EU IT sovereignty

- A 3-step guide
René DalsgaardRené Dalsgaard

René Dalsgaard

CEO at Orbit Online A/S
Published

Independence is crucial as it allows individuals, organisations, and even nations to operate according to their core values and strategic priorities, free from excessive external control or restrictive dependencies. Without independence, businesses risk being subjected to external economic pressures, shifting regulations, or unexpected service changes that could disrupt operations.

It has recently become blatantly apparent that the United States is no longer the reliable ally we thought it was and that the European Union must learn to stand on its own - and quickly.

This shift will not happen overnight: It will take years, even decades, making it all more critical to start today.

This article provides a simple three-step guide to getting started, and we hope it will inspire other companies and organisations to begin this essential transition.

Vendor independence

Recent developments highlight the risks of vendor dependence. Rising prices, tariffs, and even threats of service shutdowns as part of geopolitical negotiations are just a few examples.

This creates an environment where businesses feel compelled to accept unfavourable terms due to a lack of viable alternatives. A notable example is the increasing cost of Microsoft cloud services, which has forced many European firms and public organisations to re-evaluate their reliance on US-based tech giants.

Moreover, the ability of Big Tech providers to potentially “weaponise” technology - by enforcing their terms or imposing unilateral changes - further illustrates the importance of independence.

We recently witnessed how catastrophic this could be when a faulty upgrade pushed by CrowdStrike caused widespread outages, taking down a massive number of Windows servers. As a consequence, airports, online banking systems, hospitals, emergency services, and broadcasting companies worldwide were severely disrupted.

Although this was an accident, and all involved parties worked tirelessly to resolve the issue ASAP, the estimated cost of the outage was around $10 billion USD. If such an event had been intentional and no viable recovery plan was in place, the consequences would have been devastating - not just financially but also in terms of critical infrastructure and public safety.

Independence as a strategy

At Orbit, independence has always been a core strategic pillar.

The Schrems II ruling in 2020 underscored the importance of IT independence, particularly in data governance. This ruling invalidated the Privacy Shield framework, which many organisations relied on for legally transferring personal data from the EU to the US. As a result, companies faced uncertainty in ensuring compliance with GDPR, prompting many to reassess their data hosting strategies. Businesses that had proactively sought independence - by using EU-based infrastructure - found themselves in a stronger legal and operational position.

Thus, in 2020, we put our provider independence commitment to the test by migrating the majority of our servers from Amazon Web Services (AWS) to EU-based providers with guaranteed local jurisdiction. This move was driven by concerns over data sovereignty, regulatory risks, and increasing reliance on US-based tech giants. Given recent developments, we are now in the process of further securing our independence by migrating the remainder of our infrastructure to EU-based solutions.

This freedom extends to data governance, privacy practices, and the capacity to switch providers or solutions when necessary.

How can organisations take on the challenging task of reducing their dependence on US-based vendors?

Below, we outline our three-step method to help you get started on the path to greater independence.

1 - Analyse

First of all, to implement a concrete action plan, you need an overview - specifically, a list of all your IT vendors, their legal ownership country, their role in your organisation, and possibly additional data points such as how you are using them.

Remember to take chain liability into account. Just because a vendor claims to be based in Europe, in terms of ownership and hosting, does not mean the backbone of the product is not reliant on Microsoft SharePoint or hosted on AWS servers in Europe. In both cases, the legal ownership remains in the US.

In our case, we settled on the following data points:

  • Name of vendor
  • Vendor homepage URL
  • Legal country (chain liability)
  • Function description
  • Users

When describing the function, keep the scope minimal. If one vendor contributes to multiple functions, divide them into two or more rows in the list, as each individual function might require different actions and prioritisation.

2 - Assess

With a clear and simple overview, it is now easier to assess risk. There are many ways to do this, one of which is the traditional probability/impact risk assessment. However, to keep things simple, we chose to focus on impact. Since our strategy is to remain independent, probability was not a key factor for us.

We also chose to evaluate impact in relation to our core business, focusing on customers, revenue, and potential contract breaches, should a vendor fail.

We defined the following priorities based on our needs, but you should define your own according to your specific context:

  • Priority 1:
    The vendor provides components that are critical to direct customer operations and/or involve the processing of GDPR or company-sensitive data.
  • Priority 2:
    The vendor provides components that are supplementary to customer operations and related key functions.
  • Priority 3:
    The vendor provides components that are supplementary to customer operations but not related to key functions.
  • Priority 4:
    The vendor provides components related to direct or indirect sales and marketing.
  • Priority 5:
    The vendor provides components used purely as an internal tool.

For example, we identified LinkedIn as Priority 4, whereas Google Drive was classified as Priority 5.

3 – Act

Now, with a clear overview and relevant prioritisation, it is time to plan concrete actions.

Start with the easiest and most urgent vendors, then work your way through the list - at least for Priority 1. Actions do not need to be immediately implementable, as they may also serve as awareness initiatives or even long-term strategic elements.

There are many possible steps toward achieving greater independence, depending on your specific setup. However, remember that this is an ongoing process, and total independence is not necessarily the goal. The aim is simply to achieve a level of independence that frees you from economic pressure and vendor-imposed denial of service.

Here are some possible actions:

Substitution

Replace the vendor with another that provides identical or similar functions.
Example: Use LibreOffice instead of Microsoft Office, or the French AI alternative Mistral instead of OpenAI. There are resources listing EU alternatives to many well-known US vendors: https://european-alternatives.eu

Self-hosting

Some vendors allow self-hosting as an alternative to their cloud services. At the very least, investigate whether this is possible and assess the costs.
Example: Many expert systems, such as 3D modelling and calculation tools, offer standard cloud storage options. If you do not need specific cloud features, consider hosting the files yourself instead.

Backup

Ensure that your data remains accessible even if your vendor is unable to deliver the service or function.
Example: Download your Google Docs in MS Office format and maintain regular backups of all important files.

Accept the risk (for now)

Some vendors are simply too expensive to substitute or back up effectively, leaving "do nothing for now" as the only viable option.
Example: Economic and ERP systems are difficult to replace and maintain functional backups for, but keep this in mind when selecting a new system in the future.

Conclusion

Achieving vendor independence is neither easy nor cheap, but taking the first steps now is essential. The key is due diligence - by thoroughly assessing your vendors, identifying risks, and planning strategic actions, you can reduce costs, mitigate risks, and prevent potential disruptions in the future.

Vendor dependence may not seem like an urgent issue today, but sudden changes - such as price increases, service discontinuations, or regulatory challenges - can have significant consequences. By proactively evaluating your vendors, securing backups, and considering alternative solutions, you ensure greater resilience and flexibility for your organisation.

Remember, vendor independence is not about cutting all ties but about achieving the level of control necessary to avoid economic pressure, vendor-imposed denial of service, or unforeseen disruptions. Even small steps - such as substituting critical tools with EU-based alternatives, exploring self-hosting, or ensuring data backups - can make a meaningful difference in the long run.

Start today - your future business continuity depends on it.

Maybe you would also like

The Four Stages Of BPM

blogpostsguides

Level-Up Your Business Process Management - Orbit Online

In this article, you will find a complete step-by-step guide on how to implement a new business process that lasts in the long run. Start your BPM project here

CRM and project management combined

blogpostsguides

CRM And Project Management Combined - Orbit Online

Improve collaboration among departments to keep your clients happy and run a smooth project execution. Read about all the benefits and how to get startet her.

how to improve team effectiveness

blogpostsguides

9 Strategies On How To Improve Team Effectiveness - Orbit Online

Do you want to streamline your team and strengthen the collaboration? Orbit Online guides you to lead your team towards the same goal.

Let us keep in touch on LinkedIn

Get news from Orbit, feature tips, and much more

Follow Us