Digital Sovereignty and EU Legislation


    Digital sovereignty is a relatively new concept that has emerged largely because of the EU's dependence on third-country technologies supplied by a small number of dominant providers. Digital sovereignty concerns having control over one's own digital future, which encompasses the data, software, and hardware upon which society depends. 

    In this article, we examine the relationship between digital sovereignty and the EU framework legislation that companies and authorities must comply with today, legislation that specifically requires protection of society's digital infrastructure and of citizens' fundamental rights in a digitalised world. 

    Digital sovereignty 

    Technological development is progressing rapidly, and large parts of society benefit from it: private individuals, companies, and public authorities. However, this development also creates dependence on IT suppliers, who are always subject to the political framework and legislation that applies in their home countries. A US-headquartered provider, for example, can be compelled under US law (the CLOUD Act of 2018) to disclose data in its possession regardless of where in the world that data is stored. When using suppliers in third countries, the risks therefore vary with the political landscape in the individual countries, and these risks can affect the delivery of critical services in the EU, from hospital operations to payment for goods in shops. 

    Several of the world's largest technology companies are American, and their services form a significant part of the digital infrastructure of EU member states. If one of these companies raises prices, changes its terms, or discontinues a service, the consequences for an individual company can be serious. Seen from an EU perspective, the same decision would affect companies, authorities, and private individuals across all member states at once. 

    This is also why the societal debate around digital sovereignty has intensified as EU countries have become more digitalised and more dependent on these suppliers. 

    From politics to reality 

    Digital sovereignty is typically used in a geopolitical context, where it means reducing these digital dependencies on third countries. Such political objectives only become real, however, when companies and authorities organise their operations accordingly. This already appears to be happening through the requirements that the EU's digital framework legislation places on companies and authorities. 

    What is the relationship between digital sovereignty and digital framework legislation? 

    The purpose of framework legislation such as the GDPR, NIS2, the Data Governance Act, the Data Act, DORA, and others is to protect citizens' rights, to keep businesses and critical services running, and to maintain a well-functioning internal market in the EU. These aims are in line with the idea of digital sovereignty. 

    By complying with this digital framework legislation, one contributes to ensuring digital sovereignty, which we will examine more closely in the following sections. 

    GDPR 

    The GDPR rules as a whole support the idea of digital sovereignty, but in the following we examine the GDPR requirements that are most directly linked to it. 

    Transfers to Third Countries 

    The GDPR rules aim to ensure that EU citizens' rights are protected wherever their personal data is processed, including when it is transferred to a third country. Chapter V of the GDPR therefore only permits a transfer on the basis of an adequacy decision by the Commission, appropriate safeguards such as standard contractual clauses (in practice combined with an assessment of whether the law of the destination country undermines those safeguards), or one of the narrow derogations in Article 49. A transfer that cannot be based on one of these grounds is in breach of the GDPR. 

    This was, for example, the case in the Schrems II judgment (C-311/18, 16 July 2020), where the Court of Justice of the European Union found that US surveillance legislation did not provide protection essentially equivalent to that guaranteed in the EU and invalidated the EU-US Privacy Shield. Transfers of personal data to the USA then had to rely on standard contractual clauses with supplementary measures until a new transfer mechanism, the EU-US Data Privacy Framework, was adopted by adequacy decision in July 2023. 

    Use of Data Processors 

    When using data processors, one must ensure that they process the personal data securely and in a manner that corresponds to one's own risk assessment. Article 28 of the GDPR also requires a data processing agreement that meets the formal and security requirements of the regulation, including the processor's obligation to assist with audits, and the controller must verify that the agreement is complied with in practice, for example through audits or review of the processor's certifications and sub-processor list. These requirements aim to secure the entire value chain in the processing of EU citizens' personal data, so that their rights are not compromised. 

    NIS2 

    NIS2 requires that organisations delivering critical services to society (the essential and important entities in the sectors listed in its annexes) protect themselves against cyber threats so that they can continue to deliver these services to end users. Overall, this means that the covered organisations must be able to ensure security of supply, which links NIS2 closely to the debate about digital sovereignty. 

    Supply Chain 

    NIS2 also introduces a specific requirement (Article 21(2)(d)) to secure your own supply chain, including security-related aspects of the relationship between the individual entity and its direct suppliers or service providers. When assessing measures, entities must take into account the vulnerabilities specific to each supplier and the overall quality of the supplier's products and cybersecurity practices. This requires risk assessments of your supplier relationships, so that you can decide whether additional security measures should be introduced to ensure security of supply, or whether you should choose a different supplier. Such a risk assessment should also cover political and legal circumstances, such as which jurisdictions the supplier operates under and whether a change in those conditions could interrupt the delivery of the critical service, and should document the exit options (data export, contractual termination rights, alternative suppliers) available if a supplier has to be replaced. 

    Data Governance Act 

    The Data Governance Act, together with its companion regulation the Data Act, covers both personal data and other types of data, with the purpose of giving users and companies better control over the data that is created through the use of products and services. The rules on user-generated data and on switching between cloud services described below are found in the Data Act. 

    Data Sharing 

    The Data Act establishes rules for data generated by the use of connected products and related services, for example IoT devices. The rules give users access to the data their devices generate, the right to use it, and the possibility of sharing it with third parties of their choosing. This strengthens the ability of companies and private individuals to control their own data, their autonomy, and their business opportunities. 

    Third Countries 

    Similar to the GDPR's requirements for transfers of personal data to third countries, the Data Governance Act (for data intermediaries, data altruism organisations, and re-use of public sector data) and the Data Act (for providers of cloud and other data processing services) require safeguards for non-personal data held in the EU, including measures to prevent access by third-country authorities that would conflict with EU or member state law. 

    Supplier Switching 

    The Data Act also makes it easier to switch from one cloud service to another: providers must remove obstacles to switching, offer a transition period, and phase out switching charges. This reduces the dependency relationship with your suppliers and strengthens digital sovereignty by increasing real choice, for example when terminating an existing contract or when there is an urgent need to switch data processors. 

    DORA 

    The Digital Operational Resilience Act aims to strengthen the resilience of the financial sector and also supports the idea of digital sovereignty. 

    Financial entities must, for example, manage the risk arising from ICT third-party service providers so that it does not put their financial services at risk. DORA requires them to keep a register of information on all ICT third-party arrangements, to include specified contractual provisions, and to maintain exit strategies for ICT services supporting critical or important functions. Risks associated with the use of suppliers in third countries, including the concentration of services with a single provider, must also be taken into account. 

    What does this mean for your company? 

    For your company, this means that you must actively assess and document whether your IT suppliers pose a risk to your operations and security. Documenting these dependencies, and the exit options for each of them, makes it easier to switch suppliers if it becomes necessary. At the same time, you must be in control of the rules for data transfer to third countries and be able to document to the authorities that you work risk-based, as the legislation requires. By following the EU's digital framework legislation, you are therefore helping to strengthen both your company's and society's digital sovereignty. 

    Conclusion 

    Digital sovereignty is a political debate that requires political decisions, but in practice it becomes reality when the companies and authorities of the EU actively address the topic in their daily operations. When you ensure your company's digital compliance and take a risk-based approach to your operations and IT security, you are also helping to strengthen digital resilience and sovereignty. 
