April 29, 2026
Digital sovereignty: why every company must choose whom to depend on
From France’s move to the Italian manufacturing ecosystem: why dependence on extra‑European suppliers is already an operational, regulatory and competitive risk.
On 8 April 2026, France marked both a symbolic and operational shift: the French government body responsible for the State’s digital strategy, the Direction Interministérielle du Numérique (DINUM), initiated the transition from Windows to Linux for public administration terminals, with the goal of reducing dependence on extra‑European suppliers in critical areas such as operating systems, collaborative tools and network infrastructure. Minister David Amiel summed up the point clearly: it is no longer acceptable for strategic data and decisions to rely on solutions whose rules, prices and risks are not under national control.
This is not an isolated move. It is a signal to anyone managing technology in a company: how many of the solutions you use every day depend on policies you did not write? Digital sovereignty does not concern only public administration. It is a matter of real control over processes, data and infrastructure.
The European context: a shared trajectory
France’s decision has a precise date, but deeper roots. On 10 June 2025, before the French Senate, Microsoft had to answer a direct question: can it guarantee that data stored in France will never be transmitted to the U.S. government? The answer was no. Not out of evasiveness, but due to legal impossibility: the CLOUD Act of 2018 requires any American company to comply with federal authorities’ access requests, regardless of where the data is physically stored. No contract with European customers can override a federal law.
For the French government, that answer closed the debate. DINUM instructed each ministry to present, by autumn, a roadmap to reduce dependence on American tools across seven pillars: operating system, collaborative tools, antivirus, artificial intelligence, databases, virtualization and network infrastructure. This is not a leap into the unknown: the Gendarmerie nationale has used Linux since 2008, with documented results. Today, the Caisse nationale d’assurance maladie is migrating 80,000 agents to sovereign tools hosted on servers certified by the French national cybersecurity agency.
France is not moving alone. Denmark is evaluating the replacement of Microsoft Office with LibreOffice in public offices. Germany is working on sovereign cloud infrastructures based on OpenStack. Paris is pushing for a European consortium dedicated to sovereign digital tools, because the game, played by a single country against platforms worth hundreds of billions, is already lost from the start.
What is emerging is not an emotional reaction to geopolitical tensions. It is the collective recognition that a long‑overlooked vulnerability—extra‑jurisdictional access to data, lock‑in on critical infrastructure, lack of real portability—has become too concrete to ignore. NIS2 and DORA are now translating that awareness into regulatory obligations, including for private companies.
Technological dependence: concrete risks for Italian SMEs
What pushed France to change course does not concern only public institutions. When dependence on a single supplier becomes structural, the consequences are not abstract: they are measured in downtime, inaccessible data, and compliance that becomes impossible to demonstrate.
The cost that does not appear in quotes
80% of European cloud spending goes to American providers, and those who want to protect their data with European jurisdictional guarantees must pay a premium to do so. “Sovereign” cloud services from hyperscalers—Azure Government, AWS European Sovereign Cloud—exist, but cost significantly more than standard offerings. Data protection has become an add‑on item in the catalog. The result is a two‑tier market: large multinationals, with proportionate IT budgets and legal structures, absorb the cost without difficulty. Manufacturing SMEs handling sensitive process data remain the most exposed, because rules designed to protect everyone end up protecting best those already equipped.
Control is measured at the moment of truth
As already seen with the CLOUD Act, when sensitive data resides on platforms the company does not govern, dependence remains invisible—until it becomes a problem. For a manufacturer, that moment may come in the form of inaccessible quality parameters, blocked batch traceability, or frozen machine logs. No geopolitical emergency is needed to trigger it: a unilateral policy change, a silent contractual update, or an unplanned service interruption is enough.
The CrowdStrike case of 2024—an ordinary update that crashed 8.5 million Windows devices, paralyzing airports, hospitals and production lines worldwide—showed that the domino effect is not a theoretical scenario. A single provider can simultaneously stop hundreds of organizations, without any attack and without warning.
The risks identified for those in this position are clear:
- Operational blockage due to service interruptions or unilateral provider decisions.
- Technological lock‑in: every passing month makes migration more expensive and riskier.
- Domino effect: a provider’s compromise instantly propagates to all customers.
- Compliance at risk: without real visibility into where and how data is processed, GDPR, NIS2 and DORA become obligations impossible to demonstrate.
NIS2 and DORA: from abstract requirements to operational obligations
NIS2, transposed in Italy through Legislative Decree 138/2024, extends cybersecurity obligations to sectors that until recently considered themselves outside the perimeter: manufacturing, food, chemicals, waste management. The threshold is size-based—SMEs above 250 employees or €50 million in turnover fall under “important entities”—but the principle is broader: it is not enough to have secure systems; one must demonstrate effective governance, including over the supply chain. DORA, active since January 2025 for the financial sector, sets the standard the market expects elsewhere: periodic resilience tests, documented management of third‑party ICT risks, incident notification.
Those who depend on extra‑European clouds without clauses on portability, continuity and transparency find themselves in a difficult position before supervisory authorities. Compliance is no longer a matter of documents. It has become a matter of real control over what keeps the company running.
The leap Italian companies still need to make
Italy’s manufacturing ecosystem—Lombardy, Piedmont, Veneto, Emilia‑Romagna—is among the most industrialized in Europe. But digitalization in these districts often happened out of urgency, not design: cloud tools adopted quickly, without assessing the dependencies created over time. Many companies modernized processes without gaining control over the infrastructure those processes run on. The bottleneck, in these cases, is never technical. It is the lack of visibility over who controls what, where the data that powers production resides, and what would happen if a supplier changed conditions tomorrow morning.
IBM defines digital sovereignty as the level of control an organization has over its digital assets—data, software, processes and infrastructure. It is not a geographical matter. It is an operational condition: who governs the systems, who can access them, and how that responsibility can be demonstrated continuously and verifiably.
The relevant question, therefore, is not “do I use American or European software?”. It is more uncomfortable: if the supplier raised prices tomorrow, could I exit without losing months of data? If the service shut down, what would remain in my hands? If an audit requested visibility into data flows, could I answer?
Those who have not yet answered these questions do not have a technological problem. They have a problem of understanding their own exposure.
Operational sovereignty: an architectural choice before a compliance one
IBM distinguishes between two approaches that may appear equivalent but produce very different results over time. The first adds sovereignty as a layer on top of an existing infrastructure—a contractual guarantee, a certification, a “sovereign” prefix in the service name. The second builds it by design: control is not an optional feature activated on request, but a structural characteristic of the system. For a manufacturing company, the difference is concrete. In the first case, dependence remains—it is simply more expensive to maintain. In the second, data stays where the company decides, the operating logic is transparent and modifiable, and operational control does not silently migrate to the provider.
Automating a process means entrusting a system with decisions that previously required human intervention. It is useful, often necessary. But if that system cannot be inspected, modified or moved, automation also means surrendering control. The question to ask any supplier—software, cloud or AI—is not only “does it work?”, but “three years from now, will this architecture still be mine?”.
A signal to read before it becomes an obligation
France’s move is not an isolated case. It anticipates pressure that Italian organizations will feel growing on multiple fronts simultaneously—regulatory, competitive, reputational. NIS2 and DORA are already in force. Supply‑chain security requirements will progressively extend to sectors that today consider themselves outside the perimeter. Those who wait for dependence to become a formal problem are already starting late.
The first step is not a migration project. It is a map: who provides what, where critical data resides, which dependencies cannot be interrupted without stopping production. Not to eliminate every external supplier—that would be unrealistic and counterproductive—but to understand one’s real exposure. The difference between those who manage dependence and those who suffer it is not technical. It is the difference between those who asked these questions in advance and those who face them under pressure.
Sources:
- RTS, “La France veut migrer de Windows à Linux pour sa souveraineté numérique” (11 April 2026). https://www.rts.ch/info/monde/2026/article/la-france-abandonne-windows-pour-linux-une-question-de-souverainete-29209373.html
- Il Fatto Quotidiano, “La Francia dice addio a Windows per Linux: una scelta di sovranità digitale europea contro gli Stati Uniti” (15 April 2026). https://www.ilfattoquotidiano.it/2026/04/15/la-francia-dice-addio-a-windows-per-linux-una-scelta-di-sovranita-digitale-europea-contro-gli-stati-uniti/8356736/
- Agenda Digitale, Sokol Kolgjini, “Geopolitica dei dati: quanto costa alle aziende il risiko del cloud?” (21 October 2025). https://www.agendadigitale.eu/infrastrutture/geopolitica-dei-dati-quanto-costa-alle-aziende-il-risiko-del-cloud/
- Agenda Digitale, Nicoletta Pisanu, “Dipendenza tecnologica, i rischi di non contare su se stessi in UE” (8 October 2025). https://www.agendadigitale.eu/sicurezza/dipendenza-tecnologica-perche-e-un-rischio-per-lue-e-le-aziende/
- European Commission, “NIS2 Directive: securing networks and information systems”. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
- Agenda Digitale, “Cloud act, la norma USA che fa a pugni con la privacy europea: i nodi”. https://www.agendadigitale.eu/sicurezza/privacy/cloud-act-la-norma-usa-che-fa-a-pugni-con-la-privacy-europea-i-nodi/
- IBM, “What is sovereign cloud?”. https://www.ibm.com/it-it/think/topics/sovereign-cloud

Marta Magnini
Digital Marketing & Communication Assistant at Aidia, graduated in Communication Sciences and passionate about performing arts.