Think your country’s got its digital act together? The Digital Sovereignty Index might have a few surprises for you.
Digital sovereignty isn’t quite the keyphrase of the hour yet, but it’s getting there. While the US resists the idea in the name of laissez-faire capitalism and hands-off law enforcement, in the rest of the world the practice is gaining momentum. Especially in Europe, which pretty much invented it.
The term originally focused on the idea that data collected in a particular region or country should stay there, a “what happens in Vegas stays in Vegas” approach to managing consumer data. The EU has been mandating it in increasing degrees since before there was a term to describe it. Lately though, the definition has been expanding beyond mere data retention to include the entirety of a country or region’s ability to regulate its digital infrastructure or tech policies, independently and without influence or interference from out-of-country.
“To be sovereign you need control on your data, on your operations, and on the technology that you use,” Thomas di Giacomo, the Chief Technology and Product Officer at Germany-based SUSE, told me in an interview three or four weeks ago. “A lot of the focus is on data — where is the data hosted, GDPR, and all of that. There’s also a focus on technology. Where is the technology coming from? The last one is operations. And it is about where you get support from, where you get your interactions with your suppliers from as well.”
Although the EU has traditionally been the epicenter for digital sovereignty, the concept has lately been going global, with China, Russia, and India — along with Brazil and Argentina on this side of the Atlantic — also developing their own forms of digital sovereignty with their own data storage and other regulatory policies.
“I was looking at some of the customer references in terms of sovereignty which goes back decades,” di Giacomo said. “It’s not only in Europe. We have sovereign solutions that are for Asia; we have sovereign solutions in North America. There’s a business called Rancher Government Solutions, that’s actually a SUSE partner, where we provide SUSE Rancher for the US public sector, including high security clearance domains in the US. So based on open source, based on SUSE’s expertise, the way we build, deploy, deliver support and software, we can do sovereign solutions in different parts of the world.”
Rancher Government Solutions is something of an outlier. While many if not most digital sovereignty efforts around the globe are focused on protecting against intrusions by US business — and the increasing overreach of American law enforcement — RGS is a semi-autonomous unit of SUSE that specifically helps bring digital sovereignty to US government and military missions — in other words, protecting US government data from those who are protecting their own data from the US.
Nextcloud and the Digital Sovereignty Index
As di Giacomo pointed out, these days digital sovereignty is no longer only about where you store data and how you get it there, it’s also concerned with the technology you use. That’s partially because the nature of the technology that enterprises and governments use to create and process on-premises has been constantly changing. Ten years ago, for example, most office software was installed either on the workstations being used or on a server located on‑premises. These days it’s likely being delivered as a cloud-based SaaS offering.
“While the debate is global, the actual state of digital sovereignty varies widely between countries,” Nextcloud’s senior communications manager Christoph Weissthaner wrote in a blog on Thursday. “Policies may exist, but how much infrastructure is really running locally, instead of the cloud? What choices do people make? And how does this compare to the policy of the public sector?”
The blog was to introduce something that Nextcloud is calling a Digital Sovereignty Index — a country‑by‑country look at the tools in use through a sovereignty lens. This is naturally of interest to Nextcloud, since its self‑hosted cloud platform lets organizations control both their data and the software that manages it. The study illustrates the amount of self-hosted collaboration applications in use in nearly 60 countries.
“We selected 50 of the most relevant self-hosted tools for digital collaboration and communication,” he said. “These include platforms for file sharing, video conferencing, groupware, notes, project management, and more. We then measured their real-world usage by counting the number of identifiable server instances per country.”
In the Index, each country’s score reflects how many of these relevant self-hosted tools are in use relative to that country’s population, with higher numbers suggesting greater potential capacity for digital sovereignty. Nextcloud would be the first to admit that this isn’t a definitive ranking of national digital sovereignty, but rather a gauge of how well‑positioned a country is to achieve it, if that’s the goal.
Germany and Finland Top the List
Looking at the most recent data from this project, it becomes easy to see why two tech companies with deep roots in Germany — SUSE and Nextcloud — are central players in the digital sovereignty arena. It seems that from the perspective of the DSI, if the EU is the epicenter of digital sovereignty, Germany and Finland are at ground zero — being the only two countries on the world map to be shaded in green, which indicates the highest position on Nextcloud’s list.
For various reasons, it’s not such a surprise seeing Germany top this list. For starters, Schleswig‑Holstein is shifting its public administration entirely to open source software to strengthen data protection and ensure digital sovereignty. Also, ZenDiS — the federal Centre for Digital Sovereignty — develops open source tools to bring open standards and secure, interoperable solutions to public sector IT, and the Sovereign Tech Fund finances open‑source projects to promote resilience and independence for Germany’s national IT systems.
There’s more. Lots more.
What is surprising is how much of Europe looked like the third-world from a digital sovereignty perspective, as was noted by Weissthaner in his blog:
“The results of the first Digital Sovereignty Index show significant differences in the adoption of self-hosted infrastructure across Europe and beyond. While the public debate around digital sovereignty has gained momentum in recent years, actual usage of sovereign digital tools remains fragmented – and in many places surprisingly low.”
The DSI map displays a gradient of colors that move from various shades of green — the color with the highest DSI numbers — through yellow and brown and ending with red — with the lowest numbers representing the most unprepared countries. Outside of Germany and Finland — with scores of 53.70 and 64.30 respectively — I count 14 European countries in the brown area, with DSI scores ranging from 25.09 for France to 13.33 for Slovenia, with all other countries in the lowest red zone.
Interestingly, the US — in which only a couple of states have legislation that might bring digital sovereignty into play — doesn’t fare so poorly in this index, coming in with a DSI of 13.49, which puts it in the same ballpark as Hungary, and way out front of the UK, Italy, and Iberia.
One thing to keep in mind: even though Europe is all over the place as far as readiness is concerned, overall it’s still way ahead of the pack from a global perspective.
SUSE’s Latest Digital Sovereignty Offering
When I interviewed di Giacomo last month, it was about the launch of SUSE Sovereign Premium Support, a new support program designed specifically to meet European digital sovereignty needs. While the support is important for EU-based companies, di Giacomo pointed out that being compliant with EU digital sovereignty regulations isn’t just important for companies located in the EU.
“It’s also key for global companies outside the EU who’re doing business in the EU, because they have to also comply with EU regulation and current trends,” he said. “Digital sovereignty is not new, but the past few months have been quite intense in terms of geopolitical changes, and it triggered a lot of discussion in Europe around our need to be in control of our IT.”
An interesting component of SUSE’s new support package is that it helps companies assure that key people, such as premium support engineers and service delivery managers are EU-based, and that related customer support data is stored on EU-located networks and servers.
Di Giacomo said that this is a necessary component of practicing effective digital sovereignty.
“If you cannot control where they’re coming from, how can you trust that?” he asked. “They will provide you with patches. They will provide you with configuration recommendations. They will have an impact on your systems and potentially your data.”
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Be First to Comment