29.06.2026 | KPMG Law Insights

Embedding Digital Sovereignty in the Enterprise – Legal Requirements for IT Systems

Digital sovereignty is an important strategic success factor, and many measures are also required by law.

Through legislation such as the Data Act, NIS-2, the Cyber Resilience Act, and the AI Act, among others, European lawmakers require companies to organize their IT systems in a way that ensures they are manageable, controllable, and accountable.

Digital sovereignty refers to the ability to use technologies and data in the digital space independently, securely, and in compliance with the law. Above all, “independently” means having options for action.

Why does the legislature mandate measures to ensure digital sovereignty?

Geopolitical tensions make Europe's digital sovereignty more urgent, and the rising number of cyberattacks can make our infrastructure, our economy, and our government vulnerable, or even paralyze them.

Specifically, data sovereignty means that companies must be able to determine at any time where their data is located, who has access to it, and under which legal jurisdiction that access takes place.

Companies should take a holistic approach to their various legal obligations and embed digital sovereignty within a unified governance framework.


Digital sovereignty is enshrined in various laws

An obligation to ensure digital sovereignty arises from the interplay of the EU’s digital laws.

The GDPR establishes control over data flows, particularly in the case of transfers to third countries. NIS-2, the Data Act, the Cyber Resilience Act, and the AI Act specify this obligation to exercise control through requirements regarding risk management, transparency, organizational responsibilities, and the technical controllability of digital systems.

Together, these sets of rules follow a consistent regulatory approach:

  • control over systems, data access, and dependencies,
  • risk-based management based on criticality and operational context,
  • clear organizational responsibility all the way up to management level.

Digital sovereignty brings these requirements together and establishes the legal controllability of digital systems as the binding foundation for corporate IT and data responsibility.


The EU’s digital laws enable uniform governance

The EU’s digital laws are interlinked and coordinated. Companies do not need to implement them in isolation; rather, they can and should manage them collectively and in a unified manner.

There are overlaps in the content of these regulatory frameworks. For example, both the Cyber Resilience Act (CRA) and NIS-2 require structured risk management. Reports of vulnerabilities under the Cyber Resilience Act may also trigger reporting obligations under NIS-2, and CRA-compliant products can serve as evidence of compliance with specific NIS-2 requirements. Supply chain security is also addressed in both regulatory frameworks.

Similar interactions exist between NIS-2 and the Data Act. While NIS-2 requires comprehensive risk management, including the management of third-party providers, the Data Act requires contractual adjustments regarding data sharing and disclosure. In practice, these obligations can be combined and implemented together.

The AI Act is also embedded in this regulatory framework. The use of AI systems must be taken into account in the risk analysis required by NIS-2. And assessments conducted under the AI Act can serve as input for overarching risk management.

For companies, this means that the EU’s digital laws enable integrated management. Companies do not have to recreate existing assessments, processes, and documentation multiple times; instead, they can use and further develop them across different regulatory frameworks.


What Digital Sovereignty Means for Individual IT Systems

Cloud Services

Companies must use cloud services and structure their contracts in such a way that they can switch providers, ensure their rights of control, and prevent unauthorized access from third countries.

Cloud services are at the center of the current debate on digital sovereignty, particularly the dependence on cloud providers headquartered in third countries. Companies that use cloud infrastructures outside the EU should assess whether contractual safeguards—such as additional clauses, data localization, or EU residency models—as well as technical measures are sufficient.

Against this backdrop, separating key management from data storage takes on strategic importance. The use of encryption keys controlled by the customer—for example, via a key management system or hardware security module that the customer operates outside the provider's reach (“Hold Your Own Key”)—can help ensure control over data even when using external cloud infrastructures. The decisive point is that the provider never holds the key itself, only the encrypted data, so that every access depends on a key the customer can withhold or revoke.
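The separation of key management from data storage described above, shown as an added example that is not part of the original article: envelope encryption in Go (standard-library AES-GCM) with a key-encryption key (KEK) held by the customer. `CustomerKEK`, its `Wrap`, `Unwrap` and `Revoke` methods, the `CloudObject` type and the sample record are assumptions standing in for a real HSM or KMS integration. The provider stores only the ciphertext and the wrapped data key; every read has to go back to the customer's key, so revoking that key makes the stored data unreadable without any action on the provider's side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes panics on entropy failure; crypto/rand does not fail on supported platforms.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAEAD returns AES-256-GCM for a 32-byte key.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a programming bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// openBlob reverses seal; any modification of the blob fails the tag check.
func openBlob(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// CustomerKEK is an assumed stand-in for a key held in the customer's own HSM or KMS.
// The raw key never leaves it: the provider side only ever calls Wrap and Unwrap.
type CustomerKEK struct {
	aead    cipher.AEAD
	revoked bool
}

func NewCustomerKEK() *CustomerKEK { return &CustomerKEK{aead: newAEAD(randomBytes(32))} }

func (k *CustomerKEK) Wrap(dek []byte) []byte { return seal(k.aead, dek) }

// Unwrap is the call the provider must make on every read; after Revoke it
// fails, so everything stored under this KEK becomes unreadable.
func (k *CustomerKEK) Unwrap(wrapped []byte) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("KEK revoked by customer")
	}
	return openBlob(k.aead, wrapped)
}

// Revoke models disabling or destroying the key in the customer's HSM.
func (k *CustomerKEK) Revoke() { k.revoked = true }

// CloudObject is all the provider stores: ciphertext plus the wrapped data key.
type CloudObject struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt uses a one-time data key (DEK) for the payload and wraps the DEK under the KEK.
func Encrypt(kek *CustomerKEK, plaintext []byte) CloudObject {
	dek := randomBytes(32)
	return CloudObject{Ciphertext: seal(newAEAD(dek), plaintext), WrappedDEK: kek.Wrap(dek)}
}

// Decrypt cannot read anything until the customer KEK has unwrapped the DEK.
func Decrypt(kek *CustomerKEK, obj CloudObject) ([]byte, error) {
	dek, err := kek.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openBlob(newAEAD(dek), obj.Ciphertext)
}

func main() {
	kek := NewCustomerKEK()
	obj := Encrypt(kek, []byte("employee=4711;salary=58000")) // constructed sample record
	pt, err := Decrypt(kek, obj)
	fmt.Printf("before revocation: %q, err=%v\n", pt, err)
	kek.Revoke()
	pt, err = Decrypt(kek, obj)
	fmt.Printf("after revocation:  %q, err=%v\n", pt, err)
}
```

Two caveats a practitioner would check before relying on this pattern: the control only holds if the provider cannot reach the KEK by another route (a key imported into the provider's own KMS, often sold as “Bring Your Own Key”, does not give this property), and decrypted data still exists in the provider's memory while a workload processes it, so a customer-held key governs data at rest and the audit trail of unwrap calls, not data in use.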

In addition, lawmakers aim to prevent vendor lock-in in cloud services by making it legally and practically possible to switch providers. Therefore, the Data Act requires cloud providers to gradually eliminate fees for data transfer when switching providers and to ensure that customers can migrate their data and applications to another provider with equivalent functionality.

At the same time, the legislature addresses access by authorities of third countries. The Data Act requires providers of data processing services to take all adequate technical, organizational, and legal measures to prevent governmental access to, and transfer of, non-personal data held in the EU where this would conflict with EU or Member State law. For customers, this is a point to verify when selecting a provider and negotiating the contract, since the obligation sits with the provider rather than with the customer.


Business-Critical Core Systems

Depending on their industry, size, and regulatory classification, companies must organize their business-critical IT systems in such a way that security, availability, and responsibilities remain manageable.

The specific legal requirements applicable to business-critical core systems depend largely on the company's regulatory classification, in particular on whether it is an essential or important entity under the NIS-2 Directive, or a KRITIS operator under German law. The scope and intensity of the obligations vary accordingly.

The failure of business-critical core systems can have a significant impact on business operations. NIS-2 addresses this risk through governance and resilience requirements for essential and important entities; the Cyber Resilience Act supplements this with mandatory security rules for products with digital elements. Manufacturers of such products must document the software components they contain, for example in the form of a software bill of materials, and must develop and operate their products in accordance with the principles of “secure by design” and “secure by default.”

In addition, NIS-2 requires covered entities to adopt a comprehensive risk and governance approach for their business-critical systems. This includes, in particular, incident, crisis, and business continuity management; supply chain security; and the monitoring of critical third-party IT providers. Responsibility for these matters is explicitly assigned at the management and organizational levels and may entail liability risks.

However, these regulations also provide a clear framework for companies outside the immediate scope of NIS-2.


AI systems

Companies must define how they will use AI, what data will be used, and who within the company is responsible for it. Otherwise, significant liability and compliance risks will arise.

The EU AI Act applies a risk-based regulatory approach to AI systems. The obligations depend on the nature of the risk and also on the company's role as a provider or as a deployer (operator) of the system. Companies must document how they use AI, what role they play in this process, and what risks arise from it, so that this classification is legally possible in the first place.

All companies that use AI should establish AI governance, assign responsibilities, define AI principles, and integrate guidelines into existing compliance structures. In addition, they must assess risks and monitor the entire lifecycle of AI systems. Training, ongoing evaluations, and monitoring and reporting requirements are part of this approach.


What Many Companies Underestimate

A common practical challenge is that companies address NIS-2, the Data Act, and the AI Act in isolation as individual pieces of legislation, rather than consolidating their shared governance requirements. The real lever, however, lies elsewhere: in the ability to translate regulatory requirements into decision-making and approval processes across the entire system.

One aspect that has often been underestimated in this context is internal enforceability. Digital sovereignty does not arise from additional policies, but rather from the fact that legal and governance requirements actually influence procurement, project, and approval decisions—for example, when selecting cloud providers, introducing AI applications, or outsourcing critical systems. This requires that legal departments not merely review matters at the end of the process, but be involved from the very beginning—during the development of IT, cloud, and AI strategies.

For legal departments, this means a shift in their role: The focus is no longer on interpreting individual regulations, but rather on designing decision-making frameworks that empower IT, procurement, and business departments to act while also providing them with legal protection. Those who understand digital sovereignty in this way use regulation not only to minimize risk, but also as a management tool for complex IT landscapes.


Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com
