Digital sovereignty after Davos 2026: How data, cloud and AI control shape global resilience

Discussions at Davos 2026 pointed to a structural shift in how governments and enterprises view digital infrastructure: digital sovereignty is increasingly being treated as a question of strategic control, resilience and competitiveness, not only compliance or data location. Data sovereignty, once treated as a regulatory or privacy topic, has become a strategic concern tied to resilience, technological competitiveness, and geopolitical stability. The debate did not point toward technological decoupling, but toward de-risking and rebalancing digital dependencies.

For many years, digital sovereignty was primarily associated with privacy regulation or data residency requirements. Today, however, the conversation has widened significantly. Leaders increasingly recognize that the real issue is not simply where data is stored, but who ultimately controls the systems that process, analyze, and generate value from that data. This includes cloud infrastructure, AI models, data flows, software platforms, and the legal jurisdictions that govern them. As a result, sovereignty discussions now extend across the entire digital stack, from compute capacity and model training to governance, access rights, and operational continuity. That change is happening against a backdrop of rapidly rising AI investment, with WEF and Bain projecting annual AI infrastructure spending to exceed $400 billion by 2030.

At Davos and in parallel policy debates in Europe and beyond, the focus has therefore shifted away from simplistic narratives of technological decoupling. Instead, governments and enterprises are searching for ways to remain integrated in global technology ecosystems while reducing systemic dependency risks. Recent WEF and Bain work frames the goal less as full self-sufficiency and more as strategic interdependence, where openness is preserved but critical dependencies are managed more deliberately.

The emerging consensus suggests that digital sovereignty is not about isolation. It is about ensuring that openness and global connectivity remain compatible with resilience, legal clarity, and the ability to retain decision-making authority when conditions change.
In this article, we distill the Davos signals and outline what they mean for cloud and AI decision-making without falling into the false binary of “decouple vs depend.”

Davos 2026 and the shift to governable openness

What changed after Davos was not the existence of the sovereignty debate, but its operating logic: the discussion moved from abstract principle to design questions around jurisdiction, interoperability, continuity and shared control across borders. The question is no longer framed narrowly around privacy or compliance. It is increasingly about whether governments and enterprises can remain open to global technology ecosystems without becoming overly exposed to legal, political, or operational dependencies they do not fully control.

This shift also revealed a real tension, but not a contradiction. Policymakers are pressing for greater assurance over jurisdiction, security, and accountability, while business leaders remain cautious about responses that could weaken innovation, scale, or access to global markets.

The issue is less foreign technology in itself than unmanaged dependence that becomes harder to navigate when geopolitical conditions tighten, or concentration risk starts to affect continuity and bargaining power. The WEF’s “Digital Embassies for Sovereign AI” discussion illustrate that shift well: the focus was on how nations can extend digital infrastructure across borders while still retaining control over data, compute and governance through legal clarity and operational safeguards.

What emerged after Davos was a more pragmatic consensus. Leaders are trying to preserve the benefits of cross-border data flows, digital trade, and shared technology platforms while defining the conditions under which those flows remain trusted, auditable, and resilient.

Digital sovereignty is now a strategic capability

Digital sovereignty has become a strategic capability because cloud infrastructure, data systems, and AI are now embedded in the core of economic activity, public services, and institutional resilience. What once sat in the background as enabling technology now shapes competitiveness, continuity, and decision-making across sectors. The scale of adoption underlines why this has become a strategic issue: in 2025, 52.7% of EU enterprises used paid cloud services and 20.0% used AI technologies.

For many organizations, the digital model of the last decade was built for efficiency, speed, and scale. Consolidating around a small number of global providers accelerated transformation, but it also concentrated control over infrastructure, compute, and service evolution. In stable conditions, these dependencies can remain almost invisible. Under regulatory conflict, sanctions, cyber disruption, or supply-chain stress, they become much more visible. That is the point at which efficiency-led concentration stops looking like a sourcing choice and starts looking like a resilience issue.

This is why digital sovereignty is increasingly understood not as a political slogan, but as the ability to retain room to act. Can an organization continue operating without losing control over critical functions? Can a country remain connected to global technology ecosystems without surrendering legal clarity, operational flexibility, or strategic choice? That is the capability now coming into view. For leadership teams, the practical question is not whether all dependencies can be removed, but which digital capabilities must remain available, auditable, and reversible under stress.

Digital Sovereignty is no longer just about where data sits

Data residency still matters, but it is only one layer of control; legal reach, support access, interoperability, auditability and switching options often matter just as much in practice. For years, digital sovereignty was often reduced to one narrow question: where is the data stored? A workload can sit in Europe and still remain exposed to foreign legal reach, opaque service dependencies, restricted portability, or technology choices that are difficult to unwind once an organization is deeply locked in.

Europe’s own rulebook shows how much the meaning of sovereignty has widened. The Data Act, applicable since 12 September 2025, explicitly pushes interoperability and switching between data processing service providers. NIS2 broadened cybersecurity governance across critical sectors. DORA brought operational resilience deeper into financial services.

The AI Act added lifecycle governance to the conversation, with its first rules beginning to apply on 2 February 2025. Taken together, GDPR, the Data Governance Act, the Data Act, NIS2, DORA, and the AI Act suggest that Europe is translating sovereignty into portability, accountability, auditability, cyber resilience, and lifecycle governance, not merely local hosting.

This is why the old binary of “open versus closed” is losing explanatory power. Davos discussions around digital embassies for sovereign AI are a good example. The idea accepts that infrastructure, computing, and data relationships may remain cross-border, but insists that governance, legal clarity, and operational safeguards cannot disappear when systems cross borders. In other words, geography still matters, but governability matters more. That is why cross-border arrangements are increasingly judged by governance conditions and control points, not geography alone.

Perpetual crisis and digital sovereignty: How physical and digital risks now converge

One of the clearest lessons from the wider resilience debate is that dependence is no longer only digital. It is physical, logistical, infrastructural, electromagnetic, legal, and software-defined at the same time. That is why sovereignty now sits so close to resilience.

Recent European incidents illustrate how different categories of disruption can converge in continuity planning. In January 2026, a fire on a cable bridge in southwest Berlin disrupted power for around 45,000 households and 2,200 commercial customers. In October 2025, drone sightings forced restrictions and temporary suspensions at Munich Airport. EASA has also warned about increased GNSS jamming and spoofing since February 2022, including in the Baltic Sea and Arctic regions.

These incidents are different in origin and effect, but together they show why continuity planning now spans physical infrastructure, low-cost aerial disruption, signal integrity, cyber exposure and legal dependency at the same time.
That is where the phrase perpetual crisis becomes useful. It does not mean that every country or company is always in emergency mode. It means the interval between disruptions is shrinking, and the forms of disruption are blending together. One event affects operations, another affects trust, another affects legal exposure, another affects the ability to navigate, communicate, or recover. Under those conditions, sovereignty stops being an ideological ambition and starts looking like a question of retained room to act.

Bitkom’s 2025 Economic Security Study estimated annual damage from data theft, industrial espionage and sabotage to the German economy at €289.2 billion, with 87% of companies saying they had been affected in the previous 12 months. For business readers, the point is not that every disruption has the same cause, but that the room for operational improvisation is shrinking. Once losses of that size are mixed with infrastructure disruption, regulatory liability, and supply-chain interruption, the sovereignty question becomes less abstract: who still has decision rights, visibility, and exit options when pressure arrives from several directions at once?

Digital sovereignty in 2026: Staying open without becoming exposed

So, what is digital sovereignty in 2026? It is not simply a campaign for domestic technology. It is not only a privacy discussion. And it is not a rejection of global digital flows. The stronger interpretation now emerging from Davos, from Europe’s regulatory direction, and from the realities of perpetual crisis is more subtle than that. For boards, that means asking where dependence is acceptable, where control must be retained and where exit options have to remain credible even after scaling on third-party platforms.

A more useful distinction is between systems that remain governable under stress and systems that do not. Can data move without legal clarity evaporating? Can cloud scale without turning concentration into bargaining risk? Can AI accelerate without making accountability thinner at exactly the moment societies are becoming more dependent on it? Can a state, a regulated industry, or a major enterprise remain connected to global platforms without surrendering continuity, visibility, or meaningful exit?

That is why digital sovereignty has become such a powerful idea. It speaks to a world that still wants openness, innovation, and collaboration, but no longer believes that openness without conditions is neutral. In the decade ahead, that may be the most important shift of all.

Europe’s digital sovereignty model: GDPR, NIS2, DORA, the Data Act and the AI Act
Europe matters in this debate because it is trying to make sovereignty operational through law. GDPR has applied since 25 May 2018. The Data Governance Act entered into application on 24 September 2023. The Data Act became applicable on 12 September 2025. NIS2 came into force in January 2023, with Member States required to transpose it by 17 October 2024. DORA has applied since 17 January 2025. The AI Act entered into force on 1 August 2024, and the first rules began applying in February 2025.

Taken individually, these laws do different things. Taken together, they create a distinct European theory of digital order. GDPR is about data protection and trust. The Data Governance Act is about trusted sharing. The Data Act is about access, portability, and interoperability. NIS2 is about sector-wide cyber governance and incident responsibility. DORA is about operational resilience in finance. The AI Act is about acceptable, governable AI. The result is not simply “more regulation.” It is a much broader attempt to define the conditions under which digital dependence remains acceptable inside a rules-based market.

This is why Europe often appears stricter than other regions. The continent is not only asking whether digital systems are useful or innovative. It is also asking whether they are explainable, interruptible, portable, auditable, and legally coherent. That is a different standard of admissibility. At the same time, Europe is not only tightening rules; it is also building capability.

In October 2025, the European Commission said the AI Factories network had expanded to 19 sites across 16 Member States, showing that the European approach combines regulation with industrial capacity building. For enterprises, the common thread across these instruments is practical: portability, third-party risk control, cyber resilience, auditability and accountable AI governance are becoming expected operating disciplines, not optional extras.

Why Germany and France matter in the European digital sovereignty debate

Germany and France are especially important because they show how sovereignty is moving from political language into assurance language. In Germany, BSI President Claudia Plattner argued in 2025 that cybersecurity sits at the center of protecting prosperity and values because technology increasingly shapes economic, political, and social power. That assurance logic can also be seen in the continued relevance of C5:2020, the publication of a C5:2025 community draft and the entry into force of Germany’s NIS2 implementation law on 6 December 2025.

France has taken a more explicit public-sector position on trusted cloud conditions. Its state “Cloud au centre” doctrine places cloud at the heart of public digital transformation, while the logic around SecNumCloud qualification includes protection against extra-European law as part of what makes a service trustworthy for sensitive use cases. ANSSI’s guidance is especially relevant here because it treats trusted cloud not only as a cybersecurity issue, but also as a question of protection against extraterritorial legal exposure for sensitive systems. This is important because it shows that sovereignty in France is not treated as a slogan about national preference alone. It is treated as a legal and operational property of the service itself.

The Franco-German link is also growing more explicit. In November 2025, ANSSI and BSI jointly committed to develop cloud sovereignty criteria based on the EU Cloud Sovereignty Framework and a methodology to assess them, including cases where failing to meet the criteria would be disqualifying. That is a notable development. It suggests that in Europe, the sovereignty debate is moving beyond broad political aspiration toward shared evaluative criteria for real procurement and platform decisions. For cloud buyers, the significance is practical: sovereignty criteria are starting to influence qualification, procurement language and assurance expectations, especially for regulated and sensitive workloads.

AI Sovereignty: Why control has moved from data to the full stack

AI raises the stakes because it turns sovereignty into a full-stack issue. Data matters, of course. But so do compute access, model hosting, training data provenance, update rights, safety policies, identity controls, downstream application governance, talent availability, and the ability to inspect or replace critical dependencies over time. Once AI is embedded in operations, sovereignty is no longer just about where information rests. It becomes about who shapes the learning, the outputs, the rules, and the ability to intervene. In enterprise terms, this means AI governance can no longer stop at data location; it must also cover compute access, model provenance, update rights, support access, safety settings, identity controls and exit pathways.

The World Economic Forum’s recent work with Bain defines AI sovereignty as the ability of economies to shape, deploy, and govern AI ecosystems in line with their own values while ensuring strategic and operational control, flexibility, and resilience through a combination of localized investment and trusted international collaboration. That definition is revealing. Even at Davos, where sovereignty has clearly risen up the agenda, the most credible version of the argument is not autarky. It is selective control over the points of dependency that become hardest to reverse later.

This is also where the debate becomes more global. Not every country can own the whole AI stack. Not every enterprise can build sovereign compute, sovereign models, sovereign tooling, and sovereign talent pipelines all at once. But many actors are now trying to avoid something more dangerous than dependence itself: irreversibility. That is the deeper shift. Sovereignty increasingly means retaining the ability to choose, negotiate, switch, or constrain later, even after scaling now. For leaders making cloud and AI decisions now, three questions matter early: which layers must be controlled directly, which can be shared with trusted partners, and which must remain portable if the legal, commercial or security context changes.

What this means for enterprise cloud and AI decisions

For enterprises, the sovereignty debate becomes useful only when it changes decisions. The key issue is not whether every workload needs the same level of control, but which workloads, data flows and AI use cases would create unacceptable legal, operational or commercial exposure if a provider relationship became constrained.

A practical starting point is to separate three categories: capabilities that must remain directly controlled, capabilities that can be shared with trusted partners under clear guardrails, and capabilities that must stay portable so they can be switched, replicated or constrained later.

That makes provider due diligence more specific. Leaders should ask which jurisdictions affect data, metadata, logs and support access; how portable the workload, interfaces and models really are; what audit and notification rights exist; and how quickly critical services can be recovered, relocated or exited if the operating context changes.

Conclusion

Digital sovereignty is becoming less about drawing harder borders and more about designing digital systems that remain governable when conditions change. For governments and enterprises alike, the strategic task is not to remove dependence altogether, but to decide where dependence is acceptable, where control must be retained and where reversibility is non-negotiable. The organizations that navigate this well will not be those that withdraw from global technology ecosystems, but those that stay open while building the legal, technical and operational capacity to adapt under stress.

FAQs: Digital sovereignty, cloud sovereignty and AI sovereignty

What is digital sovereignty in 2026?

Digital sovereignty in 2026 is less about data location alone and more about whether governments and enterprises retain decision rights, legal clarity and operational continuity across the critical layers of the digital stack.

Is digital sovereignty the same as data localization?

No. Data localization may address where data is stored, but sovereignty also depends on legal reach, provider control, interoperability, auditability and exit options.

What is cloud sovereignty?

Cloud sovereignty refers to the ability to use cloud services while retaining sufficient control over jurisdiction, access, portability, assurance and continuity for sensitive or critical workloads.

What is AI sovereignty?

AI sovereignty extends the question further up the stack to compute, models, training data, update rights, governance and the ability to intervene or switch when necessary.

Can organizations stay open to global providers and still reduce dependency risk?

Yes, but only if they actively manage concentration, portability, contractual rights, technical guardrails and recovery options instead of treating openness as risk-free by default.

How do GDPR, NIS2, DORA, the Data Act and the AI Act affect cloud and AI decisions?

Taken together, these instruments make portability, cyber resilience, third-party risk control, accountability and lifecycle governance more material in cloud and AI choices.