8/8/25, 10:48 AM                           Digital Sovereignty is far more than compliance | Web Release
         In addition to geopolitical concerns, regulatory pressure is also mounting, with regulations like DORA (Digital
        Operational Resilience Act) and NIS2 in Europe requiring financial institutions and critical infrastructure providers to

        ensure operational resilience.


         While it is true that geopolitical dynamics have put digital sovereignty into the spotlight, it would be a misconception to
        think of this as a fresh challenge, as at its core digital sovereignty is about resilience and autonomy. Organisations need

        to prove they can operate independently, even when global political shifts or vendor decisions disrupt their operations.


        Prepare for unintended consequences


        In April 2022, the Amsterdam Trade Bank (ATB), a financially stable Dutch institution, was forced into bankruptcy. This
        wasn’t due to poor management or insolvency, but rather because of sanctions imposed on its Russian parent company,

        Alfa Bank.


         When the US, the EU and UK enacted sanctions against Russian entities in spring 2022, the ripple effects were
        catastrophic for ATB. Despite ATB being fully compliant with Dutch and EU laws, service providers, again being

        respectful with the same laws and sanctions, were obliged to abruptly terminate critical cloud services, including email
        and core banking operations. Without access to cloud-based workspaces and business software suites, ATB lost the
        ability to communicate internally or with customers, leading to its sudden collapse.


         While the sanctions against Alfa Bank have been implemented in a different context this case nevertheless underscores

        a critical distinction when it comes to the question of sovereignty: Own compliance does not guarantee autonomy. Even
        legally sovereign organisations can fail if they lack operational resilience. ATB’s total dependence on their service

        providers left it defenceless when they withdrew support, a stark warning against vendor lock-in.


         While “digital sovereignty” refers to government-mandated control, such as GDPR or data localisation laws, “digital
        autonomy” is about an organisation’s ability to operate independently, regardless of whether disruptions originate at the

        geopolitical or vendor level. This distinction has now been officially defined in the Netherlands by the Dutch
        government.


         ATB was sovereign (regulated under Dutch law) but not autonomous, so when its cloud providers pulled the plug, it had

        no backup plan. And, of course, ATB is not alone, in Australia another major hyperscaler accidentally deleted
        superannuation fund UniSuper’s online account. Thankfully for UniSuper and its half a million members, they had taken
        the wise step of having a third party back-up.


        Building true autonomy takes a strategic approach



        To avoid ATB’s fate, organisations need to take proactive steps towards technology and systems resilience. First, they
        should eliminate single points of failure by adopting multi-cloud or hybrid cloud strategies including on-premise

        solutions, reducing reliance on any single provider. Open source solutions, such as Red Hat OpenShift, offer portability


      https://web-release.com/digital-sovereignty-is-far-more-than-compliance/                                      2/3