/tidal-point-20/images/tidalpoint_logo2024_hori_blk_med.png){kind=logo}
CONNECT
Sovereign Tech. Sovereign Capability.
“Sovereign Tech” is a big topic these days driven by economic, security, and other nation-level concerns. Some might feel we’re in a moment of crisis – the world is changing, and uncertainty is the word of the day. Suddenly it seems, we’re doing mental calculus around the importance of secure and private data, reliable access to the technology we need, and who really controls all of it.
Is it time to panic about access to Sovereign Tech? Or is there opportunity there waiting?
What Is Sovereign Technology?
Having Sovereign technology refers to a nation’s ability to control and manage its own digital infrastructure. This includes production, operation, securing, regulating and (yes) taxing its technology stack without undue external influence.
It’s about more than where your servers sit. It’s about who controls the data, who can access it, and under what laws. It’s about resilience, trust, and independence in the systems that underpin everything from communication and commerce to critical infrastructure.
Is Sovereign Tech Important?
We think so. Strong economies are part and parcel of happy, healthy and resilient nations. These national economies depend on secure infrastructure, domestic and foreign, and are increasingly reliant on digital infrastructure in the same way we already rely on our physical supply chains. Without dependable technology, running businesses and governments becomes more challenging than it already is. Business and bright people flock to stable environments where they can focus on the hard tasks they’ve set out to accomplish.
Traditionally governments focus on the availability of things like natural resources to build roads and homes, energy supply to keep the lights on, defence equipment, and in the case of COVID – emergency items like N95 masks and oxygen tanks. Tech platforms have the illusion of being on your phone or computer, but in reality – they are built in one country and then made available elsewhere. Just like physical goods, except that they can be modified, accessed or taken away even after you have possession of them. And the same way foreign governments can control access and configuration of goods their countries produce; they can make decisions around digital infrastructure too. As if to put a point on this, as I am writing, the US threatened China with "new export controls on critical software" in response to a trade dispute.
Sovereign tech isn’t just about foreign governments taking away technology. It can be about the security (trustability) of the technology too. The security and stability of the Internet and digital applications is invisible to most of us, which makes it difficult to get our arms around. Nevertheless, they are simultaneously critical, and non-trivial to get right. At Tidal Point, our founders spent decades in the security and intelligence community, back when “cyber” was still a niche term and “threat actors” were mostly the stuff of spy novels. That changed fast.
Several decades ago, I remember someone laughing uncontrollably when I referenced “identity theft”. There was massive misalignment between what I knew to be true, and what the lived experience of my counterpart was. The mere concept of a digital identity, let alone that it could be co-opted, was so foreign at the time it was as though I had made a joke. We are at important point in time where we need to acknowledge in appropriate detail, our dependence on digital infrastructure, and the need to understand and respond to what that means.
Recent events, ranging from global supply chain disruptions to foreign data access laws, have exposed how fragile digital sovereignty can be. The question isn’t just “is our data safe?” but “is our digital foundation resilient, reliable, and under our control?”
Who has access to our data?
Consider the United States (US) CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Passed in 2018, the legislation gives US law enforcement the authority (when granted by the judicial process) to compel US-based tech companies to provide data, even when that data is stored outside of the US. Business decisions are often made with shorthand privacy controls that read along the lines of “is the data hosted domestically, in-country?”. If the answer is yes, then the assumption is that domestic laws apply. Which they do, but this does not guarantee restriction of access by foreign governments.
In our next post, we talk in detail about the complexity of implementing sovereign technology. The reality of modern digital applications is that they are not monolithic. In other words, you don’t just install them in a datacenter and that’s that. Identity and Authentication, Data Storage, specialty AI algorithms, Desktop Applications, Operating Systems and more, all form a complex mosaic of interdependence, usually capitalizing on the scale of the Internet and ignoring geographic borders.
What Should We Be Doing?
Sovereignty isn’t about isolationism. It’s about having clarity about what is and is not critical and sensitive to your country and responding accordingly. No business network can be perfectly secured, and yet we use these networks, usually without incident. How? Like security a network, getting sovereign technology right should be about risk management. We don’t need to build every chip or line of code within our borders, but we do need to understand and manage where control lies, and where risk accumulates. Where risk does not align with national requirements, domestic capacity and trusted partnerships must fill in.
Herein lies the opportunity. Getting sovereign tech right brings into focus the time to prioritize what is important to the country. To realign and consider the importance of the technology that underpins our societies, economies, and national securities. It is also an opportunity to expect more out of technology vendors in terms of regional capability, security, and trust.
Here’s what that looks like in practice:
Invest in regional capability — not just regulation. Build and back the local capacity you want to depend on. That means encouraging domestic innovation, ensuring interoperability with trusted partners, and holding suppliers to equivalent security and privacy standards. Where this is not possible, ensure alignment with allied partners that share in the same privacy, security and regulatory standards that you have domestically.
Manage risk proportionally. Not every dependency is dangerous, but not every partner is neutral, either. Consider where critical data and capabilities depend on others and prioritize sovereignty where compromise is unacceptable.
Map the ecosystem, not just the endpoint. Don’t stop at “is my data hosted here?”. Look at the full lifecycle: how it’s processed, transmitted, governed, and shared. Visibility across your technology supply chain is the first step toward real sovereignty. Move away from having data hosted where you don’t trust the host, and towards those where you do. Expect technology to provide the ability to make this migration for you. Its not impossible, unless the vendor allows it to be so.
The Bottom Line
Investment in domestic capacity is required. Plugging along as we have thus far with digital infrastructure will lead to similar reflections in a couple decades from now, as my counterpart did in our conversation when they couldn’t believe “identity theft” was anything but funny. Except in this case, it is national security and the national economy that suffers instead of the individual.
National independence in the digital era starts with smart, secure, and sovereign technology foundations. Sovereign technology isn’t about drawing digital borders; it’s fundamentally about managing risk and building digital trust.
From an organizational standpoint, we are all familiar with compliance and evaluation. Begin to think about your ability to demonstrate sovereignty readiness to regulators, customers and partners. This isn't just about checkboxes; it helps your brand build trust and market credibility. Also ensure that you are aligning organizational policies and controls against sovereignty-relevant frameworks (e.g. GDPR adequacy, national cloud regulations, and so on). Finally, incorporate sovereignty goals into your business and technological decisions: data residency, trusted cloud, and localization being examples of consideration points.
At Tidal Point, we believe that resilience, transparency, and responsible design are the hallmarks of true sovereignty. Stay tuned for our next post, where we discuss the challenges in getting digital sovereignty right.