Public sector sovereignty requirements

This is a preview article from my upcoming book: 

Digital Sovereignty in Europe - Architecture and Strategies for Technological Independence


In the public sector, sovereignty is a practical necessity. When governments depend on digital systems they do not control, they risk losing the ability to function, protect citizens, and maintain the rule of law. This chapter covers five connected areas: democratic accountability, continuity of services, data privacy, national security, and public procurement.

Democratic accountability

Democratic power comes with responsibility, and responsibility requires control. When a public organization hands control of critical IT systems to a foreign third party, accountability does not transfer with it. Ministers and elected officials remain responsible to parliament, the courts, and the public for how systems work, how data is handled, and anything that goes wrong.

A government can outsource the running of a system, but it cannot outsource the consequences if that system fails. If a cloud provider goes offline, if a foreign government forces a vendor to hand over data, or if a vendor simply stops offering a service, the political responsibility falls on the public institution. This means governments must maintain real operational and legal sovereignty over critical digital infrastructure – not just rights written into a contract.

The obligation to keep services running

Public sector organizations cannot pause or shut down services when things get difficult. Their duty to deliver services is written into law. Benefits must be paid, emergency services must respond, courts must operate, hospitals must treat patients, and public records must stay accessible.

Keeping services running is a legal requirement. A vendor outage, a contract dispute, a cyberattack, or a disruption caused by a foreign supplier can quickly become a political crisis. Citizens who cannot access services they are legally entitled to do not distinguish between a government IT failure and a government policy failure. To the public, they are the same thing. The reputational and political damage can be serious, and the level of acceptable risk is much lower than in any commercial setting.

Protecting privacy as a public duty

Public institutions hold large amounts of sensitive personal data, including tax records, health information, social benefit histories, immigration status, and court records. Strict laws govern how this data is handled – including national legislation and, across Europe, the General Data Protection Regulation (GDPR).

But beyond legal compliance, there is a deeper point. The public sector exists to serve and protect citizens, and that includes protecting their privacy. Sovereign control over data infrastructure is essential to this. When data is processed by foreign cloud providers or software vendors, governments may lose sight of where it is stored, who can access it, and under what conditions foreign authorities can compel its disclosure. Some countries have laws that allow their governments to access data held by their companies – regardless of where the servers are physically located.

Protecting defense secrets

For defense ministries and security agencies, sovereignty over data is extremely important. Military operations, intelligence reports, strategic plans, personnel files, and weapons data all need strong protection. They must be kept safe from spying, interception, and unauthorized access. If this data is exposed, people can die, alliances can be damaged, and a country can lose its advantage in a conflict.

This means the security standards must be very high. Defense systems need complete data separation: the infrastructure must run only within national or allied borders, controlled by trusted staff, and meet strict security classifications that commercial cloud services often cannot provide.

Using foreign technology creates serious risks. It can open the door to spying through hidden backdoors built into the technology, legal pressure on foreign companies to hand over data, or attacks on the supply chain.


This entry was posted on Thursday 09 July 2026

Earlier articles

Public sector sovereignty requirements

The definition of Digital Sovereignty

The digital sovereignty model

Infrastructure documentation

FinOps

Go live scenarios

Configuration management tools

Commonly used IaC languages

Edge computing

Cloud computing and Infrastructure

What is IT architecture?

Infrastructure as Code pipelines

Quantum computing

Security at cloud providers not getting better because of government regulation

The cloud is as insecure as its configuration

Infrastructure as code

DevOps for infrastructure

Infrastructure as a Service (IaaS)

(Hyper) Converged Infrastructure

Object storage

Software Defined Networking (SDN) and Network Function Virtualization (NFV)

Software Defined Storage (SDS)

What's the point of using Docker containers?

Identity and Access Management

Using user profiles to determine infrastructure load

Public wireless networks

Stakeholder management

Desktop virtualization

Supercomputer architecture

x86 platform architecture

Midrange systems architecture

Mainframe Architecture

The first computers

Open group ITAC /Open CA Certification

Software Defined Data Center - SDDC

The Virtualization Model

What are concurrent users?

Performance and availability monitoring in levels

UX/UI has no business rules

Technical debt: a time related issue

Solution shaping workshops

Architecture life cycle

Project managers and architects

Using ArchiMate for describing infrastructures

Kruchten’s 4+1 views for solution architecture

The SEI stack of solution architecture frameworks

TOGAF and infrastructure architecture

How to handle a Distributed Denial of Service (DDoS) attack

The Zachman framework

An introduction to architecture frameworks

Architecture Principles

Views and viewpoints explained

Stakeholders and their concerns

Skills of a solution architect architect

Solution architects versus enterprise architects

Definition of IT Architecture

IP Protocol (IPv4) classes and subnets

Infrastructure Architecture - Course materials

Purchasing of IT infrastructure technologies and services

What is Cloud computing and IaaS?

What is Big Data?

How to make your IT "Greener"

IDS/IPS systems

Introduction to Bring Your Own Device (BYOD)

Fire prevention in the datacenter

Where to build your datacenter

Availability - Fall-back, hot site, warm site

Reliabilty of infrastructure components

Human factors in availability of systems

Business Continuity Management (BCM) and Disaster Recovery Plan (DRP)

Performance - Design for use

Performance concepts - Load balancing

Performance concepts - Scaling

Performance concept - Caching

Perceived performance

Ethical hacking


Recommended links

Ruth Malan
Gaudi site
Esther Barthel's site on virtualization
Eltjo Poort's site on architecture


Feeds

 
XML: RSS Feed 
XML: Atom Feed 


Disclaimer

The postings on this site are my opinions and do not necessarily represent CGI’s strategies, views or opinions.

 

Copyright Sjaak Laan