Sovereignty - what about it?
- posts@opensky
- Mar 17
stein@opensky
Everyone is talking about sovereignty these days – and companies as well as countries are implementing or planning “sovereign clouds”, “sovereign AI factories” etc. In Europe (and also elsewhere) this has been amplified after the ongoing global trade wars and all the recent moves by the Trump administration in the USA. Some examples include Telenor, Deutsche Telekom, Orange, Telefónica, TIM, and Vodafone, SKT Telecom, Softbank, the Canadian operators and many more.
Personally, I remember my discussions some years ago around Chinese vendors and “supply chain security” for mobile operators. This issue has moved on since then, but one topic was that “many vendors and Governments might have or require backdoors, but some are better because we are allies”. This might no longer be true – thus the current concern about sovereignty.
The issue is very difficult to handle, especially in smaller countries, since most companies including also local authorities in Europe are heavily dependent on (mostly) American big tech companies. These days everything is stored in the cloud and “cloud native” is a standard term in the telco community providing critical infrastructure. Further: Who does not use Microsoft Office? Who does not use Amazon cloud services? Who does not use Google search? Who does not use Facebook or Instagram? ChatGPT is getting widespread … and the story goes on …
What does sovereignty mean?
A fundamental question to start with, however, is: What does sovereignty mean? GSMA Intelligence has defined sovereignty (with a focus on AI, however) in four layers. The first one is 1) Data sovereignty (where the data is located). Then there is 2) Infrastructure sovereignty (i.e. where the processing takes place). Next is 3) Model sovereignty (i.e. Large Language Models etc) – and finally 4) Control or governance sovereignty.
Also at MWC26 in Barcelona there were several conference sessions on it and I tried to attend one or two of them to get an update on the topic (see e.g. my MWC26 update) and maybe learn some more – but no. Thus, this article. During MWC, the satellite community also referred to “Mobile Satellite Services (MSS) as important for sovereignty”. In my mind this is good but more related to resilience and backup rather than sovereignty as such.
Irrespective of AI, sovereignty relates to data, processing and who is in control of it.
Many reports, articles and publications about digital sovereignty have been written and I am not going to refer to any of these. Below I have put together some personal thoughts on the topic, however.
The importance of being local
Having been a mobile operator (MNO) and engaged with the mobile industry for most of my life, I can recall many concerns over the years around “Over The Top (OTT)” players eating into operators’ business with their apps and centralized servers in California – which offers a lot of benefits with centralized development, governance and bug fixing – but, on the other hand, it may have challenges with data transport and latency. For MNOs, one of their key strategic assets is that they are local, with local market knowledge and under local regulatory frameworks. However, to date they have not been able to capitalize on it (i.e. versus OTTs / hyperscalers).
With 5G in the market (and 6G when it arrives), low latency is a key differentiator and many of the foreseen use cases are for the (industrial) B2B market. This requires data and processing to be close to the end customer, i.e. in the local market and under local regulatory control. This is a great opportunity for local operators, as it gives them a strategic advantage vis-à-vis hyperscalers (provided they are able to make use of it). See also this article from Sebastian Barros. We therefore see MNOs establishing local data centres (on their own or with partners) - and we also see independent and multi-purpose data centres being established across the country (I heard that in my own country Norway there are already more than 80 large data centres running or planned). Worth noting in this area, however, is that not only MNOs but also many of the hyperscalers are doing the same – so, if using data centres by partners or third parties, it is critical for the MNOs to remain in control of their data and their services.
Going beyond MNOs (which are suppliers of critical infrastructure), any enterprise making use of applications for its business needs control of its own data – and security in terms of the applications it uses.
Security and backup
While it is important to have sovereignty of critical data, i.e. typically stored locally within the country, it should be noted that, when Russia started the full-scale invasion of Ukraine in 2022, “over 10 million gigabytes of critical Ukrainian data, including government, university, and bank records, were moved to Amazon's cloud servers in the U.S. to prevent destruction and ensure postwar recovery”. This probably saved Ukraine from an even larger disaster. It is important to have a backup of critical data, whether stored locally or in a process with “friendly neighbours”.
Applications are more difficult to handle. They can be stored and backed up locally, but they do not belong to the enterprise and are, as such, controlled by the application owner (e.g. Microsoft, Facebook, Google etc).
Sovereignty for whom?
In addition to what sovereignty is about, it is also important to distinguish for whom the sovereignty is – and what that means in practical terms.
Being a former mobile operator, it is easy to think about what sovereignty means for them as they are providers of critical infrastructure. They not only have to consider their own operability but also what they can sell to consumers and enterprises (refer e.g. all the references above on Telenor, SK Telecom and other European or Canadian operators). Operators need to consider the resilience of their own networks and services in case of an international fall-out and it is always risk-based – and as we know, the risks these days have increased due to geopolitics.
Enterprises will need to consider the same risks – but their infrastructures are different and, in most cases, dependent on connectivity from their operators. They may have data and computing in-house, but increasingly enterprises are using cloud-based services from international big-tech companies and connectivity from their local operators.
For consumers, it is most likely more about managing their daily lives or having fun, and mostly related to the use of their phone or laptops. Should Facebook, Instagram or TikTok fall out for some reason, however, it could start some form of riot in the country – as consumers might not know what to do and might lose connections with their friends or family.
Governments, with the responsibility to protect consumers and enterprises and to ensure that the country operates, will need to consider all the above and to secure resilience and operability for all. Governments may also have pure political ambitions (refer e.g. my earlier articles on “Digital lead and geopolitics” and “Taking the digital lead”).
For every type of player, however, it is all about risk management. The considerations may, however, be different.
The impact of AI
Artificial Intelligence is on everyone’s lips these days – and it is getting increasingly used in all areas. Consumers use ChatGPT and similar services for fun or for daily work. Students even use it in their studies (or even for cheating at exams). They also use TikTok for the same reason (which also uses AI extensively – refer also my MWC update). The mobile industry is looking at how they can use it for optimizing their networks – and all kinds of companies are looking into how they can use AI for efficiency or for new revenues.
For network operators, AI may have a huge impact on the traffic in their networks. The traffic across networks could increase significantly (increased cost but possibly without revenue effect) - and the traffic will also change compared to earlier (see e.g. my earlier article here). Operators are therefore studying not only “AI for networks” but also “networks for AI”. At the recent Mobile World Congress in Barcelona (refer my summary from MWC), the GSMA and a number of mobile operators also launched their initiative on “telco-grade AI” – since general AI models are not very well suited for telco use.
So, what is AI? AI is a lot of things, but it is generally about collecting huge amounts of data, which must be stored somewhere, in a format that can be analyzed digitally, and then using complex analytic models and processing on this data to produce specific outputs. ChatGPT, for example, uses Large Language Models (LLMs) to respond to general questions as some kind of “dictionary” – and must be trained with huge amounts of general data. For more specific use cases, AI can be used for specialized tasks with specific data – like e.g. for network optimization for a mobile operator, e.g. with “AI agents” and “agentic AI”.
Without getting into more specifics on AI, it is about huge amounts of data that must be stored somewhere – and, if the amount of data is very large and must be stored somewhere centrally, there will be huge amounts of traffic needed to be transported / exchanged in or across networks.
In the telco world, we therefore see new developments or ideas like “AI at the edge”, “AI in the device” etc – meaning that handling of AI is moving closer or even very close to the customer – in the extreme case even without need for connectivity (which requires a lot of local storage and processing in the base station or in the device, and possibly even battery capacity).
The geopolitical aspect
Although sovereignty and resilience have always been sensible topics to keep in mind, in today’s world it is really all about geopolitics. Countries have for years wanted to have a “digital lead” (even my own small country Norway – refer e.g. my earlier articles here and here). On a company level, there is also a rivalry between huge, big tech American and Chinese companies – and the more fragmented European countries and operators – where regulation has been largely used as a measure.
New in the last two years though, for Europe and many other countries, is the growing skepticism around trust in the USA and American companies – and therefore, a need to build more independence in case of crisis. This is of course backfiring for the Trump administration – and they don’t like it. Therefore, they are fighting back (e.g. here: US calls on diplomats to fight data s... - Mobile World Live and here: FCC chair calls on AI regulators to t... - Mobile World Live).
Concluding remarks
All the initiatives across countries and companies on “sovereign cloud”, “sovereign AI” etc that we see today are mostly about location of data and location of processing through establishment of local data centres storing data and processing locally. Some players of critical infrastructure thus refer to it as “data sovereignty”. They also add aspects of security (e.g. with protected physical and logical access at the data centres) and sustainability (e.g. with the use of “green energy” etc).
The more difficult area to secure from a sovereignty perspective is applications – and this is where companies, countries and regions (as e.g. Europe) need diversity in terms of the applications to use.
So, what could be done?
The simplest case is consumers. They may not know what to do – and they will also expect the Government and Service providers (e.g. operators) to handle it for them, i.e. to secure that their services and applications work at any time. What they can do, however, is to secure that they have alternatives to Facebook, Instagram, TikTok etc. This will, however, not be an easy sell and will probably also need a network effect to take off.
Operators, as providers of critical infrastructure, will need to secure that they can still have access to and can work with their critical data in case of loss of an international connection for any reason. Building their own “sovereign” data centres is a good choice – or, if deciding to use local data centres owned or operated by third parties, make sure that they have the right security and governance model so that they control their own (and customers’) data and services. Building resilience within their national networks through routing diversity, including also international connections through satellites or other means, is also critical. Operators are already also making use of their sovereign data centres using agentic AI for optimizing their own operations.
Enterprises will need to make use of sovereign data centres - and also ensure that they have alternatives to applications like MS Office and other critical business support systems. In case not all data is critical, enterprises could also differentiate and select the data and applications required for sovereign cloud. Enterprises may also use the local data centres trying out sovereign AI.
For all companies, based on the Ukrainian experiences, it is important not to put all eggs in one basket – and even if data and processing are handled in a local cloud, it may be useful to have a backup scenario (either on premise or internationally). In the latter case, data privacy and security will also need to be carefully considered.
Governments are handling the topic of sovereignty from a political perspective, considering geopolitical risk and resilience. Western countries have for many years relied on the USA but cannot dare to do that anymore. They will typically put requirements on operators of critical infrastructure plus requirements on regions and municipalities for local data centres and resilience. To drive the country’s AI adoption, Governments should also promote the establishment of local LLMs with local language in the country. They will finally also need to consider the more difficult challenge of fostering tech innovation in their countries (or e.g. among close allies like e.g. Europe). It will be about “geopolitical diversity”, i.e. having fallback from (mostly American) big tech giants. Some examples of this exist but not many.
Sovereignty is something that has been considered in countries for many years. For example, self-sufficiency in terms of food production within a country has been on the agenda for many, many years. What is new in recent years (in Europe but also elsewhere) is that it has become more relevant and higher on the agenda also in the telecoms and tech sectors – and it is all about geopolitics and risk management.
The emergence of AI has further amplified the push for sovereignty – as “everything” is predicted to be controlled by AI within a few years (let us see how that will end up though). An important aspect of AI not so much discussed anymore is trust. As an old guy that wants to understand what is going on, I remember that when I first learnt to use MS Excel some decades ago, I was very impressed with a colleague who used macros within Excel extensively. I never really learnt how to use it myself, but I can say that if I had, I might have trusted it – but if it had been done by someone else, I would probably not. I guess the same would apply to AI. I would be skeptical. More objectively, though, transparency and auditability in AI are very important – as there are clear risks or errors, or hallucinations, discrimination or bias (see e.g. a quite old article on AI from six years ago on “Artificial Intelligence - Friend or foe?”).
As I started off saying, everyone is talking about sovereignty these days. I have tried to put together some thoughts around it – although others may have provided much deeper insights. I hope it is useful. It has been for me.


