{"id":5391,"date":"2026-07-01T13:46:50","date_gmt":"2026-07-01T11:46:50","guid":{"rendered":"https:\/\/www.manage-now.de\/?p=5391"},"modified":"2026-07-01T13:50:11","modified_gmt":"2026-07-01T11:50:11","slug":"digital-sovereignty-2026-from-an-it-decision-to-a-strategic-leadership-responsibility","status":"publish","type":"post","link":"https:\/\/www.manage-now.de\/en\/blog\/digital-sovereignty-2026-from-an-it-decision-to-a-strategic-leadership-responsibility\/","title":{"rendered":"Digital Sovereignty 2026: From an IT Decision to a Strategic Leadership Responsibility"},"content":{"rendered":"<section class=\"page-content\"\n         data-header=\"dark\">\n    <div class=\"container\">\n                    <div class=\"details-text-content\">\n                                <p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><em>Digital sovereignty has arrived in boardrooms, but not yet in budgets and architecture decisions. And the situation is clear: with <span style=\"text-decoration: underline\"><a href=\"https:\/\/www.manage-now.de\/en\/blog\/nis2-in-practice\/\">NIS2<\/a><\/span>, the EU Data Act, and a geopolitically fragile global dependence on IT, companies no longer have a choice about whether to engage with the topic. The only question is whether they do so reactively or strategically.<\/em><\/p>\n<p><em>This article shows what digital sovereignty will concretely mean in 2026, where the biggest misunderstandings lie, and how IT decision-makers can develop a strategy that is neither too risky nor too expensive<\/em>.<\/p>\n<p><em> <\/em><\/p>\n<p>&nbsp;<\/p>\n                    <\/div>\n        \n    <\/div>\n<\/section><section class=\"page-content\"\n         data-header=\"dark\">\n    <div class=\"container\">\n                    <div class=\"details-text-content\">\n                                <h2>What is digital sovereignty, and why data residency alone isn\u2019t enough?<\/h2><p>Digital sovereignty describes a company\u2019s ability to independently control its IT infrastructure, data, and processes\u2014regardless of external influences from vendors, authorities, or geopolitical developments.<\/p>\n<p>The key misunderstanding: sovereignty is not the same as data residency. The fact that a server is physically located in Frankfurt does not protect against access if the cloud provider is subject to US law. The US CLOUD Act obliges US companies to hand over data on official request\u2014regardless of which country the servers are located in.  <\/p>\n<p>That this is not a theoretical risk was confirmed by Microsoft itself in June 2025: Microsoft France\u2019s Chief Legal Officer stated under oath before the French Senate that Microsoft cannot guarantee that data of European customers\u2014even if stored in EU data centers\u2014will not be passed on to US authorities. It\u2019s hard to imagine a clearer statement of the situation. <\/p>\n<p>For IT decision-makers, this means: the provider\u2019s jurisdiction is what matters, not the data center\u2019s ZIP code.<br \/>\nThat\u2019s why several dimensions of digital sovereignty are distinguished (defined in the EU Cloud Sovereignty Framework), all of which must be taken into account:<\/p>\n<table style=\"height: 575px\" width=\"1073\">\n<tbody>\n<tr>\n<td width=\"213\"><strong>Dimension<\/strong><\/td>\n<td width=\"213\"><strong>Key question<\/strong><\/td>\n<td width=\"213\"><strong>Typical risk<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Strategic Sovereignty<\/strong><\/td>\n<td width=\"213\">How easy is it to switch providers?<\/td>\n<td width=\"213\">Dependence on non-EU providers (financial and functional)<\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Legal &#038; Jurisdictional Sovereignty<\/strong><\/td>\n<td width=\"213\">Which laws apply to data and providers?<\/td>\n<td width=\"213\">Access by foreign authorities<\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Data &#038; AI Sovereignty<\/strong><\/td>\n<td width=\"213\">How is data processed and used?<\/td>\n<td width=\"213\">Opaque AI models (&#8220;black box&#8221;)<\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Operational Sovereignty (incl. operations sovereignty)<\/strong><\/td>\n<td width=\"213\">Who operates the systems and has access?<\/td>\n<td width=\"213\">Access from third countries \/ global support structures<\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Supply Chain Sovereignty<\/strong><\/td>\n<td width=\"213\">How transparent is the supply chain?<\/td>\n<td width=\"213\">Dependence on individual global vendors<\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Technology Sovereignty (incl. software sovereignty)<\/strong><\/td>\n<td width=\"213\">How dependent is the software stack?<\/td>\n<td width=\"213\">Vendor lock-in through proprietary technologies<\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Security &#038; Compliance<br \/>\nSovereignty<\/strong><\/td>\n<td width=\"213\">How are security and compliance ensured?<\/td>\n<td width=\"213\">Lack of auditability or external control<\/td>\n<\/tr>\n<tr>\n<td width=\"213\"><strong>Environmental Sustainability<\/strong><\/td>\n<td width=\"213\">How efficient and sustainable is the infrastructure?<\/td>\n<td width=\"213\">Inefficient data centers<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>Only when all dimensions are addressed can we speak of true digital sovereignty.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n                    <\/div>\n        \n    <\/div>\n<\/section>\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<section class=\"page-content\"\n         data-header=\"dark\">\n    <div class=\"container\">\n                    <div class=\"details-text-content\">\n                                <h2>Why 2026 is a turning point: the regulatory drivers<\/h2><p>The pressure on companies to design their cloud strategy in a sovereign way doesn\u2019t come from abstract IT considerations. It comes from regulation\u2014and it has increased significantly over the past 18 months. <\/p>\n<p><strong><a href=\"https:\/\/www.manage-now.de\/en\/blog\/nis2-in-practice\/\"><span style=\"text-decoration: underline\">NIS2<\/span><\/a> (in force since December 2025): <\/strong>The NIS2 implementation act obliges around 30,000 companies in Germany to demonstrably implement cybersecurity measures, including requirements for <span style=\"text-decoration: underline\"><a href=\"https:\/\/www.manage-now.de\/en\/blog\/harvest-now-decrypt-later-why-migration-to-post-quantum-cryptography-must-begin-today-not-only-once-quantum-computers-are-operational\/\">cryptography<\/a><\/span>, data protection, and supply chain security. Anyone running critical workloads with a provider without European jurisdiction has a structural compliance problem. More on NIS2: <span style=\"text-decoration: underline\"> <a href=\"https:\/\/www.manage-now.de\/en\/blog\/nis2-in-practice\/\">NIS2 in practice: Personal liability, obligation to provide evidence, and what managing directors need to do now &#8211; Manage Now<\/a><\/span>  <\/p>\n<p><strong>EU Cloud Sovereignty Framework (<\/strong><strong>since October 29, 2025)<\/strong><\/p>\n<p>The Cloud Sovereignty Framework serves as a standardized assessment framework for cloud sovereignty. The framework defines eight sovereignty objectives (SOV-1 to SOV-8) covering strategic, legal, operational, technological, data and AI sovereignty, as well as sustainability and supply chain resilience. For assessment, a five-level system called Sovereignty Effective Assurance Levels (SEAL 0-4) is used. Cloud providers must meet defined minimum levels to be considered in tenders<br \/>\nIn addition, a Sovereignty Score is calculated that evaluates the provider\u2019s quality and integration into the EU ecosystem, including ownership structure, governance, investments, and legal exposure to third countries such as the US CLOUD Act   <\/p>\n<p><strong>EU Data Act (since September 12, 2025): <\/strong>The EU Data Act regulates who may access data under which conditions and strengthens the right to data portability. For companies storing data in proprietary cloud environments, new obligations to provide evidence and potential switching barriers arise. <\/p>\n<p><strong>DORA (since January 2025): <\/strong>For the financial sector, the Digital Operational Resilience Act also applies, setting explicit requirements for the resilience of IT service providers and cloud providers, including exit strategies and rights of control.<\/p>\n<p><strong>Geopolitical fragmentation: <\/strong>Beyond regulation, the geopolitical risk landscape has changed. IT decision-makers who have concentrated their entire critical infrastructure with a single hyperscaler from a third country face a risk that was still theoretical three years ago. <\/p>\n<p>&nbsp;<\/p>\n                    <\/div>\n        \n    <\/div>\n<\/section>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<section class=\"page-content\"\n         data-header=\"dark\">\n    <div class=\"container\">\n                    <div class=\"details-text-content\">\n                                <h2>Hyperscaler, Sovereign Cloud, or hybrid: what\u2019s the right architecture?<\/h2><p>There is no universally correct answer. But there is a correct methodology. The decision depends on which workloads are how sensitive and which regulatory requirements apply in concrete terms.  <\/p>\n<p>Not all data requires the same level of protection. A pragmatic classification provides the foundation for a differentiated architecture: <\/p>\n<table style=\"height: 346px\" width=\"968\">\n<tbody>\n<tr>\n<td width=\"173\"><strong>Data category<\/strong><\/td>\n<td width=\"240\"><strong>Examples<\/strong><\/td>\n<td width=\"188\"><strong>Recommended environment<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"173\">Highly sensitive \/ regulated<\/td>\n<td width=\"240\">HR data, health data, critical production data, M&#038;A information<\/td>\n<td width=\"188\">Sovereign Cloud under EU jurisdiction<\/td>\n<\/tr>\n<tr>\n<td width=\"173\">Business-critical<\/td>\n<td width=\"240\">ERP, CRM, financial systems<\/td>\n<td width=\"188\">Hybrid: Sovereign or private cloud with strict access management<\/td>\n<\/tr>\n<tr>\n<td width=\"173\">Operational \/ low sensitivity<\/td>\n<td width=\"240\">Development environments, marketing tools, collaboration platforms<\/td>\n<td width=\"188\">Hyperscaler possible, with conscious risk acceptance<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>This approach\u2014known in practice as workload classification\u2014is the first step of any viable sovereignty strategy. It avoids two typical mistakes: complete hyperscaler dependence without risk assessment on the one hand, and an unrealistic total exit on the other. <\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal\" data-sourcepos=\"57:1-57:244;3008-3251\">Crypto agility and vendor lock-in: regardless of the model chosen, companies should prefer architectures based on open standards that enable switching providers without a complete rebuild. Proprietary services create dependencies that accumulate over years and become expensive in an emergency <\/p>\n<p data-sourcepos=\"57:1-57:244;3008-3251\">\n                    <\/div>\n        \n    <\/div>\n<\/section>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<section class=\"page-content\"\n         data-header=\"dark\">\n    <div class=\"container\">\n                    <div class=\"details-text-content\">\n                                <h2>A 4-step path to a Sovereign Cloud strategy: what IT decision-makers need to do now<\/h2><p>A sovereignty strategy doesn\u2019t emerge in a workshop. It requires a structured approach: <\/p>\n<p><strong>Step 1: Create a workload and data inventory<\/strong><\/p>\n<p>Which systems run where? Which data is particularly sensitive? Which regulatory requirements (NIS2, DORA, GDPR, industry-specific) apply in concrete terms? Without this inventory, all further decisions are speculative.   <\/p>\n<p><strong>Step 2: Evaluate providers across the eight sovereignty dimensions<\/strong><\/p>\n<p>Review infrastructure, operations, software\u2014check all dimensions per provider. The result is typically sobering: in most companies, the actual dependence on non-European structures is greater than assumed. <\/p>\n<p><strong>Step 3: Develop a migration strategy\u2014prioritized, not radical<\/strong><\/p>\n<p>An abrupt, complete exit from hyperscaler environments is neither technically nor economically sensible. What makes sense is a risk-based migration path: set up new projects sovereign from the start, migrate existing critical workloads by priority, and leave non-critical systems in place with conscious risk acceptance. <\/p>\n<p><strong>Step 4: Plan for crypto agility and an exit strategy<\/strong><\/p>\n<p>Regardless of the provider chosen: design architectures so that switching remains possible. That means open standards, documented dependencies, and a defined exit strategy\u2014an obligation DORA already mandates for the financial sector and one that makes sense for all companies. <\/p>\n<p>&nbsp;<\/p>\n                    <\/div>\n        \n    <\/div>\n<\/section>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<section class=\"page-content\"\n         data-header=\"dark\">\n    <div class=\"container\">\n                    <div class=\"details-text-content\">\n                                <h2>Conclusion: Digital sovereignty is not a project, but an architectural principle<\/h2><p>Digital sovereignty is not a one-off measure. It is an architectural principle that must feed into every cloud decision\u2014from selecting new SaaS tools to designing critical infrastructure. <\/p>\n<p>The good news: in 2026, the European market for sovereign cloud infrastructure is mature enough to offer viable alternatives. The bad news: in most companies, the gap between regulatory pressure and actual implementation is still large. <\/p>\n<p><strong>Those who start today have the chance of an orderly transition. Those who wait will migrate under pressure. <\/strong><\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal\" data-sourcepos=\"145:1-145:194;11118-11311\">\n<p data-sourcepos=\"145:1-145:194;11118-11311\">\n<p style=\"text-align: center\"><strong>The first step is always the same: an honest picture of your own dependencies. Manage Now supports IT decision-makers in analyzing existing cloud infrastructures and developing a viable Sovereign Cloud strategy. <\/strong><\/p>\n<p style=\"text-align: center\" data-sourcepos=\"145:1-145:194;11118-11311\"><strong><span style=\"text-decoration: underline\"><a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/www.manage-now.de\/en\/products\/managed-sovereign-cloud\/\">Talk to our experts \u2192<\/a><\/span><\/strong><\/p>\n                    <\/div>\n        \n    <\/div>\n<\/section>\n<div style=\"height:45px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<section class=\"section email-form\" data-header=\"dark\">\n        <div class=\"container\">\n            <div class=\"email-form-wrapper\">\n                <div class=\"email-form-content refs-form\">\n                                        <h2 class=\"email-form-title\">Join Our Community!<\/h2>\n                                                                                    <div class=\"email-form-description\"><p>Subscribe to our newsletter to receive regular updates, invitations to our events, and exclusive IT insights.<\/p>\n<\/div>\n                                                            \n<div class=\"wpcf7 no-js\" id=\"wpcf7-f4748-o1\" lang=\"en-US\" dir=\"ltr\" data-wpcf7-id=\"4748\">\n<div class=\"screen-reader-response\"><p role=\"status\" aria-live=\"polite\" aria-atomic=\"true\"><\/p> <ul><\/ul><\/div>\n<form action=\"\/en\/wp-json\/wp\/v2\/posts\/5391#wpcf7-f4748-o1\" method=\"post\" class=\"wpcf7-form init email-form-form\" aria-label=\"Contact form\" novalidate=\"novalidate\" data-status=\"init\">\n<fieldset class=\"hidden-fields-container\"><input type=\"hidden\" name=\"_wpcf7\" value=\"4748\" \/><input type=\"hidden\" name=\"_wpcf7_version\" value=\"6.1.6\" \/><input type=\"hidden\" name=\"_wpcf7_locale\" value=\"en_US\" \/><input type=\"hidden\" name=\"_wpcf7_unit_tag\" value=\"wpcf7-f4748-o1\" \/><input type=\"hidden\" name=\"_wpcf7_container_post\" value=\"0\" \/><input type=\"hidden\" name=\"_wpcf7_posted_data_hash\" value=\"\" \/>\n<\/fieldset>\n<div class=\"email-form-fields\">\n\t\t<div class=\"email-form-field input-wrap\">\n <span class=\"wpcf7-form-control-wrap\" data-name=\"Email\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email\" autocomplete=\"email\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Email*\" value=\"\" type=\"email\" name=\"Email\" \/><\/span>\n<span id=\"wpcf7-6a58f6578966d-wrapper\" class=\"wpcf7-form-control-wrap website_url-wrap\" data-cf7apps-honeypot=\"website_url\" style=\"display: block;\n\t\t    width: 0px;\n\t\t    height: 0px;\n\t\t    padding: 0px;\n\t\t    border: 1px solid transparent;\n\t\t    display: block;\n\t\t    overflow: hidden;\n\t\t    \"><input type=\"hidden\" name=\"website_url-random-hash\" value=\"57025031\"><label\n\t\t    for=\"wpcf7-6a58f6578966d-field\"\n\t\t    class=\"hp-message\"\n        >Please leave this field empty.<\/label><input\n\t    id=\"wpcf7-6a58f6578966d-field\"\n\t    \n\t    class=\"wpcf7-form-control wpcf7-text\"\n\t    type=\"text\"\n\t    name=\"ah6fwasz65oz\"\n\t    value=\"\"\n\t    size=\"40\"\n\t    autocomplete=\"new-password\"\n\t    tabindex=\"1000\"\n    \/><\/span>\n\t\t<\/div>\n<input class=\"wpcf7-form-control wpcf7-hidden\" value=\"EN\" type=\"hidden\" name=\"Sprache__c\" \/>\n\t\t<button type=\"submit\" class=\"btn wpcf7-submit btn--grey btn--active\"><span>Subscribe<\/span><i class=\"icon icon-btn-arrow\"><\/i><\/button>\n<\/div>\n\n\n<div class=\"email-form-agreement checkbox-wrap\">\n\t\t\n\t\t<label for=\"Marketing_Opt_In__c\">I would like to receive relevant information about services and events, as well as other content from Manage Now GmbH. I can unsubscribe at any time.<\/label>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"Marketing_Opt_In__c\"><span class=\"wpcf7-form-control wpcf7-checkbox\" id=\"newsletter\"><span class=\"wpcf7-list-item first last\"><input type=\"checkbox\" name=\"Marketing_Opt_In__c[]\" value=\"Yes\" \/><span class=\"wpcf7-list-item-label\">Yes<\/span><\/span><\/span><\/span>\n<\/div>\n\n<div class=\"email-form-agreement checkbox-wrap\">\n\t\t<label for=\"Datenschutz__c\"><span> Manage Now GmbH collects, processes, and uses your above-mentioned personal data to handle your request. Further information can be found in<a href=\"\/en\/data-protection\/\"> our data protection policy*<\/a><\/span><\/label>\n\t\t<span class=\"wpcf7-form-control-wrap\" data-name=\"Datenschutz__c\"><span class=\"wpcf7-form-control wpcf7-checkbox wpcf7-validates-as-required\"><span class=\"wpcf7-list-item first last\"><input type=\"checkbox\" name=\"Datenschutz__c[]\" value=\"agreement\" \/><span class=\"wpcf7-list-item-label\">agreement<\/span><\/span><\/span><\/span>\n\n\n<\/div><input type='hidden' class='wpcf7-pum' value='{\"closepopup\":false,\"closedelay\":0,\"openpopup\":false,\"openpopup_id\":0}' \/><div class=\"wpcf7-response-output\" aria-hidden=\"true\"><\/div>\n<\/form>\n<\/div>\n                <\/div>\n            <\/div>\n        <\/div>\n<\/section>\n<script>\n    (function ($) {\n        let node_form = $('.refs-form form');\n        if( node_form.length ) {\n            node_form.find('input[type=\"checkbox\"]').each(function () {\n                let parent_node = $(this).parents('.email-form-agreement'),\n                    input_node = $(this),\n                    input_name = input_node.attr('name').replace('[]', ''),\n                    label_node = parent_node.find('label[for=\"' + input_name + '\"]');\n\n                    input_node.attr('name',input_name);\n                    input_node.attr('id',input_name);\n                    input_node.siblings().remove();\n                    input_node.after(label_node);\n            });\n        }\n    })(jQuery)\n<\/script>","protected":false},"excerpt":{"rendered":"","protected":false},"author":6,"featured_media":5416,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":"","_wp_rev_ctl_limit":""},"categories":[69],"arts":[79],"branche":[],"post_folder":[],"class_list":["post-5391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","arts-managed-sovereign-cloud"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/posts\/5391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/comments?post=5391"}],"version-history":[{"count":2,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/posts\/5391\/revisions"}],"predecessor-version":[{"id":5419,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/posts\/5391\/revisions\/5419"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/media\/5416"}],"wp:attachment":[{"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/media?parent=5391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/categories?post=5391"},{"taxonomy":"arts","embeddable":true,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/arts?post=5391"},{"taxonomy":"branche","embeddable":true,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/branche?post=5391"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/www.manage-now.de\/en\/wp-json\/wp\/v2\/post_folder?post=5391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}