Public sector sovereignty requirements
This is a preview article from my upcoming book:
Digital Sovereignty in Europe - Architecture and Strategies for Technological Independence
In the public sector, sovereignty is a practical necessity. When governments depend on digital systems they do not control, they risk losing the ability to function, protect citizens, and maintain the rule of law. This chapter covers five connected areas: democratic accountability, continuity of services, data privacy, national security, and public procurement.
Democratic accountability
Democratic power comes with responsibility, and responsibility requires control. When a public organization hands control of critical IT systems to a foreign third party, accountability does not transfer with it. Ministers and elected officials remain responsible to parliament, the courts, and the public for how systems work, how data is handled, and anything that goes wrong.
A government can outsource the running of a system, but it cannot outsource the consequences if that system fails. If a cloud provider goes offline, if a foreign government forces a vendor to hand over data, or if a vendor simply stops offering a service, the political responsibility falls on the public institution. This means governments must maintain real operational and legal sovereignty over critical digital infrastructure – not just rights written into a contract.
The obligation to keep services running
Public sector organizations cannot pause or shut down services when things get difficult. Their duty to deliver services is written into law. Benefits must be paid, emergency services must respond, courts must operate, hospitals must treat patients, and public records must stay accessible.
Keeping services running is a legal requirement. A vendor outage, a contract dispute, a cyberattack, or a disruption caused by a foreign supplier can quickly become a political crisis. Citizens who cannot access services they are legally entitled to do not distinguish between a government IT failure and a government policy failure. To the public, they are the same thing. The reputational and political damage can be serious, and the level of acceptable risk is much lower than in any commercial setting.
Protecting privacy as a public duty
Public institutions hold large amounts of sensitive personal data, including tax records, health information, social benefit histories, immigration status, and court records. Strict laws govern how this data is handled – including national legislation and, across Europe, the General Data Protection Regulation (GDPR).
But beyond legal compliance, there is a deeper point. The public sector exists to serve and protect citizens, and that includes protecting their privacy. Sovereign control over data infrastructure is essential to this. When data is processed by foreign cloud providers or software vendors, governments may lose sight of where it is stored, who can access it, and under what conditions foreign authorities can compel its disclosure. Some countries have laws that allow their governments to access data held by their companies – regardless of where the servers are physically located.
Protecting defense secrets
For defense ministries and security agencies, sovereignty over data is extremely important. Military operations, intelligence reports, strategic plans, personnel files, and weapons data all need strong protection. They must be kept safe from spying, interception, and unauthorized access. If this data is exposed, people can die, alliances can be damaged, and a country can lose its advantage in a conflict.
This means the security standards must be very high. Defense systems need complete data separation: the infrastructure must run only within national or allied borders, controlled by trusted staff, and meet strict security classifications that commercial cloud services often cannot provide.
Using foreign technology creates serious risks. It can open the door to spying through hidden backdoors built into the technology, legal pressure on foreign companies to hand over data, or attacks on the supply chain.
This entry was posted on Thursday 09 July 2026
Dutch