Sovereignty growth model: from blind trust to control


Beyond the Binary Choice

Your company depends on software made by US companies running on hardware made in China. That seemed like a safe choice in the past, but now you're reconsidering. Just moving away isn't an option. How do you make progress?

Most organizations assume sovereignty is binary: you're either completely dependent on US hyperscalers or you're running your own data centers in a bunker somewhere. The reality is more nuanced. You can and should build sovereignty incrementally, based on your desired maturity level, risk tolerance and operational capabilities.
17 September 2025

Key takeaways about digital sovereignty

  • Digital sovereignty isn't binary: You can build independence incrementally rather than choosing between complete dependency or bunker-style isolation
  • Most organizations are flying blind: Unknowingly dependent with no recovery plan when geopolitical events disrupt services
  • Level 2 is the realistic short-term goal: Map dependencies, create recovery plans, and prepare for weeks of painful recovery time
  • Choose your level strategically: Base decisions on acceptable downtime, market competitiveness, technical capabilities, and regulatory requirements
  • Resilience benefits extend beyond sovereignty: Better disaster recovery, reduced vendor lock-in, and improved operational flexibility serve your business regardless of geopolitical developments


      The YaWorks Sovereignty Growth Model


      You can choose your level of sovereignty and with it the amount of time your business can keep operating despite geopolitical events. Each level has a different balance between foreign dependency risk, operational control and flexibility. Most organizations don't need to aim for the highest level; they need to choose the right level for their risk profile. 




      Level 1

      Unknown

      Most organizations are flying blind, often unknowingly. You're likely fully dependent on non-European cloud services with no real insight into your dependencies across the technology stack. Geopolitical events can put you out of business, with no recovery possible. The risk profile includes maximum foreign exposure.


      Level 2

      Recoverable IT

      At this level, dependencies are mapped and documented, including supply chains, and there is a clear understanding of what breaks when foreign services suddenly become unavailable. To reach this level, companies need recovery plans in place for critical business services, which crucially includes off-cloud backups of their data. For cloud native or SaaS applications (or their API integrations), extracting data may be difficult, and the extracted data would likely not be usable even then. Restarting operations is possible, but expect painful weeks of recovery. This is an achievable short-term goal for most commercial enterprises that boosts resilience without overwhelming operational complexity.

      Level 3

      Continuity

      Organizations at this level have capabilities in place to restart critical services either in their own data centers or European hosting services. For cloud native solutions, this requires re-architecting the solution significantly (see this article). Non-critical processes may use non-European cloud for efficiency and innovation. Recovery takes hours or days, making this the sweet spot for organizations with higher availability requirements or those needing NIS2 compliance.

      Level 4

      Cloud Independent

      Fortress mode: all business operations continue during loss of foreign cloud functionality. Non-European cloud services can be used strategically for capacity and innovation, never for critical operations. Recovery happens in minutes to hours. For most companies, this level only makes sense if your clients and partners are also striving for at least Level 3; otherwise, you're building fortress-level capabilities while your ecosystem remains vulnerable. This level suits high-resilience organizations and critical infrastructure operators, like governments and defense contractors. These high-resilience organizations can secure investment in a viable European alternative. This level requires accepting that all benefits of outsourced technical capabilities disappear, demanding maximum operational security responsibility. Hardware dependency on non-European vendors typically remains.

      Level 5

      Digital Sovereignty

      National security: critical operations use European hardware and software exclusively. Non-European services are used only for non-critical innovation. This level is currently unattainable: most hardware is designed in the US and produced in China, with insufficient production capacity in Europe. Currently only relevant for governments and national security infrastructure.
      If there’s ever a need to consider sovereignty in a stricter sense, the steps for national sovereignty are similar to the ones for European sovereignty.

      How to choose your level

      TL;DR: Most organizations should target Level 2. NIS2-regulated companies or government entities typically need Level 3. National security, intelligence services, their contractors, or critical infrastructure operators should consider Level 4 and beyond.

      Your sovereignty level should reflect the considerations below: not wishful thinking, but operational logic. Choose a level that makes sense given your constraints and capabilities.

      • Acceptable recovery time: Financial services need minutes, manufacturing can accept days, professional services might tolerate weeks
      • Competitiveness of your market: Sovereignty costs more and doesn't yield immediate benefits; commodity businesses have less margin for this investment
      • Technical capabilities: Higher levels demand more technical expertise; Level 2 needs planning, Level 4 needs operations rivaling hyperscalers in all aspects
      • Industry ecosystem dependencies: If your supply chain runs on specific platforms, going sovereign alone creates isolation rather than independence
      • Regulatory requirements: NIS2-covered entities face specific obligations; other industries may see requirements intensify over time
      • Type of organization: If you're owned by a US company, sovereignty efforts become academic; focus on operational resilience instead


      Remember: building more resilience and flexibility benefits you beyond sovereignty concerns. Better disaster recovery, reduced vendor lock-in, and improved operational flexibility serve your business regardless of geopolitical developments.

      A future article will explore each of these considerations in detail, providing assessment frameworks and decision tools for sovereignty planning.






      Take steps to improve your resilience

      Digital sovereignty isn't about overnight transformation. It's about taking steps to increase your resilience. These steps create operational flexibility that benefits disaster recovery, vendor negotiations, and business continuity planning beyond sovereignty concerns.

      Step 1

      Immediate actions - survive the disruption

      Map every dependency across your technology stack and identify critical versus nice-to-have systems for business continuity. Critical systems invariably include DNS and identity management: single points of failure that can paralyze operations regardless of application resilience. Create detailed recovery procedures for sudden cloud functionality loss and test assumptions through tabletop exercises. Document everything with the paranoia of someone executing during crisis conditions. Timeline: 30-90 days for initial assessment.

      Step 2

      Strategic positioning - choose your level

      Assess acceptable recovery timeframes for different business functions and evaluate your technical capabilities honestly. Align with regulatory requirements while building a business case that weighs capability investment against dependency risks. Define measurable success criteria for your target sovereignty level that extend beyond compliance to operational effectiveness. Timeline: 2-4 months for strategic planning.

      Step 3

      Systematic progression - execute the roadmap

      Begin with non-critical systems to build experience with European alternatives without risking core operations. Build internal expertise through partnerships or direct investment, recognizing that higher sovereignty levels demand exponentially more technical competence. Create hybrid architectures that maintain resilience during transitions and integrate sovereignty considerations into all procurement and architecture decisions. Continuously reassess and adjust based on geopolitical conditions and implementation lessons. Timeline: 12-36 months for meaningful progression.


      Ready to assess your digital sovereignty?  


      Don't wait for the next geopolitical crisis to test your resilience. Call us to discover where your organization stands on the sovereignty maturity model, and determine a fitting risk profile for you.




        Maarten Vervoorn, CTO