Why the EU Should Stop Talking About Digital Sovereignty
from Net Politics and Digital and Cyberspace Policy Program

Digital sovereignty has become a popular slogan in the European Union. However, this approach creates several weaknesses for the EU, and should lead the group to adopt a new mantra.
A padlock sits in the center of a European Union flag. Dado Ruvic/Reuters

Over the past decade, digital sovereignty discourses have permeated the EU government and gained traction in various policy areas, including cybersecurity. EU policy makers appear to believe that Europe can only be secure in the digital space if it is sovereign. The recent communication published in November 2022 on the EU Cyber Defense, for example, lays out a plan for the EU to create a coordinated response mechanism to major cyberattacks, with technological and digital sovereignty identified as a key component of this effort. When European institutions discuss “digital sovereignty,” what they are talking about is achieving technological independence from foreign suppliers and the ability to assert control over data and digital assets. Digital sovereignty, however, exposes the EU’s lack of an advanced technology sector and could lead to the exclusion of important entities from the cybersecurity process. Instead of pursuing digital sovereignty, the EU should adopt the concept of digital responsibility, which emphasizes fostering cybersecurity partnerships with trusted organizations outside of government based on their good behavior in the digital realm and compliance with existing regulations.

Subsidiarity governs cybersecurity

Emerging as a reaction to the dominance of American companies and Chinese technological advancement in the digital world, digital sovereignty has become a leitmotif in EU discourse. While this idea is in principle attractive, especially in times of uncertainty and geopolitical tensions, there are some practical considerations that EU leaders have to grapple with. Both from a European law perspective and from a cybersecurity governance perspective, there is no room for the term digital sovereignty in the EU’s cybersecurity policy architecture.

First, cybersecurity policy and related legislative acts are guided by subsidiarity, the idea that the central authority should perform only those tasks which cannot be performed effectively at a local, regional, or national level and, therefore, wherever possible, the Union should act at the lowest level of governance. EU cybersecurity examinations often involve entities at every level of government, emphasizing the importance of subsidiarity in EU cybersecurity regulations.

Second, the European cybersecurity posture is rooted in a multistakeholder governance model, characterized by mechanisms facilitating collaboration and coordination among public and private actors, both domestic and foreign. However, as a recent study explains, digital sovereignty discourses are currently affecting such public-private cooperation in the EU. Geopolitical concerns have led politicians to perceive some foreign companies as unreliable, which could lead to isolating those companies from partners in government and deterring much-needed cooperation. When a government decides to ban or stop the delivery of cybersecurity services provided by a foreign company due to geopolitical concerns, this decision can put the community or society at risk (because of high interdependencies). To sum up, subsidiarity and multistakeholderism govern cybersecurity in the EU: two concepts that have little to do with the term “sovereignty.”

Digital dependencies are immense and independence is unreachable

Putting aside legislative arguments for a moment, the truth is that achieving a greater degree of independence will be a very difficult, long-term, and uncertain process. A recent study commissioned by the Konrad Adenauer Stiftung has shown the extent to which European countries depend on foreign digital technologies through the “Digital Dependence Index.” According to the authors, “Europe has barely recognized the consequences of its digital dependency.” China, South Korea, and the United States have all developed more robust domestic technology sectors than the EU, affording them greater digital independence. The EU’s digital dependence includes software products, such as browsers, search engines, and major operating systems, most of which are developed outside the EU. Digital sovereignty messaging has a large effect on the EU because of the tension it raises between foreign companies and EU governments; this breakdown in cooperation is made more acute by the high levels of digital dependency in the EU.

Cybersecurity needs a cooperative approach  

The notion of digital sovereignty emphasizes a closed ecosystem as the solution to the loss of control over data and technology. In contrast, the concept of digital responsibility creates a path for trustworthy actors to engage with governments in a system with partnerships and cooperation at its core.

Whether in the field of threat intelligence, standardization and certification, or critical infrastructure protection, cooperation between a variety of organizations is imperative. In line with this idea that cybersecurity needs a cooperative approach, adopting digital responsibility would mean underlining the importance of those partnerships and, at the same time, encouraging organizations to go beyond what is legally required of them and be proactive, rather than reactive.

There are several ways organizations could seek to be proactive on cybersecurity policy. An example of digitally responsible behaviour is the implementation of two-factor authentication as a standard security measure, even where it is not required by law. Under digital responsibility, companies would also conduct regular cybersecurity training for their employees. Finally, digitally responsible companies would develop a comprehensive approach to managing risks stemming from their wider industry connections, such as third parties, suppliers, and partners.

Organizations should also seek to follow works like the Digital Responsibility Goals and the principle that cybersecurity is a strategic business risk, rather than only an information technology issue. In short, the concept of digital responsibility should prevail in the EU discourse, as it emphasizes the idea of inclusiveness and cooperation in the digital realm, while putting corporate responsibility at its center.

Sovereignty and responsibility to protect

Digital sovereignty, as currently used, draws out or creates too many weaknesses of the EU, including high levels of digital dependencies and a reduction in cooperation between companies and governments. Clearly, this idea of “us” vs. “the other” cannot serve the broader goal of promoting “a free, open, safe, and secure cyberspace.” The concept and the justifications behind this term are in contrast with the basic idea that we all have the responsibility to protect our digital societies, infrastructure, and users: in this view, there is no room for a division between “us” and “the other”; rather, we are all responsible for protecting each other. Speaking of “digital responsibility” rather than “digital sovereignty” will allow the EU to emphasize the need for a responsible and cooperative approach in the digital realm.

 

Simona Autolitano is a doctoral student at the Center for Advanced Security, Strategic and Integration Studies (CASSIS) in Bonn, Germany, and a fellow at the European Cyber Conflict Research Initiative.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.