Digital Sovereignty: A Board-Level Imperative

How boards and CIOs must secure control across clouds, models, data flows, and vendors in a fractured world.

A world map showing regional hotspots is displayed on a computer screen
Key takeaways
  • Digital sovereignty is the capacity to remain in control when the world fractures. It requires mapping and managing dependencies across the entire digital value chain from compute to cloud, software, AI models, data, and talent.
  • Technopolitics describes the intersection where technology and geopolitics collide, transforming technical parameters—cloud regions, LLM architectures, data flows, and API terms—into instruments of political strategy.
  • Structured transparency and proactive resilience are now fiduciary responsibilities.
  • Boards and CIOs must together understand the organisational exposure inherent in their digital architecture and ensure scenario-tested continuity.

Digital sovereignty has become one of the most circulated terms in policy, boardrooms, and industry events. Yet its meaning is often flattened into a discussion about compliance, data localisation or cloud choices. The reality is far more consequential.

For CIOs today, it means the ability to maintain control over your critical digital dependencies and keep operating under adverse, unexpected, or politically driven conditions.

In conversations with CIOs across Europe, Asia, and the Middle East, one pattern repeatedly emerges. Leaders understand that geopolitics is changing. They follow sanctions, trade tensions, export controls, and the US–China rivalry. Yet they rarely connect these shifts to their technology stack, cloud architecture, software supply chain, or AI model exposure.

This disconnect can be traced back to the belief that technology is neutral—a perspective shaped by the relative stability of the 1990s, when globalization and trade were expected to spread democratic values across markets. That era is over. Technology has become power, leverage, and geopolitical terrain.

For CIOs, the implications are immediate.

Between geopolitical realities and technological dependence

Global tensions, sanctions, and extraterritorial laws no longer influence only government affairs. They affect the availability of chips, cloud regions, digitisation programs, enterprise software, and AI models.

A Gartner survey of over 2,500 CIOs and technology leaders outside the U.S. reveals that 50% of CIOs outside the US expect changes to vendor relationships based on political factors.1

“Leaders should stop assuming that technology is neutral. It isn’t. Cloud regions, LLM architectures, vendor jurisdictions, data flows, and API terms now function as geopolitical instruments. Digital sovereignty is the discipline of understanding which of these levers matter—and securing control over them before someone else does.”

Damien Kopp

To navigate this landscape, we first need a new lens for understanding the world ahead. New fault lines are emerging among the major technopolitical power blocs. Technological dependencies are being weaponized; at the same time there is increased symbiosis between technology giants and governments driving national agendas and foreign policies; splintering the globe in different technology blocs—the United States, the European Union, and China—as well as within the Global South, the Gulf states, Japan, and South Korea, each exerting growing influence through technology consumption and capital access.

Diplomacy and trade have shifted from governments alone to an intertwined system of states and platforms, which is now the primary source of enterprise exposure.

This evolving balance of power makes decision-making increasingly complex for global enterprises operating across these spheres.

In this environment, senior executives can no longer treat digital procurement as an operational decision. Every dependency is now a political exposure. Digital sovereignty begins with understanding the upstream bottlenecks that determine who can compute, who can train, and who can scale.

As AI systems increasingly mediate how organisations see the world and automate decision making, sovereignty must also cover control over the narrative filters that shape strategic decisions.

Hence, critical technology decisions must be elevated to the board level. Only then can directors fulfill their fiduciary duty with a clear understanding of the risks involved and define effective de-risking strategies.

Finally, technology leaders must develop technopolitical literacy so they are better equipped to design and execute practical action plans—with measurable goals, clear accountability, and tangible results—to safeguard digital assets and ensure business continuity.

These priorities form the foundation for the sections that follow.

Mapping the digital dependency stack

Many organizations are only partially aware of their technological dependencies. They accumulate through years of proprietary interfaces, escalating usage-based pricing, opaque AI model behaviour, and jurisdictional ambiguity.

In this context, digital sovereignty does not imply total independence. That is unrealistic and undesirable. It means conscious, managed, and reversible interdependence.

A rigorous, technopolitically aware dependency assessment must look across six interconnected layers.

It starts with the physical and compute infrastructure, examining where workloads run, which jurisdictions govern them, and which suppliers control upstream levers such as chips, energy, or data centres. It then evaluates the cloud architecture, including data residency, contractual terms, exposure to extraterritorial laws, and whether multi-cloud or sovereign alternatives are viable.

The software and application layer requires scrutiny of licensing constraints, enterprise dependencies, Software Bill of Material (SBOM) transparency, and compliance with fast-evolving regulations.

Data flows and lineage must be mapped to understand where information travels, who can legally access or subpoena it, how it is encrypted, and under what conditions it is processed.

AI models introduce their own exposures: organisations need clarity on model governance, alignment policies, training data provenance, the jurisdiction of the model provider, and the feasibility or cost of reproducing similar capabilities in-house.

Importantly, Generative AI adds a new category of vulnerability: cognitive dependence. Because with Large Language Models, organisations do not simply rely on a vendor’s technology, but also on that vendor’s values, assumptions, and embedded worldview. At that point, sovereignty becomes a political and organisational question as much as a technical one.

Finally, talent and operations remain a critical layer, as reliance on globally distributed expertise or vendor-operated support can create operational fragility if access is disrupted.

Taken together, these layers form a technopolitical map rather than a purely technical one. This matters because the pressures are already visible.

New frameworks are emerging to support this evaluation process, including the European Commission’s Cloud Sovereignty Framework (EC CSF) and the ASEAN New Digital Economy Framework. Together, they aim to help enterprises and governments better assess the degree of sovereignty within their ecosystems.

By 2025, Gartner expects 60% of critical software to require SBOM transparency, compared with less than 20% only three years earlier. This trend reflects a growing demand for transparency within the technology stack and a deeper understanding of hidden dependencies.2

From uncertainty to actionability

CIOs today face a paradox. They are responsible for continuity, resilience, and digital growth, yet many operate within supply chains whose fragilities are both hidden and politically exposed.

Uncertainty is now the primary operational risk.

The solution lies in structured transparency, supported by three pillars:

  1. Create visibility: Perform a detailed mapping of suppliers, cloud regions, AI models, data processors, contractual exposures, and cross-border data flows; as previously covered.
  2. Play through prospective scenarios: Simulate what happens if a provider loses export licenses or a cloud region becomes inaccessible or a major AI API changes terms, pricing, or permissible content or a country enforces a sudden data-localisation mandate? Scenario planning must move from compliance to operational continuity thinking.
  3. Build options: Strategic diversification, whether through multi-cloud approaches, open-source components, or regional backup systems. But this does not mean redundancy everywhere, which in turn creates more dependencies. It means options where it matters: workloads, models, data, and vendors that can be shifted, replaced, or internalised without prolonged disruption.

Achieving digital sovereignty requires a nuanced approach and critical trade-offs that must be understood and managed with care:

  • Data localization vs. resilience: Storing data within national borders can strengthen control but may limit access to globally distributed, more robust infrastructure.
  • Talent concentration vs. global expertise: Relying exclusively on domestic talent can foster strong local ecosystems yet restrict access to diverse international skills and specialized capabilities.
  • Local support vs. continuous availability: In-country support can offer tailored service, but often struggles to maintain actual 24/7 operations without a global presence.
  • Network security vs. flexibility: National security protocols can enhance protection but may constrain interoperability and slow the adoption of new technologies.

A recent example underscores the consequences of neglecting such a balance. In 2025, a data center fire in South Korea caused nationwide digital paralysis, disrupting 647 government services and resulting in the permanent loss of 858 terabytes of public-sector data due to the absence of off-site backups.3 This demonstrates how a single-jurisdiction dependency can trigger nationwide paralysis and the irreversible loss of public-sector data. At the same time, regulatory divergence across major blocs means that an AI model pipeline deemed compliant in one region may be constrained or prohibited in another.

Ultimately, digital sovereignty is not about isolation but adaptability. A pragmatic strategy—grounded in transparency, foresight, and flexibility—is essential to build a resilient, secure, and sovereign digital future.

Digital resilience as a leadership priority

Digital sovereignty is not a purely technical project, but rather a part of corporate governance. CIOs should actively raise the issue with the board of directors, not as a threat, but as a strategic investment in resilience and the ability to act.

Boards must understand not only the risks but the mechanisms by which dependencies can turn into vulnerabilities.

A pragmatic approach is to focus the dialogue with the management and supervisory boards on three questions:

  • Which dependencies threaten our continued existence as a business?
  • How transparent is our risk portfolio?
  • How can we act today to avoid being unprepared tomorrow?

These questions compel us to connect technology decisions with geopolitical and economic developments—a crucial step in shaping our digital future independently.

Although 66% of CIOs regularly participate in board-level discussions, they hold only around 5% of board seats among Global 500 companies.4 This imbalance highlights both a gap and an opportunity: technology leaders can strengthen their influence by positioning digital resilience as a core element of the corporate strategy.

The World Economic Forum has even proposed introducing a new leadership role—the Chief Geopolitical Officer—tasked with integrating geopolitical intelligence directly into business decision-making.5 Such a role would complement the CIO’s mandate and ensure that strategic technology choices are grounded in a deeper understanding of global dynamics.

At the same time, boards and executive teams must reinforce their Governance, Risk Management, and Compliance activities to reflect this new reality of digital resilience. This begins during the planning and design phases, when appropriate requirements should be embedded early, and extends into implementation and operations, where ongoing oversight is essential to prevent the expansion of the organization’s risk surface.

Control is the new competitive advantage

The coming months will reveal which companies cannot only identify technological dependencies but also actively manage them. In a time of growing uncertainty, control is becoming a decisive competitive factor.

CIOs who create structured transparency and address dependency risks today not only secure their company’s digital sovereignty, but they also reduce their personal risk as decision-makers.

Digital sovereignty is not a defensive stance, but an expression of leadership strength: creating clarity before others ask the difficult questions.

Conclusion

Addressing digital sovereignty is no longer a mere buzzword; it has become a critical imperative for board-level attention. Geopolitical dynamics are increasingly shaping digital infrastructure, requiring a proactive approach that goes beyond mere compliance.

Current gaps in understanding among technology leaders and the difficulty in translating risks into actionable plans highlight the urgent need to elevate this discussion to the highest levels of governance.

By adopting emerging best practices for mapping and assessing dependencies, and committing to immediate, structured action, organizations can equip their boards with the insights needed to fulfill fiduciary responsibilities and build resilience against future disruptions.

Digital sovereignty is not a defensive posture but a demonstration of leadership: creating clarity and securing control before difficult questions arise. Digital sovereignty is ultimately a growth strategy. It is what allows an organisation to innovate, scale, and operate globally without being blindsided by forces outside its control.

The time to implement these critical mitigation strategies is now.

Sources
  1. Gartner Survey presented at Gartner IT Symposium/Xpo, October 2025
  2. LMG Security, “Do You Have an SBOM Strategy?” 2023
  3. Government Technology, “How much government data was lost in a data center fire in South Korea?” 2025
  4. DigitalDefynd, “50 Fascinating Facts & Statistics About CIOs (Chief Information Officers),” 2025
  5. The World Economic Forum, “Why every company now needs a Chief Geopolitical Officer,” 2025

Cover image: Martin Sanchez on Unsplash

Disclaimer: The information provided in this article is solely the author’s opinion and not investment advice—it is provided for educational purposes only. By using this, you agree that the information does not constitute any investment or financial instructions. Do conduct your own research and reach out to financial advisors before making any investment decisions.

Tags
Damien Kopp
Damien Kopp

Damien has held executive roles in technology for 20+ years across Europe, North America, and Asia. As Managing Director of RebootUp, he drives AI integration and technopolitics for Fortune 500 companies and innovation leaders, navigating Asia’s strategic and global risks.