Digital sovereignty in practice (and what this means for Germany): A conversation with Dr. Fabrizio Palmas

Trilligent
May 11, 2026 / 12 min read

Q: Dr. Palmas, your work spans a broad range of topics (from XR, AI, innovation and product development to technology strategy and operational risk). Before we dive into the substance, can you give readers a clearer sense of the background and experience that shape your perspective on digital sovereignty?

A: Certainly. Over the past decade, I have worked extensively with large corporations and mid-sized businesses across Europe, focusing on the development of innovative products and projects as well as advising on innovation, technology strategy, and operational risk.

In recent years, my work has increasingly focused on questions of technology dependency and strategic resilience.

In my current role at XIBIX Solutions GmbH, we have conducted multiple sovereignty assessments for organisations across Germany. The perspectives I share here (particularly around cost structures and implementation timelines) are grounded in that practical experience rather than theoretical models.

Q: “Digital sovereignty” has become a favourite phrase these days. But what does it actually mean in practice for a German company today?

A: Let me be clear from the start: digital sovereignty is not about cutting ties with the world’s best technology providers. The large global cloud platforms offer remarkable capabilities, and many German companies, including world-class industrial names, use them to great effect. The question is not whether to use them. The question is whether you use them consciously and on terms that protect your business.

In practical terms, this means three things. First, knowing exactly which data sits where and under which legal jurisdiction. Second, ensuring your contracts give you the right to move workloads if circumstances change, including specific clauses around data portability, termination notice periods, and pricing change protections. Third, having tested how your operations would function if a critical vendor became unavailable or significantly changed its terms, not just having theorised about it.

These are not abstract governance questions. They are operational ones, and the answers have direct consequences for business continuity, regulatory compliance and competitive resilience. Companies that treat them seriously do not do so out of anxiety, they do so because it is what sound management requires.

Q: The geopolitical landscape has shifted sharply in recent years. How should German executives read these signals without overreacting?

A: Read the signals clearly, but do not panic. Several specific developments deserve sustained attention.

The tightening of technology export controls between the United States and China has already materially affected semiconductor supply chains and is beginning to shape the decisions German companies face around software licensing and cloud infrastructure access. The EU Data Act entered into force in 2024, with its obligations being phased in through 2025 and beyond, giving organisations time to adapt but requiring that preparation begin now rather than at the point of compliance deadlines. The EU AI Act similarly introduces a tiered compliance framework being phased in over the period from 2024 to 2027, with different requirements applying to different risk categories on different timelines. For German companies, the direction is clear even where the details are still settling.

I want to be honest about the limits of citing specific legislation in a conversation like this. Regulatory frameworks evolve, and the provisions I mention today may be amended or supplemented, as we are currently seeing with the Digital Omnibus proposal from the European Commission. It is also worth acknowledging that, while the concept of digital sovereignty is widely recognised, it has yet to be defined at the EU level. In particular, the criteria for qualifying digitally sovereign products and services may still evolve. What will not change is the direction of travel.

For German executives, the task is not to predict every regulatory or geopolitical turn, but to ensure their organisation is built to absorb them, through systems that can be migrated if needed, contracts with defined exit terms, and leadership with enough technical literacy to understand what is actually being decided. That is well within reach, and it is the most useful framing of digital sovereignty in the German context today.

Q: Germany’s mid-sized and smaller businesses are the backbone of the economy, yet most lack the resources of the country’s largest corporations. How should they approach this topic?

A: With pragmatism and with a clear sense of priority. Smaller companies often have a genuine structural advantage: they are more agile, their systems are less deeply entangled, and their leadership can make and implement decisions quickly. But they also have limited capacity, which means the sequencing of effort matters as much as the effort itself.

The starting point is a focused assessment, not a sweeping transformation. Identify your two or three most sensitive data categories, such as customer data, production data and proprietary process information. Map where those sit today, which vendors hold them and what your contracts actually say about portability and termination. Based on our firm’s work across more than forty engagements, this exercise typically takes four to six weeks with existing internal resources, and it reliably surfaces areas of genuine exposure.

What companies consistently find is that the risk is concentrated rather than dispersed. Two or three vendor relationships account for the vast majority of the exposure. Targeted action on those three vendors can substantially reduce risk without requiring large capital investment. Options include renegotiating specific contractual clauses where the vendor relationship permits, establishing a secondary supplier relationship, or moving a particular workload to a more favourable contractual environment.

On cost: the cost of a focused assessment of this kind varies with three factors: the number of vendors reviewed, the complexity of existing agreements, and whether architectural changes are required. It is typically conducted with internal resources and supported by external legal review of the relevant contracts. This perspective is drawn from our own engagement experience across mid-sized businesses in Germany, Austria, Switzerland and the Netherlands over recent years. It reflects observed patterns rather than a universal prediction, and organisations with more complex environments should expect costs at the higher end of what is typically encountered, or beyond.

I also want to acknowledge a harder reality that is sometimes glossed over. Not every mid-sized business will find that renegotiation is straightforwardly possible. Some vendor agreements, particularly with the largest global platforms, offer limited room for negotiation on core terms. Where that is the case, the primary value of the assessment lies not in changing the contract but in understanding precisely what you have agreed to, making an informed decision about whether that exposure is acceptable, and taking whatever mitigating steps are available, including architectural ones, with a clear view of their cost and timeline.

Q: For large corporations with complex global operations and supplier networks, what are the real strategic pressure points you see most often?

A: Three things come up consistently, and they interact with each other in ways that make the overall picture more complex than any one of them suggests in isolation.

  1. Concentration risk: Many large corporations have, quite sensibly, standardised on a small number of major technology platforms. The efficiency gains are real and well documented. But concentration creates fragility that is often invisible until it becomes a crisis. In our work with large industrial organisations, boards rarely have a quantified picture of what operational disruption to a single critical platform would actually cost them: the revenue at risk per day of downtime, the affected business units, the realistic recovery timeline. Producing that analysis is uncomfortable. It is also essential, because it transforms the conversation from abstract risk to concrete business impact and allows the board to make genuinely informed investment decisions about resilience. Without that quantification, the default tends to be inaction, because the cost of preparation feels tangible while the cost of disruption remains hypothetical.
  2. Supplier network exposure: The digitisation of supply chains has extended a manufacturer’s operational data footprint far beyond its own systems. Production schedules, quality data, logistics information, and increasingly design and engineering data flow through dozens of external platforms, each with its own security posture, legal jurisdiction, and contractual terms. A breach or operational disruption at a tier-two or tier-three supplier can propagate upstream in ways that were not anticipated when the digital integration was originally designed. Addressing this requires both a technical response, mapping the architecture of those data flows, and a contractual one, ensuring that supplier agreements include appropriate security standards, audit rights and incident notification obligations. It also requires honest acknowledgement that in complex global supply chains full visibility is an aspiration rather than an immediately achievable state. The goal is progressive improvement in visibility and contractual protection, not perfection.
  3. Regulatory complexity: The compliance environment in Europe is becoming more demanding, and the trajectory is clearly toward greater stringency. Companies operating across multiple jurisdictions increasingly need teams that can bridge technology decisions and legal implications, not treat them as separate workstreams managed by separate functions. The organisations that struggle most are those where the technology leadership, the legal and compliance function, and government relations are not in regular, structured conversation about these questions. Bringing those conversations together at board level, with adequate frequency and properly prepared information, is one of the highest-leverage governance changes a large organisation can make. It is also, in our experience, one of the most consistently resisted, because it requires these functions to operate outside their traditional boundaries.

Q: If you could give German business leaders one clear directive for the next twelve months, what would it be?

A: Conduct a sovereignty audit and treat it as a board-level exercise from the outset! I want to address directly why the board specifically, what the process involves, what it realistically costs, and where it most commonly fails. All four questions matter, and all four are often left unanswered. I would also add one parallel discipline: follow closely how the policy markers of digital sovereignty are codified by regulation in the period ahead. An audit that does not track that direction risks being incomplete, or even outdated, within a couple of years.

  • Why the board? The decisions that emerge from a sovereignty audit are strategic, not technical. Renegotiating a major vendor contract, investing in a secondary supplier relationship, or restructuring a critical piece of technology architecture all have material financial and operational implications that require board-level authority and accountability. Technology leadership should drive the analysis. The board should set the mandate, review the findings and own the resulting decisions. Without that board mandate, these programmes consistently stall at the point where they require either significant investment or difficult conversations with major vendors. That is not a technology problem. It is a governance one, and it can only be resolved at the level where strategic resource allocation decisions are made.
  • What does the process involve? The audit has four stages. The first is a data and system inventory, mapping where your most sensitive and operationally critical data sits, which vendors hold it, and under which contractual and jurisdictional terms. The second is a contract review, assessing whether your current agreements provide genuine flexibility, including data portability rights, termination provisions with defined timelines and cost structures, pricing change protections, and audit rights. The third is a scenario analysis, working through, in operational and financial terms, what a disruption to each of your two or three most critical technology relationships would actually mean for the business, expressed in days of downtime, revenue at risk, and recovery cost. The fourth is a prioritised action plan, identifying the specific renegotiations, secondary supplier relationships or architectural adjustments that address the highest-priority vulnerabilities, with realistic timelines, cost estimates, and named ownership.
  • Where does it most commonly fail? In our experience the most frequent reason these programmes stall is not technical complexity or vendor intransigence; it is internal prioritisation. Leadership understands the risk, accepts the analysis and then does not act, because competing investment demands, internal politics or organisational inertia take precedence. The programmes that succeed share two characteristics: a specific board-level owner who is accountable for progress, and a clear connection between the scenario analysis findings and metrics the board already tracks, whether that is business continuity risk, insurance exposure, or regulatory compliance status. Without those two elements, even well-designed programmes tend to lose momentum after the initial assessment phase.

On contingency planning, I want to be more direct than is usual on this topic. For some critical technology dependencies, particularly where a vendor’s platform is deeply embedded in core operations, a fully operational fallback does not exist at acceptable cost or within an acceptable timeframe. That is a real constraint, and it should be named rather than resolved with reassuring language about flexibility. What is always achievable, however, is a graduated response across three levels. The contractual level: ensuring your agreements provide maximum notice periods, clear data extraction rights, and financial protections in the event of unilateral change by the vendor. The architectural level: designing systems, where feasible, to reduce the depth of embedding over time, even where a complete alternative is not viable today. The relational level: maintaining active relationships with alternative providers so that the option to move, even if it cannot be exercised immediately, can be developed when needed. Achieving a clear and honestly assessed position at each of these three levels is within reach of any organisation. It is also, increasingly, what regulators, insurers, and sophisticated counterparties expect to see evidenced, not just asserted.

Working with the world’s leading technology providers remains a genuine and significant advantage. The capabilities they offer are unmatched, and the right response to the current environment is not to retreat from them. It is to engage with them on fully understood, well-negotiated, and regularly reviewed terms, and to maintain the organisational readiness, the contractual protections, and the honest assessment of alternatives that allow you to act decisively when circumstances require it.

——

Dr. Fabrizio Palmas is the Head of Business Development and Business Unit Lead at XIBIX Solutions GmbH