Blog Post






               When the US, the EU and UK enacted sanctions against Russian entities in spring 2022, the ripple effects
               were catastrophic for ATB. Despite ATB being fully compliant with Dutch and EU laws, service providers,
               again being respectful with the same laws and sanctions, were obliged to abruptly terminate critical
               cloud services, including email and core banking operations. Without access to cloud-based workspaces
               and business software suites, ATB lost the ability to communicate internally or with customers, leading
               to its sudden collapse.

               While the sanctions against Alfa Bank have been implemented in a different context this case
               nevertheless underscores a critical distinction when it comes to the question of sovereignty: Own
               compliance does not guarantee autonomy. Even legally sovereign organisations can fail if they lack
               operational resilience. ATB’s total dependence on their service providers left it defenceless when they
               withdrew support, a stark warning against vendor lock-in.

               While “digital sovereignty” refers to government-mandated control, such as GDPR or data localisation
               laws, “digital autonomy” is about an organisation’s ability to operate independently, regardless of
               whether disruptions originate at the geopolitical or vendor level. This distinction has now been officially
               defined in the Netherlands by the Dutch government.

               ATB was sovereign (regulated under Dutch law) but not autonomous, so when its cloud providers pulled
               the plug, it had no backup plan. And, of course, ATB is not alone, in Australia another major hyperscaler
               accidentally deleted superannuation fund UniSuper’s online account. Thankfully for UniSuper and its
               half a million members, they had taken the wise step of having a third party back-up.


               Building true autonomy takes a strategic approach

               To avoid ATB’s fate, organisations need to take proactive steps towards technology and systems
               resilience. First, they should eliminate single points of failure by adopting multi-cloud or hybrid cloud
               strategies including on-premise solutions, reducing reliance on any single provider. Open source
               solutions, such as Red Hat OpenShift, offer portability across environments, helping businesses avoid
               lock-in to a single vendor’s ecosystem, and providing customers with the flexibility, privacy and
               portability required to adapt to future regulations and sovereign requirements. In addition to this,
               specific technologies such as Confidential Computing can help you to continue using  your current
               investments in cloud technologies while protecting your data from third party operations. Open source
               software, being a neutral decentralised way to develop software, delivers access and transparency while
               not relying on a single vendor, instead leaning on the decentralised community as the real back up.

               Next, organisations must control their exit strategy, for a smooth migration of data and applications if
               vendors change policies or face geopolitical restrictions. Lastly, they should invest in community-driven
               resilience that can provide an additional safety net. The CVE database, a cornerstone of global