March 9, 2026
Article originally published in German on ComputerWeekly.de
Annariina Komljenovic
Executive Vice President Strategic Alliance Management
valantic
Annariina Komljenovic is Executive Vice President Strategic Alliance Management at valantic, one of Europe’s fastest-growing digital consulting firms. She oversees global partnerships with AWS, Google Cloud, Microsoft, NVIDIA, Snowflake, Databricks and Stripe. Previously, she held senior leadership roles at AWS EMEA and Deutsche Börse Group. She is a co-author of a forthcoming book on cross-generational leadership in the age of AI (to be published in 2026) and is an active mentor for women leaders in the technology industry.
Anyone following the Munich Security Conference or the accompanying Munich Cyber Security Conference could hardly miss a fundamental shift: digital dependencies and cyberattacks are no longer treated as specialist technical concerns. They are now central security and economic policy risks. Cloud infrastructures, AI platforms and semiconductors sit on the same agenda as energy supply and alliance defence.
BSI President Claudia Plattner put it in terms that cut to the heart of the entire sovereignty debate: “Anyone who wants to be sovereign must master technology.” Not own it. Not wall it off. Master it. She went further: “The protection of our society depends on our digital capabilities, and on how well we can defend the digital domain.” Technology, Plattner warned, is increasingly shaping global power dynamics. If Germany and Europe do not push back forcefully now, the wheel will keep turning without us.
In this context, “digital sovereignty” has become a defining term, though one that carries different meanings for different people. For some, it is primarily about data residency within the EU. For others, it means technological self-sufficiency. For others still, it centres on regulatory agency. If a political catchphrase is to become a credible strategy, it requires a sober assessment.
Complete digital self-sufficiency is neither realistic nor desirable for open economies. European states and enterprises are embedded in global innovation and supply chains, particularly in cloud services, AI platforms and semiconductors. Any attempt to decouple entirely from non-European providers would slow innovation, significantly raise costs and still fail to eliminate dependencies.
At the same time, recent years have demonstrated that legal and technological dependencies can be exploited geopolitically, through export controls, sanctions and extraterritorial legislation such as the US CLOUD Act or comparable frameworks in other countries. These laws may oblige providers to hand over data or grant access, even when data centres are physically located in Europe and operated by European entities. There is no such thing as complete immunity from these access mechanisms. Anyone suggesting otherwise is raising false expectations.
Sovereignty in the 21st century therefore does not mean isolation. It means the capacity to act: the ability to understand risks, to contain them and to have viable alternatives available when crisis strikes.
At the Munich Security Conference, the BSI introduced a framework that is useful for understanding the landscape. Germany and Europe face sustained pressure from three categories of threat. Cyber Crime: financially motivated offences in the digital domain. Cyber Conflict: state-directed attacks with political or military objectives. And Cyber Dominance: the exertion of influence through digital products that grant their manufacturers access to information and functionality.
This third category deserves particular attention. It describes precisely what is often dismissed as an abstract risk in the sovereignty debate: the structural dependence on technology providers that are not subject to European law. When a country’s national cybersecurity authority places this dependence in the same category as state-sponsored cyberattacks, the sovereignty debate is no longer a political phantom. It is a security-policy reality.
Several recent developments demonstrate that digital sovereignty is more than a debate conducted from conference stages.
France has announced it will migrate 2.5 million civil servants away from US video-conferencing services and onto its own platform, Visio, hosted on a SecNumCloud-certified sovereign infrastructure, by 2027. CNRS alone is transitioning 34,000 staff and 120,000 affiliated researchers from Zoom to Visio by the end of March 2026. This is not a pilot project. It is a deliberate, far-reaching sovereignty measure in a clearly defined use case.
In Germany, the BSI announced a strategic partnership with a German cloud provider at the Munich Security Conference, aimed at developing sovereign cloud solutions for public administration. The agreement covers operating models up to the “VS-NfD” (restricted) classification level. In parallel, the state of Schleswig-Holstein has migrated 44,000 email accounts from Microsoft to open-source alternatives. The signal is clear: for its most sensitive functions, the state is beginning to build its own digital room for manoeuvre.
At the same time, international hyperscalers are developing sovereignty models for Europe, ranging from physically and logically isolated operating environments backed by billions in investment, to customer-controlled encryption and dedicated European legal entities. European providers, in turn, are positioning themselves with their own sovereign cloud offerings, frequently built on open-source technologies and with clear regional roots.
What all these approaches share is this: they can reduce legal and operational risks, but they cannot eliminate them entirely. That is precisely why transparency about architecture, responsibilities, supply chains and legal jurisdiction matters more than any promise of “absolute” sovereignty.
At the European level, the EU Cloud Sovereignty Framework is creating, for the first time, a coherent set of criteria defining what evidence providers must furnish for different sovereignty objectives, from strategic and legal sovereignty through data and AI sovereignty to security, compliance and supply chains. While this framework initially serves EU institutional procurement, it is already shaping national strategies and public tenders.
In parallel, the European Commission is preparing the Cloud and AI Development Act, the first binding regulation for sovereign cloud and AI infrastructures, scheduled for the first quarter of 2026. Unlike earlier initiatives, this legislation is designed as a regulation with direct effect across all member states. What will matter most is that such rules open realistic, technology-neutral pathways and do not create the impression that digital sovereignty can be decreed into existence.
Regulation can provide direction and enforce minimum standards. But it does not replace the corporate task of designing sovereign architectures, supplier strategies and operating models.
From the perspective of enterprises and public organisations, digital sovereignty is above all a question of portfolio management.
Not every application, not every database is equally critical. HR administration, internal collaboration, production-critical control systems and defence-related applications differ fundamentally in their requirements for confidentiality, availability and legal control. Treating everything the same inevitably means over-managing or under-managing risk.
Organisations that tie their entire value chain to a single global provider make themselves vulnerable, regardless of whether that provider is based in the US, in Europe or elsewhere. Multi-cloud and hybrid approaches are not merely operational strategies. They are increasingly sovereignty strategies: enabling workload portability, alternative pathways in times of crisis and the preservation of negotiating power.
Encryption, key ownership, supply chain hardening and strict access governance reduce the attack surface. But they do not replace the need for clear contracts, defined responsibilities and a security and compliance management practice that is genuinely lived, not just documented. Sovereignty is not a single product feature. It is the result of a comprehensive set of measures.
In the political debate, digital sovereignty is frequently framed as an infrastructure question. Do we have enough data centres? Do we have enough of our own chips? Are we supporting enough European providers? These questions matter. But they easily obscure the real bottleneck.
My experience working with enterprises across eight major technology partnerships reveals a recurring pattern: roughly 80 percent of transformation projects fail not primarily because of the technology, but because of people, processes and change management. This holds true for conventional cloud migrations just as it does for AI adoption. And it holds true in particular for sovereignty strategies.
“Anyone seriously pursuing digital sovereignty needs, above all else, qualified professionals who can make and be accountable for complex architectural and security decisions.”
Cloud architects, security specialists, data and AI engineers, product and service owners in both government and enterprise. Without this competence, even the most ambitious strategy remains a toothless tiger.
Germany’s sovereignty debate at times has the character of a grand philosophical discussion that nobody actually operationalises. France is migrating 2.5 million public-sector employees. Schleswig-Holstein is converting 44,000 mailboxes. The BSI is entering a strategic partnership with a German cloud provider. And large parts of the German Mittelstand are still debating whether to start at all.
One hundred percent digital sovereignty does not exist, any more than one hundred percent cybersecurity does. The ambitious but realistic goal for Europe should therefore be framed differently: understand risks, reduce dependencies, build alternatives and retain the capacity to act when it matters, technically, legally and organisationally.
This requires capable European providers alongside trustworthy partnerships with global players, clear regulatory guardrails and, above all, investment in people and competences. Pushing back, as Plattner urges, does not mean building walls. It means building capabilities.
Sovereignty is not a state of being. It is a practice. And it does not begin in the data centre. It begins in the mind.