Digital Sovereignty: The Strategic Priority for Corporate Business

The rapid technological evolution of recent years has driven companies toward a massive adoption of the cloud—a journey that has guaranteed speed and innovation but today demands deeper reflection. While in the recent past the main question for corporate governance revolved around where to place cloud infrastructure, the current scenario presents a much more complex and urgent question: how much control do we really have over our data, our infrastructure, and the artificial intelligence models we use?

To shed light on this scenario and understand the real impact of digital sovereignty, we had a chat with Franco Geraci, Head of Engineering at Bitrock, during a recent episode of Bitrock Tech Radio. In this interview, Franco helps us debunk the false myths surrounding this topic and understand why digital sovereignty is not merely a technicality, but a true lever for competitiveness and business risk management.

What does the concept of “Digital Sovereignty” concretely consist of, and why should a company address it right now?

To answer this question, it is necessary to overturn the traditional perspective. For a long time, attention was focused exclusively on cloud migration, without questioning the level of actual autonomy. Today, achieving digital sovereignty means having real and, above all, verifiable control over one’s technological assets. The first major misunderstanding to clear up is that it is not an on/off switch, but rather a spectrum measured and structured across four fundamental levels.

The first level concerns pure data, meaning its physical location, protection methods, and the identity of those who can access it.

The second level is linked to operations, namely who concretely manages and maintains the systems and from which geographical area they do so.

Next, we find the technology level, which analyzes the degree of dependence on a single vendor or a specific tech stack, measuring the company’s real freedom to switch partners without experiencing lock-in.

Finally, the last pillar is jurisdiction, meaning which legislative framework ultimately governs the data and services.

This multi-level approach often generates unsettling situations. A company may be convinced it is sovereign because its servers are physically located in Italy, but if the provider managing that data center answers to non-European legislation, that sovereignty becomes merely apparent. The simple residency of data is no longer enough. Precisely because an organization can be covered on one level and totally exposed on another, today it is crucial to move step by step, mindfully analyzing how much control is truly needed and in which strategic areas.

Is this an exclusively technical topic or does it hold strategic interest from a business perspective?

This topic has definitively ceased to be a purely technical matter or the exclusive domain of the IT department. It has become, to all intents and purposes, a strategic issue concerning business, risk, and market competitiveness, driven by three main forces acting in synergy.

The first force is linked to the heavy concentration of the global technology market in the hands of a very few large US providers. This asymmetry generates both economic and technological dependence—the so-called lock-in phenomenon—which reduces companies’ room for maneuver.

The second push comes from the current geopolitical climate. In an international landscape characterized by trade tensions, tariffs, and rapidly shifting alliances, critical digital supplies can turn into tools of geopolitical pressure. No corporate executive wants to find themselves managing a sudden shutdown of their systems at the wrong time.

The third one lies in the action of the European Union, which is pushing hard for its own strategic autonomy, leading clients to demand clear guarantees on costs, compliance, data, and access—particularly for so-called regulated clients.

Control can no longer be just a declaration of intent written in a corporate presentation; it must be demonstrable through facts. For this reason, digital sovereignty belongs in boardroom discussions. It directly touches upon business continuity, risk management, and, in a very practical way, the company’s actual ability to sell and remain on the market. Today, in procurement specifications and tenders, those who can demonstrate real control win, while those who cannot risk exclusion.

We mentioned “regulated clients”; for these players, is sovereignty no longer an arbitrary choice?

Exactly. For many organizations, digital sovereignty does not represent an option or a strategic preference, but constitutes a strict legal obligation. If we look at the Italian Public Administration, for instance, the National Cybersecurity Agency classifies data into ordinary, critical, and strategic. The regulations mandate that critical and strategic data must reside exclusively on qualified infrastructure or on the National Strategic Pole (Polo Strategico Nazionale).

This rigid scenario also extends to the regulated private sector. In the financial and banking world, the DORA regulation requires institutions not to depend on a single technology provider and to always guarantee an exit strategy for critical infrastructure. Similar logics apply to the energy, transport, healthcare, and telecommunications sectors through the NIS2 directive. Furthermore, across all sectors horizontally, the constraints of the GDPR apply for personal data protection, along with the dictates of the newly established AI Act, which introduces extremely precise and stringent obligations for anyone using artificial intelligence systems in contexts considered high-risk.

To better visualize this complexity, we can think of the structure of a hospital. A patient’s medical records must necessarily reside in Italy. Email communications and confidential contracts can be hosted within European territory. The hospital’s public website, however, can theoretically be positioned anywhere. In regulated contexts, the law shows the way and precedes corporate strategy.

To conclude, it is essential to understand that adopting digital sovereignty does not mean isolating oneself from the world or giving up the benefits of global innovation. On the contrary, it means moving with deep awareness, learning to place each corporate asset in the right position to protect the value of the enterprise without slowing down its growth.

We thank Franco for this introduction to the concept of digital sovereignty and look forward to continuing our deep dive to address other related topics, as well as to learn more about the approach that Bitrock and the Fortitude Group intend to adopt to support their clients toward achieving conscious and strategically relevant digital sovereignty.

Stay tuned!

Do you want to know more about our services? Fill in the form and schedule a meeting with our team!