For companies

A practical framework to evaluate sovereign solutions

Digital Preparedness

29 Jan 2026 — 4 min read

As geopolitical tensions, sanctions, and legal extraterritoriality increasingly affect digital infrastructure, the concept of software sovereignty has moved from theory to operational necessity. Organizations are no longer asking only whether a tool is secure or compliant, but whether they will retain access and control under all circumstances.

This questionnaire proposes a structured framework to evaluate software solutions claiming to be sovereign.

1. Jurisdiction and legal exposure: Who can legally compel the software vendor?
2. Data location and control: Where is the data stored, and who truly controls it?
3. Ownership and governance: Who controls the company’s strategic decisions?
4. Transparency and auditability: Can the vendor’s claims be verified?
5. Security and encryption: Is data protected even under legal or political pressure?
6. Technological dependencies: Is the solution sovereign all the way down?
7. Resilience and crisis readiness: What happens during sanctions, outages, or geopolitical disruptions?
8. Sovereignty as a strategic commitment: Is sovereignty a core principle or a marketing slogan?

1. Jurisdiction and legal exposure: Who can legally compel the software vendor?

Jurisdiction is the cornerstone of software sovereignty. The location of a company’s headquarters determines which legal systems can impose obligations, including data access requests or service suspensions.

A critical distinction must be made between European companies and European subsidiaries of non-European groups. The latter are typically subject to non-EU legal obligations and should not be considered sovereign.

Evaluation questionnaire:

In which country is the legal headquarters located?
Under which jurisdiction(s) is the company incorporated?
Is the company subject to non-EU extraterritorial laws (e.g. US Cloud Act, FISA, or equivalent)?
Is the company a subsidiary or affiliate of a non-EU entity? If yes, please describe the ownership structure.
Which legal framework governs customer contracts?
Can the company legally refuse data access or service suspension requests from non-EU authorities?

7. Banking, finance, and financial continuity

Two days after the Shock, the CTO declared the infrastructure stabilized. Core services were limping along on a regional provider. Customer data had been restored from offline backups. For the first time, the leadership team exhaled. But the panic was still real in the finance departement. Six months earlier, the

8. Legal, compliance, and corporate control

The Shock happened thirty-six hours ago. The infrastructure team has stabilized the core systems. A few services are responding again. Leadership exhales. Then the CFO calls. Payroll is due in two days. The finance team has moved to a backup system and can technically process payments. But the bank is

6. Infrastructure exit strategy

Twenty-four hours after the Shock, the mood briefly shifts. Against all odds, the IT team had made real progress. A regional provider was identified. Accounts were opened. Networks recreated. Containers pulled. One by one, core services start responding again. It is slower than before, rougher, missing pieces - but alive.

5. Data preparedness

The IT team has not gone home. They worked through the night, sleeping in turns, living on bad coffee and adrenaline. By morning, the situation looks finally better. Many systems respond again. Then people start opening applications. The ERP loads, no error. But it’s impossible not to notice it’