Dependence on global cloud providers is a reality for financial institutions in the foreseeable future. Full independence is not currently achievable—pursuing it as a strategic objective could become so consuming that it slows decision-making rather than enabling it.
Against the backdrop of geopolitical developments, economic considerations, regulations such as DORA, and increasing cyber threats, digital sovereignty is becoming a strategic governance issue, encapsulated by the principle: dependent by default, sovereign by design.
For banks, insurers, and other financial institutions, cloud dependency was long regarded primarily as an operational reality. As long as services remained available, costs stayed manageable, and innovation was supported, the discussion mainly focused on sourcing, architecture, and procurement.
That approach is no longer adequate. The focus is shifting as critical services, data platforms, security tools, and AI capabilities become concentrated among a small number of providers. The question is no longer whether that dependency exists, but whether it can continue to be effectively managed.
Because cloud, data and AI dependencies grow together, scaling these capabilities concentrates spend on a small number of global providers. That strengthens their revenue, margins and capacity to invest in research and development, and it widens the gap with European alternatives over time. For financial institutions, this means sourcing decisions are no longer only commercial. They shape future switching costs, negotiating power and fallback options.
Digital sovereignty is therefore best understood as a disciplined way to preserve choice. If Europe could divert a percentage of this spending to European parties, this could be enough to reinvigorate the technology sector and attain productivity benefits.
Four factors are driving this agenda.
Even when all four factors are considered, the debate on digital sovereignty often takes an unhelpful direction. Too often, digital sovereignty is presented as an all-or-nothing choice: do we remain on global cloud platforms, or do we move away from them? For most financial institutions, both extremes are unattractive. A wholesale exit would be costly, slow, and potentially constrain innovation. At the same time, it is equally difficult to justify having critical dependencies that are poorly understood, rarely tested, and difficult to control. Rather than viewing digital sovereignty as a single end-state, a more effective approach is to treat it as an ongoing cycle of choices: gaining insight, choosing strategic pathways, stress-testing, and implementing measures.
The first step is gaining insight. For each critical or important business function, identify the providers, services, regions, and operating layers on which it depends, including any underlying providers and open-source tools that are currently out of view. The objective is not merely to create an inventory, but to understand where dependencies create the greatest vulnerabilities. What are the risks of concentration, supply chain dependencies, or lock-in? Which underlying providers are not sufficiently visible? And which components are the most difficult to relocate, restore, or manage when circumstances change?
This insight only becomes truly valuable when it focuses on capabilities rather than individual technologies. Do not focus only on business functions; also consider technical capabilities such as identity and access management, key management, logging, recoverable backups, customer data platforms, digital channels, and AI services. These capabilities are often critical to an institution’s ability to remain in control and resilient. When they come under pressure, service delivery is likely to be affected.
Next, assign each capability a sovereignty score based on two dimensions: autonomy and continuity on the one hand, and protection against unwanted access on the other. In addition, assess the functional applicability of available alternatives.
The second step is selecting a pathway for each business and technical function. In practice, this almost always results in a mix. Some measures (no-regret measures) are sensible in virtually every scenario, such as maintaining continuous visibility of digital dependencies, increasing control over identity and access management and key management, independent logging, and improving the portability of data and selected workloads. For the most sensitive business functions, this should be complemented by a strategic pathway that does not require a complete overhaul of the cloud strategy: either a standby fallback option alongside the current model or—where the functional fit and business case justify it—targeted repositioning towards a more sovereign alternative.
The third step is stress-testing those choices against future scenarios. What if geopolitical tensions decrease and global providers remain attractive? What if European alternatives mature faster than expected? And what if geopolitical escalation makes access to certain services or support models less predictable? Precisely because the future cannot be predicted, the objective is to avoid a sovereignty approach that works only under one set of circumstances.
The approach presented here recognises that cloud dependency is inherent in modern digital business models. However, it also highlights when dependency becomes a strategic weakness: when it is invisible, poorly governed, or unmanageable when circumstances change.
This matters because financial institutions often cannot afford to slow down their digital transformation. Data, data analytics, and artificial intelligence are becoming increasingly central to customer service, operational efficiency, and competitive strength. Innovative players are poised to capture market share from established organisations and are less likely to constrain their cloud usage due to sovereignty concerns.
The more growth the cloud enables, the more important the quality of dependency management becomes. If critical components continue to be concentrated among a small number of external providers, organisations must be clear about where control lies and which options remain available if circumstances change.
Digital sovereignty affects strategy, resilience, compliance, and freedom of choice in the long term. As a board member, you do not need to launch a major sovereignty programme today based on an abstract ideal of complete independence. But you do need to make the topic an ongoing strategic priority rather than a one-off initiative. This means incorporating sovereignty criteria into sourcing, architecture, and investment decisions, prioritising no-regret measures for the most critical functions, and determining where a fallback option should be kept on standby.
For financial institutions, the core question is not whether they are dependent on global technology providers. For the foreseeable future, that is largely unavoidable. The real question is whether they manage those dependencies effectively.
Partner FS Data & Technology, PwC Netherlands
Ad is partner at PwC Netherlands and responsible for data and technology in the financial sector. Drawing on a background in IT audit, he has spent the past twenty years as an external advisor and executive, leading end-to-end technology transformations across the financial sector and beyond, with a particular focus on improving IT delivery and platform development.
Cybersecurity Partner, PwC Netherlands
Mimoent is a partner cybersecurity, resilience & privacy and has extensive experience in setting up and leading cybersecurity and risk management functions in complex, highly regulated environments. She focuses on strategic issues related to digital sovereignty and the risks arising from technological dependencies.