Digital sovereignty has to start somewhere

Frederik Kirial

Frederik Kirial

Product Owner at Orbit Online A/S

Published

29. januar 2026

Digital sovereignty is no longer an abstract ideal. It is a business-critical necessity. Rising costs, geopolitical uncertainty, and technological dependence have made it clear that we in the EU must take greater ownership of our digital infrastructure and data.

This is a major project and certainly not something that can be implemented overnight. However, that does not mean we are powerless to act.

We hope this article will inspire you to take the first step towards full digital sovereignty.

Here is a simple three-step guide

There are many paths to independence, depending on your specific setup. Be careful not to become too rigid in your strategy, and view independence as an ongoing process. Define your purpose for the initiative.

For example: to achieve a level of independence that frees you from financial pressure and the risk of supplier-imposed service shutdowns affecting your business.

The first step is to map your IT landscape

First and foremost, you need a clear overview to create a concrete action plan. Create a list of all your IT suppliers, their legal country of ownership, their role in your organisation, and any additional details, such as how you use them.

Remember to include chain responsibility. Just because a supplier claims to be based in Europe, both in terms of ownership and hosting, does not necessarily mean that the product itself is not dependent on Microsoft SharePoint or hosted on AWS servers in Europe. In both cases, the legal ownership is still in the United States.

At a practical level, you can create a spreadsheet where you note:

1. Supplier name
2. Supplier website URL
3. Legal country (chain responsibility)
4. Functional description

If one supplier supports multiple functions, it can be helpful to split them into two or more rows in the list, as each function may require different actions and priorities.

Assessing critical systems

With a clear and simple overview in place, it is now easier to assess risk. There are several ways to do this, such as the traditional likelihood/impact risk assessment. To keep it simple, a better approach may be to focus on impact.

How the different priorities should be defined may vary from organisation to organisation. However, here is a suggested prioritisation structure you can use as a starting point.

Priority 1:

The supplier provides components that are critical to direct customer operations and/or involve the processing of GDPR- or company-sensitive data.

Priority 2:

The supplier provides components that support customer operations and related key functions.

Priority 3:

The supplier provides components that support customer operations, but are not related to key functions.

Priority 4:

The supplier provides components related to direct or indirect sales and marketing.

Priority 5:

The supplier provides components used exclusively as an internal tool.

Turn your overview into action

Now, with a well-defined overview and a relevant prioritisation in place, it is time to plan concrete actions.

Start with the easiest and most urgent suppliers, and then work your way through the list. Actions do not have to be immediately achievable; they can also serve as information-gathering efforts or longer-term strategic initiatives.

Make your inboxes digitally sovereign

One place we can help you get started today is by securing your inboxes and the important documentation you generate through email.

Approvals, contracts, project changes, and collaboration agreements are sent and answered by email every day. If this knowledge is scattered across inboxes or stored on servers owned by companies outside the EU, you put your data in a vulnerable position. Outlook itself is not a critical email client to use. What you should focus on is where your emails are stored.

MARS is a Danish-developed and Danish-owned Outlook plugin that stores your emails on 100% EU-owned servers.

This is your guarantee that important documentation is not vulnerable to third-party legislation.