Aller au contenu
NNextHop
Learn

Digital sovereignty, explained.

The ability of an organisation or a state to control its infrastructure, its data and its technological dependencies. Neither a political mantra nor a commercial label: a reading grid in six dimensions, structured by ten years of European policy.

In brief

Digital sovereignty describes the ability of a state, an organisation or an individual to control its infrastructure, its data and its technological dependencies.
It does not boil down to the nationality of a provider, but combines at least six dimensions: jurisdiction, immunity to foreign laws, technology, data, certifications and openness.
The European Union has made it a structural political axis since 2019, with GAIA-X, the DMA, the Data Act, the upcoming EUCS and the Cloud Sovereignty Framework announced in 2025.
For an organisation, digital sovereignty is a dynamic posture that is measured, steered and strengthened over time.

Definition

What are we talking about?

Digital sovereignty describes the ability of an actor (state, organisation, individual) to autonomously decide on the use of its digital infrastructure, to protect its data and to retain control over its technological choices over time. The term is built in opposition to situations of imposed dependency: foreign regulatory pressure, proprietary lock-in, geopolitical unavailability of a service.

The public debate often conflates sovereignty and nationality. A service hosted in France may be controlled from abroad via the capital chain. Conversely, a service operated by a European subsidiary of a non-European group may benefit from strong contractual guarantees. It is the combination of dimensions, not the simple flag, that determines the real sovereign posture.

For an organisation, digital sovereignty is therefore a continuous process. It is measured (dependency mapping), steered (procurement and architecture governance) and strengthened (tested reversibility, increased certification).

Analytical framework

The 6 dimensions of the NextHop scoring

Each dimension answers a concrete question. Combined, they form a stable reading, comparable from one provider to another.

Jurisdiction

The law applicable to the contract, the operating entity and the parent company. Determines which authorities may issue injunctions over the service and its data.

Immunity

The service's ability to resist extraterritorial laws (CLOUD Act, FISA 702, secondary sanctions). Includes shareholder identity and internal organisation.

Technology

The degree of autonomy over the technical chain: hardware, hypervisor, key management, monitoring. The more the stack is mastered, the lower the dependency.

Data

The physical location of primary data, replicas, logs and metadata. Without a clear flow schema, the advertised residency is not verifiable.

Certifications

Qualifications matching the sensitivity level: ISO 27001 as the baseline, HDS for health, SecNumCloud for sensitive state data, EUCS tomorrow for Europe.

Openness

Reversibility, open formats and absence of proprietary lock-in. Guarantees the ability to leave, hence freedom of choice over time.

Timeline

European policy, step by step

October 2019Announcement of the GAIA-X project by the French and German economy ministers, aiming to federate a European cloud infrastructure around common standards.
December 2020Presentation of the Digital Markets Act and the Digital Services Act by the European Commission. Adopted in 2022, progressive application since 2023.
May 2021French "cloud au centre" doctrine that makes SecNumCloud mandatory for sensitive state data.
2022-2024ENISA work on the European Cybersecurity Certification Scheme for Cloud Services (EUCS). The High level concentrates debates on immunity to extraterritorial laws.
January 2024The Data Act enters progressive application. It facilitates data portability between providers and frames exit costs.
June 2025European Commission announcement of a Cloud Sovereignty Framework, structuring requirements for European public procurement.

Actors

Institutional voices to follow

ANSSI

French national agency, operates SecNumCloud and publishes the reference technical doctrine.

ENISA

European cybersecurity agency, leads the work on the future EUCS scheme.

European Commission, DG CNECT

Drives EU digital policy: Data Act, EUCS, Cloud Sovereignty Framework.

DINUM

French interministerial digital directorate, runs the cloud-au-centre doctrine.

Cigref

Network of large companies and public administrations. Regular publications on sovereign requirements.

Frequently asked

Five questions to clarify

What is digital sovereignty?

It is the ability of an actor (state, organisation, individual) to autonomously decide on the use of its digital infrastructure, to protect its data and to retain control over its technological choices over time.

Are digital sovereignty and nationality the same thing?

No. The nationality of a provider does not suffice to guarantee sovereignty. A service hosted in France may be controlled from abroad via the capital chain. Conversely, a European subsidiary of a non-European group can offer strong guarantees depending on its organisation.

What are the 6 dimensions of the NextHop scoring?

Jurisdiction (applicable law), Immunity (resistance to extraterritorial laws), Technology (autonomy of the stack), Data (effective location), Certifications (independent qualifications), Openness (reversibility and standards). Details are public on the Methodology page.

Why has Europe been talking about this so much since 2019?

Several triggers converge: post-Snowden awareness, dependency on US hyperscalers revealed during the pandemic, rising geopolitical tensions, and political will to organise a coordinated response. GAIA-X (2019), DMA, Data Act and EUCS structure this dynamic.

How to measure the digital sovereignty of an organisation?

Through a mapping of dependencies (providers, services, data), a legal audit of contracts and a review of architectural choices. NextHop offers a quick self-assessment at /auto-evaluation and in-depth independent audits on request.

Sources and references

Further reading

EU digital strategy overview (digital-strategy.ec.europa.eu)
GAIA-X Association, project overview (gaia-x.eu)
ANSSI, doctrine and reference frameworks (cyber.gouv.fr)
ENISA, EUCS Candidate Scheme draft
Data Act Regulation (EU) 2023/2854 (eur-lex.europa.eu)
Digital Markets Act (EU) 2022/1925 (eur-lex.europa.eu)
Cigref, publications on digital sovereignty (cigref.fr)

On NextHop

Go further

Operational observatory (in French)The NextHop scoring applies these 6 dimensions to over 200 cloud and SaaS providers. Filtering, ranking, detailed profiles.Sovereign digital hygiene (in French)The 6 reflexes to integrate into the purchasing and operations cycle to progress level by level.Understand the CLOUD Act and FISA 702The two US mechanisms that structure the "immunity" dimension of the analysis.
Open observatory (in French)Request an audit (in French)