Digital Sovereignty: The Foundation for NIS2 and GDPR Compliance for SMEs

Last updated: 10.02.2026
NIS2 requires supply chain security, GDPR demands transparent data processing, and DORA targets ICT security in the financial sector. Those who don't fully control their IT systems and data will struggle to meet these regulations. Digital sovereignty is therefore no longer a nice-to-have, but a prerequisite for demonstrable compliance.
Key Takeaways
  • For companies, digital sovereignty means having control over their data, technologies, and their digital operational capability.
  • Against the backdrop of increasing geopolitical tensions, it is becoming increasingly important for Europe to become more independent of services and technologies from the USA and China.
  • For SMEs, digital sovereignty means being able to implement compliance related to NIS2 and GDPR more easily.
  • SMEs don't have to overhaul their entire IT infrastructure, but should focus specifically on strategically important processes.
  • An important step towards digital sovereignty is gaining an overview of processes in which data is processed or which are connected to external partners.

Loss of Control in Europe: Why Companies Must Become Independent

The figures are alarming: According to Bitkom, 9 out of 10 German companies are digitally dependent on external platforms. That's why the business community is currently addressing the question of how companies can strengthen their digital sovereignty.

The recent conflict over Greenland has shown how quickly trust in US technology companies, and thus in the IT infrastructure of many European companies, can erode. According to a report in Handelsblatt, digital sovereignty was therefore a topic of discussion at the World Economic Forum in Davos.

This is how business, administration, and politics are reacting to the increasing technological dependence:

  • SAP is investing 20 billion euros in digital sovereignty. SAP board member Thomas Saueressig reported in Davos on "massively increased demand" for sovereign cloud solutions and concluded: "This is not a hype; it's here to stay."  
  • German and French authorities are switching from US providers like Microsoft to open-source solutions or government services.  
  • The EU Parliament demands more digital sovereignty as a key to democratic resilience, because dependence on non-European tech corporations endangers not only companies but also the state's ability to act.

The question is no longer whether, but how companies achieve digital sovereignty and thereby ensure their compliance and contribute to a strong Europe.

What is digital sovereignty and why is it a compliance prerequisite?

For companies, digital sovereignty means retaining control over their own IT infrastructure, business data, and technological decisions, and remaining as independent as possible from external providers and their legal jurisdictions.  

Digital sovereignty rests on three pillars, which simultaneously form a solid foundation for your compliance.

| Pillar | Definition | Compliance Relevance | Risk if Missing |
| :--- | :--- | :--- | :--- |
| **Data Sovereignty** | Control over own and customer data | GDPR Art. 48 | Cloud Act conflict, data access by third countries |
| **Technological Sovereignty** | Independence from hardware/software/cloud | NIS2, DORA | Vendor lock-in, lack of resilience |
| **Digital Operational Capability** | Transparency and responsiveness of IT landscape | ISO 27001, NIS2 incident reporting | No 24h response capability |

1. Data sovereignty: Demonstrating GDPR compliance through federated structures

Data sovereignty is the control over one's own data and data entrusted by customers. The GDPR requires companies to know at all times where personal data is located, who can access it, and which law applies.

🚨 No data sovereignty, no GDPR compliance

A "cloud in Germany" is not automatically a "German cloud." If your customer data is stored on a server in Frankfurt, the US government can still access it if the cloud provider has a US parent company. This is due to the Cloud Act, which allows US authorities to access data hosted by US providers outside the USA.

However, the GDPR prohibits the direct transfer of data held within the EU to authorities in third countries without a mutual legal assistance treaty (Art. 48 GDPR). While the US has had an adequacy decision with the EU-US Data Privacy Framework since July 2023, it does not have a mutual legal assistance treaty. The Cloud Act is thus in direct conflict with the GDPR.

2. Technological Sovereignty: Demonstrating NIS2 and DORA Resilience in the Supply Chain

Technological sovereignty means being independent of hardware, software, and cloud infrastructure. In reality, however, German companies are far from achieving this: 90 percent are dependent on digital technologies from the USA and China, and 63 percent of the global cloud market is shared among the three major hyperscalers: Amazon, Microsoft, and Google.

🚨 No NIS2/DORA Compliance Without Technological Sovereignty:

NIS2 and the Digital Operational Resilience Act (DORA) demand demonstrable digital resilience across the entire supply chain. Companies in Europe must be able to quickly manage incidents and maintain operations. The NIS2 directive explicitly requires a supply chain security concept that governs relationships with direct suppliers and service providers.

Many cloud services, however, use proprietary technologies. Those who rely on Microsoft 365, SharePoint, or AWS-specific services end up in vendor lock-in. While switching providers due to changed terms and conditions or market exit is possible, it usually costs a lot of time and money.

3. Digital Agility: Ensuring Auditability Across Multiple Entities

Digital agility is the ability to understand your IT landscape, react quickly to compliance requirements, and make technological decisions autonomously, without being entirely dependent on external service providers.

🚨 No digital operational capability, no compliance responsiveness:

In the event of NIS2 incidents, companies must inform authorities within 24 hours, provide transparent documentation for ISO 27001 audits, and be able to provide information for official inquiries. Those who don't know which cloud services are used by which entities, which service providers are involved, and where data is stored, cannot meet these requirements.

Examples of IT Dependency in German Companies

If you're wondering whether digital sovereignty is even relevant for your company, the answer is almost always: yes. Most German companies use technologies and digital services that make them dependent on US providers or on manufacturers subject to Chinese cybersecurity laws.

For example, many companies in Germany use Microsoft products deeply integrated into their workflows. For corporate communication, video tools like Zoom or Teams are common, cameras and mobile phones often come from China, and many marketing teams use platforms like Salesforce or HubSpot.  

How Can SMEs Achieve Digital Sovereignty? 3 Concrete Solutions

The EU has raised the bar for IT compliance in 2026. It's no longer enough to have security concepts gathering dust or to manage processing records in Excel. Those who want to reliably comply with NIS2, DORA, and similar regulations must prioritize transparency, independence, and open systems.

The following solutions illustrate what SMEs can do now.

Solution 1: Create Transparency Regarding Data Flows and Processing

Digital sovereignty begins with knowledge. Gain an overview of the data flows, users, and tools within your IT infrastructure:

  • Which cloud services do you use?  
  • Where are the servers located?  
  • What laws are they subject to?  

In doing so, prioritize particularly critical data processing activities:  

  • Which ones require a record of processing activities (RoPA)?  
  • Which ones concern trade secrets or R&D data?  
  • Which ones would jeopardize business operations if lost?

Create a central documentation platform that covers all departments and entities, enabling you to react quickly during audits and provide consolidated evidence.

Solution Approach 2: Strategically avoid vendor lock-in with cloud services

For your IT and tool landscape, focus on diversification instead of single-vendor dependency. Utilize multiple providers to avoid single points of failure.  

Critical data should remain on-premise or migrate to certified sovereign clouds, ideally operated by providers with the German Federal Ministry for Economic Affairs' Trusted Cloud certification.

During contract negotiations, pay attention to exit options:

  • Is data portability guaranteed?
  • In what format will data be handed over upon termination?
  • How long are the notice periods?
  • Do you have audit rights with the cloud provider?

For companies seeking ISO 27001 certification: Document all supplier relationships according to ISO 27001, Annex A (Supplier relationships).

Solution Approach 3: Evaluate open-source alternatives for critical processes

Open-source solutions give you back a degree of control. This is particularly relevant for critical processes, strict audit requirements, and complex interconnected structures.  

Open source, in this context, doesn't primarily mean free, but rather controllable. The advantages for your digital sovereignty are clear: You can inspect the code (or have it inspected), know exactly where data resides, and are not dependent on proprietary interfaces.

Important to note: For critical support services, rely on local IT service providers. These are subject to German jurisdiction, react faster to security issues, and can develop customized solutions for your company.  

Efficiently and Verifiably Achieve Digital Sovereignty with Proliance

Full digital sovereignty is unrealistic for many SMEs. Sovereign cloud solutions from European providers are often more expensive than those from hyperscalers, in-house servers incur high maintenance costs, and open-source solutions require qualified personnel or external service providers.  

Prioritize sovereignty where compliance risks and business criticality are highest. To do this, first gain a consolidated overview of your data processing activities, service providers, and IT systems across all entities, and then identify your risks.  

This is where the compliance platform Proliance 360 comes in: it enables centralized asset management, risk analyses, and clear documentation. For all questions and concerns regarding your company's digital sovereignty, experienced compliance experts are available to advise you.

Editorial
Sabrina Schaub
Freelance Editor
Leveraging her content expertise, Sabrina supports the Proliance team in communicating complex topics clearly. As a freelance writer, she understands the data privacy requirements across different sectors and translates even complex information into content tailored to specific target audiences.
Stefan Rühl
Information Security Lead
In his role as Head of InfoSec and as an ISO27001 Lead Auditor, Stefan supports our clients with the implementation and optimization of ISMS systems. His specialized area includes establishing BCM environments, emergency and crisis management teams, and developing and testing emergency processes for both SMEs and large corporate structures. Additionally, he advises managing directors and board members on decision-making related to cyber resilience and the optimization of IT organizations.
About Proliance
Proliance stands for Professional Compliance for businesses. We are a digitally driven Legal Tech company based in Munich, established in 2017 and now with over 90 privacy enthusiasts. Our more than 2,500 clients include start-ups, medium-sized businesses, and corporate groups from almost all industries.