Digital Sovereignty: Europe’s Strategy for Tech, Data and Regulation

• Introduction
• Chapter 1 Defining Digital Sovereignty
• Chapter 2 The EU’s Policy Toolbox
• Chapter 3 From GDPR to the Data Act: Evolving Data Governance
• Chapter 4 Building Common European Data Spaces
• Chapter 5 Cloud Sovereignty and Federated Architectures
• Chapter 6 Governing AI: The EU AI Act and Beyond
• Chapter 7 Competition Policy in the Platform Economy
• Chapter 8 The Digital Markets Act: Gatekeepers and Interoperability
• Chapter 9 The Digital Services Act: Safety, Speech and Accountability
• Chapter 10 Cybersecurity, NIS2 and Critical Infrastructure
• Chapter 11 Connectivity, 5G/6G and Network Resilience
• Chapter 12 Standards, Certification and Conformity Assessment
• Chapter 13 Industrial Policy: Chips, Hardware and Supply Chains
• Chapter 14 Open Source, Open Standards and Innovation
• Chapter 15 Public Sector Tech and Sovereign Procurement
• Chapter 16 Digital Identity, eIDAS and Trust Services
• Chapter 17 Cross-Border Data Flows and Trade Agreements
• Chapter 18 Lawful Access, Encryption and Security Dilemmas
• Chapter 19 Platform Governance, Media Pluralism and Democracy
• Chapter 20 Balancing Competition and Innovation: Sandboxes and Pilots
• Chapter 21 Financing European Tech: Capital, Scaling and State Aid
• Chapter 22 SMEs and Startups: Compliance by Design
• Chapter 23 Green Digital: Sustainability, Energy and Data Centers
• Chapter 24 Geopolitics: The US, China and the Global South
• Chapter 25 Implementation, Enforcement and the Road Ahead

Europe’s quest for digital sovereignty is not a call for isolation; it is a strategy for agency. In an era where software, data and compute shape prosperity and security, the European Union and its member states are articulating how to protect fundamental rights, foster competitive markets and secure strategic capabilities—without closing themselves off from global innovation. This book offers a clear, accessible primer on the policy debates at the heart of that project, explaining what is at stake and how different legislative options can align innovation with public interest.

Digital sovereignty has many dimensions. It is about who sets the rules for data access and reuse, who controls essential infrastructure like cloud, chips and connectivity, and how platforms are held accountable to democratic norms. It is also about the capacity to participate in and influence global standards while safeguarding privacy, security and fair competition at home. Throughout these pages, we move beyond slogans to examine the concrete instruments the EU is deploying—from competition remedies and safety obligations to industrial policy and public procurement—and how they interact.

For technologists, product leaders and founders, regulation can feel like a maze. This book translates legal and policy constructs into practical frameworks: how to operationalize privacy by design, build trustworthy AI governance, plan for interoperability, design compliance roadmaps and engage productively with regulators and standardization bodies. For policymakers and regulators, it highlights the technical trade-offs embedded in rules, the incentives that shape market behavior, and the conditions under which interventions actually improve outcomes for consumers, businesses and society.

Geopolitics runs through every chapter. Concentration in global supply chains, tensions over cross‑border data flows, dependencies in advanced semiconductors and cloud services, and diverging approaches to platform accountability all influence Europe’s strategic choices. We assess how alliances with like‑minded partners can reinforce resilience, where risk diversification is essential, and how Europe can exercise rule‑making power without fragmenting the open internet or undermining innovation.

The book is organized to move from first principles to application. We begin by defining digital sovereignty and surveying the EU’s policy toolbox. We then explore data governance, competition policy, AI regulation and platform accountability, before turning to infrastructure, standards and industrial capacity. Subsequent chapters address cross‑border data transfers, cybersecurity, identity and trust services, and the role of the public sector as a demand shaper. We conclude with financing and scale‑up challenges, sustainability imperatives, and the realities of enforcement and implementation.

Readers will find decision frameworks that weigh innovation benefits against rights and risks; checklists for compliance‑by‑design; and case‑based discussions of how obligations like interoperability, transparency and risk management can be implemented in practice. We underscore the importance of proportionality, outcomes‑based regulation and regulatory sandboxes that let new ideas be tested safely while preserving strong safeguards for privacy and competition.

Ultimately, Europe’s strategy for tech, data and regulation will succeed if it delivers three things at once: vibrant innovation ecosystems, credible protections for individuals and democratic institutions, and resilience in the face of geopolitical shocks. Digital sovereignty, rightly understood, is the capacity to choose—based on European values and interests—how technology is built, governed and deployed. This book equips you to navigate that choice with clarity and confidence.

The phrase "digital sovereignty" has a certain ring to it, doesn't it? It sounds grand, perhaps a little intimidating, and certainly very important. But what exactly does it mean? Is it about building digital fortresses around national borders, or is it a more nuanced pursuit of control and influence in the global digital realm? For Europe, it's decidedly the latter. The concept isn't about retreating from the interconnected world; rather, it's about actively shaping it, ensuring that European values, laws, and interests are reflected in the technologies that increasingly govern our lives.

At its core, digital sovereignty is about agency. It's the capacity for individuals, businesses, and governments to make choices about their digital future without undue influence or dependence on external actors. Think of it like this: if you're constantly relying on a single, dominant provider for your essential services – be it cloud storage, operating systems, or social media platforms – you might find your options limited when that provider changes its terms, raises prices, or even, in more extreme scenarios, faces political pressure from its home government. Digital sovereignty seeks to mitigate these vulnerabilities by fostering diverse, resilient, and trustworthy digital ecosystems.

The discussion around digital sovereignty didn't just appear out of thin air. It's a response to a series of evolving realities in the digital landscape. For years, the internet was largely seen as a borderless realm, a utopian space where information flowed freely and innovation blossomed without the constraints of traditional geopolitics. While many of those ideals remain, the practicalities of the digital age have introduced new complexities. The rise of a few dominant global tech companies, often headquartered outside of Europe, has led to concerns about market concentration, data exploitation, and the potential for foreign laws to impact European citizens and businesses.

Consider the sheer volume of data being generated, processed, and stored daily. Every click, every search, every interaction online contributes to a vast digital footprint. Who owns that data? Who can access it? And under what legal frameworks? These aren't abstract academic questions; they have very real implications for privacy, economic competitiveness, and national security. Europe, with its strong tradition of data protection, particularly since the implementation of the General Data Protection Regulation (GDPR), has been at the forefront of these debates, advocating for robust safeguards and individual control over personal information.

Beyond data, digital sovereignty also touches upon critical infrastructure. Imagine a scenario where the digital backbone of a nation – its telecommunications networks, its cloud computing services, its industrial control systems – is overwhelmingly reliant on technology and services provided by a handful of non-European companies. This creates a significant point of dependency, raising questions about resilience in the face of cyberattacks, supply chain disruptions, or even geopolitical tensions. Diversification and the development of indigenous capabilities become paramount in such a landscape.

Furthermore, the very algorithms that power our search engines, curate our social media feeds, and even inform critical decisions in areas like healthcare and finance, are often developed and controlled by a limited number of actors. These algorithms, while seemingly neutral, can embed biases, shape public discourse, and influence economic outcomes. Digital sovereignty, in this context, is about ensuring transparency, fairness, and accountability in these algorithmic systems, preventing their opaque operation from undermining democratic processes or perpetuating discrimination.

It's also crucial to understand what digital sovereignty is not. It's not a protectionist impulse designed to shut out foreign innovation or create a "splinternet." Europe's economy thrives on international trade and collaboration, and its scientific and technological progress benefits immensely from global exchanges. Instead, digital sovereignty is about ensuring a level playing field, fostering genuine competition, and establishing robust governance frameworks that apply to all actors, regardless of their origin. It’s about setting the rules, rather than simply having them imposed.

The European Union's approach is often described as "regulatory sovereignty." This means leveraging its significant market power and its commitment to fundamental rights to establish standards that can have a global reach. Just as the GDPR has influenced data protection laws around the world, the EU aims to export its values and regulatory philosophy through its digital policies. This isn't about imposing European dogma, but rather offering a credible and attractive alternative to other models of digital governance, particularly those that prioritize state control or unchecked corporate power.

The concept is inherently dynamic, constantly evolving as technology advances and new challenges emerge. What constitutes "digital independence" in one era might be entirely different in the next. Fifty years ago, it might have meant controlling domestic telecommunications networks. Today, it encompasses everything from microchips and quantum computing to ethical AI and secure cloud infrastructure. This constant adaptation requires foresight, agility, and a willingness to engage in continuous policy innovation.

One of the key drivers behind Europe’s pursuit of digital sovereignty is the recognition of technology as a geopolitical tool. In an increasingly multipolar world, technological leadership translates directly into economic power, strategic influence, and even military advantage. The competition for dominance in areas like artificial intelligence, 5G, and semiconductors is not merely commercial; it has profound implications for global power dynamics. Europe's strategy is, in part, a response to this reality, a proactive effort to secure its place as a technological leader and ensure it is not merely a consumer of technologies developed elsewhere.

This isn't to say the path to digital sovereignty is straightforward or without its dilemmas. There are inherent tensions to navigate. How do you foster innovation while simultaneously regulating powerful tech giants? How do you promote open markets while building indigenous capabilities? How do you protect privacy without stifling data-driven economic growth? These are the complex questions that European policymakers grapple with, seeking solutions that balance competing interests and achieve long-term strategic goals.

Ultimately, defining digital sovereignty for Europe means understanding it as a multi-faceted endeavor. It's about data governance that empowers individuals, competition policy that levels the playing field, infrastructure resilience that safeguards against disruptions, and ethical frameworks that ensure technology serves humanity. It’s about nurturing a vibrant European tech ecosystem, attracting investment, and retaining talent, while simultaneously asserting regulatory leadership on the global stage. This is the ambitious project that underpins Europe's digital strategy, and it is the foundation upon which the subsequent chapters of this book will build.

Understanding Europe’s pursuit of digital sovereignty requires a look into the unique toolkit the European Union has at its disposal. Unlike a single nation-state, the EU is a complex tapestry of 27 member states, each with its own history, legal traditions, and economic priorities. Yet, it operates as a unified market with a common legal framework, making it a formidable regulatory power. This chapter will unpack the key instruments and approaches the EU employs to shape its digital future, demonstrating how it translates ambition into concrete policy.

The European Union’s legislative process is often described as slow, deliberate, and sometimes a little bit like watching paint dry. However, this methodical approach also lends its policies considerable weight and longevity. When the EU legislates, it’s not just for a single country, but for a market of nearly 450 million people, making its rules impactful far beyond its geographical borders. This "Brussels effect" means that companies wishing to operate in the EU often adopt EU standards globally, simply for the sake of efficiency and consistency.

One of the most potent tools in the EU's arsenal is its ability to enact regulations. Unlike directives, which set goals for member states to achieve and allow them some flexibility in how they do so, regulations are directly applicable and binding in all member states once they enter into force. This ensures a uniform application of the law across the Union, creating a level playing field and preventing regulatory arbitrage. When the EU wants to make a clear, consistent statement on a digital issue, a regulation is often the instrument of choice.

A prime example of this regulatory power is the General Data Protection Regulation (GDPR), which we’ll delve into in more detail in Chapter 3. The GDPR didn’t just set a new global benchmark for data privacy; it reshaped how businesses worldwide handle personal data, demonstrating the EU’s capacity to project its values through law. Its direct applicability meant that companies operating in France, Germany, or Ireland all faced the exact same legal obligations, simplifying compliance for businesses while strengthening protections for individuals.

Beyond regulations, the EU also uses directives to achieve its policy objectives. While directives require member states to transpose them into national law, they still provide a powerful framework for harmonizing laws across the Union. This approach is often used when a degree of national flexibility is deemed beneficial, allowing member states to tailor implementation to their specific legal systems while still working towards a common European goal. Directives can be particularly useful in areas where national legal traditions vary significantly.

For instance, early cybersecurity efforts often involved directives, allowing member states to adapt their national strategies while aligning with overarching EU objectives. This nuanced approach acknowledges that while the overall goal of enhanced cybersecurity is shared, the precise methods of achieving it might differ based on national infrastructure and existing legal frameworks. The interplay between regulations and directives showcases the EU’s ability to balance uniformity with national specificities.

Another critical component of the EU’s policy toolbox is its competition law. For decades, the European Commission has been a global leader in enforcing antitrust rules, preventing monopolies and cartels, and promoting fair competition. In the digital age, this has translated into scrutinizing the market power of large tech platforms, particularly those that act as "gatekeepers" to significant user bases or essential services. The EU believes that robust competition is essential not only for economic dynamism but also for fostering innovation and preventing undue influence.

The Commission, armed with powers to investigate, impose fines, and even demand structural remedies, has not shied away from challenging dominant digital players. Its investigations into practices like self-preferencing, tying, and exclusionary conduct have sent clear signals that the EU intends to keep digital markets open and contestable. These actions are a cornerstone of the EU’s strategy to prevent a few powerful companies from controlling the entire digital ecosystem, thereby undermining digital sovereignty.

Beyond formal legislation, the EU also leverages its significant funding programs to steer technological development and build European capabilities. Research and innovation programs like Horizon Europe provide substantial grants for projects in areas deemed strategically important, such as artificial intelligence, quantum computing, and next-generation connectivity. These investments aim to foster European excellence, reduce dependence on external technologies, and create a vibrant ecosystem of startups and innovators.

These funding initiatives are not just about research; they are about building capacity. By directing resources towards specific technological domains, the EU is actively shaping the future landscape of European tech. This strategic investment is a proactive measure to ensure that Europe is not just a consumer of technology, but also a producer and innovator, capable of developing its own sovereign digital solutions. It's a long-term play, but one that is crucial for sustained digital autonomy.

Standardization also plays a vital, though often overlooked, role in the EU’s policy toolbox. Technical standards—the agreed-upon ways that technologies work and communicate—are the invisible threads that weave together the digital world. By actively participating in and influencing global standardization bodies, the EU ensures that its values and requirements, such as privacy-by-design and cybersecurity, are baked into the very architecture of emerging technologies. This proactive engagement is a subtle yet powerful form of digital diplomacy.

Think of it this way: if Europe can help shape the standards for 5G networks, for artificial intelligence, or for cloud interoperability, it can embed its principles into the global technological fabric. This is a more effective strategy than trying to retroactively regulate technologies after they have already been widely adopted and their standards set by others. The EU’s commitment to open standards and international cooperation in this area is a testament to its understanding of the long-term strategic value of this work.

Furthermore, public procurement, often seen as a bureaucratic exercise, is another potent lever for the EU. The collective purchasing power of EU member states and institutions is immense. By setting specific requirements in public tenders for digital solutions – for example, demanding high cybersecurity standards, adherence to open-source principles, or data portability – the EU can drive market demand for more sovereign, secure, and privacy-friendly technologies. This creates a market signal that encourages developers and providers to align with European values.

When public sector entities prioritize solutions that offer greater data control or are developed with transparency in mind, they effectively create a market for such offerings. This isn't just about the public sector itself; it influences the broader market by demonstrating the viability and demand for certain types of digital products and services. Public procurement, therefore, becomes a tool for market shaping, pushing innovation in directions that align with Europe’s digital sovereignty agenda.

Beyond these formal tools, the EU also relies on its significant diplomatic presence and its ability to forge international alliances. Digital policy is increasingly intertwined with geopolitics, and the EU actively engages with like-minded partners, particularly the United States, to promote shared values and address global challenges like cybersecurity threats and the spread of disinformation. This international cooperation is essential for tackling issues that transcend national borders and require a coordinated global response.

The EU's efforts to build "tech alliances" with countries that share its democratic values and commitment to an open, free, and secure internet are a key part of its strategy. These alliances can focus on areas like research collaboration, supply chain diversification, and the development of common approaches to regulating emerging technologies. It's about building a coalition of the willing to ensure that the future of the internet reflects a diversity of perspectives, not just those of a few dominant players.

The concept of "regulatory sandboxes" and pilot projects is also gaining traction within the EU’s policy approach. Recognizing that new technologies evolve rapidly and that overly rigid regulation can stifle innovation, the EU is exploring ways to allow novel ideas to be tested in a controlled environment. These sandboxes provide a space for innovators to experiment with new products and services under regulatory supervision, allowing regulators to learn and adapt their approaches in real-time.

This agile approach to regulation aims to strike a balance between fostering innovation and ensuring adequate safeguards for individuals and society. It acknowledges that the EU cannot predict every technological development, but it can create frameworks that are adaptable and responsive. By allowing for experimentation, the EU can gather valuable insights that inform future legislation, ensuring that its policies remain relevant and effective in a fast-changing digital world.

Finally, the EU's commitment to fundamental rights, enshrined in its treaties and the Charter of Fundamental Rights, underpins its entire policy framework. Privacy, freedom of expression, non-discrimination, and data protection are not mere afterthoughts; they are core principles that guide the development and implementation of all digital policies. This rights-based approach differentiates the EU’s strategy from those that prioritize economic growth or state control above all else.

This unwavering commitment to fundamental rights provides a moral compass for the EU’s digital sovereignty journey. It means that when policies are debated, the impact on individuals' rights is a primary consideration. This emphasis on human-centric technology is a defining characteristic of the European approach, aiming to build a digital future that empowers individuals and respects their dignity. This overarching principle informs every decision, from data governance to AI regulation.

In essence, the EU’s policy toolbox is a sophisticated blend of legislative power, economic influence, diplomatic engagement, and a foundational commitment to values. It’s not just about wielding a big stick; it’s about strategically shaping markets, fostering innovation, and building international consensus around a vision of a human-centric digital future. This multifaceted approach is what makes Europe a unique and powerful player in the global digital arena, and it is the foundation upon which its quest for digital sovereignty is built.

The European Union's journey in data governance has been a remarkable and often pioneering one, setting global benchmarks for privacy and individual rights in the digital age. It began not with a bang, but with a foundational directive in 1995, long before the internet became the ubiquitous force it is today. This early step, the Data Protection Directive, aimed to regulate the processing of personal data across member states, a prescient move given the digital revolution that was to come.

However, the Directive, adopted when the internet was still in its infancy, struggled to keep pace with the rapid technological advancements and the explosion of data generation. Each member state had to transpose the Directive into its own national laws, leading to a patchwork of differing interpretations and compliance requirements across the EU. This fragmented landscape created significant challenges for businesses operating across borders and a less-than-harmonized level of protection for individuals.

The need for a more unified and robust approach became increasingly apparent as smartphones, social media, and cloud computing transformed how data was collected, used, and shared. The digital economy was booming, but the regulatory framework designed for a bygone era was creaking under the strain. It was clear that a more comprehensive and directly applicable law was needed to truly harmonize data protection across the Union.

Enter the General Data Protection Regulation (GDPR), adopted in 2016 and enforceable from May 25, 2018. The GDPR was a seismic shift, replacing the outdated Directive with a single, directly applicable regulation for all EU member states. This move aimed to eliminate the previous fragmentation and provide a consistent legal framework for data protection across a market of nearly 450 million people. The GDPR quickly became a global standard, influencing data protection laws far beyond Europe's borders due to its extraterritorial reach.

The GDPR's core is built around seven key principles for data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles dictate how organizations must handle personal data, ensuring that it is collected for specific, legitimate purposes, kept accurate, and stored no longer than necessary. Furthermore, organizations are required to implement robust security measures to protect data integrity and confidentiality.

Accountability is a particularly significant aspect, placing the onus on data controllers to demonstrate compliance with all GDPR principles. This means not only adhering to the rules but also being able to prove it, often through detailed record-keeping and impact assessments. The GDPR also significantly strengthened individual rights, granting "data subjects" greater control over their personal data. These rights include the right to be informed, the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object.

A crucial element of GDPR compliance is obtaining explicit consent for collecting personal data. This consent must be "freely given, specific, informed and unambiguous," and individuals must be able to withdraw it at any time. Organizations processing large amounts of sensitive data may also need to appoint a Data Protection Officer (DPO) and implement specific data protection measures like encryption and anonymization.

The enforcement of the GDPR falls primarily to national data protection authorities (DPAs) in each member state, with the European Data Protection Board (EDPB) playing a crucial coordinating role. The EDPB, an independent body composed of representatives from national DPAs and the European Data Protection Supervisor (EDPS), ensures consistent application of the GDPR across the EU. It issues guidelines, recommendations, and binding decisions to clarify the GDPR's interpretation and promote cooperation among national authorities.

Despite the GDPR's robust framework, the evolving digital landscape presented new challenges, particularly concerning cross-border data transfers. A landmark ruling in July 2020 by the Court of Justice of the European Union (CJEU), known as Schrems II, significantly impacted how data could be transferred outside the EU. The court invalidated the EU-US Privacy Shield, a mechanism previously used for transatlantic data transfers, due to concerns about US surveillance laws and the lack of judicial redress for EU citizens.

The Schrems II decision underscored the EU's commitment to ensuring that personal data of EU citizens receives an "essentially equivalent" level of protection regardless of where it is transferred globally. While the court upheld the use of Standard Contractual Clauses (SCCs), it mandated that organizations conduct thorough assessments of the third country's laws to ensure adequate protection, often requiring "supplementary measures." This ruling sent shockwaves through the global tech industry, prompting a re-evaluation of international data transfer mechanisms.

The European Commission, recognizing the need to further evolve its data governance strategy, launched the European Data Strategy in 2020. This ambitious strategy aimed to create a single market for data within the EU, fostering greater data availability and reuse while maintaining high standards of privacy and security. The strategy highlighted the immense potential of data for economic growth, innovation, and addressing societal challenges.

To realize this vision, the EU introduced a suite of new legislative instruments, including the Data Governance Act (DGA) and the Data Act. These regulations represent a significant expansion of Europe’s data policy beyond the realm of purely personal data, venturing into the broader landscape of non-personal and industrial data. They complement the GDPR, forming a more comprehensive framework for Europe’s data economy.

The Data Governance Act (DGA), which became applicable in September 2023, focuses on fostering trust in data sharing and promoting the reuse of publicly held data. It establishes a framework to facilitate the voluntary sharing of data by businesses and individuals, ensuring robust protections for privacy and security. The DGA introduces the concept of "data intermediaries," neutral organizations designed to facilitate data-sharing services under trustworthy conditions. It also encourages "data altruism," allowing individuals and organizations to share data for public interest research and societal benefit.

The DGA also plays a crucial role in supporting the development of Common European Data Spaces, which are sector-specific or cross-sectoral frameworks for data exchange. These spaces aim to make more data available for use in various sectors, from health and agriculture to energy and manufacturing, while keeping data generators in control. While the DGA doesn't mandate data sharing, it establishes the conditions and safeguards for the reuse of protected public sector data, including technical requirements and fee structures. Importantly, the GDPR still prevails whenever personal data is processed under the DGA.

The Data Act, which entered into force in January 2024 and becomes applicable in September 2025, is another cornerstone of the European data strategy. Its primary objective is to regulate access to and use of data generated by connected products and related services, particularly industrial data. The Data Act aims to unlock the value of this often-untapped resource by strengthening user rights and promoting fair data sharing between businesses.

Under the Data Act, users of connected products, whether individuals or businesses, gain greater control over the data they generate. This means manufacturers and service providers, or "data holders," must make product data readily available to users and, when chosen by users, to third parties. The Act also addresses switching between cloud service providers, aiming to prevent vendor lock-in by regulating requirements for data interoperability. The European Commission is even tasked with developing model contractual terms for data access and use to facilitate these processes.

While both the Data Act and the GDPR concern data, their objectives diverge: the GDPR safeguards personal data and individual privacy, while the Data Act promotes data sharing and reuse, especially of non-personal and mixed data, to stimulate innovation and competition. The Data Act acknowledges the GDPR's primacy when personal data is involved, but it also contains specific provisions that apply to personal data, such as user data access requests. Companies operating with connected products or mixed datasets will need to carefully navigate both regulatory regimes, ensuring proper data classification and lawful processing.

The Data Act also includes safeguards against unlawful third-country government access to non-personal data held within the EU, mirroring the GDPR's protections for personal data. This demonstrates a consistent approach by the EU to protect data sovereignty, whether the data is personal or non-personal, from external governmental interference. These measures enhance transparency and legal certainty regarding the conditions under which non-EU government bodies can access or transfer such data.

The evolution from the Data Protection Directive to the GDPR, and now to the Data Governance Act and the Data Act, showcases Europe's ongoing commitment to shaping a robust and human-centric data economy. This journey reflects a proactive approach to regulating technology, ensuring that data, a critical resource of the digital age, is governed in a way that protects fundamental rights, fosters innovation, and underpins Europe's strategic independence. This intricate web of regulations highlights the EU's determination to set the rules for the digital world, influencing global standards and promoting a vision of digital sovereignty where individuals and businesses have agency over their data.