The terms Digital Sovereignty or Souveraineté numérique have recently risen in prominence to describe the international rule of law as it applies to information and communication technologies. At a time when disinformation is proliferating and the rule of law, democracy, and human rights, together with long-standing relationships, are being cast aside, digital sovereignty is scaling in importance as a key defensive measure among many nations. Digital sovereignty protections are now being manifested through new international and domestic law, regulatory mandates, information resources, and enforcement mechanisms.

This article describes the extensive digital sovereignty ecosystem and its evolution over the past 175 years—articulating contemporary use cases and continuing challenges.

Digital Sovereignty Legacy Origins

What goes unappreciated is that digital sovereignty is celebrating its 175^th anniversary. The norm is quite literally the first and most fundamental rule of law for international cyber security, dating back to 1850. It has endured to serve critical roles essential to electronic communication over the years.

Digital sovereignty history began at the first international meeting to enable national network interconnections via a treaty instrument for digital networks at Vienna. Provisions were crafted in an agreement among “high contracting parties” that ensured their sovereignty over the networks and services within their borders. The Vienna agreement established the fundamental sovereignty norms that have emerged, evolved, and expanded over the next 175 years and remain essential today. Every nation signed the treaty instruments as a quid pro quo for enabling its own communication with the rest of the world. Every communication technology, service, and application are included. The norms include:

• Not to cause technical harm nor allow technical harm to occur to the facilities, operations, or communications of another country from any entity under the State’s jurisdiction under all provisioning arrangements;
• Not to cause harmful interference to the radio services and communications of another State
• To take measures to prevent the operation of electrical apparatus or installations of all kinds from causing technical harm to network facilities or communications, or disrupting network operations of another country from any entity under the State’s jurisdiction;
• To take measures to prevent electrical apparatus or installations causing harmful interference to radio services and communications of another country
• To take all possible measures to ensure communications security;
• To exchange information and assist other States when radio cyber security infringements occur.
• The stoppage of any communication transmission that “would appear dangerous to the security of the State, or contrary to the laws of the country, to public order, or to good morals.”

At the 1947 Atlantic City treaty conferences that formed the contemporary basis for all global communication networks and cooperation, an explicit, broad digital sovereignty provision was included at the outset of the basic treaty instrument.

While fully recognizing the sovereign right of each country to regulate its telecommunication, the plenipotentiaries of the Contracting Governments have agreed to conclude the following Convention, with a view to ensuring the effectiveness of telecommunication. International Telecommunication Convention, (Atlantic City, 1947).

Every nation in the world has acceded to the Atlantic City provision that has remained essentially unchanged in the 15 successive re-iterations to date.

At a more generic level, no single treaty explicitly guarantees national sovereignty. However, international instruments like the United Nations Charter (1945) and the Montevideo Convention on the Rights and Duties of States (December 1933) came into existence and considered foundational to the concept. The basic norm is that sovereign states have the right to self-determination and should be respected within their territorial boundaries, allowing them to govern themselves without external interference.

Contemporary Digital Sovereignty History

The transition to an open competitive global economy with the underpinning of the TCP/IP Internet in the 1990s resulted in significant economic and technology disruptions for the next twenty years. It also enabled some nations and transnational companies to leverage the USA government funded architecture and the lack of norms to achieve global dominance in the pursuit of market share, revenue and continuous disruption as a desirable goal. The concepts of sovereignty, the rule of law, international cooperation, and individual rights became deprecated. It was inevitable that a kind of bi-polar global cyber conflict emerged with Europe in the middle.

As a result, concerns over these destructive developments were researched and articulated as need for Digital Sovereignty Policy beginning a decade ago—especially within France’s ESEC Council. Benoît Thieulin’s published Opinion remains one of the best expositions of the Digital Sovereignty concerns, and resulted in the creation of a French ministry function.

The French initiative was subsequently taken up by the European Parliament’s research arm and became a priority. European technical standards bodies moved forward in 2021 with a comprehensive workshop agreement by fifteen parties for public consultations and future ICT standards organisation activities published as CWA17995.

The subsequent rapid emergence of social media platform extremist algorithms, dominant Direct to Device (D2D) LEO satellite systems, and AI implementations that skew societal norms and values through manipulated ingested data have further advanced the need for Digital Sovereignty requirements. Sovereign AI also became a new national imperative. Today, the Project 2025 manifesto and its unprecedented, dramatic disruptions in fundamental societal governance and norms highlight the prescience and urgency of the CWA17995 Agreement on Digital Sovereignty. Although the Agreement speaks to a European need, the societal essentials it embraces are those widely shared worldwide and should gain broad support.

Contemporary Use Case Framework

CWA17995 is an extraordinarily comprehensive aegis asserting shared values and bases for trust described as digital sovereignty. As its introduction notes “Digital Sovereignty may cover many domains and objectives such as cybersecurity, data jurisdiction and enforcement, trustworthiness, protection of fundamental rights and strategic autonomy. Defining and recognising Digital Sovereignty while promoting an open and free market, such as the EU single market, also leads to a need for interoperability as well as technological neutrality.” The CWA annex begins to articulate four initial use cases: tools dependency-standards openness, cloud-based metaverse, robot data integrity and confidentiality, and territorial space data. The framework below attempts to assemble a full array of use cases.

Technical Harm. Technical harm concerns trust and management of the risk of devices, services and processes in telecommunication and critical infrastructure networks. Every sovereign state has a right to institute measures that prevent and mitigate technical harm to infrastructure and services within its jurisdiction, including exterritorial requirements. The EU has instituted sets of definitive enactments with associated specifications and processes to address these needs that prominently include Cyber Resilience (CRA), Network Information Security (NIS2), Critical Infrastructure (CER), Financial Services (DORA), Radio Equipment (RED), Common Criteria (EUCC), and the Artificial Intelligence (AI Act).

Derivative Technical Harm - Trusted Resource Availability.The provisions dealing with harms rely on arrays of technical specifications and constantly evolving information resources that are essential to implementation. Historically—going back to the creation of the first international bureau in 1868 in Switzerland—the needed resources were provided by a stable secretariat that would remain persistently available under the ITU responsibility. Switzerland has long enjoyed the status as a trusted and neutral host to international collaborative activities. In the 1990s, that availability paradigm changed, and nations became increasingly reliant on a very small number of organizations and dominated by one nation state that is now proving increasingly unstable. The EU began addressing this concern with its adoption of its Cybersecurity Act which tasked the EU’s own agency to provide for necessary cybersecurity resources. A renewed focus on the resource availability aspect of digital sovereignty is certain to scale going forward.

Threats to National Security and Public Safety. In addition to the above relatively definitive harms, a significant number of ancillary needs and threats for security, stability, resilience, and recovery of a nation and its processes. These are sometimes denoted as NSEP (National Security/Emergency Preparedness) or Critical Communications. These were captured generically 175 years ago in what was known as Article 19 in the basic treaty for network communications concerning stoppage of communication. Within the EU—as in most nations—the requirements are reflected in multiple provisions and normative requirements that impose related compliance obligations.

In today’s complex ICT ecosystem, implementation of these obligations is complicated by roaming devices and users, by open information networks, services, and applications that are increasingly virtualised at cloud data centres, and by satellite systems communicating directly to end-user devices. A vast new array of diverse national security and public safety threats have arisen. The purposeful architecture of the TCP/IP Internet by the USA to its advantage has exacerbated the challenges. Nations are increasingly at extraterritorial risk or coercion by nations who leverage these shared network capabilities as political threats.

In addition, misinformation and disinformation are societal cyber security malware that can be rapidly amplified and exploited through AI platforms. A requirement for trusted identity (eIDAS) also goes to enhancing electronic identification.

The EU and Member States address these threats through a diverse array of different instruments, regulations, and technical requirements, including bilateral initiatives.

Threats to Human Rights and Societal Values including Privacy. A diverse array of human rights are fundamentally linked to ICT networks and services. The emergence of addictive social media in anticompetitive concentrations—especially any with algorithms designed to enhance disinformation and social strife—have received attention via the Digital Services Act (DSA). The DSA includes a Transparency Database. With the increased promotion of cyberbullying by some nation state actors, the EU individual Member States have taken action and are considering a regional enactment. Information integrity online—especially for undermining democratic elections—is a special focus and begin addressed by the European Shield initiative. Social networking applications, among others, have significantly diminished individual privacy and controls over their information and child safety that are increasingly important. The proliferation of health misinformation such as related to vaccinations is receiving increased attention. The Data Act is especially significant within the context of trusted AI implementations that meet EU human rights values as it helps ensure that ingested data is not skewed toward disinformation or diminished human rights being driven by new political agendas.

Threats to Ecology. Multiple EU instruments focus on threats faced to the ecology either by diminishing electronic junk or enhancing the energy efficiency. Data storage ecodesign has received increased attention.

Threats to Competition. The maintenance of effective competition in public network services has long been regarded as necessary both to an effective economy and the ability to provide alternative sources. It is a basic tenet of European governance. Open technical interfaces and standards are typically used to ensure competition opportunities. The emergence and proliferation of dominant social media platforms has resulted in anticompetitive concentrations that are also being addressed by the Digital Services Act (DSA)

Digital Sovereignty Future

The ongoing Project 2025 blitzkrieg dismantling of established legal norms, human rights, and international cooperation to create a new social order is making Digital Sovereignty rapidly more essential among many countries. Digital Sovereignty is also entwined with the Zero Trust Model for cybersecurity with vendors meeting the demand. It is driving an array of network technical developments and arrangements with some vendors offering related services and consultancies tracking global developments.

It is also noteworthy that the most significant contemporary use of Digital Sovereignty in recent has not been Europe. The USA, China and Russia have used the provisions to dramatically alter global routing of traffic and deployment of equipment in infrastructure.

The CWA17995 Agreement sums up the situation best. “The targeted audience of this document is any party interested in Digital Sovereignty, including, but not limited to, governments, policymakers, standardization organizations, lawyers, consumer associations, worker associations, business associations, organizations, and last but not least also individuals who have a need to better understand this notion and its implication on their self-determination in current and future digital worlds.” Digital Sovereignty rests on a solid 175-year bedrock of public international law.