20 February 2026
Why digital sovereignty matters, and why most organisations aren't ready
Most EU/UK businesses are more exposed to US surveillance law than they realise. Here's what changed, why it matters, and what you can actually do about it.
Catenary Ltd
831 words · 5 min read
In July 2020, the Court of Justice of the European Union struck down Privacy Shield, the legal framework that thousands of UK and EU businesses were relying on to transfer personal data to the United States. The ruling, known as Schrems II, was based on a simple and uncomfortable finding: US surveillance law gives American intelligence agencies broad access to data held by US companies, regardless of where that data physically sits.
This wasn't a technicality. It was a fundamental incompatibility between European data protection law and US national security law — and it meant that a huge proportion of organisations were, overnight, transferring data in ways that were no longer legal.
Four years on, most organisations still haven't fully reckoned with it.
What the problem actually is
If your organisation uses Google Workspace, Microsoft 365, Slack, Zoom, Salesforce, or dozens of other American cloud services, your data is subject to US law. That's true even if the servers are physically located in Ireland or Germany. The companies operating those services are incorporated in the US, which means they can be compelled by US courts and intelligence agencies to hand over data, in many cases without being able to tell you they've done so.
The UK's post-Brexit data protection framework (UK GDPR) hasn't resolved this. The UK has an adequacy decision with the EU, but the underlying question of US surveillance access remains. Standard Contractual Clauses are technically valid, but they require organisations to perform a transfer impact assessment, which most organisations have never done.
The honest answer is that a lot of data transfers are happening on shaky legal ground, and most organisations are hoping nobody looks too closely.
The second problem: dependency
A separate, but no less important, issue is what happens when things go wrong.
When your organisation relies on a handful of tech companies for everything (email, documents, video calls, customer records, file storage), you've created a single point of failure. Not failure in the technical sense (these services are extremely reliable), but failure in other ways:
- Pricing. Google and Microsoft have been steadily raising prices for Workspace and 365. If you're fully dependent, you don't have much leverage.
- Policy changes. Terms of service change all the time. Features disappear. Products get discontinued. Google has killed over 200 products in the past few years.
- Acquisitions. The tools you depend on can be bought by companies with very different priorities.
- Account suspension. Getting locked out of a cloud account, even temporarily and incorrectly, can be devastating if your whole operation runs through it.
None of these should be reasons to panic. They're reasons to think carefully about how dependent you really want to be.
What digital sovereignty actually means in practice
Digital sovereignty doesn't mean running everything yourself in a basement. For most organisations, it means something more modest:
Know what you've got. What data do you hold? Where does it live? Who has access to it? Most organisations can't answer these questions confidently. A simple data audit is a useful starting point — and often reveals surprises.
Diversify your critical infrastructure. Moving your email off a US cloud provider is a significant undertaking, but it's very much doable and the alternatives are good. Organisations like Nextcloud, Swiss-based Proton or EU-based Fastmail offer practical alternatives with European data residency and no US legal exposure.
Apply the sovereignty lens to new decisions. You don't need to migrate everything immediately. But when you're next choosing a new tool, make "where does this data go?" a standard question.
Have an exit plan. Even if you stay with your current provider, know how you'd get your data out and where you'd take it. This is good practice regardless of sovereignty concerns.
What it costs and what it doesn't
The honest answer is that moving away from Big Tech involves some cost. It takes time, it takes attention and it takes money. Open-source and EU-hosted alternatives are good, but they're not always identical to what you're replacing.
They often cost less than people fear. Self-hosted infrastructure has become significantly more accessible. EU-hosted providers are competitive. And the ongoing costs of Big Tech dependency (rising subscription fees, lack of leverage, compliance exposure) are real costs too, even if they're less visible.
We work with organisations through this transition. We're not ideologues about it — if a US cloud service genuinely makes sense for a particular use case, we'll say so. But we do think most organisations would be better served by understanding their exposure and making conscious choices, rather than just defaulting to whatever's easiest.
If you'd like to talk through what this might look like for your organisation, we're easy to reach.