
Digital sovereignty must define itself before it can succeed

(2026/02/16)


Opinion If you've ever flipped over a power brick, you'll be familiar with the hieroglyphics of type approval. It's become less crazy over the years as things have got smaller and signage requirements softened, but at its peak tens of logos and acronyms of testing labs and national approvals covered the backside of PSUs in surrealist graffiti.

There was and is method to it. Type approval means that the device won't kill you, won't jam your airwaves, won't burst into flames, and other desirable negatives. If a business buys approved equipment, it won't invalidate its insurance, and many other legal protections and permissions flow. When the system stops working, which it does when individual consumers can buy cheap stuff directly from overseas, [1]fiery death can follow.

There hasn't been an equivalent concept in software, at least not in general. Life-critical systems with software in, yes, and lots of industry codes and compliance incantations, but never national guarantees of software or service behavior. Now there are good and growing needs for this to change. There are dangerous aspects of design and implementation common to many different classes of product, invisible to users, and no way of knowing what is safe.

Fortunately, organizations, nation-states, and entire blocs can and do recognize what's happening, and are beginning to react. If you use a service or software that stores your data or identity in a place or with people with no legal protection against state interference, you have no privacy or protection from being locked out.

Which is why, of course, digital sovereignty is so desirable. The bigger you are, the more practicable it is to realize, although it is very far from easy. Technologies, standards, procurement policies, implementations, user bases, support hierarchies – all manner of things have to be moved and coordinated. The whole thing must make practical, economic, and sustainable sense. We're seeing this happen, especially in Europe.

Matrix is a good example. A longstanding open messaging protocol with a coherent and sensibly stratified FOSS/commercial client roadmap, it is becoming the [5]underpinning of choice for the digisov desirous, from the EU down. It's no guarantee of goodness, but if you want to go that way, it's a great component.

Or look at the [7]European Payment Initiative (EPI). This isn't an EU initiative, but a project of European payment service providers (PSPs). The clue's in the name: PSPs are the entities that handle electronic transactions between customers and suppliers. Visa and Mastercard manage around two-thirds of all EU-based transactions and neither is European. There is no one European PSP, no one name to go to.

Last week, PSPs from Norway, Spain, Portugal, and Italy signed up to the EPI, sharing a common Europe-based transactional hub and letting customers in 17 countries use their existing payment providers interoperably. This isn't about open source. It isn't about EU-level political decisions. It creates a sovereign digital service just the same. It also demonstrates that digisov does not need to map onto political boundaries. Norway isn't in the EU, and other non-EU and non-Eurozone countries can join. They just need to have compatible regulatory and legal regimes.

It is thus entirely possible to see an EU definition of alignment that would grant membership of the European digital sovereign entity. Don't let the users get burned, then you get to use the regulatory mark. You get access to sectors and markets where alignment is either mandatory or very highly desirable.

Such services and products could be bundled into platforms, markets, and product categories. If it's possible, barely, for a savvy, motivated, focused organization to build its IT with some degree of digisov, think how far away the concept of a European consumer alternative in packaged services and products is to Apple, Google, or Microsoft. How would anyone begin to find AWS or Azure-free services online? Add a compliance mark, and the impossible becomes possible. No changes in law, no international treaties, just a single recognizable symbol that says that this will not catch fire and burn you.

Armed with that, anyone can join forces. You could build a Linux distro. You could align your existing Swiss-based secure email service, or your German datacenter company, or anything that's useful and follows the rules.

All it needs, at heart, is a definition of what qualifies a service, product, component, or entity as aligned. In other words, what the concept means in practice. What rights are guaranteed to users, their identity, and their data, not just in terms of what the organization promises but that the promises can be kept no matter what. That means operating in regimes without overweening laws or exemptions to individual rights. One could even call such a definition a constitution.

There's no need for anyone so minded to wait for permission to start this process. Find fellow travelers and talk to them. A rough consensus will do for starters, alongside honesty, and fearsome commitment. If the concept's good and the timing is right, it will catch fire – in the right way. You can't rally to the flag if there is no flag. If there is, nobody can stop you. ®




[1] https://www.london-fire.gov.uk/safety/lithium-batteries/the-dangers-of-electric-scooter-and-electric-bicycle-batteries/

[5] https://www.theregister.com/2026/02/09/matrix_element_secure_chat/

[7] https://epicompany.eu/




Dream On!

Anonymous Coward

Quote: "...digital sovereignty is so desirable..."

Really? Moving your provider for "digital sovereignty" just moves the target for hackers!

Do you really think that Google, Meta and the others are going to stop slurping?

....or that screw ups like the JLR fiasco will be prevented if "the cloud" happens to be in the UK or the EU?

Dream on!

Re: Dream On!

Anonymous Coward

I stopped dreaming when I discovered a VERY OLD CONCEPT called "air gap"!

....otherwise known as "private sovereignty"!!!!!

Re: Dream On!

Doctor Syntax

Sovereignty, at least from the state view, be that country or bloc such as the EU, means that the service provider is subject only to the laws of that area to which it's sovereign. That means it has to be operated by an entity, be that a company, a government department or whatever, constituted in the area, under the area's legislation with an ownership chain entirely within the area and with the law of the area applying to the contracts for services and without interference from any entity outside the area.

Outside of the US that excludes Google, Meta and other US service providers. So they can't slurp what they don't see and they can't see what they don't get their hands on. If they want to continue providing sovereign services in that situation they need to find a partner who meets those requirements and set up a franchise with contracts which are suitably arm's length. Perhaps even more than the slurping is ensuring an outside entity can't arbitrarily tell the service provider to stop providing a service.

I appreciate that this is a concept some people find difficult to get their head round but there are such things as sovereign states which make their own laws and rather resent the US's extra-territoriality.

Re: Dream On!

hrolf-kraki

@Doctor_Syntax

Quote: ".....subject only to the laws of that area....."

Yup.....laws like environmental laws.....and our rivers are full of sewage! ....and OFWAT DOES NOTHING!!

Yup.....laws like GDPR......and millions of medical records are handed over to Google/DeepMind......and no one gave consent.....and the regulator DID NOTHING!!

Wake up! Laws MEAN NOTHING when there is NO ENFORCEMENT.

......and laws MEAN NOTHING in places like Fort Meade!

Look in the mirror and repeat after me...."Dream On!"

Rubber stamp

Pete 2

> How would anyone begin to find AWS or Azure-free services online? Add a compliance mark, and the impossible becomes possible.

This is the politician's approach. When something bad is uncovered they consider their only duty is to pass a law to make it illegal (or to tax it, so only the rich can partake). Job done. Problem solved.

However, we all know this is just papering over the problem. Just as standards marks can be faked. As quality compliance can be forged. Marketing statements exaggerated or completely fictionalised.

In reality the only path to digital sovereignty is to give each person, corporation or government absolute control over the data they own. Of course, this is entirely impractical as it would require everyone on the planet to understand how to do this and to be engaged enough to manage their information.

So possibly the best we could hope for would be to delegate those responsibilities and duties to a third party. Much as we do, in theory at least, by charging the security and police forces with our physical safety - for better or for worse. Which then leads to the questions of who would pay to "protect" personal data that so many people simply do not value, and what supervision would these data guardians be subject to?

I would not expect the bar to be very high on either account. And that many supposed enforcers would still limbo under it.

Doctor Syntax

"If you use a service or software that stores your data or identity in a place or with people with no legal protection against state interference, you have no privacy or protection from being locked out."

This sentence entangles several different concepts.

For a non-governmental service, server provider access could be demanded by an arm of the state - in civilised societies that would require a search warrant or similar. That's always been the case if you're talking about written on paper. Even for servers running on-prem the same applies. That means that sovereignty below state level is limited but state interference can be restricted to the local state by using a provider which meets the requirements below.

Services provided for a government department are not so likely to be subject to search warrant although there may be circumstances where it could happen - suspected corruption, for instance. For governments the concern is interference from a foreign government, either access to data or sanctions terminating the service. That requires what I outlined in a previous comment: ... it has to be operated by an entity, be that a company, a government department or whatever, constituted in the area, under the area's legislation with an ownership chain entirely within the area and with the law of the area applying to the contracts for services and without interference from any entity outside the area.

While I take the point about quality of software and regulatory requirements I think that's a different matter to provision of sovereign services. The significant issue for software for sovereign services is whether the software can be run in a manner that meets those requirements. If it has to be hosted by a provider which fails to meet them, then it's unsuitable. Software from a local commercial software house (including bespoke software) could be suitable but the biggest source of suitable software would be FOSS. Note also that any software support provider needs to meet the requirements.
