The conversation about digital sovereignty has moved from the IT department to the boardroom. What was once a technical dossier has become a strategic and geopolitical necessity. But what does it mean in practice for your organization? And why does it ultimately always come down to one question: who decides who gets in?
Identity & Access Management is not a complete answer to every challenge, but it is the most concrete building block. It is the layer where sovereignty and cyber resilience come together in day-to-day practice.
Digital sovereignty is about independent control over your own digital environment. A useful way to frame it is the principle of "know your stack": understand exactly what your technological foundation consists of, and who controls it. That translates into three interconnected questions:
The three questions map directly onto the classic CIA triad, the foundation of information security. Insufficient grip on your hardware threatens the availability of your systems. Insufficient control over your software increases the risk of compromising the integrity of your processes. And insufficient visibility into who has access to your data undermines the confidentiality of sensitive information.
Within the European Union, digital sovereignty is no longer seen as a compliance checklist, but as a pursuit of self-sufficiency: building ecosystems that guarantee economic independence and national security over the long term.
Many organizations believe they are sufficiently protected as long as their data is stored on servers within the EU. That is a misconception with far-reaching consequences.
Data residency says something about location: the server is in Frankfurt, Dublin or Amsterdam. That is often sufficient for GDPR compliance. But location says nothing about control.
The core of the problem: American technology companies must comply with American law, including the US CLOUD Act. That law requires them to hand over data to US authorities on request, regardless of where that data is physically stored. Jurisdiction does not follow the server. It follows the parent company. A Dutch organization hosting its data with an American hyperscaler does not have exclusive control over that data, even if the server is located on Dutch soil.
True sovereignty means you decide where you run and who gets access, without foreign legislation being able to override that. That requires providers operating under European law.
Digital sovereignty and cyber resilience are often mentioned in the same breath, but they are not the same thing. The distinction matters, because it determines what measures you take and why.
Sovereignty is about control: do you have authority over your own digital environment, or has that control effectively been delegated to a third party? It is a structural property of how you are set up.
Cyber resilience is about continuity: can you keep functioning when your environment comes under pressure, during an attack, an incident, or the loss of a supplier?
The connection is this: cyber resilience is only real when sovereignty is the foundation. An organization that depends on systems or identity management it does not control itself has limited room to maneuver during an incident, regardless of how good its crisis plan looks on paper. Sovereignty is the precondition that makes genuine resilience possible.
Now that the traditional network perimeter has disappeared, digital identity is the only remaining boundary. IAM has transformed from an administrative tool into the foundation of Zero Trust. But to achieve genuine sovereignty and resilience, there are three layers that each play their own role.
Within a sovereign strategy, you decide where the digital identity lives. Resilient organizations choose a model in which the "Source of Truth", such as the HR system, remains under their own management. By using open standards such as SAML, OIDC and SCIM, you avoid vendor lock-in: you can switch between cloud applications without the identities of your employees being locked in with a single provider.
The identity lifecycle follows a digital identity from onboarding (Joiner), through role changes (Mover), to departure (Leaver). Linked to the HR system as the source of truth, this means that access rights are automatically adjusted whenever someone joins, changes role or leaves, without manual intervention or delay.
That has two direct consequences for resilience:
IGA is an essential building block for compliance with security frameworks such as NIS2 and ISO 27001.
Beyond geopolitical concerns, there is the hard legal reality. The Dutch Cybersecurity Act, the national implementation of the European NIS2 directive, requires organizations to ensure the security of their entire supply chain. The failure of a supplier, whether a cloud provider or a software vendor, is treated as the failure of the organization itself. Board members can be held personally accountable. That makes cyber resilience not just an IT priority, but a boardroom issue.
Resilience in the modern era does not require more cloud. It requires more control. Only by placing sovereignty over digital identity, lifecycle and governance under your own management can an organization offer genuine protection against both system failure and state-sponsored espionage.
IAM is no longer just a tool for user management. It is where sovereignty and cyber resilience converge in daily practice: the layer on which your organization is demonstrably in control, and on which you can fall back when it matters.
Platforms like Topicus KeyHub are built on exactly these principles. On-premise or via Dutch hosting, fully within your own jurisdiction. Group-based access management, automated lifecycle and a complete audit trail, without dependency on foreign hyperscalers for the identity function.
Want to know how your organization stands on digital sovereignty and IAM? Get in touch!