What is Digital Sovereign Capability?
Many years of experience and hard lessons can be summarised in one statement:
Sovereign Capability = Sovereign Control + Domestic Capability
- Sovereign Control is the ability of governments to direct resources (people, assets, capital, IP, etc) to initiate and effect outcomes with full sovereign control of all aspects of data, risk and results.
- Domestic Capability, is the in-country ability to design, to build and to operate through the combination of domestic resident assets, funding, people (skills, experience) and access to data and/or IP.
Achieving the greatest certainty of the confidentiality, availability and/or integrity (CIA) of data, both sovereign control and domestic capability are necessary to ensure sovereign capability. In the most extreme but entirely foreseeable circumstances (war, pandemics, etc.), sovereign governments not only need certainty of domestic access to capability to deliver services and outcomes independently but also the control, through direct or indirect ownership, to be able to prioritise and protect the interests of their sovereign nation, for example, to provide pandemic vaccines, to prevent foreign interference, to promote national commercial interests and importantly – to protect the data of their citizens.
Is Full Digital Sovereignty Ever Achievable?
For almost all nation-states and for almost all digital services, a 100% end-to-end sovereign supply chain capability is rarely economically achievable. Although politicians of all nations love to wrap their flag in sovereign announceables, from investments in semi-conductors FABs, to data centres, to cloud (IaaS, PaaS, SaaS) platforms, through to the user’s “app” and the AI algorithm, the underlying reality of sovereignty is different.
Despite sovereign ownership to secure control, despite the domestic physical location that provides tangible and legal comfort, despite security vetted citizen oversight, etc., supply chain complexity will usual prove insurmountable to full digital sovereignty. One or more elements of the chain will create a vulnerability and potential risk either in present circumstances or when the situational risk context alters and previously friendly nations become ambivalent or worse.
However, it doesn’t mean that risks and mitigation strategies for the CIA of your data or systems should be ignored. Whether through:
- technical attempts to encrypt and make your data inaccessible to only those possessing the precious keys (whether “unknown unknowables” or not);
- basic levels of legislation to create deterrence from compromise or reap legal vengeance (although often once it’s too late and your prized data has been made unavailable, made publicly accessible and/or amended); or,
- channelling data through sovereign-owned systems operated by “known knowable” sovereign citizens motivated by sovereign allegiance.
Notwithstanding the sovereignty washing of your current laws, supplier choices, or government policies, the above mitigations should still contribute to reducing a nation’s risk of compromise. However, the cost/ benefit of those choices are very much dependent upon the shifting sands of the global situational context, where increasing ambivalence to international law and the threatened withdrawal of access to critical technologies leaves sovereign capability often as a nation’s remaining pillar of control
Why should you or anyone care?
Data – it’s all about the data, all about the D and not simply the data at rest in the database but the data relating to it, the metadata that signals its characteristics, and the derived data generated from it – all of which can all be used to help re-engineer the original data and other attributes of value.
It’s all about the data because once your data has been compromised, it can be hidden from you, it can be made public to those you might not wish to see it or used against you to devalue your IP or even changed such that you might not even know until the catastrophic event occurs.
Notwithstanding the increasing benefits emerging from AI (large language models or machine learning algorithms), the emerging world of AI is already highlighting the significant value and related risks that happen once your data is made available to others, whether through choice, reluctance, or fraud.
Neither your sovereign law, your sovereign technical prowess, nor your sovereign supply chain will completely protect your data under every circumstance and it certainly won’t get it back with confidentiality pristine and intact. So, best be careful with your data; what you do with it and whom you share it with, because before you know it “unknown unknowables” might, for example, access your nation’s health data to build a biological weapon against your citizens’ personal DNA.
What Should You Do?
For governments and enterprises, practical steps to improve sovereignty capability and/or mitigate the risks to their [national] data and digital posture:
- Map critical data – classify sensitivity, criticality, and regulatory exposure; track data locations and transmission routes, and assess for weaknesses.
- Understand jurisdictional exposure – know which laws can compel access, and what contractual and organisational safeguards exist.
- Mandate minimum technology standards – harden approaches on customer-held or split-trust keys, ensure strong identity, immutable backups, continuous monitoring and rehearsed recovery.
- Design for optionality – avoid lock-in with portable formats, documented exit plans, and sensible workload segmentation or multi-vendor patterns.
- Grow domestic capability where it matters – in-country operations and vetted personnel for the most sensitive workloads.
Treat sovereignty as a maturity journey, not a marketing label.
About the author
Phil Dawson is a Director at Assured Digital. As a serial founder of successful sovereign cloud and cybersecurity businesses, he writes about data, sovereignty, and the practical realities of building secure, high-assurance digital services in the UK and Australia.
