Digital Sovereignty

Procuring Sovereign IT in Enterprises: Legally Compliant Planning and Implementation

Digital sovereignty is no longer an abstract guiding principle for enterprises. It has become a concrete response to the risks that arise when sourcing, operating, and switching digital solutions. It gains practical relevance wherever geopolitical tensions, regulatory requirements, and technological dependencies directly affect the reliability of digital infrastructures, data flows, and supply sources.

A key driver of this development is the growing realization that digital services are not always equally available, controllable, or legally manageable under all circumstances. Decisive factors include the accelerated change of regulatory and political frameworks as well as increasing dependencies on specific technologies and providers.

Those who take these risks seriously must define early on where legal or operational control is indispensable - and where dependencies can be consciously accepted.

Why Digital Sovereignty Is Becoming More Important for Enterprises

For enterprises, digital sovereignty is primarily a matter of governance. Business-critical digital services must be selected, procured, and operated in a way that aligns legal requirements, economic viability, and operational controllability. Without a robust plan, companies risk significant follow-on costs, new dependencies, and later implementation issues.

When assessing digital sovereignty, it is therefore not abstract promises of independence that matter, but concrete criteria. Key considerations include in particular:

  • control over data access and data location,
  • resilience against security and compliance risks,
  • verifiability and auditability of agreed requirements,
  • transparency of provider and supply structures,
  • avoidance of vendor lock‑in, and
  • the actual ability to use services in a scalable, economically viable manner with sufficient operational autonomy.

These criteria are decisive in determining whether digital infrastructures remain resilient even under changing regulatory, political, or economic conditions.

Smart Sovereignty as a Realistic Target State

In practice, digital sovereignty rarely follows an all‑or‑nothing approach. Instead, enterprises must determine where a high degree of sovereignty is mandatory - and how these requirements can be sensibly combined with the benefits of highly scalable, cost‑efficient, and innovation‑driven standard cloud offerings.

This target state can be described as smart sovereignty: an intelligent design of sovereign solutions with regard to sustainability, cost, duration, and capacity for innovation. A very high degree of sovereignty can strengthen control and resilience but, depending on implementation, often comes with higher costs, reduced scalability, and more limited access to innovation dynamics. Conversely, standard cloud offerings provide substantial scaling and innovation potential but can deepen existing sovereignty risks.

In practice, there is much to be said for hybrid models. Certain components, data, or functions are placed in a more sovereign environment, while others deliberately remain in standard cloud services or comparable standard environments. This requires a clear distinction between mandatory and optional requirements, as well as a controllable approach that allows for change without abandoning the defined target state.

Hard requirements may arise from statutory or regulatory obligations, which can vary significantly by jurisdiction. In addition, there are softer requirements stemming from internal policies, self‑commitments, or corporate governance decisions. Failure to clearly separate these levels risks either excessive requirements with unnecessary cost and innovation drawbacks, or a target state that later cannot be contractually or operationally secured in a robust manner.

From Target Definition to Procurement Decision

Once the target state has been defined, the question arises as to the appropriate procurement approach. Typically, direct procurement and tender procedures come into consideration. Both have their justification depending on scope, volume, and risk profile.

Direct procurement is particularly attractive due to speed, lower procedural effort, and greater flexibility in provider selection. Shorter and more informal decision paths can be especially useful when requirements are clearly defined, smaller procurements are involved, or highly standardized solutions are being acquired. However, particularly for highly specialized solutions, this may be offset by lower market transparency and the risk that, due to limited competition, ongoing costs are higher or alternatives are insufficiently assessed.

Tender procedures, by contrast, place greater emphasis on comparability, competition, and transparent decision‑making processes. They increase the likelihood of procuring suitable services on sustainable terms while also strengthening compliance in the awarding process. The associated effort is significantly higher, especially if RfI, RfP, BAFO, and negotiation phases are involved. However, for large‑scale, security‑relevant, or highly customized procurements, this effort is often appropriate.

Even at this stage, it is advisable to work with robust reference frameworks. The EU Cloud Sovereignty Framework, BSI sovereignty criteria, C5 criteria, and the Sovereign Cloud Stack can help structure requirements, make offers comparable, and systematically request evidence during the selection process. While standards do not replace company‑specific assessment, they increase comparability and facilitate subsequent contractual alignment.

Especially in sovereignty‑related initiatives, it becomes clear that procurement processes must be designed holistically - from technical, operational, and legal perspectives. The more complex the requirements for data control, provider transparency, interoperability, verifiability, and exit capability, the more important it becomes to use a process with clearly documented evaluation criteria.

Contract Design, Migration, and Go‑Live

The contract is not the sole measure of digital sovereignty, but it is a central - and in practice often underestimated - governance instrument. Particularly because legal departments are not always involved early and deeply enough in technology projects, sovereignty‑relevant requirements often remain at the level of general objectives rather than being translated into enforceable performance obligations, evidence requirements, and legal consequences.

The starting point is a clear service description. Sector‑specific or company‑specific particularities, the interpretation of relevant standards, and the scope of internal policies must be defined with sufficient precision to ensure that it remains clear what is owed and how performance is measured. This is particularly relevant in hybrid or multi‑tier delivery models involving multiple providers or technical layers.

In addition, requirements apply to the provider and its subcontractors and suppliers. Depending on the risk profile, it may be relevant to disclose direct and indirect ownership or control structures, potentially down to the level of beneficial owners. For service delivery itself, requirements regarding residence and nationality, as well as security checks or certifications, may play a role where legally permissible.

However, such requirements only have practical effect if they are linked to transparency, audit, documentation, and evidence obligations. Sovereignty must not be reduced to mere assurances; it must be verifiable, documentable, and enforceable in the event of a dispute. Especially in complex operating models, a clear delineation of respective responsibilities is essential to avoid diffusion of responsibility in the event of disruptions.

Another focus lies on future viability and switching capability. Contracts should safeguard scalability, adaptability, and innovation capacity so that changing needs, legal developments, and market conditions do not immediately necessitate a new and costly procurement initiative. Equally central are mechanisms to avoid vendor lock‑in, in particular through clear termination and exit provisions, interoperability, open standards, and practicable transition paths.

This may include the ongoing provision - or provision at exit - of configurations, documentation, and customer‑specific developments, automations, and comparable project‑specific artifacts in a usable form. Cloud‑switching mechanisms may also be relevant in this context. Finally, digital sovereignty is always also an economic issue; therefore, operating costs, scaling price models, adjustment mechanisms, gain‑sharing for innovation and change, and the handling of fluctuating hardware prices should be contractually addressed with clarity.

Ultimately, digital sovereignty must also prove itself in implementation. Clear requirements for migration services are essential, explicitly including the agreed sovereignty requirements. These include, for example, heightened traceability of individual migration steps and, where possible, the avoidance of data transfers outside the target region during migration.

If agreed requirements are not met during migration, termination, withdrawal, or functionally equivalent mechanisms should be provided for. Productive operation should only commence once sovereignty‑specific criteria have been formally accepted. After completion of the migration, deletion confirmations should be sought for legacy systems.

With regard to ongoing operations, the description of sovereignty requirements should also explicitly cover the support, administration, and control‑plane levels, such as identity management, auditing, monitoring, and provisioning. It is particularly here that it becomes evident whether the provider can consistently meet these requirements in day‑to‑day operations.

How We Support Enterprises

Legal support for digitally sovereign procurement should not begin only with contract drafting. It ranges from translating regulatory and internal requirements into robust mandatory and optional criteria, through legal support in selection and negotiation processes, to the design of service, evidence, audit, exit, migration, and acceptance provisions. Where appropriate, this can be implemented together with colleagues from Deloitte T&T as part of an integrated approach that brings together legal, technical, and operational perspectives at an early stage.

To realize digital sovereignty, abstract commitments are not sufficient - a resilient chain linking target state, selection process, contract architecture, and controlled implementation is required. Those who connect these elements early create a realistically manageable and legally robust framework for digital sovereignty.
