Sovereign Technology: Implementation Challenges

In an earlier post, we talked about what Sovereign Technology means, and factors that matter: technology, national security, and the economy.

In this post, we’ll explore some of the challenges around implementing sovereign tech capabilities. It's not straightforward and here are some key challenges:

• Understanding and knowing your tech stack is non-trivial. Modern technology is layered, and complex. Most businesses struggle to effectively enumerate the top level of technology they use, let alone understand what lurks underneath.
• There is no “one action” to take. Data sovereignty is not just about where the underlying compute takes place, geographically speaking. 
• Going your own way is very difficult. Technology capability is concentrated in a few countries globally. That technology is pretty good, and people want to use it. Making change happen is likely an evolutionary activity if you want to minimize disruption.

The Modern Tech Stack

The reality is that achieving tech sovereignty isn’t as simple as ticking the “local datacenter” box in your Microsoft 365 settings. Modern digital systems are layered. Cloud services depend on hyperscalers, like Microsoft, Google and Amazon. As an aside, this dependence on hyperscalers is also a concentration risk, when one goes down (and they do), whole segments of government or businesses do too. But I digress.

In the security world, there is a concept of a “Software Bill of Materials” or SBOM. Like what you’d expect on the tag of a new mattress, or on the side of a soup can, software providers are beginning to list out all the dependent or repackaged software included in the product you’ve bought. It sounds easy and simple—but of course, it isn’t. Most of the software you use has dozens, if not hundreds of dependent software packages. Beyond the challenge enumerating the list, each entry carries security, sovereign tech, and supply chain considerations.

Making matters more complex, in the SaaS and Internet application world, software is not only executed but it updates regularly and connects to peer applications, such as an identity management provider when you log into a service, continuously.

At Tidal Point, we’re a Canadian company and have customers that want to retain their data and operations within Canadian law. Fair enough. If you are conscious and purposeful about the technology stack you build, world class capability is just a few clicks away. But even then, there are snags. For example, we leverage a capability provided by a Canadian LLM provider to improve search results (“re-rank”). Even though most of the application stack is either in Canada or using Canadian tech, the actual systems that expose the re-rank features are based outside of Canada for technical reasons. Domestic and sovereign solution all the way through, except some of it is hosted abroad. This begs the question: Is this now a non-sovereign capability?

Technology configuration is always going to be complex and nuanced, so we have to ask – does it matter if it is hosted abroad? The answer is “yeah, probably”.

Why would it matter if your digital applications use foreign suppliers and capacity? There are lots of reasons, and they include:

• Privacy and Security: foreign jurisdictions are likely to have different views, norms and laws around who can look at corporate data, and for what reasons. In the earlier post, we pointed to the admission by Microsoft in France for example, that it could not refuse a lawful US order to access French data, residing in Microsoft’s France datacenters.For those of a certain vintage, probably most reading this, Blackberry famously routed its traffic through Waterloo, Ontario, which was of concern to governments around the world, including the US.Security architecture matters though, and we’ll touch on this later on. For example, if you are  using a system with properly implemented end-to-end encryption, it wouldn’t matter if the server was hosted by your worst enemy (well, at least so far as them reading the data “at rest” is concerned).
• Control of Use: if another nation has absolute control over a specific technology, they can at any time, opt to control its availability (whether in their own country or outside of it). This is not an edge case; it is \ common. For example, restrictions around what countries can use which cryptographic algorithms to secure data remain in place.In an inversion of this scenario, your own government might restrict your ability to use foreign technology in your own country for a host of reasons, security and economic among them. Huawei and telecommunications equipment being a well-known example in many western nations.This is a complex topic, because as we know – governments change, government policies change, and laws around data and control of technology can change too. It is not a “point in time” decision and discussion.
• Economic Development: Innovation breeds economic development. As we’ve discussed, technology works in ecosystems, and you have a better chance of being part of that ecosystem when you have domestic companies already producing technology and being part of the future. More tech companies mean more business, and the need for adjacent services – like marketing, sales, and leadership expertise. More jobs, more tax revenue, and so on. A virtuous job creation cycle if you can swing it.

I think most people would agree the above factors matter quite a bit nationally. This in turn answers the question we posed, “does it matter if technology is hosted abroad?”. It does, and for reasons that span a few dimensions. The follow-on question is what to do about it, because (spoiler alert) the answer is not “just build everything in house”.

Building Capacity, the Right Way

If you can do it all and be it all domestically, this discussion becomes pretty short.  For most countries, it isn’t in the cards. But this doesn’t mean throwing in the towel, it should mean pushing harder and creating conditions that are ripe for new businesses to thrive and innovate. This is job one.

It is also helpful to consider creating national advantage through establishing a confident, stable and trust-enabled business environment. Businesses follow what is dependable, trusted, and meets their other basic needs. Privacy and Security don’t have to be a chore, they can be a competitive advantage, even at a national scale.

Next is to fill in the gaps:

• Ask questions about the value of sovereign technology and be thoughtful about what it means.
• Accept the nuance and complexity of the technological environment.
• Don’t settle for simplistic solutions that equate datacenter location to “sovereign capability”.
• And finally, be realistic about what is critical to domicile, and what just feels critical. 

Finally, where you can’t innovate, where do you partner? Many nations worldwide do align very closely on their values and intent around security and privacy. For example, in Canada we have PIPEDA, which governs a significant portion of organizations in the country regarding data privacy. As a (positive) consequence, under the EU’s General Data Protection Regulation (GDPR), the European Commission has designated Canada (among others) as providing “adequate protection” for personal data — meaning EU organizations can transfer personal data there without needing special safeguards.

A Pragmatic Path Forward

Sovereignty isn’t a checkbox — it’s understanding where your data lives, how it moves, and which jurisdictions it passes through. Even if two organizations in the same country exchange data, it may route internationally before arriving — sometimes to locations governed by laws with very different interpretations of privacy and access.

A realistic path forward blends domestic innovation with strategic partnerships, encouraging foreign providers to operate as locally as possible while creating conditions for homegrown capabilities to thrive. The goal isn’t perfection — it’s clarity, intention, and strengthening national resilience.

Sovereign technology is ultimately about making informed choices in a complex ecosystem and building capacity where it matters most.