From dependency to conscious control    Digital sovereignty:

Geopolitical tensions, debates around extraterritorial legislation and the dominant position of American hyperscalers: in a short space of time, digital sovereignty has evolved from a niche term into a strategic priority in many boardrooms. But reducing it to anti‑American sentiment misses the point, according to Conclusion. “Digital sovereignty is about understanding your dependencies and accepting the risks that come with them.”

Organisations that have confidently moved workloads to the cloud over the past decade are increasingly asking themselves uncomfortable questions. What happens if access is suddenly restricted? What if prices rise significantly? And what if data ends up in the wrong hands — or organisations can no longer access their own data?

At its core, the issue is straightforward, says Lucas Jellema, CTO of Conclusion: do you know what your dependencies are? And do you understand and accept the risks that result from those dependencies? “The current geopolitical context has made the topic more visible, but the underlying discussion is not new. You could almost say we should thank Trump — not for what he does, but for forcing organisations to rethink their dependencies on suppliers, technology, partners, resources, locations and even people. IT architects have been highlighting dependencies and risks for years, but they were not always heard at board level. With NIS2, geopolitical tensions and concrete incidents, risk awareness has finally landed in the boardroom.”

Nowhere is the urgency of digital sovereignty more tangible than in environments where processes simply cannot fail. Within Conclusion Mission Critical, CTO Jochem van Lierop works daily with digital environments in which continuity is not an abstract concept, but a hard prerequisite. “For us, mission critical means processes that cannot be allowed to stop,” he explains. “Think of NS trains no longer running, Eneco being unable to supply electricity, or Rijkswaterstaat losing connectivity to bridges, tunnels and locks. If those systems fail, the consequences are felt immediately.” 

According to Van Lierop, this demands architectural choices in which continuity is structurally built in: multiple physically separated data centres, or a combination of private and public cloud; geographically separated locations; redundant network connections; and fully developed failover scenarios. “You design for the scenario you hope will never occur. Two servers in the same room is not redundancy — not even two servers in the same building. At the same time, you have to remain realistic. You can always imagine a more extreme scenario, but the question is what is proportionate. You answer that by mapping dependencies, analysing what can fail and what the impact would be, and then determining which residual risks are acceptable.”

Sovereignty adds an additional dimension to this discussion. According to Van Lierop, it is not only about technical availability, but also about who ultimately has control. “If you place everything in one cloud environment, you are making a choice. That choice may be defensible, but you must be aware that it introduces a dependency that can affect continuity, pricing and legal control.”  

For Conclusion, the discussion does not stop at analysis. The organisation has long had building blocks in place that now take on added meaning in the context of sovereignty. Conclusion offers private cloud environments that operate entirely on Dutch soil, spread across multiple data centres. These environments fall under Dutch jurisdiction and Dutch ownership, Van Lierop emphasises. “That means you are not subject to extraterritorial legislation enforced outside the Netherlands. For organisations with an elevated duty of care — such as healthcare institutions, financial organisations and operators of critical infrastructure — this is not a legal nuance, but a fundamental requirement. They must be able to demonstrate that data remains available, protected and under control, even when geopolitical relationships shift.” 

Sovereignty does not end with infrastructure or jurisdiction. The question of who really has control only becomes clear in day‑to‑day operations: who manages the environment, who responds when incidents occur, and how short the lines are when things get critical. Within the broader Conclusion ecosystem, Conclusion Enablement focuses on managed services, cloud and workplace solutions, and the continuous improvement and management of IT environments. Here too, sovereignty takes on practical meaning, emphasises CTO Marcel Stangenberger. 
 
“Consider the growing demand for local service centres. The choice for local presence is not just about language; it is about direct accessibility, familiarity with the local organisation and processes, and speed of decision‑making. In critical situations, organisations do not want handovers across multiple time zones, but short lines with people who know the environment inside out and understand what the systems mean for the organisation — and who can therefore immediately assess the impact of disruptions.” 

The same logic applies to SaaS environments, where dependencies are often less visible but no less real. Conclusion helps organisations maintain control over their data — not by avoiding SaaS, but by putting additional measures in place.  “A backup alone is not sufficient,” Stangenberger explains. “You need to secure your data very frequently and be able to restore it in a usable format, so that you can continue operating if access is restricted. Our distinguishing strength as a group does not lie in a single product or service, but in the combination of architecture, infrastructure and operations — and in the ability to find the right balance for each workload, chain, process or dataset between innovative capacity, control, cost and the effort required for transition.” 

According to the three CTOs, sovereignty is emphatically not a rejection of hyperscalers. The innovative power of companies such as Microsoft and AWS is beyond dispute, Van Lierop stresses. “Their platforms offer scale and functionality that are essential for many organisations. Ignoring that would be unwise. But if you build your core processes entirely on one cloud platform, you are creating a strategic dependency. The key is to make those dependencies — and the associated risks — explicit and to accept them consciously.” 

This applies not only to cloud infrastructure, but increasingly to AI as well. The pace at which organisations embed AI services into their processes introduces new dependencies with a familiar pattern: speed and convenience take precedence over careful architectural considerations. The risk is not just downtime, but also unexpected price increases, changing model behaviour or the withdrawal of a supplier. “Mission‑critical processes are never designed around a single supplier, technology or platform,” says Van Lierop. “So why would you do that with your AI foundation?” Stangenberger places this in a broader perspective: “Ultimately, sovereignty comes down to one question: can you continue operating when it really matters? That requires control over your data, your environment and your people.”  

Whether public attention for sovereignty fades again in the coming years is less relevant than the structural shift the topic is currently driving. It forces organisations to re‑examine their digital foundations — not from fear, but from a clear analysis of dependencies and risks. Digital sovereignty is about knowing where you are dependent, and where you do not want to be, Jellema emphasises. “If you are clear on that, innovation and control can coexist perfectly well.”