Digital Sovereignty as a Continuous Capability: A Pragmatic Action Framework Instead of Autarky Illusion

Executive Summary

Digital sovereignty is not the possession of all technology levels of an architecture, but the ability of an organization to make informed decisions about its digital operating model and maintain them under pressure. The guest commentary argues against the illusion of absolute technological independence and advocates instead for a risk-based framework: organizations must identify their critical processes, qualify dependencies, and systematically plan scenarios ranging from cyberattacks to geopolitical escalation. Technical controls (data residency, key management), organizational measures (governance, emergency processes), and contractual safeguards (audit rights, data portability) should define protection levels according to actual need. Sovereignty requires continuous renewal, not one-time securing.

People

• Marc Holitscher (National Technology Officer, Microsoft Switzerland)

Topics

• Digital Sovereignty
• Technological Independence
• Risk Management
• Governance and Compliance

Clarus Lead

Geopolitical tensions have placed digital sovereignty at the center of strategic discussions – yet the current debate often fails due to unrealistic expectations. The article positions sovereignty not as a technical either-or, but as an organizational competency of controlled dependency: decision-makers in administration and industry must learn to weigh what is technically feasible, legally relevant, and economically justifiable – without falling into costly autarky illusions. This reframing perspective refutes the myth that digital sovereignty is achievable through individual product decisions.

Detailed Summary

The author argues that Switzerland has practiced a model in classical areas such as banking and diplomacy for decades: deep global networking while consciously safeguarding critical interests on its own terms. This pragmatic approach is transferable to the digital sphere. Instead of pursuing absolute independence, organizations should build a risk-based impact framework that answers three questions: Which processes are essential for continuity? Which data are existentially critical? Which scenarios – cyberattacks, geopolitical escalation, regulatory failure – must be planned for?

The solution combines three control levels. Technically, measures such as data residency, customer-managed encryption keys, and differentiated access models can be implemented. For extremely sensitive environments, complete decoupling from the global Internet is also possible – an option that prevents extraterritorial access (such as under the Cloud Act) and ensures business continuity if digital services fail. Organizationally, clear responsibilities, documented emergency processes, and robust governance structures are needed. Contractually, transparency obligations, audit rights, availability commitments, and immediate data portability are central.

What matters is not the origin of technology providers (local or global), but whether controls are actually available, verifiable, and enforceable. The Swiss ecosystem offers a diverse spectrum: local providers, open-source initiatives, specialized service providers, and international corporations with local presence. Holitscher emphasizes that sovereignty is not a property to be achieved once, but a capability to be continuously renewed – a process, not an end state.

Key Messages

• Digital sovereignty = ability to make informed decisions under pressure, not ownership of all technology levels
• Absolute technological independence is illusory and economically counterproductive
• Risk-based framework with technical, organizational, and contractual controls instead of ideological autarky
• Continuous renewal and monitoring required – not one-time implementation

Critical Questions

1. Evidence/Data Quality: The text refers to "pragmatic self-determination" of Switzerland in banking and diplomacy – which documented cases show that this approach also works in the digital context? Are empirical examples of successful sovereignty implementations missing?

2. Conflicts of Interest: Holitscher is National Technology Officer at Microsoft – to what extent could this position influence his argument against national technology autarky? Are the business interests of multinational cloud providers considered in the analysis?

3. Causality/Alternatives: The text argues that "controls must be available and verifiable" – how realistic is this verifiability actually in proprietary systems of global tech corporations? Which alternative scenarios (stronger state infrastructure, European alternatives) are excluded and why?

4. Feasibility/Risks: What concrete costs arise from the proposed risk-based framework with three control levels? Which SMEs and smaller authorities can actually build such a governance system?

5. Measurability: How can "continuous renewal" of sovereignty as a capability be operationalized and verified? Are concrete KPIs or audit standards missing?

6. Geopolitical Assumptions: The text mentions "Cloud Act" and cyberattacks as scenarios – how realistic is the decoupling of "particularly sensitive environments" from the Internet in a hyper-networked economy?

Source Directory

Primary Source: Digital Sovereignty is a Capability, Not a State – Neue Zürcher Zeitung, Guest Commentary by Marc Holitscher, 27.03.2026

Verification Status: ✓ 27.03.2026

This text was created with the support of an AI model.
Editorial responsibility: clarus.news | Fact-checking: 27.03.2026