted eavesdropping on top politicians–including Angela Merkel –and political institutions. The political targets reportedly included the headquarters of the United Nations , the International Atomic Energy Agency and, by means of a cyberattack on the Belgian company Belgacom, presumably also the European Commission, the European Council, the European Parliament and NATO .

In authoritarian states such as China or Russia, the advance of networked communication was perceived as a threat to the existing political order . China was one of the first countries to respond with a strategy of maximum technical isolation and control. Russia followed suit a few years later. In doing so, the Chinese government relied on its typical interpretation of national sovereignty as a non-interference principle. In essence, no other country should interfere in Chinese affairs, and China would not interfere in the affairs of other states (for example, in armed conflicts). This sovereignty rhetoric was already used by China in the early 2000s. After the NSA affair in 2013, it was applied more to the digital context and became a further interpretation of digital sovereignty, which in its radical implementation is far removed from the European understanding. In this context, digital (or cyber-) sovereignty means subjecting data flows and digital infrastructures as completely as possible to national control.

Microchips–electronic components based on –are a particularly essential component of digital infrastructures. They provide the basis for a wide range of modern devices, from smartphones to computers, televisions, cars, industrial robots, weapons systems and medical devices.

The semiconductor industry in particular is characterized by extraordinary dependencies. After all, the astonishing advances in microelectronics have only been possible because companies have become extremely specialized over time. Instead of offering all steps from circuit design to testing and assembly from a single source, it made more and more economic sense to specialize in a core business, which was then scaled accordingly. In Silicon Valley, companies such as AMD, Broadcomm and Qualcomm increasingly focused on high-margin work steps such as the design of blueprints and circuit designs. Large contract manufacturers emerged in Taiwan, such as TSMC, the world market leader in the production of logic and high-performance chips, which are used, for example, in artificial intelligence . Microchips are based on globally distributed, fragmented supply chains and highly complex production processes. Thousands of work steps are meticulously intertwined, refined and specialized over decades. No country in the world would currently be able to develop and manufacture a sufficient amount of microchips on its own.

Decades of technology-driven globalization have created complex risk cascades . If the availability of even one essential component fails, entire industry branches threaten to collapse. It would take decades and enormous investments to rebuild production capacities in one’s own country. From a pure economical perspective, this would be illogical and inefficient. Yet, in the semiconductor industry, market-based logics have long lost their impact because trade relations have politicized over the years.

Governments have recognized that it is specifically the reliance on foreign-sourced microchips that makes them vulnerable. Semiconductor products are essential for many industries and products, and their availability is already uncertain due to fragile supply chains without fall-out options. In addition, there have been several supply disruptions in recent years, some with dramatic consequences; for example, when an unexpectedly high demand for computers collided with border closures and lock-downs during the Covid-19 pandemic. Efforts to free oneself from these dependencies are seen as a path to digital sovereignty .

The global semiconductor industry has become the arena of international geopolitics and an instrument for exerting targeted influence on other states . There has long been a power struggle between the U.S. and China for political, economic and military supremacy in the world, which has plunged the two nations into an open trade war. Of course, there are similar efforts in Europe, they just have not been particularly successful so far. The USA and China are competing with each other in key technologies such as artificial intelligence, autonomous weapons systems, and quantum computers – all fields of technology in which high-performance chips are used. In the chip industry, competition developed for patents, manufacturing equipment and skilled workers. Both countries massively subsidize their domestic semiconductor industry. At the same time, they increasingly sanctioned each other with import tariffs and export restrictions in order to gain economic advantages and prevent knowledge transfer. But the semiconductor industry just cannot be relocated quickly. American high-performance chips are still predominantly manufactured in Taiwan, which is why the U.S. is particularly concerned by China’s ambitions to take over the Taiwanese peninsula. This could give China not only insights into production processes but potentially even control over the export of microchips to the US.

Ideally, digitization should meet the needs of society across all actor groups . Therefore, the EU strategically aims to orient its digital policy towards “European values” and to create technological and regulatory structures that uphold these values.

Margrethe Vestager, who initiated numerous judicial proceedings against U.S. tech giants as EU trade commissioner, emphasizes the goals of the European digital strategy .

Three things become clear here: First, competitiveness is a key concern of the EU, and it clearly pursues its own economic interests with its digital policy. Second, Vestager cites the security and fundamental rights of EU citizens as guiding principles of the European digital agenda, but also emphasizes that regulations are only employed where these values are threatened. This can be understood as a distinction from the sovereignty ambitions of authoritarian states, which often seek to enforce greater control over their own society in the digital realm (see chapter 2.5).

Thirdly, Vestager mentions that European standards have worldwide implications. She thereby alludes to the “Brussels Effect.” Given the considerable size and attractiveness of the European market, EU regulatory measures often have a strong impact on companies and governments outside the EU. They have an incentive to follow European regulatory approaches if they want to do business in the EU . It is also argued that the EU, in its role as a “global regulatory hegemon ”, intervenes in the sovereignty of other countries.

But which control options do the EU and the German federal government actually utilize to strengthen digital sovereignty? What leeway do civil society, organizations, and institutions themselves have at their disposal to expand their respective scopes of action? We start with the foundations of digital sovereignty, which are of systemic relevance across all actor groups and technology layers: Sufficient education and participation of civil society, comprehensive cybersecurity and development of key technologies. We will then consider the most important options for action along the three layers of the technology bundle: data layer, code layer, and physical layer.

Digital sovereignty can only be built upon a digitally sovereign civil society. “Only digitally empowered and capable citizens […] can be the masters of their own destiny, confident and assertive in their means, value and choices,” emphasizes the EU Commission . What is frequently referred to as individual digital sovereignty in scholarly literature encompasses digital competency and participation. Digital literacy and competences enable civil society to “act and decide in a conscious, deliberate, and independent manner” . Meanwhile, opportunities for participation empower civil society to engage in digital policy discourse and decisions, as well as directly in the shaping of technology.

Let’s start with the question of what skills are actually needed to make deliberate and independent decisions in the digital space and thus become somewhat digitally sovereign. Digital literacy encompasses knowledge and skills across all layers of the technology bundle.

As the second basic condition for digital sovereignty, strong emphasis is placed on the of digital infrastructures . Cybersecurity is considered a fundamental requirement for societal life, economic processes, and the protection of critical infrastructure . Strategies and measures to enhance IT security are formulated at both the European and national levels in response to a high level of threat. At the end of 2020, the European Commission presented the new EU Cybersecurity Strategy . Central to this is the plan to address cyber threats across borders, in a coordinated manner, and in close collaboration. The package of measures aims to enforce a uniformly high level of security and resilience of digital infrastructures across the EU. In addition to specific requirements for national cybersecurity strategies and governmental structures, cooperation groups facilitate strategic collaboration on cybersecurity in Europe. National points of EU countries and act as clear points of contact. In the event of acute crisis situations, they should be able to coordinate operational responses quickly, effectively, and across borders.

Simultaneously, better encryption systems and stronger defense against surveillance , as well as increased use of (see chapter 3.4.), are seen as technical means to improve cybersecurity. The introduction of trusted security certificates could lead to greater transparency and increased security awareness among users . Targeted government support for research and development in the field of cybersecurity is an effective measure to strengthen IT security in the long term and reduce dependencies in this area as well .

Long-term and forward-looking government support for research and development is not only relevant in the field of cybersecurity. Rather, the promotion of key technologies can be understood as another condition for digital sovereignty, which is significant across all actor groups and technology levels. The EU views key technologies as pillars of future economic value creation. Therefore, many EU measures aim to firmly orient the domestic research and business landscape towards the development of artificial intelligence, quantum technologies, cloud technologies, and semiconductor technologies . This is done partly to reduce economic dependencies in the medium term and strengthen the domestic industry, and partly to shape technologies in line with European values . Concrete measures in recent years have often aimed not only at direct financial support but also at improving the competitive conditions for European providers and lowering market entry barriers , for example, by specifically supporting start-up ecosystems . At the same time, research and development partnerships can be strategically expanded both between EU Member States and between private companies and states .

In other regulatory approaches of the EU, a more private-sector, growth-oriented data policy is evident. The European Data Strategy aims to develop a functioning European single market for data while ensuring a high level of data protection. The strategy is primarily based on the Data Governance Act (DGA) 2022 and the Data Act 2024. The DGA lays the groundwork for a trustworthy data exchange model that simplifies data-based collaborations between businesses, academia, public institutions, and civil society. The regulation envisions the establishment of independent, transparent, and trustworthy data marketplaces where data suppliers and buyers can come together. Data can thus easier and more transparently be shared between different sectors. The DGA also aims to encourage altruistic data donations: data donations are facilitated and the access and reuse of donated data is organized in a more unambiguous and transparent manner. The Data Act, on the other hand, stipulates that users must be given access to all data generated by their IoT devices and that this data must also be made available to third parties at the request of the user . At best, this means that European companies will also be able to access larger volumes of data from which they can create value.

As part of the “Gaia-X” project, announced in 2019 by the German and French ministries of economics, existing data infrastructures from various sectors will be interconnected to create a common European data ecosystem . The project aims to facilitate cross-sectoral data exchange and integration. Many previously separate data spaces are thus to be linked together. The task is to formulate appropriate rules and standards for cooperative data exchange and compliant data usage, as well as to define and implement the technical requirements for this new data space. The European Commission emphasizes that its data strategy will make the EU more internationally competitive and contribute to stronger economic growth: Big Tech platforms have “a high degree of market power, as they control large amounts of data,” and the European data strategy aims to counteract the dominance of these platform companies over data spaces. The Gaia-X project in particular began with the goal of combating the data hegemony of U.S. and Chinese corporations and strengthening Europe’s own competitiveness based on “sovereign data exchange” . Meanwhile, partners and members of technical working groups of the Gaia-X organization also include major corporations such as Microsoft, Alibaba, Amazon, Google, and Palantir . As providers of cloud services, they will not only be connected to the created data spaces but also contribute their expertise to the development of these infrastructures. However, they have recently faced criticism for deliberately slowing down the project’s workflows .

In terms of hardware, the discourse at the EU reduces economic dependencies by expanding domestic production capacities and developing strategic partnerships in procurement. The term “strategic autonomy,” frequently used in EU institutions, illustrates that the core ambition is not mere protectionism or even autarky. Rather, it is to create fallback options and choices, at least for essential hardware components. With the European Chip Act, the EU has launched some of the most extensive economic support programs of its digital policy. The Act entails investments in research and development as well as in production facilities within the EU . This strengthens the competitiveness of European providers in this market and ensures the reduction of economic dependencies .