In July 2024, a faulty software update from the US security firm CrowdStrike brought millions of Windows systems worldwide to a standstill. Flights were cancelled, hospitals had to postpone operations and alter their procedures, and government agencies were only able to operate at limited capacity for hours.
The inability to act was not caused by a targeted cyberattack, but by a total reliance on a foreign software provider. This incident has suddenly brought a key question into sharp focus:
Who actually controls our digital systems?
This is precisely where digital sovereignty comes into play. For public authorities, law enforcement agencies, organizations with security responsibilities such as police or firefighters, and operators of critical infrastructure, it has become an operational necessity. Digital sovereignty is not a luxury, but a matter of the ability to act in an emergency, of compliance, of protecting sensitive data, and ultimately of national sovereignty.
What does digital sovereignty mean? A definition.
Digital sovereignty refers to the ability of organizations and states to control their digital systems, data, and communication processes independently – without reliance on foreign providers, technologies, or legal systems.
It is not just about technology, but about a combination of:
- Technological sovereignty: control over software, hardware, and infrastructure
- Data sovereignty: control over the storage and processing of data
- Legal sovereignty: compliance with European laws and standards
- Operational autonomy: the ability to act in crisis situations
For organizations in regulated sectors in particular, digital sovereignty is no longer an optional competitive advantage, but a strategic necessity.
US providers may be legally obliged to grant US authorities access to data – even if it is stored on European servers. Key terms include the US CLOUD Act, FISA, and the USA PATRIOT Act, to name just a few relevant US laws. Digital sovereignty means addressing this risk at a structural level and minimizing it.
For further in-depth insights, please see our guide to EU data sovereignty, which you can download free of charge.
Digital sovereignty, data sovereignty, and EU data sovereignty: the differences
The three terms are often used interchangeably, but differ in their scope:
| Term | Meaning |
| --- | --- |
| Data sovereignty | Refers to comprehensive control over the storage, use, and processing of data. |
| Digital sovereignty | It also encompasses technological independence, cloud sovereignty, and operational autonomy – in other words, control over the entire digital value chain. |
| EU data sovereignty | Ensures that data sovereignty is implemented strategically and in accordance with European laws and values – in particular the GDPR, NIS 2, and BSI standards. |
For regulated organizations, this distinction has practical implications: a solution may offer data sovereignty, but still create digital dependencies if the provider itself is subject to a foreign legal system.
An example:
Companies can use Microsoft 365 and host the software within the EU. This means that the servers are located in Europe and the data is stored and processed here. Nevertheless, data can be requested by US authorities at any time, as Microsoft’s parent company is a US firm and therefore subject to US law. Digital sovereignty is therefore not guaranteed.
Why is digital sovereignty particularly relevant for public safety, public authorities, and critical infrastructure?
Law enforcement agencies, public authorities, and operators of critical infrastructure face a different risk profile than ordinary businesses. A data breach during a police operation, the compromise of patient data, or a communication failure at an energy supplier during a crisis can have immediate consequences for public safety.
Regulatory pressure is mounting
The NIS-2 Directive, the IT Security Act 2.0, and sector-specific requirements like DORA significantly tighten the requirements for digital sovereignty. Organizations that operate critical infrastructure must be able to demonstrate that their IT systems and communication channels are resilient, controllable, and protected against unauthorized access.
Shadow IT and consumer apps as a security risk
In practice, employees often resort to unauthorized communication tools, such as WhatsApp, personal email accounts, or other consumer messaging apps. This shadow IT systematically undermines any strategy for digital sovereignty: data ends up on foreign servers, metadata is analyzed, and the organization loses all control over its communication data.
Vendor lock-in: The underestimated dependency
In addition to direct data access by third countries, vendor lock-in poses a further structural risk. Relying entirely on a single provider for critical communication processes results in a loss of bargaining power, increases costs in the long term, and – as the CrowdStrike incident has shown – creates a single point of failure. Digital sovereignty, therefore, also means: manageable dependencies, clear exit strategies, and the preferred use of open standards.
Reliability in crises and major incidents
Digital sovereignty also means remaining capable of acting in an emergency. Cloud services from third countries with server locations in Europe or without an on-premises option offer no guarantee of availability in crisis situations. Public authorities and operators of critical infrastructure require solutions that continue to function even with limited internet connectivity or during targeted cyberattacks. The aim is to establish a communication structure that is decoupled from the rest of the IT infrastructure and is sovereign.
Digital sovereignty: specific requirements for communications infrastructure
The BSI (Bundesamt für Sicherheit in der Informationstechnik or Federal Office for Information Security) classifies sectors such as energy, water, healthcare, transport, and law enforcement agencies as critical infrastructure. Their communication solutions are subject to specific requirements that directly contribute to digital sovereignty:
- Complete, modern encryption: The content of communications must be readable only by the sender and the recipient. Solutions that decrypt metadata or content on the provider’s central servers do not meet this requirement.
- Zero-trust architecture: There is no implicit trust in network participants. Every request is verified – regardless of whether it originates from the internal network or not.
- Audit-proof archiving: Communication must be stored to ensure traceability and protection against tampering.
- On-premises option: For the most sensitive use cases, the entire infrastructure must run on your own servers.
- Certifications: ISO 27001 and BSI C5 (Cloud Computing Compliance Criteria Catalog) are the relevant certifications for secure cloud infrastructures in Germany.
You may also be interested in our guide “Communication in a state of emergency”.
Digital sovereignty in practice: public authorities, law enforcement, and critical infrastructure
The requirements for digital sovereignty vary considerably across sectors. Three types of organization are of particular focus here:
Government bodies and public administration
Digital sovereignty is the foundation for public trust in government institutions. Typical use cases include secure coordination processes between public authorities, the protection of sensitive personal data, and crisis communication in disaster management.
Public authorities and organizations responsible for security
Secure communication is vital for the police, fire departments, and emergency services. Every second counts during an emergency: real-time coordination of operations, the secure transmission of operational data, alerting procedures, and on-site communication during major incidents must function reliably even under extreme conditions, and must not leave any data traces on foreign servers.
Critical infrastructure companies and organizations
Energy suppliers, healthcare facilities, telecommunications providers, and water utilities rely on resilient communication systems. For them, digital sovereignty means, in practical terms: business continuity management, the protection of sensitive operational and patient data, and the ability to maintain coordination in the event of a cyberattack – without relying on third-party providers who may have been compromised.
Secure government communications in practice: the example of the police
Hardly any other scenario illustrates the requirements of digital sovereignty as clearly as police operational communications. During operations, officers need:
- Immediate, reliable contact with all units
- Secure transfer of photo and video footage from the field
- Real-time location data for coordinating units
- Alert functions for critical situations
- Guaranteed data sovereignty – no communication data stored on US servers
Today, over half of all German police forces use Teamwire as a secure communication platform. This has significantly improved operational communication – from faster success in manhunts to seamless coordination during major events such as the 2024 European Football Championship in Germany.
The example shows:
Digital sovereignty is not an end in itself. It is the foundation for efficient, secure, and legally compliant communication in critical situations.
You can gain a more detailed insight into how the police use Teamwire in our success story, which was produced in collaboration with the Bavarian Police.
GDPR-compliant communication as a minimum standard
GDPR compliance is a fundamental requirement for any communication solution in the public sector – but it is no guarantee of true digital sovereignty. A solution may be formally GDPR-compliant yet still problematic if:
- The provider is owned by a US parent company and is therefore subject to US law (CLOUD Act risk).
- Metadata (who communicates with whom and when?) is stored and analyzed on the provider’s servers.
- There is no comprehensive, modern encryption in place, only transport encryption.
- Although the data is technically stored in Europe, it can be accessed from third countries.
Public authorities and operators of critical infrastructure should therefore look beyond GDPR compliance and choose solutions that offer technical data sovereignty – not just legal compliance.
Implementing digital sovereignty: A framework for decision-makers
Implementing digital sovereignty is not a one-off project, but an ongoing process. The following four steps have proven effective in practice:
1. Taking stock: Which tools does your organization actually use?
There is often a significant gap between officially approved communication tools and those actually in use. The first step is to carry out an inventory of the applications in use – including shadow IT.
2. Risk assessment by data category
Not all data requires the same level of protection. Organizations should distinguish between different types of data: Which communications contain sensitive operational data? Where is a standard cloud solution sufficient? This categorization enables targeted investment decisions.
3. Choice of technology: European suppliers with proven certifications
When selecting communication solutions, decision-makers should consider the following criteria:
- Servers located exclusively in Germany or the EU
- No dependence on US parent companies
- ISO 27001 and BSI C5 certification of the cloud infrastructure
- Genuine, modern encryption (including metadata, etc.)
- Zero-trust security architecture
- On-premises option for sensitive applications
4. Ensure acceptance through user-friendliness
Even the best security solution is of little use if employees bypass it because it is too complex. Digital sovereignty can only be achieved if secure tools are intuitive to use and are faster than – or at least as fast as – their insecure alternatives. Training and clear communication guidelines are just as important as the technical solution itself.
“The ease of use is definitely one of the things we like best about Teamwire. It’s like WhatsApp.” – Ben Viethen, Head of Digitalization, City of Kleve
The future of digital sovereignty in Europe
Geopolitical developments in recent years have significantly heightened awareness of digital dependencies. European institutions and national authorities are stepping up their investment in sovereign technologies. Initiatives such as GAIA-X, the European cloud infrastructure, and the BSI’s concept of digital sovereignty are setting strategic guidelines.
For operators of critical infrastructure and (security) authorities, this means:
Regulatory pressure to achieve digital sovereignty will increase. Organizations that act now and establish sovereign communications infrastructures will be better positioned – both to meet future compliance requirements and to cope with emergencies.
At the same time, technology continues to evolve: AI-powered threat detection, advanced real-time communication features (such as augmented reality for operational coordination) and deeper integration capabilities with existing IT infrastructure are making sophisticated solutions increasingly powerful.
Digital sovereignty is the key to Europe’s ability to act
Digital sovereignty is far more than just a technical concept. It is a strategic prerequisite for security, resilience, and independence. The CrowdStrike outage in 2024, the US CLOUD Act, and growing geopolitical tensions demonstrate that:
Digital dependencies are real risks.
The following applies to public authorities, law enforcement agencies, and operators of critical infrastructure:
Those who invest now in robust IT infrastructures and secure communication solutions are not only strengthening their own resilience but are also making a tangible contribution to Europe’s digital independence.
The good news is:
Digital sovereignty and efficiency are not mutually exclusive. Modern, certified platforms such as Teamwire demonstrate that the highest security standards, full data sovereignty and intuitive user-friendliness can be achieved simultaneously – and have been in use for years by over half of Germany’s police forces, numerous critical infrastructure companies and local authorities.
Why not expand your knowledge with our guide “Data Sovereignty Instead of Digital Dependence”, which we have published in collaboration with our partner IONOS?
Global uncertainty, cyber threats, and US legislation show that:
Local data centers or encryption alone are not enough. Data sovereignty requires an understanding of the risks and a willingness to adapt – this is the only way for public authorities, critical infrastructure operators, law enforcement agencies, and the healthcare sector to protect their data in the long term.
In this comprehensive document, which you can download for free, we explore:
- What are the differences between data sovereignty, data residency, data protection, and data security?
- What risks are associated with US providers such as Microsoft 365, WhatsApp, and Slack?
- What impact does this have on compliance, audits and certifications (e.g. ISO 27001, BSI C5)?
- What specific recommendations are there for switching to European solutions?
- How are European providers already offering high-performance alternatives today?
You can also try Teamwire for free at any time or book a personalized demo.
Frequently asked questions (FAQs)
What is digital sovereignty?
Digital sovereignty refers to the ability of organizations and states to independently control digital systems, data, and communication processes – without reliance on foreign providers, technologies, or legal systems. For public authorities, this includes, in particular, control over communication data, independence from US hyperscalers, and the ability to remain operational in the event of a crisis.
Why is digital sovereignty mandatory for operators of critical infrastructure?
Under the IT Security Act 2.0 and the NIS 2 Directive, operators of critical infrastructure are subject to strict requirements regarding the resilience and security of their IT infrastructure. Digital sovereignty is not an option here, but a prerequisite: communication systems must be controllable, fail-safe, and protected against external access – including by foreign authorities.
What is the US CLOUD Act, and why is it relevant to European authorities and companies?
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) requires US companies to grant US authorities access to stored data upon request, regardless of whether that data is hosted on European servers. For authorities and operators of critical infrastructure, this means that any communication solution provided by a US provider or a US subsidiary is potentially subject to access by foreign authorities – even if it is formally GDPR-compliant.
What is the difference between data sovereignty and digital sovereignty?
Data sovereignty is one aspect of digital sovereignty. It refers to having complete control over where data is stored, who can access it, and how long it is retained. Digital sovereignty goes further and also encompasses technological independence, cloud sovereignty, and the ability to operate digital infrastructures independently.
Is WhatsApp GDPR-compliant for public authorities?
No. WhatsApp is a consumer app developed by Meta, a US-based company. In addition to the fundamental GDPR risk posed by the transfer of metadata to US servers, Meta is subject to the US CLOUD Act, which allows US authorities to access stored data. WhatsApp is therefore unsuitable for official communications.
What does Zero Trust mean for secure communication?
Zero Trust is a security concept that does not automatically trust any network user – whether internal or external. Every communication request is verified, and access rights are granted on a minimal basis and continuously reviewed. For your communications, this means that even a compromised device within the network cannot gain unauthorized access to sensitive communication data.
What certifications should a secure communications solution for public authorities have?
The minimum standards are ISO 27001 (the international standard for information security management systems) and BSI C5 (the Cloud Computing Compliance Criteria Catalogue published by the Federal Office for Information Security). BSI C5 is particularly relevant for use by German public authorities, as it is tailored to the requirements of sovereign cloud use in Germany. In addition, the NIS 2 Directive should be complied with.
What is the difference between on-premises and private cloud solutions in terms of digital sovereignty?
With an on-premises solution, the entire software infrastructure runs on the organization’s own servers – offering maximum control but also maximum operational overhead. A private cloud (dedicated, self-hosted) combines the advantages of a cloud infrastructure with the data sovereignty of an on-premises solution: data remains on dedicated servers in Germany, without the organization having to bear the full operational overhead.