Digital Sovereignty

Digital sovereignty has a bad reputation. In internet governance circles, sovereignty is considered awkward enough to be referred to by as the "s-word." It is often associated with misguided attempts at returning to the era of national champions, like building a French search engine or a European Google, or worse with the eternal boogeyman that is the "splinternet." More often than not, digital sovereignty is found discussed in vague policy reports that have never seen the outside of a think tank and whose authors only have the fuzziest idea of how to build a digital product or service. They sprinkle an AI dataspace on top of the healthcare IoT that's in your digital wallet and you get innovation in the data economy — no one knows what that means but they seem so confident about it that it would be rude to ask.

It doesn't have to be this way. Digital sovereignty is a real problem that matters to real people and real businesses in the real world, it can be explained in concrete terms, and we can devise pragmatic strategies to improve it. To do this, I will go through the following steps:

1. First, I will briefly define sovereignty to make sure that we are on the same page, and explain how digital sovereignty is built from digital infrastructure.
2. Second, I will explain why it comes into conflict with democratic sovereignty, and how both the politics of tech companies (that have been authoritarian for a long time) and the current geopolitics make the situation particularly challenging.
3. Finally, I will offer a series of high-level strategies that can be deployed to improve digital sovereignty.

I remain relatively general here because more detailed strategies will necessarily vary between contexts. My goal is to offer a principled foundation that policymakers and politicians can rely on to promptly move to action.

⇨ A quick aside on context: I have been having many conversations on this topic over the past months, with people from the public and private sectors, and this document is primarily a write-up of presentations I've made to policymakers based on question they had. You may also be interested in:

• The original pitch report of the EuroStack initiative that was written primarily with industry experts and that frames a public/private strategy in the European context ( with Cristina Caffarra, Francesco Bonfiglio, Vittorio Bertola, Sebastiano Toffaletti, and Kai Zenner).
• A more recent report from Francesca Bria et al. that focuses strongly on lower-level, physical components of digital infrastructure as well as on European instruments of public governance and funding.
• Previously on this blog:
  • The Infrastructure Shock: how we got where we are, why there's so much digital infrastructure, and why it's a shock to society.
  • The Public Interest Internet: a more general, sprawling view of what it would take to make the internet work in the public interest.

Sovereignty and Digital Infrastructure

Sovereignty has been defined in many different and incompatible way, and there are ongoing debates about whether it even remains a useful concept or not.¹ For our purposes, we don't need to enter into those debates. We can simply define digital sovereignty as the exercise of authority or power over the digital sphere.²

It's important to keep in mind that having authority over a sphere doesn't mean running that sphere with an iron fist. It is typical of democratic systems for instance that whoever has authority will use that authority to keep the system open and to make sure that those who rely on it can act freely.

Another important point of clarification is that sovereignty does not need to be grounded in the ability to rely on violence. It is common for Big Tech-aligned people to claim that the only sovereignty is that of violence — and since they have no army, this means they have no power or authority. This is, of course, nonsense. There are many non-violent ways in which rules can be enforced, and when rules are enforced then they exist.

There are multiple components to digital sovereignty, but in the interest of focusing on what is most urgent I will discuss only one: structural power. My motivation for this approach is that 1) structural power is often ignored by most discussions of digital sovereignty but 2) if you do not have structural power then nothing else matters. This notably means that I will not be covering the following two topics:

• Data governance. Data is valuable but it is not as central to the digital economy as is often claimed. Most importantly, the value of data depends entirely on what you are able to do with it. Localising or "owning" you data while others decide how it gets processed, having the compute come to your data rather than your data go to the compute are minor gains. Data is not where the power is. If the digital sphere were a data economy, the process of enshittification described by Cory Doctorow would be impossible because forcing people into interactions they dislike makes the data you collect about them less informative (since they don't get to express truer preferences). What matters is who makes the rules according to which data is processed and actions executed.
• Standardisation or internet governance strategy. Who enforces digital standards such as those that come from the IETF or the W3C? In a few cases, it is state power (e.g. accessibility in some jurisdictions) but that's rare. In some other cases, it's market discipline: if a product doesn't work well with a popular and competitive standardised environment, then it will fail. But most of the important areas of the digital sphere have stopped being open, competitive markets over a decade ago so that the market no longer has a credible disciplining function to enforce standards. What matters is who has the structural power to deploy the standards they want to see and avoid those they dislike.

Both for data governance and standards, what matters is structural power. If you have it, you can meaningfully steer both, if you don't, you can't. I am not claiming that discussing these topics today isn't useful, it can be, but hoping that they will have transformative impact without access to structural power is wishful thinking. The urgency created by the techno-authoritarian alignment between Big Tech and the Trump regime is the driving priority: first, reclaim structural power. Once that's done, we can debate the rest.

The digital sphere is artificially built and those who operate it get to set its rules in ways that are enforced in code, which is to say that are enforced as the laws of the system itself. That is how structural power is established. Many parts of the digital landscape are presented on the surface as consumer goods (social, search) or as markets (commerce marketplaces, ride hailing, adtech networks) but rather they are private bureaucratic mechanisms of algorithmic management, “automating away markets”³ and user agency⁴.

Structural power isn't always a problem, for instance there is no reason to complain that a game designer will pick the rules of their imaginary world, but there is a large set of cases in which this structural power gives corporations "coercive powers like the state but (…) not subject to the kinds of democratic constraints and accountability that apply to the exercise of state power."⁵ This happens when those corporations govern infrastructural goods. Put differently, "the problem with such private power [is] that these firms increasingly [exercise] a kind of quasi-sovereign power, yet [are] not subject to the kinds of checks and balances that the law [imposes] on public state actors"⁶ (emphasis mine).

In order to reliably identify components of the digital sphere that create structural power with strategic influence we can use the infrastructural good test (derived from the works of Brett Frischmann⁷ and K. Sabeel Rahman^5,6). We are faced with an infrastructural good whenever the three following criteria are met:

1. Hard to replace. The component in question features high sunk costs, high barriers to entry, or increasing returns to scale notably from network effects. This makes it hard to replace it if we want a system that works differently. In traditional infrastructure, if your road system is captured by a billionaire, creating a second road system is challenging: it's very expensive and where would you put it? The same can be true of digital systems particularly because of network effects: it may be obvious that Signal is better than WhatsApp, but in order to switch your contacts have to switch too. The component tends towards monopoly.
2. Highly diverse downstream uses. Infrastructure is characterised by a high degree of diversity in downstream uses. In fact, much of the value of infrastructure stems from the high variety of applications that it enables on the demand side, leading to innovation as well as higher resilience. As Brett Frischmann classically put it, infrastructure is "shared means to many ends."⁷ This diversity of uses gives the infrastructure operator direct influence over the positive creativity of society, which they can then limit, direct, and tax. The diversity of users also makes it harder for them to coordinate in order to exert political pressure on the infrastructure operator as their needs and communities will often differ greatly.
3. Vulnerability. The good is necessary for participation in some social activity (personal, business, public, etc.) and there are negative repercussions from restricted access to it. The operator is able to impose their rules on users of the system. This makes the users of the system vulnerable to decisions made by the operator.

Infrastructural goods are strategic because of the manner in which these three properties interact. Without monopolistic tendencies, the market could correct with competition. Without the variety in downstream uses, the power of infrastructure would be narrow (and users in a narrow domain can more easily coordinate countervailing power). And without downstream vulnerability, the impact of control over infrastructure would be limited. But when all three aspects are brought together, whoever governs the system governs its users.

This situation is well-known from traditional infrastructure but it is compounded in the digital sphere because digital is the infrastructure of infrastructure.⁸ The issue of digital infrastructure is not one simply of supply chain security or just of encouraging innovation; it is the issue of sovereignty in governing people. As K. Sabeel Rahman puts it, "Note how this concept of infrastructure moves us to a much more dynamic and nuanced view of private power beyond mere 'bigness.' The issue is not necessarily firm size or market share (though these may of course be relevant factors). Rather, the inquiry encompasses questions about the essential nature of the good or service itself, as well as the capacity of the providers to exert undue influence through their control of the good."⁵

It is important to note that while people often imagine digital infrastructure to be primarily data centres and connectivity (perhaps with some cloud), applying our infrastructural good test produces a long list: search, browsers, advertising, standards, secure chat, email, open source stacks, social media, commerce platforms, operating systems, advertising networks, cloud, personal servers, app stores, payments, identity, open source component ecosystems, and more. We shouldn’t be daunted by the length of the list — it's only long because we let the situation degrade for too long. (In The Infrastructure Shock I explain why this list is so long and the problems that creates.)

To summarise: digital sovereignty is authority over the digital sphere, and that authority is almost entirely contained in the structural power of digital infrastructure. We can identify digital infrastructure by applying the infrastructural good test. Now that we know this, we can move to the next question: why does this create conflict?

Collision Course

Cyberspace and analog space aren't independent from one another, and never will be. Whoever claims that cyberspace is a separate world is simply selling a political project in which corporations make the rules that govern our lives.

Examples abound. Brick & mortar shops are found through digital means, and often have to sell through online marketplaces too — they need to submit to the rating, ranking, and arbitration rules of the platforms on which this happens, which affects their analog viability and behaviour. A degraded information environment from social media recommendations and search monoculture is interfering with democratic politics and makes it harder to solve the emergencies we face in the polycrisis, from Earth habitability to pandemics. Intense privatised taxation in app stores and adtech — often significantly higher than public taxes — depresses economic activity and increases inequality, both of which impact everything else.

The fact that the digital and the analog are interwoven is not the problem. Not only is it to be expected that all human activities connect to one another, but the mutual encroachment of different governance systems with one another is, under normal circumstances, highly desirable because it makes the resulting system polycentric.⁹ A polycentric system has multiple decision centres, which is to say that decision-making and rule-setting take place at a variety of levels. Each decision centre has limited and autonomous prerogatives, and operates under and overarching set of rules. These overarching rules often nest, and the influence of these decision centres overlap in a manner that is highly resilient. It's a governance architecture with strong democratic properties and many advantages.¹⁰ That's something which we need to remember as we fix our current problems with digital governance: it's not the mutual encroachment which we need to address.

What puts digital and analog governance on a collision course is the conjunction of two factors:

• First, our existing digital governance system is supranational and does not operate under an overarching set of rules that usefully constrains it. There is no planetary governance of tech — our existing internet governance institutions are laughably inadequate — and this unfettered planet-scale cyberlibertarian context offers no checks and balances against global digital power. So the scale of digital systems and the lack of rules binding them undermines their constructive participation in a polycentric system.
• Second, the mode of governance that Big Tech companies deploy is incompatible with democracy. If they push to maintain a cyberlibertarian governance mode for themselves (though for instance "voluntary" standards), they operate the digital sphere for others under a regime of competitive authoritarianism. As Steven Levitsky and Lucan Way define it, it is "[a] system in which parties compete (…) but the incumbent’s abuse of power tilts the playing field against the opposition."¹¹ Levitsky and Way's focus is on electoral aspects of access to power, but competitive authoritarianism exists in the market too. On the internet, competition is just a click away — all you need is a mobile operating system with a large user base and a few billion dollars to spare.

When you bring together the facts that these companies operate in a largely lawless environment (the supranational environment) that offers no checks and balances, impacting more lives than the largest democracies, and with an explicitly authoritarian mode of governance (which has been the case for years but has become harder to ignore) then you can see that their sovereignty does not bolster a polycentric, resilient, democratic system but rather openly fights it.¹²

This is a key component of the geopolitical aspect of today's digital sphere and supports the importance of digital sovereignty. It is not only that critical business and state functions have direct dependencies on foreign, increasingly hostile actors — even though that is a real problem of strategic autonomy as the blackmailing of Ukraine clearly shows — but it is also that those actors are capturing power that resides with the state and its people, such that "there develops within the State a state so powerful that the ordinary social and industrial forces existing are insufficient to cope with it."¹³

Digital sovereignty is about defending and furthering democratic power the onslaught of those who have been taking it from us. It's about "the right to freely determine and pursue one’s economic, social and cultural development, including independently choosing, developing and adopting digital technologies."² In the words of centrist MEP Stéphanie Yon-Courtin at a recent European Parliament event: "There is a digital war. Let's fight."

Insufficient Approaches

Concerns regarding digital sovereignty aren't new, even if recent events have sharpened them, and a number of existing attempts have been made at improving the situation. As we can infer from the way things are today, these prior approaches have proven insufficient. This doesn't mean that they have been useless, but that more (and different) is required. I briefly discuss a few of them here to relate them to the broader ideas of this document.

Regulation. Regulation matters and it's worth pointing out that infrastructural industries are typically regulated (e.g. as utilities). But it cannot solve the problem of digital sovereignty on its own. The reason for that is that operating digital infrastructure means making many rule-like decisions and potentially influencing operations in great detail. Regulation cannot match that level of detail, even with technical standards to back it there is only so much granularity compared to implementations and the automated rules that code makes possible. In a conflict between regulation — especially regulation with chronically underfunded enforcement — and the structural power of infrastructure, the latter wins most of the time.

On top of this, much of the digital regulatory work of the past two decades has used an unhelpful consumer goods framing. Thinking in terms of consumer goods limits the space of interventions: you will mostly consider safety concerns. But regulating structural power needs itself to be much more about creating the kind of structure that supports an open market and an effective democracy.

Innovation funding. The public funding of innovation is important, but focusing it on consumer-level products and services can prove unhelpful. Funding basic research is essential, as is funding infrastructure, capital-intensive investments, and systems that require patient capital.

The ability of funding to address digital sovereignty concerns is, once again, directly linked to its ability to address problems of structural power. To give a blunt but correct example, if Elon Musk owns all the roads and you're unhappy that he's only letting Cybertrucks and Nazis use the fast lanes, innovation funding won't help you. You can invest millions in a lab to produce better asphalt, next-generation road signage, and the coolest traffic lights ever demonstrated, at the end of that process… that guy still owns all the roads and your innovations have no outlet.

Succeeding with innovative products in a world of captured infrastructure is an uphill battle. Open infrastructure has, throughout history, been a key driver of innovation.

Open source & interoperability. I'm terrified every time I hear someone state that "open source/open standards/interoperability will solve this." I've worked in open source & standards for almost thirty years and there is a lot of wonder in these worlds. But we have to be honest: they're also graveyards. Most open source projects fail, many open standards fail too — and take over five years to do so.

My point isn't that we shouldn't be supporting open source and open standards, but we should be a lot more deliberate and realistic about them. They are in no way magical. A good rule is that if you don't have a way to making your project successful as closed source, then you don't know how to make it successful and hoping that open-sourcing it will change anything is just wishful thinking.

Again, structural power matters. To have an impact on the world, a system needs to be deployed and funded. Open sourcing the sewage system won’t flush the toilet. Open sourcing a search engine doesn't create a search competitor.

National champions. A typical, but often ineffective, approach to digital sovereignty is to use public funds to develop a national alternative (e.g. "let's make a European browser or search engine"). There are cases in which this can work, for instance for components that are close to state functions already (such as identity or payments) but even for those you will need an adoption strategy. Is the goal to mandate them or to make them more usable than the private options? The former is heavier-handed than most are comfortable with. The latter is challenging and will need a sustainability model if you don't want future governments to gut it. Even if it is better than the private alternatives, the relevant markets are often captured because the infrastructure that sets the rules for them is captured — and this alone will make success near-impossible.

Physical infrastructure. Another temptation is to focus exclusively on physical infrastructure, like networking and data centres. Part of that stems from a mistaken, largely academic, understanding of "digital infrastructure" as being first and foremost physical. (It is also often understood as being limited to identity, payments, and dataspaces — which is just as wrong.) These are useful components, but by focusing only on those you're still missing most of digital infrastructure, and notably most of the value and power.

Local only. Localising the physical parts of digital infrastructure inside of your territory can also be a step that helps (notably with jurisdictional questions) but it is very far from sufficient. Big tech will happily invest billions in exchange for land, electricity, water, and sweetheart deals, and will even let you call it "sovereign" while they own and operate the place. I am increasingly concerned that most of the work surrounding Digital Public Infrastructure (DPI) is primarily the same techno-authoritarians with a thin sovereign coat of paint on top.

Strategies

When sovereignty is the topic, it is normal to turn first to public actors. Infrastructure is public in nature even when it isn't publicly owned and operated. However, while public actors have a key role to play, I believe that a successful digital sovereignty strategy will overall end up relying more on private and commons actors. The first role that public actors have here is to disperse power and to help coordinate the emergence of shared infrastructure that is governed by its stakeholders rather than directed top-down. We need to focus "on promoting public values not through a reliance on superhuman, technocratic regulators to oversee all aspects of these complex industries from the top-down, instead focusing regulation on underlying economic and political structures*."⁵

What I list here is a high-level and incomplete set of suggested strategies. They of course need to be considered in the relevant local context in which they are to be deployed.

Frame the problem in its full complexity. The list of digital infrastructure components is overwhelmingly long, and for each part it is important to figure out the full stack, which is to say not just the technology but also its funding and governance. That is daunting work, but it is important to align on this bird's eye view in order to develop a sense of just how much of society is affected, what needs to be done, which parts can reuse solutions from one another and so forth. The point is not to go into great detail (the original pitch report of the EuroStack initiative is only a few pages long) but rather to develop a clearer overview of the scope of the problem. Meaningfully improving digital sovereignty, let alone reaching a satisfactory level, is a major endeavour.

Break the problem into manageable chunks. Once the full view is known, for each segment of digital infrastructure it is worth breaking it down further into smaller, more manageable components. This essentially unbundles infrastructure services to make them governable.

A great example is the work that Bluesky has done on the architecture of the AT Protocol. If you consider the "social media" part of digital infrastructure as a monolithic box, it seems unsolvable. It's too big to govern well, it's unclear how to build anything — are you supposed to build your own Facebook/Instagram/Twitter/etc., all the way up to the consumer experience? Evidently not.

What they did instead, as shown in the diagram below, is break open the architecture of social media and describe a protocol for it so that independent entities can operate different components and those different components can be subject to distinct (and very manageable) modes of governance. This is not the place to go into greater detail, but this approach is already working for social media and can be repeated in other domains.

(From Bluesky and the AT Protocol: Usable Decentralized Social Media.)

Fund infrastructure that can enable or liberate innovation. As a simplistic starting point, the model in which public actors fund infrastructure (or the bootstrapping of infrastructure through private-sector coordination and patient capital) and private actors fund innovation in products and services on top of that infrastructure is a good one. The point is to make markets, not necessarily run them. It's common for startups that work from innovation grants to just develop grantware: software that's good enough to get a grant and to claim that it was delivered upon successfully, but that has no real customers — and never will. (I've seen this first-hand.)

Deploy OTNs. One particularly thorny issue in digital infrastructure is that of n-sided marketplaces (e.g. Amazon e-commerce, adtech networks, ride-hailing platforms). That kind of marketplace tends to hold huge power over a large number of participants, and to thrive in opacity. A great solution for these are Open Transaction Networks (OTNs), of which the Beckn Protocol is a great example. An OTN like Beckn (which can be used independently from other so-called "India Stack" systems) is a generic commercial transaction protocol that can be specialised for different markets and then makes it possible to set up transaction networks that are governed by their stakeholders. It's a very effective way to put governance and power where it should be, and to make the system safe, privacy-respecting, and transparent that can be applied to many problems that we have. A great recent example of an OTN is DEG, which applies this approach to the energy sector.

Encourage cooperation in industry. After two decades of authoritarian rule, many companies can have a limited understanding of how to make their own decisions in digital infrastructure and how to cooperate with one another on solving shared problems. There are also often anti-trust concerns in collaborating on shared infrastructure, even so doing so is typically pro-social. Offering template coordination organisations to share governance, IP, workload can help bootstrap communities that will then solve problems themselves.

Follow the STF/STA model. Germany's Sovereign Tech Agency (STA, formerly STF) is an excellent example of how important infrastructure work can be, no matter how unglamorous it may be. Their approach in which they've developed in-depth expertise of the open source ecosystem and are able to target funding in ways that keeps us all safe and keep the world running, with very limited funds, is a model that should be emulated and then coordinated globally.

Adoption-First Approach. There is no need to reinvent everything. For most sectors of digital infrastructure, solutions exist. In many cases, they will be imperfect and insufficient. They might have technology but no clear governance and a weak funding model. Federating existing successful systems and targeting demand and usage rather than innovation is a lot less glamorous, but it's also a lot more effective. Every decision, every strategy, every solution must answer a this question and answer it credibly: what is the path to adoption? Anything that lacks a crisp answer to this question is just vapourware.

Build for real products. Tech policy is full of solutions in search of a problem. These can typically be identified by the fact that they are described in terms that don't involve any concrete product that you could produce a detailed, meaningful interface for. They all sound like this: "Alice goes through her healthcare IoT, which her digital wallet uploads to the dataspace automatically. Bob invokes his federated agent to load Alice's privacy-preserving profile into the decentralised AI factory, thereby giving Alice personalised sustainable mobility." As a rule, you're much more likely to deliver something of real value if it's driven by an actual real-world product (or series of products) than if you have to imagine a product to give it a raison d'être.

Speaking of real products, you'll note that I don't discuss AI much. There are genuine strategic concerns with AI, but they are less strategic than the hype would indicate. Focusing entirely on AI to the detriment of less fashionable digital infrastructure (as essentially every think tank under the sun is doing today) is a path to failure. The best AI in the world will achieve nothing in a world of captured infrastructure.

Mobilising Revenue. One way to prioritise digital infrastructure work is simple: money. Digital infrastructure requires a lot of funding, and identifying revenue flows from which to make infrastructure sustainable is key. We cannot realistically expect the state to fund all or even most public infrastructure, certainly not in perpetuity. One example infrastructure to go after with revenue sustainability in mind is adtech networks. (I briefly discuss how to approach this elsewhere.)

Regulate user agents. All technical architecture have bottlenecks: components that, if you control them, allow you to control everything. People cannot interact directly with protocols, they need to go through specialised software that represents them in the digital world like browsers and operating systems. The technical name for this kind of component is user agent. Because they are an unavoidable point of capture, they need to be regulated to prevent the misuse of that power. How to do that is a longer topic than I can cover here, instead I refer you to The Fiduciary Duties of User Agents. (For the EU, the DFA would be a logical vehicle for this.)

Begin work on post-voluntary standards. There is growing consensus that the so-called multistakeholder model of internet governance, grounded in voluntary standards, is failing us. But defining what comes next that isn't simply a return to state-led standards, which would be generally undesirable, is challenging. This is a complex issue of multi-scale governance that needs principles capable of articulating subsidiarity and interoperability — it won't be solved overnight. But, while this cannot be on the critical path to tech sovereignty, it's important to start thinking about how it could work now because it's a problem that needs solving.

Set up international cooperation. If you've read this far, you know that this is a hard problem. There's no need for every single freedom-loving country to come up with its own plan entirely on its own. There is tremendous sovereignty in chosen collaboration. Many people the world around are working on solving this issue — at the very least, discussing ideas and approaches can only be positive.

Onwards

This barely offers an overview of the problem and how to approach it, but hopefully it is enough to help you assess and prioritise actions. More important than anything else is to get started. It is hard to overestimate just how much power is vested in the digital sphere and just how thoroughly it is capture by authoritarian groups.

If you have feedback, or if you're working on digital sovereignty and would like to discuss, please reach out. I will keep this document updated based on feedback.