A growing number of European companies have come to a sobering realization: their data, one of their most valuable assets, is often subject to jurisdictions, risks, and dependencies far beyond their control. The dominance of global cloud providers, many headquartered outside Europe, has exposed businesses to geopolitical uncertainties and regulatory complexities that can directly affect their operations.
This shift in awareness is driving a fundamental change in mindset. Digital sovereignty is no longer a niche concern; it is a strategic necessity. It sits at the intersection of competitiveness, innovation, and security, and it begins with a simple principle: my data, my rules.
The following reflects key insights and opinions shared during a session at Thales Cybersecurity Day in Sofia, held on March 18th at Grand Hotel Millennium Sofia, which was attended by Prof. Daniela Ilieva, Defne Halil, Mihaela Froloshka and Viktor Yanev as representatives of the Law and Internet Foundation.
The Three Pillars of Digital Sovereignty
As presented by Thales’ representatives during the event, to understand what digital sovereignty really means in practice, it helps to break it down into three core pillars:
- Data sovereignty: ensuring control over where data is stored, processed, and accessed
- Technological sovereignty: reducing dependency on external technologies and providers
- Operational sovereignty: maintaining the ability to operate independently of geopolitical disruptions
Among these, data sovereignty stands out as the foundation. Without control over data, the other two pillars become fragile.
Why Data Sovereignty Matters More Than Ever
As concluded during the event, data sovereignty is about self-determined control over data: knowing where it resides, who can access it, and under which legal framework it is governed.
For companies operating in a borderless digital environment, this raises a critical question:
How can we ensure our business remains operational, secure, and compliant, regardless of geopolitical developments?
The answer lies in adopting a proactive approach to data security and governance.
The Key Challenges
Achieving data sovereignty is not without obstacles, as concluded during the event. Organizations today face several interconnected challenges:
- Lack of control and transparency: Many companies rely on complex cloud ecosystems where visibility into data flows and processing is limited.
- Operational complexity: Managing data across multiple environments, often with limited internal resources, creates fragmentation and risk.
- Evolving cyber threats: From ransomware and malware to advanced bot attacks, and the emerging risks posed by AI and quantum computing, the threat landscape is intensifying.
The Three Foundations of Data Security
To address these challenges, organizations should focus on three essential building blocks:
1. Discover: Identify, classify, and continuously monitor data across systems.
2. Protect: Apply strong encryption and robust key management practices.
3. Control: Implement strict identity and access management mechanisms.
These foundations provide the structure needed to regain control over data in complex digital environments.
Encryption: The Gold Standard
Experts during the event emphasized that at the heart of data sovereignty lies encryption, widely recognized as the gold standard for data protection.
Strong encryption enables organizations to:
- Protect sensitive and business-critical data
- Enforce access control and separation of duties
- Ensure data integrity
- Meet regulatory requirements
However, encryption is only as strong as its weakest link.
Why Key Management is Critical
A common misconception is that encryption alone guarantees security. In reality:
Encryption is only as strong as the protection of the keys.
Best practices for encryption key management include:
- Separating key storage and generation from the data itself
- Centralizing key lifecycle management
- Enforcing strict access control and separation of duties
- Maintaining detailed logging and reporting
It is important to note that, in the specific context of France, a representative of Microsoft acknowledged that full data sovereignty cannot be guaranteed when encryption keys remain under the provider’s control, a position reflected in public reporting on the issue (The Register, "Microsoft exec admits it 'cannot guarantee' data sovereignty"). True sovereignty means retaining control over your own keys.
Securing Data in a Borderless Cloud
Operating in the cloud does not eliminate the possibility of sovereignty, but it requires deliberate design choices, as highlighted during the Thales event.
Key principles include:
- Decoupling data and encryption keys
- Ensuring keys are never stored in plaintext
- Using secure, non-vulnerable systems for key storage
- Implementing dual control and separation of duties
- Applying split knowledge (no single person has full access)
- Continuously monitoring systems and access
- Using strong, future-proof cryptographic algorithms
These measures help ensure that even in distributed environments, control remains firmly in the hands of the organization.
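As an added illustration of the split-knowledge and dual-control principles listed above (example code, not from the event or from Thales): a key-encryption key is split into XOR shares, one per custodian, and only a check value is recorded instead of the key. The function names, the label and the HMAC-based check value are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

KCV_LABEL = b"kek-check-value-v1"  # constructed label, not from any standard


def key_check_value(key: bytes) -> bytes:
    """Short fingerprint that lets a reassembled key be verified
    without the plaintext key ever being stored."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()[:8]


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """n-of-n XOR split: every share is needed; any n-1 shares are
    uniformly random and reveal nothing about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def reassemble(shares: list[bytes], expected_kcv: bytes) -> bytes:
    """Dual control: combine all custodians' shares, then reject the
    result unless it matches the recorded check value."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need equal-length shares from at least two custodians")
    key = bytes(len(shares[0]))
    for s in shares:
        key = bytes(a ^ b for a, b in zip(key, s))
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("check value mismatch: missing or wrong share")
    return key


def demo() -> dict:
    kek = secrets.token_bytes(32)          # constructed sample key
    kcv = key_check_value(kek)             # record this, never the key
    shares = split_key(kek, 3)             # one share per custodian
    ok = reassemble(shares, kcv) == kek
    try:
        reassemble(shares[:2], kcv)        # one custodian absent
        partial_rejected = False
    except ValueError:
        partial_rejected = True
    return {"ok": ok, "partial_rejected": partial_rejected}
```

In production the shares and the reassembled key would live inside a hardware security module or comparable key manager rather than in application memory.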
A Proactive Approach to Sovereignty
The most important takeaway from the event is this:
Data sovereignty is not a passive state; it is an ongoing process.
It requires continuous assessment, adaptation, and investment. Waiting for providers or regulators to solve the problem is not an option. As digital ecosystems become increasingly complex and geopolitical dynamics continue to evolve, organizations must take ownership of their data strategy.
Digital sovereignty is no longer just about compliance; it is about resilience, trust, and long-term competitiveness.
In a world where data is power, the principle is clear:
If you do not control your data, someone else does.








