
Digital Sovereignty: Between Change, Aspiration, and Reality

Security and independence can feel almost out of reach these days. But what is the real state of digital sovereignty among German companies?

Digital sovereignty has long since become more than just a political buzzword. At a time of growing geopolitical tension and regulatory uncertainty, many companies are rightly asking themselves: how independent are we really when it comes to IT security, and how much room for maneuver do we actually have? Incidents like the reported blocking of the International Criminal Court chief prosecutor’s email account have made these concerns much more tangible. Time for a sober assessment.

Where digital independence becomes a strategic issue

The discussion around digital sovereignty has long since moved from the political sphere into the day-to-day reality of European businesses. The question is no longer whether technological dependencies might become a threat to an organization’s ability to act—but when.

As geopolitical tensions rise and providers such as Microsoft, Okta, or Oracle come under increasing pressure to respond to requests from U.S. authorities, uncertainty is spreading across many European organizations. What happens if these service providers themselves come under pressure—or become subject to political interests? In many cases, there are no clear answers.

At the same time, this is not just a technical debate. It is often shaped by geopolitics and commercial concerns as well. Terms like digital tariffs, reseller structures, tax avoidance, and relocation strategies are all part of the discussion. For now, however, many of these developments remain speculative.

Searching for solutions – more appearance than substance

A growing number of U.S. providers are responding with PR-driven initiatives: data centers in Frankfurt, Paris, or Zurich are meant to build trust. But while these locations may be a step in the right direction from a data protection perspective, they do not resolve the underlying issue. As long as a provider remains subject to U.S. law, access by U.S. authorities remains possible—whether visible or not.

Attempts to establish a supposedly fully European cloud location under U.S. ownership, for example in Switzerland, regularly run into the same legal gray area. The concern that sensitive data could end up caught between confidentiality and government access remains. Put simply, companies often do not know what is happening behind the scenes—and have very limited means of controlling it.

A growing opportunity

At the same time, European providers are increasingly gaining momentum. Solutions from partners such as cidaas show that European alternatives in the field of Identity & Access Management are competitive. They stand out with technical solutions that are not only GDPR-compliant, but above all fully independent of non-European regulatory mechanisms.

That said, European providers do not always match their U.S. competitors feature for feature. In areas such as CIAM, for example, both open-source solutions and European alternatives may still lag behind U.S. providers in terms of functionality, convenience, or compatibility. Which raises the question: is that really such a problem? Or is it something organizations can live with in exchange for greater peace of mind?

From our day-to-day work, we can say this much: these providers are currently seeing a noticeable increase in demand. Companies that want to make their IT strategy more sovereign over the long term are beginning to actively evaluate European solutions—and to focus their assessments on today’s essential requirements and truly necessary functions. In other words, decision-makers are developing a much stronger awareness of risk and are aiming for a level of corporate resilience that can withstand geopolitical power plays.

Putting it to the test

If organizations want to achieve greater digital sovereignty, they first need to take a clear-eyed look at their selection criteria. Any company already reviewing alternatives to global providers should ask itself the following questions:

  • Where is the provider headquartered—and is it subject to European law?
  • Where is data processed and stored?
  • How transparent are the provider’s processes when government requests are involved?
  • How mature are the solution’s feature set and integration capabilities?
  • Are they sufficient to meet today’s requirements?
  • Is the solution being actively developed?
  • Does the vendor have sufficient capacity and long-term vision?
  • Are future-relevant features already included on the roadmap?

One thing is important: European providers, too, must be measured against real-world requirements. Security, scalability, and usability all remain essential. The good news is that the European market is catching up quickly. And in certain areas—Customer Identity and Access Management, for example—we are already seeing genuinely competitive solutions today through our partners.

A case for conscious decisions

Very few companies can stop using providers such as Microsoft, Okta, or Oracle overnight, simply because so many of their existing local applications and infrastructures are deeply integrated into U.S.-based ecosystems. But that is precisely why it is so important not just to keep European alternatives in mind, but to evaluate them concretely and map out potential migration paths.

Companies that act wisely today increase their independence—not through short-term activism, but through long-term strategic decisions. Digital sovereignty is not a dogma; it is a tool for resilience. And in many cases, it can even lead to licensing cost savings.

With us, digital sovereignty and top-tier identity security solutions go hand in hand.

May we convince you?