Digital sovereignty: How the struggle for data control has become a full-fledged geopolitical confrontation

Simply put, digital sovereignty is the ability of a state to control the data it creates and decide who has access to it. The International Data Corporation (IDC) categorizes digital sovereignty into three main components:

• Data sovereignty: IaaS data storage, PaaS, data security.
• Operational sovereignty: networks, systems and services management, security analytics.
• Technical sovereignty: integrated infrastructure and hardware, system software infrastructure, security hardware.

Total hegemony of GAFAM

In recent decades, the excessive market power of a few large technology companies, limited choice for consumers and governments in digital services, and the concentration of user data in private hands have been major sources of concern among states and supranational entities regarding control over sensitive data.

Growing geopolitical instability has added to tensions in relations even among states that have partnerships and sometimes alliances. In particular, the American retreat from the role of the "world policeman" under the current Trump administration has prompted many US allies to reconsider their relations with the States. There are fears that excessive dependence on the services of the five American tech giants (Google, Apple, Facebook (Meta), Amazon and Microsoft) poses a serious risk to states that use their services for data storage. And this fear is not unfounded, since the precedent occurred long before Trump's first term.

In December 2013, the US government told Microsoft to hand over emails belonging to some suspects in a drug trafficking case to the FBI. And all was well, except that the emails were on Microsoft servers in Ireland. The company argued that the US government had no sovereign authority over foreign territory, and the US government argued otherwise, citing a 1986 law that allowed for extraterritorial powers and gave it the power to instruct any service provider to access data, no matter where it was located. In response to the legal complexities of this case, in 2018, the US Congress passed the Clarification of Lawful Use of Data Abroad (CLOUD) Act. CLOUD authorizes US law enforcement agencies to request access to data stored by US companies abroad. In essence, CLOUD has untied the hands of the US government, which can now exercise its powers of digital sovereignty even outside its territory, using the dominant position of American big tech companies.

Open source and data localization

In response, governments in many countries are introducing regulations on data protection, competition, and infrastructure to restore autonomy, privacy, and competitive innovation.

An important, albeit slow, transition to open source software has begun. For example, 96% of German federal institutions use Microsoft Office and Windows. That means they are almost completely dependent on the American digital service provider. Last April, the federal state of Schleswig-Holstein transferred 30,000 of its employees' computers from Microsoft solutions to open source software — LibreOffice. The Germans explained their actions not only by financial benefits, because LibreOffice is completely free, but also by the desire to set an example for others to follow — how to get rid of dependence on the tech giant.

Europe’s dependence on US digital services could be comparable to its dependence on Russian energy by 2022. According to a study by Synergy Research Group, European demand for cloud services has quadrupled since 2017, generating quarterly revenue of €7.3 billion. According to this data, European companies’ share of the cloud computing market fell by more than 10% between 2017 and 2022, from 27% to 16%. The European company with the largest share, Deutsche Telekom, only holds around 2% of the market, while Amazon, Google and Microsoft hold 72%. 45.2% of EU businesses purchased cloud computing services in 2023, mainly for hosting email systems, electronic file storage and office software. 75.3% of these businesses purchased complex cloud services.

In 2019, Europeans created Gaia-X, a federal digital ecosystem based on open source principles that allows all participants to share data while ensuring that data owners retain full sovereignty over it. The prospect of Gaia-X was appealing: a unified European cloud platform large enough to challenge the market dominance of American hyperscalers and meet business needs for data sovereignty. Rather than starting from scratch and trying to build their own AWS, Gaia-X’s architects in the French and German governments decided to pool the resources of various smaller companies in the market to create a catalog of comparable products on a single platform.

“You could choose the services you need and bundle them together. So, you buy storage from the French company OVHcloud, computing power from the German cloud firm Ionos, and payment services from another provider, and then bundle them together,” explained Nextcloud CEO Frank Karlicek about how Gaia-X works.

However, the Gaia-X idea deviated from the initial vision. There was a lot of disagreement among the 350 companies participating in the initiative, so the main voice went to the biggest players, who gradually shifted the emphasis from capacity building to the implementation of standards. According to some experts, Gaia-X got bogged down in excessive European bureaucracy.

Most importantly, governments have begun to build their own data centers, independent of American companies. Proponents of data center localization argue that investing in local servers and data centers can stimulate local economies and provide employment opportunities for citizens. Another European project, virt8ra, launched in early 2025, aims to create a sovereign European cloud infrastructure based on open source technology.

Additionally, countries are developing legislation to regulate the use of their citizens’ data by foreign companies. The European Union has developed the General Data Protection Regulation (GDPR). Under the terms of the GDPR, any organization, regardless of its location, must comply with a set of data management rules if it wants to trade with customers within the EU. These rules give individuals more control over how their data can be used. Fines for violating GDPR rules can reach hundreds of millions of euros. The EU recently fined China’s TikTok €530 million for illegally transferring European users’ data to China. Meta has previously violated the regulation several times, the most notorious of which resulted in a €1.2 billion fine in May 2023. Amazon was fined €746 million in 2021.

In March 2021, leaders of four European countries wrote a joint letter to European Commission President Ursula von der Leyen with proposals for accelerating the achievement of European digital sovereignty. Since then, the EU has adopted the Digital Markets Act (DMA), the Digital Services Act (DSA) and the Artificial Intelligence Act (AI Act), which together aim to regulate the digital economy and new technologies within the bloc.

Digital totalitarianism

The best example of the most stringent digital sovereignty is the People’s Republic of China. Ever since the global launch of the Internet, China has been slow to embrace new technological marvels, viewing them as “digital Trojan horses.” Party leaders quickly realized that the idea of ​​a borderless cyberworld, where information would flow freely around the world without state interference, was very similar to the Western practice of distributing opium among the Chinese population in the 19th century, which ultimately led to the decline of the state and subsequent military intervention. Given Europe’s dependence on American “digital” opium, China was not wrong in its decision.

You’ve probably heard of the “Great Firewall of China,” designed to restrict access to certain information in China. To gain access to the multibillion-dollar Chinese market, most Western tech companies have agreed to the communist government’s terms and created special censored versions of their digital products that don’t violate local law. China has an equivalent of the American CLOUD, the Cybersecurity Act of 2017, which grants the same powers, including the ability to requisition data from Chinese companies’ servers, regardless of the country in which they are located. However, unlike the Americans, who have at least managed to register such requests made to American companies through the courts, the Chinese do not need a court order to gain access to data.

China’s policy is to exercise a strong version of digital sovereignty with strict data localization rules. Xi Jinping once said: “Whoever controls big data technology will control the resources for development and will have an advantage.” At this point, the PRC is the most closed digital state in the world.

Digitally (in)dependent Ukraine

The main law of Ukraine on data protection is the Law “ On the Protection of Personal Data ” (2010), which was revised in November last year to comply with the GDPR. A week before the start of the full-scale war in Ukraine, the Law “On Cloud Services” was adopted, which laid the foundation for the development of information and communication technology platforms based on cloud computing and the implementation of the principle of cloud first. However, with the start of the full-scale Russian invasion, the government allowed state data to be placed abroad or in clouds on the territory of other states. American and European technology companies have helped Ukraine move vital services to the cloud abroad. So far, more than 100 state registries and other information systems have been moved to the cloud. The new regulation will allow data to be left abroad in the cloud and not transferred to Ukraine after the war ends. And here begins the biggest problem, since returning the data back to Ukraine will be a difficult task.

According to De Novo data provided by the company to dev.ua , the estimated volume of the IaaS/PaaS market in 2024 is from $110 to $120 million with the total share of three hyperscalers (AWS, MS Azure, Google) not exceeding $90 million. That is, the share of American providers is approximately 75%. The growth dynamics of Ukrainian providers lags behind the indicators of foreign competitors by almost half. It is important to note here that we are not lagging behind our allies in this regard. The UK spent 7 billion pounds on government cloud services in 2019, and AWS received the lion's share — 229 million. Since 2013, Germany's spending on IT infrastructure has amounted to 13.6 billion euros, 4.6 billion of which went to the American Oracle.

In an interview with dev.ua, the co-founder of one of the largest cloud providers in Ukraine — GigaCloud — Maksym Kurochko said that the state may find itself in a vendor lock-in situation, when switching to an alternative service provider is accompanied by significant losses. According to Kurochko, the Law "On Cloud Services" has not yet fully worked, and the public sector does not practice the priority of using cloud services to provide their IT infrastructure as opposed to purchasing expensive server equipment. After all, they have neither the appropriate regulatory procedure for this, nor the necessary personnel — enough qualified specialists.

Other Ukrainian "cloud companies" are also sounding the alarm. The CEO of the Ukrainian data center De Novo Maksym Ageyev drew attention to the fact that the Center for Innovation and Development of Defense Technologies of the Ministry of Defense of Ukraine spent UAH 15 million to purchase Microsoft Azure services, and he called the statement of Microsoft Regional Director Oleksandr Krakovetsky about more than $500 million in aid to support the Ukrainian IT infrastructure unfounded.

To raise the importance of the topic, Ukrainian cloud developers created the Digital Sovereignty Alliance, which was joined by cloud providers GigaCloud, De Novo, and the PARKOVY data center.

The goal of the initiative is to strengthen Ukraine's digital sovereignty — the full placement and processing of critical data (state, medical, financial, defense) within the country in accordance with national legislation.

The Alliance is ready to cooperate with the state on a strategy for the return of digital data to the territory of Ukraine. The Alliance's areas of work include auditing the existing digital infrastructure, developing common standards for providers, and creating conditions for:

• scaling the national cloud infrastructure;
• free and secure data transfer between providers without dependence on foreign platforms;
• guaranteeing data protection even in times of crisis or attack.

The idea of ​​the Alliance is similar to the aforementioned European initiative Gaia-X, only from the private sector. The question is whether it will really have a voice that will be heard in the Ministry of Digital Affairs and other government offices.

Read the country's main IT news in our Telegram

On the topic

Read the country's main IT news in our Telegram

"Ukrainian databases, including state confidential information, may go beyond the territory of Ukraine and settle in data centers under the jurisdiction of other states." Interview with the co-founder of GigaCloud

On the topic

"Ukrainian databases, including state confidential information, may go beyond the territory of Ukraine and settle in data centers under the jurisdiction of other states." Interview with the co-founder of GigaCloud

“This is not a human factor or a cyberattack.” So what happened at the De Novo data center?

On the topic

“This is not a human factor or a cyberattack.” So what happened at the De Novo data center?

There are Star Wars, and there are cloud wars. So, the first episode has started in Ukraine. Have you heard about this? We tell you in detail

On the topic

There are Star Wars, and there are cloud wars. So, the first episode has started in Ukraine. Have you heard about this? We tell you in detail