European digital sovereignty: Storage, surveillance concerns to overcome

Control and govern

According to Geopol, digital sovereignty refers to a country’s ability to control and govern its own digital infrastructure, data and technologies in alignment with national laws, values and interests. “In simple terms, it’s about who owns, controls and protects data and digital systems within a given territory,” it says.

This has been present for many years, with China’s tactic to inspect web traffic passing through its networks well documented. An article on the Comparitech web site claims China “will first demand that a western tech company comply with its surveillance or censorship demands in order to continue operating in the country. This constant surveillance leads to what it calls “an atmosphere of distrust, and has a chilling effect on freedoms of speech, expression, movement and assembly.”

In the past few months, though, especially since the second US presidency of Donald Trump, there has been increased searches of electronic devices at ports of entry, while Greg Nojeim, director of the Security and Surveillance Project at the Center for Democracy & Technology, told Reuters there was an increased concern by Europeans about the US government accessing their data, whether stored on devices or in the cloud.

“Not only does US law permit the government to search devices of anyone entering the country, it can compel disclosure of data that Europeans outside the US store or transmit through US communications service providers,” said Nojeim.

This is leading to a concept of digital sovereignty for Europe, with providers seeking more local hosting and cloud-based storage, as well as using more non-US services. For example, use in Europe of Swiss-based ProtonMail rose 11.7% year-on-year, and Germany’s new government has committed to make more use of open-source data formats and locally based cloud infrastructure.

Realistic option

So, all of a sudden, it seems that the US is the bad guy? With American companies still dominating the cloud market, is digital sovereignty a realistic option? Brian Honan, CEO of BH Consulting, says that with the current uncertainty around the geopolitical environment, organisations need to acknowledge that digital sovereignty is no longer an abstract concept, but a very real issue that could impact them.

“We are already witnessing organisations taking proactive steps to reduce their dependence on US-based technology providers, such as the municipality of Aarhus in Denmark, which has recently announced its plans to phase out Microsoft products due to concerns over control and long-term resilience,” he says.

“Similarly, in the Netherlands, government agencies have raised serious questions about the compatibility of US cloud services with EU [European Union] data protection laws such as the EU General Data Protection Regulation [GDPR] and the EU Artificial Intelligence Act.”

Honan says that organisations need to review the risk associated with their dependency on systems and services that are provided by suppliers outside their jurisdiction, and the potential impact on their business should one, or all, of those suppliers restrict access to their services.

“The cost of disruption, regulatory exposure and data loss will far outweigh the perceived convenience of doing nothing,” he says. “Now is the time for organisations to assess their digital supply chain, understand their exposure and put appropriate remediation measures in place. Hopefully, the measures may never be needed, but it is better to be prepared than to react to a crisis."

Taking action

That move by the Danish government came at a time when the concept of digital sovereignty increased, and more European governments took action against more suspicious applications. For example, Czechia banned DeepSeek in July 2025, following a similar move in January by Italy, over cyber security concerns, when Czech prime minister Petr Fiala said the government acted after receiving a warning about the threat of unauthorised access to users’ data.

Research published in mid-June 2025 by cloud computing services supplier Civo said 83% of UK-based IT decision-makers worry about the impact of international developments on data sovereignty, with 61% of UK IT leaders now considering data sovereignty a strategic priority as 35% of survey respondents have complete knowledge of the location and jurisdiction in which their organisation’s data is hosted.

One company making efforts to enable European organisations is Zscaler, whose Zero Trust Exchange is designed to securely connect users, devices and applications while upholding the highest standards of privacy, security and operational resilience. Announced in June, the company said its platform meets these challenges with a commitment to privacy by design and privacy by default.

Casper Klynge, vice-president and head of EMEA government partnerships at Zscaler, said it was focused on helping its customers navigate complex compliance requirements, and empowering them to modernise securely, innovate confidently and maintain control over their most sensitive data.

Speaking to Computer Weekly, Klynge says there is a global trend to seek digital sovereignty, but the European motivation is where there are concerns about dependencies, and retaining Europe’s global competitiveness.

“What we’ve seen in the last four to five months in terms of the change of mindsets, the psychology on the European side, is in my view unprecedented,” he says. “It’s a massive change and it goes back to the question about trust, and therefore, there are some hesitations of using non-European technology.”

Klynge also claims it is “absurd to talk about digital sovereignty, without cyber security” and that the best way to ensure a competitive European market and enable European companies is to have responsible companies coming in and providing that peace of mind.

Questions and criticism

Another factor of digital sovereignty that Klynge raised was around giving control to customers, as well as protecting the organisation, and not only protecting against criminal networks, but also protecting against government access.

He says that common customer conversations will follow a trend of “how do you make sure if we buy your product that you can protect us against anything from the outside, can you ensure service continuity, and can we have full control over the technology so that we decide who sees what and where will our data set go?”

As an American headquartered company, has there been any kind of kickback at all to suggest they are being anti-American and going against “principles of freedom” by controlling European user data?

Klynge says there has been “nothing that we’ve heard of”, but as Zscaler was founded on principles that today has become mainstream, so its enabling of European companies is not about caving into their requirements, “that’s what we’ve been doing all along, now we’re building additional functionality that goes just that extra mile.

“It has nothing to do with the views in the universe versus the views in Europe,” he says. “As I said before, we think these are global trends and global phenomena. All customers would want to go in this direction. We want to be ahead of the curve, and we think that’s the right way to do it.”

Klynge makes a key point that it’s impossible to define digital solvency, as “you get at least 27 versions” or explanations. Zscaler’s official line is that it translates into the need to keep data within the EU or national borders to ensure legal compliance and mitigate risk.

It said that maintaining control over where and how sensitive data is stored and processed is increasingly viewed as a core element of strategic cyber security and risk management, and critical to data confidentiality, integrity and availability.

The Civo research found 54% of its surveyed organisations have implemented digital migration strategies in the past year, suggesting many firms are already rethinking their digital infrastructure to account for sovereign concerns and future regulatory demands.

With greater enforcement of the US Cloud Act, and China notably surveilling its own citizens, there is a great opportunity for those companies who can offer sovereignty guarantees to European companies at this time. What response they receive over their patriotism will be for them to determine over time.