In the context of the #DigitalIndependenceDay (https://di.day), I noticed discussions on whether Tool A or Service B is “sovereign enough.” But – the more I thought about it, the clearer it became: Digital sovereignty isn’t binary. What works (or is acceptable) for one person or organization might not fit another.
Over the past weeks, I’ve realized that these discussions often miss a key point: context. Not everyone aims for — or even needs — the same level of souvereignity. Some prioritize data privacy (Level 1), others focus on avoiding proprietary software (Level 6) or geopolitical risks (Level 10).
So, before are arguing about the ‘right’ level, maybe we should first clarify what the ‘right’ level is for each of us. For some a higher level is a must, for others it’s just optional. And well – it might be okay to disagree.
Below is a breakdown of 10 levels of digital sovereignty, from individual control to systemic independence. This isn’t meant to be a definitive guide — it is just my attempt to structure the problem. I also don’t claim it to be complete or universally applicable, but I found it intersting to think about the nuances. The layers are not always clearly separable and some companies & products can be found in multiple layers.
Levels of Sovereignity
The levels are structured from the most immediate and individual issues (data privacy, software choices) to systemic dependencies (infrastructure, hardware, geopolitics). It is a bottom-up approach to digital sovereignty, where early steps are more actionable for individuals / organizations, while later steps require larger-scale efforts or policy changes.
| Level | Goal | Negative Examples |
|---|---|---|
| 1 | Avoid services that use data as currency. | Meta (Facebook, Instagram, WhatsApp, …), TikTok, … |
| 2 | Control over internal data usage. | Microsoft 365, Apple iCloud, GitHub Copilot, most Free Tier Services |
| 3 | Avoid dependence on tech giants. | Google (Search, Youtube, ..), Microsoft (Windows/Office), Apple Ecosystem, Amazon |
| 4 | Reduce risks from SaaS/niche providers. | Atlassian (Jira, Confluence), Slack, Google Analytics, Paypal, Adobe |
| 5 | Protection from government data access (e.g., CLOUD Act, FATCA, or other foreign laws). | AWS (USA/CLOUD Act), Alibaba Cloud (China), Google Cloud (USA), Stripe (payments), … |
| 6 | Transparency and control over software (File formats, online registration, most SaaS solutions) | Microsoft Office, Adobe Products, Windows 11, Slack, Zoom, Google Workspace, … |
| 7 | Resilient, independent infrastructure. | AWS, GCP, Azure, Cloudflare, Akamai, Alibaba. |
| 8 | Control over hardware and supply chain. | Chipsets with closed-source firmware, Smartphones wihtout custom ROM support, … |
| 9 | Internal control over knowledge/processes. | External IT providers, knowledge monopolies, missing redundancy. |
| 10 | Reduce geopolitical hardware risks. | Only very few manufacturers for RAM, Storage, CPUs, GPUs, Risk of Oligopoly, Forced Obsolescence, Backdoors |
