1. Start with governance and policy

 

Digital sovereignty isn't a technology project; it begins with clear choices in governance and policy. By 2026, a substantial number of organizations plan to tighten their internal policies regarding governance and compliance, including to better align with GDPR. NIS2 and the EU AI Act.

Practical steps here are:

• explicitly include digital sovereignty in IT and data strategy, including AI policy

• determine which data are considered critical and under which jurisdiction they ideally fall

• setting up a multidisciplinary working group or data and AI governance board that aligns policy, risks and architecture

For organizations that already work with AI, this directly ties in with previously shared tools to Working with AI in a GDPR-compliant way.

 

2. Make data location and jurisdiction explicit

 

The research shows that organizations primarily store their data in the Netherlands and Europe, but that some also remain dependent on data centers in the United States. At the same time, it's not always entirely clear which legislation applies to data, especially with more complex cloud structures.

Concrete actions are:

• create an up-to-date overview of where data is located, with which supplier and under which jurisdiction

• specify for which types of data the Netherlands or EU jurisdiction is the standard

• include data location and jurisdiction as hard selection criteria in tenders and contracts with cloud and AI providers

European frameworks such as the EU Data Act, which regulates the sharing and use of data and should strengthen the position of European parties.

 

3. Consciously choose private and hybrid as a basis

 

The research shows that private cloud is now the most commonly used form of data storage, followed by hybrid environments. Fully public cloud and fully on-premises are less common. This indicates that organizations are actively seeking a balance between scalability and control.

By 2026 this means:

• consciously deploy hybrid cloud, where generic workloads benefit from scale and flexibility, while critical data and applications remain in a private or sovereign environment

• Reduce single-vendor dependency with a multi-cloud or hybrid strategy, so that adjustments can be made in the event of changing legislation or geopolitics

• collaborate with partners who combine data centers on Dutch or European soil with demonstrable expertise in compliance and sectoral standards, such as the sovereign cloud solutions from Uniserver

Uniserver previously described how sovereign cloud in sectors such as healthcare will reach a tipping point in 2025.

 

4. Integrate AI into sovereignty design

 

The second part of this series revealed that AI is still deployed in a fragmented and ad hoc manner within many organizations, while concerns about security, bias, and control over data usage are significant. At the same time, security and privacy risks are decisive factors for a clear majority in AI decisions.

Key design choices include:

• limiting public generative AI for critical or confidential data

• where possible, opt for private AI solutions that run within your own infrastructure and fall under European jurisdiction

• Link AI projects to existing frameworks for data classification, logging, auditing, and access control, rather than treating AI as a standalone experiment

Anyone who wants to organize this properly can build on previously shared insights about private AI and how to securely integrate AI within a private cloud environment.

 

5. Build a sovereign architecture step by step

 

For most organizations, the path to a fully sovereign IT architecture isn't a major leap, but rather a phased transformation. The research shows that organizations are combining various measures, such as more secure AI use, stricter governance, restricting foreign software, and moving data to private or sovereign cloud environments.

A practical roadmap might consist of:

• inventory: map data location, jurisdiction, vendors, and critical workloads

• segmentation: determine which data and applications are prioritized for movement to a sovereign environment

• migrate: move critical data and systems step by step to a private or sovereign cloud, preferably on Dutch or European soil

• embed: ensure sovereignty in governance, contracts, architectural principles and the AI ​​strategy

• optimize: use the space created for controlled innovation with AI, data platforms and new services

In previous customer cases and sector blogs, Uniserver showed what these steps can look like in practice, for example, for the healthcare sector and municipalities.

 

From insight to implementation

 

The research shows that digital autonomy is now an explicit part of the IT strategy for a large majority. At the same time, its implementation is hampered by complex legislation, vendor dependency, and limited internal expertise. The challenge for the coming years lies in bringing together technology, legal frameworks, and governance into a single, cohesive design.

Organizations that now opt for an architecture in which a sovereign cloud, clear data location choices, and private AI solutions are the norm not only gain more control, but also lay a stable foundation for responsible innovation. This means that digital sovereignty will not be a brake on innovation, but the prerequisite for continued secure, compliant, and future-proof digitalization after 2026.

This concludes this blog series: In February 2026, we will publish a whitepaper with all the research results. Want to stay informed? Subscribe to our newsletter now.