Sovereign Resilience

Most discussions around digital sovereignty have focused on a relatively simple question: Where is my data stored?

As organisations became more aware of data residency requirements, attention shifted towards understanding which jurisdictions governed their information and whether sensitive data remained within national borders.

Today, however, sovereignty is evolving into something much bigger.

The conversation is no longer just about where data sits. It is increasingly about national resilience, sovereign capability, and maintaining operational control over the critical tech technologies services and data that organisations depend upon.

From Data Sovereignty to Sovereign Capability

Recent discussions across Government, Defence, and CNI sectors have highlighted a growing concern: many of the technologies that power modern organisations are owned, operated, or controlled outside the UK.

While these services often provide innovation, scale, and convenience, they can also create strategic dependencies.

As a result, the focus of digital sovereignty is shifting from data location operational control.

The question organisations should now be asking is not simply:

“Where is my data?”

But rather:

“How will we continue to operate if I can no longer access the data, technology and services my organisation depends upon?”

This represents a significant shift in thinking and recognising that sovereignty extends beyond where data resides. It is about retaining sufficient or operational control to maintain critical functions when technology, suppliers, or geopolitical circumstances change.

Understanding Dependency Risk

Recent public debates have illustrated how quickly concerns around sovereignty can emerge. Whether discussing healthcare data, AI platforms, cloud services, or critical software suppliers, the underlying question remains the same:

“How dependent are we on organisations, technologies, or governments beyond our control?”

In an increasingly uncertain geopolitical environment, resilience planning can no longer focus solely on cyber-attacks, hardware failures, or natural disasters. Organisations must also consider scenarios where access to technology becomes restricted due to political, legal, commercial, or international events.

These risks may seem unlikely, but recent examples have demonstrated how quickly technology providers can alter licensing arrangements, commercial models, service availability, or operational requirements. In many cases, organisations may not fully understand the extent to which their operational capability relies on external providers until that dependency become disruption.

You Cannot Mitigate What You Have Not Identified

Before organisations can address dependency risks, they must first understand them.

Operational control starts with visibility.

This requires visibility across:

• Technology supply chains
• Cloud providers
• Software vendors
• Managed service providers
• AI platforms
• Data hosting environments
• Critical third-party services

For many organisations, dependencies extend far beyond the obvious.

A saas application may appear independent but could rely on infrastructure, operating systems, cloud services, identity platforms, or support functions provided by organisations in other jurisdictions.

Without visibility into these relationships, organisations cannot accurately assess the level of operational control they retain over their critical services.

Understanding these relationships is becoming a fundamental part of resilience planning.

Resilience Beyond Cyber Security

Traditionally, resilience programmes have focused on protecting against cyber threats.

While cyber security remains essential, resilience is broader.

True resilience depends on understanding whether organisations can maintain operational control during periods of disruption.

Organisations should be asking:

• What is our exposure to foreign-owned critical services?
• Which business functions would be impacted if those services became unavailable?
• What alternatives exist?
• How quickly could we transition?
• What level of operational disruption would we face?
• Where do we lack sufficient operational control?

This is not simply an IT challenge. It is a business resilience challenge.

The consequences of losing access to a critical platform may be every bit as disruptive as a cyber incident, even if no attack has occurred.

The Government’s Growing Focus on Resilience

The UK Government’s increasing focus on resilience reflects this changing landscape. The UK’s National Resilience Framework emphasises the need to understand and reduce vulnerabilities across critical systems, supply chains, and infrastructure.

Alongside this, proposed legislation such as the Cyber Security and Resilience Bill is expected to strengthen requirements for organisations operating within critical national infrastructure sectors.

While much of this legislation will focus on specific regulated sectors, the principles behind it are relevant to all organisations.

At their core, these initiatives are designed to improve visibility, reduce dependency risk, and strength and operational control across essential services.

The objective is not simply compliance. It is reducing the impact of disruption before disruption occurs.

Organisations outside regulated sectors may not be legally required to adopt these practices, but the business case for doing so is becoming increasingly compelling.