The digital sovereignty spectrum: an intro

Digital sovereignty: a concept that sparks heated debates in boardrooms, political circles, and around conference tables, has become more relevant than ever in our globally connected, yet deeply fractured digital world. But what does it actually mean for businesses, especially those operating on international markets? More importantly, where does your company fit in on the spectrum of control? From being completely sovereign to entirely reliant on external forces, there’s a broad range of possibilities.

This blog series will explore digital sovereignty, breaking down what it is, why it matters, and how companies like yours can assess where they stand on this critical spectrum. The funny (and ironic) part? As the co-founder & CEO of Vates, a French company championing open-source virtualization solutions, I've seen our largest growth come not from our home turf of France or even Europe, but from across the Atlantic—in the U.S., of all places! Yes, even in sectors like defense, healthcare, and finance, where you'd expect digital sovereignty to be a prime concern, the U.S. market seems far more receptive to what we’re offering.

Meanwhile, back in France, where digital sovereignty should be a top priority, we often encounter skepticism, criticism, and defeatism. The market here is slower to take off, and the critiques we hear from French industry are often the most biting. Ironically, we find ourselves being told why digital sovereignty doesn't matter—by the very people who should arguably care about it the most.

But let's be clear: digital sovereignty isn't just a European or French issue. It’s relevant wherever your business operates. In this series, we'll focus on sovereignty at the company level. Sure, working with a local partner might reduce certain risks, but it’s just one small piece of the puzzle. Understanding where your company stands on the spectrum of sovereignty—and how to improve that position—is where the real power lies.

In this first part of the series, we’re going to take a closer look at what digital sovereignty really means at the company level. Spoiler alert: it’s more than just about who you do business with.

Definitions

In the IT world, you'd think everything is binary—after all, we're talking about computing, right? Ones and zeroes, on and off. But when it comes to digital sovereignty, it's anything but binary. We hear buzzwords like "digital autonomy" and "sovereignty" tossed around, often bent out of shape by marketing. So, what does it really mean?

From my experience, digital sovereignty isn’t as black and white as we'd like to believe. It’s a spectrum that runs through the entire IT stack, from the hardware and microcode at the bottom to the software and services at the top, including SaaS solutions.

In France, there’s an ongoing debate about why we always seem to be lagging behind American or Chinese software vendors. The usual responses range from defeatism ("The battle’s already lost") to avoidance ("Let’s just focus on our core business and ignore sovereignty"). But these arguments are often flawed or oversimplified, which is why I felt the need to step in and offer my perspective. So here we are—let’s dive into what digital sovereignty really means, beyond the marketing spin.

Digital sovereignty

When most people hear "digital sovereignty," they immediately think of governments or economic zones, and indeed, the European Union has plenty to say on the topic. But I’m not here to talk about Brussels. Instead, I want to focus on something closer to home—something you, the reader, can actually influence: digital sovereignty within your company.

I came across a definition that aligns perfectly with what we'll be discussing here:

"Digital sovereignty describes a party’s right and ability to control its own digital data. It includes control over a company’s digital environment, including customer and employee data, software, hardware, and other digital assets."

As you can see, digital sovereignty covers a lot of ground—especially if you’re familiar with the intricacies of IT infrastructure. The challenge is that we can visualize this concept along a spectrum: on one end, there’s the perfectly sovereign company (a mythical creature, if you ask me), and on the other end, a company that has surrendered all control over its digital environment (unfortunately, this one is all too real). In this series, we’ll explore how companies can assess and improve their position along this spectrum.

The spectrum

You’ll notice that I use a lot of analogies throughout this series. They may not be perfect, but they help convey complex ideas more quickly and spare us the need for a 500-page deep dive. So, let’s talk about the concept of a spectrum and why it’s such a useful analogy for digital sovereignty.

According to Wiktionary, a spectrum is defined as:

A range; a continuous, infinite, one-dimensional set, possibly bounded by extremes. Near-synonym: sliding scale.

For me, this is the perfect word to describe the nuances of digital sovereignty. Things are rarely black and white, and a spectrum captures the complexity of the issue while anchoring it between two extremes. By keeping it in a single dimension, we avoid unnecessary complexity while still acknowledging the range of possibilities a company might navigate.

We’ll use this spectrum to compare different situations relative to each other, because, let’s be honest, there’s no absolute way to measure digital sovereignty. And even if there were, it would likely be far too complex to calculate accurately. So instead, we’ll rely on this sliding scale to help us think through where various companies might stand.

The Digital Sovereignty Spectrum

At its core, the digital sovereignty spectrum merges two key ideas: digital sovereignty and the spectrum itself. Digital sovereignty is about a company’s ability to control its digital environment—everything from data to software, hardware, and beyond. The spectrum, on the other hand, provides a way to visualize this control on a sliding scale, with companies ranging from fully sovereign to entirely dependent on external forces.

In many ways, this is similar to a classical risk assessment, but with a specific focus on external dependencies. The spectrum offers a neutral, factual way to evaluate how much control a company has over its digital landscape. From there, it’s up to you to decide where you want to be on that scale. Just like in risk management, it’s perfectly valid to accept a certain level of dependency—as long as you’re aware of it. What’s more dangerous is being unaware of the risks you face and finding yourself unprepared when they materialize.

This framework-based approach has always resonated with me, likely due to my background in risk assessment. Fifteen years ago, I wrote my master's thesis on risk frameworks like EBIOS. That experience shaped my perspective, pushing me to use frameworks to help understand where we stand—even if we choose not to act on them immediately.

But why?

Why should you care about controlling your digital environment? It’s not just about protecting your organization from obvious vulnerabilities—it’s about understanding where you’re dependent on external forces, often without even realizing it. And sometimes, that’s perfectly fine—if you’ve consciously considered and accepted those dependencies. But the most dangerous situation is when you haven’t. The Broadcom-VMware debacle showed us that many companies hadn’t even acknowledged the risk of dependency, and when it hit, they were caught completely off guard. Let’s explore some more examples of why digital sovereignty matters:

The Broadcom-VMware takeover, a brutal reality check: when Broadcom acquired VMware, the market was rocked by sudden and severe changes. I’ve seen firsthand the panic this decision caused. Broadcom swiftly dismantled existing partnerships that many vendors relied on to resell VMware licenses. These vendors had built entire business models around VMware, and suddenly, their revenue streams were cut off. The result? Chaos, as companies scrambled to adapt. Even more troubling were the countless customers left in a bind. They couldn’t renew their licenses under the new, drastically higher pricing, and were given very little time to migrate to alternative solutions—an incredibly complex task that couldn’t be achieved overnight.

In France and Europe, this risk was almost universally ignored. VMware was seen as the market leader, the safe bet. Many organizations assumed that relying on such a dominant player meant they were secure. But when Broadcom stepped in, that assumption crumbled. The acquisition served as a harsh reality check: even the biggest names in the industry are not immune to disruptive changes, and companies dependent on them need to be prepared for sudden shifts.

• Cloud service lock-in: you’ve invested heavily in a cloud service provider, utilizing their proprietary tools and infrastructure. Over time, migrating to another provider becomes virtually impossible due to the technical complexity and cost. Suddenly, you’re locked into their ecosystem, entirely dependent on their pricing, their updates, and their decisions, with no realistic escape plan.
• Supplier failure: you rely on a third-party vendor for a critical component of your infrastructure—whether it’s hardware, software, or a service. One day, that vendor goes out of business, or simply stops supporting the product. Without control over that key part of your operation, you’re forced into a last-minute scramble to find an alternative, potentially disrupting your entire business.
• Intellectual property ownership issues: you partner with a SaaS provider to run a key part of your business. Over time, your customer data and even proprietary algorithms are processed through their system. But what happens if that provider claims some level of ownership or rights over the data and IP? Without proper control or legal safeguards, your business could be jeopardized.
• Unilateral terms of service changes: your SaaS provider updates its terms of service, and now suddenly restricts access to certain features you’ve built your business around. Maybe they increase fees or change data usage policies. Because you’re not in control, you’re forced to either adapt—often at great cost—or completely rework your infrastructure.
• Sudden changes in external services: a third-party API or service you depend on gets deprecated or undergoes a sudden architectural change, forcing you to rebuild parts of your product on short notice. If your system is heavily tied to external services without fallback options, even seemingly small changes can cause massive operational disruptions.
• Legal and regulatory shifts: changes in local or international law can affect your ability to continue using certain services. Imagine if a new regulation was affecting your SaaS provider to change their data retention policy, suddenly limiting your access to historical data crucial to your business. If you lack control, you could be at the mercy of external forces that don't align with your company's needs.

Ultimately, the goal isn’t necessarily to eliminate all external dependencies—that would be both impractical and inefficient. Sometimes, it’s absolutely fine to rely on a third party. The key is to make those decisions with your eyes wide open, understanding the trade-offs and risks involved. Being on the extreme "unsovereign" end of the spectrum is only a problem if you’ve gotten there by accident. By taking the time to assess where you stand, you can be better prepared for whatever challenges come your way.

Looking ahead

As we've explored in this introduction, the digital sovereignty spectrum offers a way to think about your company's control over its digital environment. It’s not about striving for complete autonomy in every aspect—that’s often unrealistic. Instead, it’s about awareness and making informed decisions about where and how you rely on external entities. The key takeaway is this: knowing where you stand on the spectrum allows you to consciously choose the level of dependency that makes sense for your business, rather than being blindsided by risks you didn’t even know existed.

In the next article, we’ll dive deeper with real-world examples—starting with our own journey at Vates—and showcase how some of our customers have evolved their thinking around dependency. We’ll also begin to draw “zones” within the spectrum, which will give you a clearer idea of where your company stands today and where you might want to be in the future.

And that’s not all. We’ll also be discussing different IT architectures, including SaaS, public cloud, on-premises, and hybrid setups—plus many other configurations from the thousands of real-world architectures we’ve seen at Vates. Our goal is to share this valuable experience to help you make better decisions for your own company’s digital environment.

Finally, in a future post, we’ll take a closer look at some of the false claims and common tropes around digital sovereignty. You’ll get plenty of good examples of how certain vendors or players try to spin the narrative, and how to avoid falling into those traps. Believe me, there’s no shortage of material to cover there.

Stay tuned—things are about to get practical.