Europe seems to be on a mission toward digital sovereignty. The German government, for example, has launched several initiatives to give back control to its citizens and the companies they work for. The German Ministry of Economics compiled a report listing requirements and recommendations for digital sovereignty.
More recently, the German government announced that digital sovereignty of the public administration will be a focal point for the federal Ministry of Interior. Minister of Interior Horst Seehofer says: “In order to guarantee our digital sovereignty, we want to reduce dependencies on individual IT providers. In addition, we are examining alternative programs in order to replace certain software. This will be done in close cooperation with the federal states and the EU.”
French Gendarmerie Taking a Stance
The French police force (Gendarmerie) is another example of a large governmental organization that has chosen a strategy of digital sovereignty. It has been using open source technologies since 2001, now including LibreOffice, Firefox and a for the Gendarmerie adapted version of Ubuntu: ‘GendBuntu’.
In a podcast that aired at the beginning of September, Lieutenant Colonel Stéphane Dumond, head of the Gendarmerie IT department, stated that the ability to be in control of their information and to remain independent from suppliers was very important in the choice to use open source. They want to have the freedom to change vendors in situations where they no longer agree with the direction a particular supplier is taking.
The Gendarmerie is not alone in its quest to become technologically independent. The French National Assembly and the French Army Ministry chose to let go of Google in favor of the French-German, privacy-first search engine Qwant.
Catalonia for Independence
In 2018, the city of Barcelona announced they planned to spend at least 70% of their IT budget on open-source software. The reasons for the city’s decision to transition to open source were to minimize the budget spent on license-based software and to reduce its dependency on closed-source suppliers. Worth mentioning here is that software developed by the city itself is made public through Github so other organizations can reuse the code.
How To Achieve Digital Sovereignty
It’s clear that in the public sector in Europe, the way choices for software and other IT systems are being made is changing. Governments (but also companies and private persons) are becoming increasingly aware of the importance of data ownership.
If you’re considering joining the ‘movement’ and want to bring digital sovereignty to your company, there are a few things that you need to take care of. The categories used in the layer model referred to earlier provide a good starting point. If you look up a certain category in the table you can check where you are on the digital sovereignty scale and decide whether you need or want to work towards a higher level.
DEGREE OF SOVEREIGNTY
CATEGORIES |
LOW
(= HIGH DEPENDENCY) |
MEDIUM | HIGH
(= NO DEPENDENCY) |
Data | The provider and not the user decides which data is at the disposal of whom and how he uses them. | The organization has complete control over who has access to data and can delete them at any time. | Data can be stored, read, changed and deleted, independently of the software solution that is used. |
APIs | No or only proprietary APIs available | Support of a high number of open standards and APIs. | Access to all data and functions via open, freely usable APIs with open source reference implementation |
Source code | Source code not available | Source code testable/source code available in case of manufacturer’s failure (“Escrow”) | Source code changeable/usable modified |
Hardware | Must be purchased completely | Existing solutions can extended with own hardware. | All hardware components can be produced and influenced by the organization itself. |
Diversity | The solution is only available from a single vendor, there are no control or migration options. | Important parts can be controlled and migrated to other suppliers, the structure of a solution operated by the organization itself is possible. | User organization operates solution itself, has control over all components (source code, hardware, …) and may change / replace them. |
Skills | No understanding of processes and data use, no skills to make adjustments available | Understanding of data and processes is present, possibilities for adjustments are limited. | Skills for changing data, program code and processes are available. |
Jurisdiction | Provider is subject to non-EU law. | Provider is subject to non-EU law, but there are reliable contracts in place that ensure compliance with European standards. | The provider is located in Germany or in the European Union and is subject exclusively to this jurisdiction. |
Data
First and foremost, you need to make sure you have full control over your company data. You may be wondering how important data control is if you don’t have to worry about things like intellectual property. But it’s not just about short-term commercial risks. It’s also about the possible future implications of leaving your data in the hands of others. For example, do you know what happens if your supplier goes bankrupt? Or when they decide to change their business model? Is it easy to switch to another supplier? Or are you bound to keep dancing to their tune?
APIs
Open standards and open APIs are also very important when it comes to digital sovereignty as they enable a smooth transition to alternative solutions. An open API gives your developers easy access to data used by an application, without offering a lot of limitations. Another good thing about open APIs is that they are often based on open standards and protocols such as OpenID Connect for identity management. By choosing software vendors that rely on open standards and open APIs, you can be certain that you can retrieve your data at any time, in a format that the other applications you use can recognize.
Source code
In an ideal, digitally sovereign world, all the software your company uses is open source. In this way, you (can) know precisely what happens to your data and be certain there are no backdoors built in the software you are using. Open-source software also allows you to modify the code so you can easily change it to your needs. This may come in handy if, for example, you plan to switch vendors and need to replace one piece of software with another. With open-source software, you can make sure the new software integrates easily in your existing software stack.
Hardware
Yes, hardware. This is a tough one since, if you’d want to keep full control over your hardware, you’d have to build your hardware yourself. Usually, this is not really an option. Open-source hardware does exist but is far from being as mainstream as open-source software. So what then? Whenever possible, purchase hardware that is produced in the European Union. In that way, you at least know your producer is bound to the laws of the GDPR. This gives you a little bit more control over your IT than using hardware that is produced in, for example, China or the United States. Just think about what happened with Huawei and the US trade ban and with the backdoors in Cisco software…
Control
Control is what digital sovereignty is all about. It’s not about you sitting on your knowledge, but about you being the owner of your data, because your data is your knowledge. It’s about knowing where your data is at all times and what happens to it at this very moment. And it’s about the freedom to make changes and, for whatever reason, to choose a different solution. It’s about knowing that your sensitive information is safe with the software vendors that process your data for you.
Skills
All of the above is just talk if you do not have the right skills in-house. If you want to change code or customize and integrate different applications, you need people who can do that. We never said becoming digitally sovereign is easy.
Jurisdiction
What counts for hardware is true for every technology. Make sure that your supplier is located in the European Union and is subject to this jurisdiction only. In this way, you will be supported by governments that put the privacy of their citizens first.
Contribute To A World Independent Of Tech Giants
Becoming 100% digital sovereign is quite a challenge, if not impossible. But if you’re determined to succeed, know that by making the right choices in the areas described above, you’re definitely moving in the right direction.
Want to learn how we can help you become technologically independent? Contact us and we’ll get back to you as soon as we can!