Lessons from my conversation with Gabriel Gaura — Head of Infrastructure, Security & Risk, T-Systems International (Cloud Professional Services) on CloudNative.FM Podcast
TL;DR: Digital sovereignty has exploded from a policy conversation into an operational and strategic problem for enterprises largely because geopolitical moves (tariffs, legal reach) suddenly turned vendor choice into a business-risk calculation. The shocks landed hardest on heavy public-cloud and SaaS adopters whose workloads and operations were tightly coupled to non-local vendors. Gabriel outlines a pragmatic, three-pillar view of sovereignty (Data, Operational, Technological) and a stepwise roadmap (exposure analysis → classification → pragmatic roadmap → contingency) that balances control with innovation. Read the full story here
Why “digital sovereignty” re-entered the lexicon — tariffs, reaction, and risk
Over the past year, the phrase digital sovereignty stopped being an academic/policy term and became boardroom material. Gabriel traced that shift to geopolitical actions, tariffs and regulatory pressure that produced immediate business consequences and second-order reactions (for example, talk of reciprocal measures in Europe). The point isn’t just ideology: it’s plain economics. If software and platform licensing suddenly become subject to tariffs or legal restrictions, companies face material increases in cost and legal exposure.
Two key mechanics drove the jump in attention:
Direct shocks tariffs, export restrictions, or sanctions that make access to certain vendors or services suddenly constrained.
Reciprocal policy talk and legal reach, laws (and legal precedents) that create uncertainty about who can access data, where it can be processed, and under which jurisdiction.
When your cloud provider or a critical SaaS vendor becomes a geopolitical lever, sovereignty is no longer optional; it’s part of risk management.
Which sectors got surprised — and why
Gabriel highlighted that the sectors most shaken were those that had embraced public cloud and vendor-managed services without contingency plans:
- Finance and banking: heavy reliance on global clouds, strict regulation, and low tolerance for service interruption made banks especially vulnerable (he referenced a widely discussed case of a bank denied access to its cloud resources after sanctions).
- Large SaaS consumers & companies using embedded managed services: organizations that embedded vendor PaaS/serverless services into app code found portability and contingency extremely costly.
- Organizations outsourcing critical operations: those who outsourced runbooks, ops, or platform management were exposed operationally and politically.
In short, the more you rely on third-party, cross-border platforms, especially where core logic is embedded in vendor services, the larger your sovereignty exposure.
Practical checkpoints & short wins for teams
- Run the exposure analysis this quarter. Map your top 50 mission-critical services and where they live.
- Classify risk appetite. Board and supervisory committees must understand the “what-if” scenarios.
- Favor open source for critical control planes where it reduces lock-in risk, but remember open source alone doesn’t immunize you from geopolitical service risks.
- Create a sovereignty scorecard (financial / operational / technological dimensions) for leadership reporting.
- Start small: identify one or two workloads where moving to a local or alternative platform yields high risk reduction for modest cost.
Innovation vs. sovereignty — a false tradeoff
A key line in our discussion: innovation often happens under constraint. Moving away from a single-vendor comfort zone can spark creative alternatives, confidential computing, interoperable container patterns, and edge-continuum initiatives. Gabriel argues that while being forced to leave a comfort zone is disruptive, it can reignite platform innovation rather than stifle it, as long as organizations plan pragmatically and avoid blanket “rip and replace” strategies.
Questions for readers (help shape episode two)
Which area should we deep-dive next? Tell us in the comments or via CloudNativeFM:
A) Data residency & compliance playbooks (GDPR, DORA, sector rules)
B) Migration patterns & portability (how to untangle PaaS/serverless lock-in)
C) Procurement & vendor governance (contract tweaks, exit clauses, audits)
D) Building a “sovereignty playbook” templates, scorecards, tabletop exercises
Final thought
Digital sovereignty is not a binary state; it’s a pragmatic, cross-functional journey. The choice facing enterprises isn’t “sovereignty or innovation” but “how much control do we need where, and at what cost?” Gabriel’s framework: exposure first, classification second, pragmatic roadmap third, gives organizations a realistic path that reduces catastrophic risks while preserving the ability to build and innovate.
If you found this helpful, drop your pick from the reader questions above, and we’ll use it to plan episode two with Gabriel on CloudNative.FM Podcast
Top comments (0)