It's not the cloud, it's your provider creating dependency

The sovereignty paradox lying in your drawer for a decade

  • Blog
  • 25/03/26
Ron Martinek

Partner, Microsoft Alliance Lead Netherlands, PwC Netherlands

Ivo van Bennekom

Partner Digital Identity, PwC Netherlands

There's an obsession in the Dutch cloud sovereignty debate. That obsession is called 'hyperscaler'. But the biggest sovereignty gap isn't in the cloud. It's in the outsourcing contract that's been sitting in your drawer for ten years.

In every boardroom, at every conference and in every advisory report, the same question surfaces: how do we maintain control over our data and infrastructure when they run on platforms owned by American tech giants?

It's a legitimate question, but it's not the first question you should be asking. Many organisations worrying about sovereignty risks from AWS, Azure or Google Cloud have an equally significant sovereignty problem much closer to home. A problem that's not new, but that no one openly acknowledges: the outsourcing provider.

Our conviction is clear. The biggest sovereignty gap at many Dutch organisations isn't in the cloud. It sits in the relationship with the provider who manages the infrastructure, data, identities and security controls, all locked into contracts that reflect a threat landscape that no longer exists.

The keys were handed over long ago

Let's be honest about what outsourcing means in practice. Five to ten years ago, a large portion of Dutch businesses transferred the operation of their local IT environments to specialised providers, often foreign. The business case was clear: focus on your core, leave IT operations to a party that can do it more efficiently. In return, the provider gained far-reaching control over the technical environment.

Now look at what was actually transferred back then:

  • Infrastructure. In many cases, the provider has rights over the infrastructure and how it's managed and used.
  • Security controls. Firewall configurations, patch management, incident response, monitoring. The operational line of defence is fully delegated, with SLAs (service level agreements) as the only steering instruments.
  • Identity management. The provider manages who has access to which systems. As an organisation, you have limited visibility into who has access at any given moment.
  • Key management. Encryption keys, certificates, security protocols – the mechanisms that determine who can read, modify or move data. If the provider manages these, the question of where your data is stored becomes secondary. A more relevant question: who can access it?

The test to see if these sovereignty risks apply to your organisation is simple. If you had to switch outsourcing providers tomorrow morning (due to a cyber incident, contractual dispute or strategic pivot), could you? Do you have the technical and operational control to make the transition without months of disruption?

For most organisations, 'no' is the honest answer. At that point, you're no longer talking about outsourcing. You're talking about sovereignty loss.

A sovereignty risk in slow motion

This situation worsens through a dynamic we rarely acknowledge but that occurs structurally. The characteristics of that dynamic:

  • Procurement negotiates to the bone. The focus is on cost reduction. The provider wins on price, not on innovation capacity or agility.
  • The provider has no incentive to innovate. New technology can put SLAs under pressure. Modernisation can jeopardise targets. The rational strategy: deliver exactly what the contract prescribes, nothing more.
  • The threat landscape evolves. The contract doesn't. Ransomware-as-a-service, zero-day exploits that have accelerated to zero-minute exploits, supply chain attacks, identity-based attacks – none of these threats were in the contract you signed ten years ago.
  • Both parties are stuck. The organisation can't move because the contract doesn't allow it. The provider can't move because the contract doesn't reward it. The result: a frozen relationship in a world that becomes more dangerous every month.

We don't see this as market dynamics. We see it as a sovereignty risk in slow motion.

The weakest link isn't the technology, it's the governance model

This isn't theory. In 2025, a retail company was hit by a cyber attack with direct consequences for business operations. The response was as remarkable as it was revealing: the company terminated the outsourcing contract with the provider.

The attack exposed what remained invisible during calm times: the dependency on the outsourcing provider was a structural vulnerability that only became visible when it mattered most. When speed of action, operational control and direct access to systems made the difference between limited damage and operational disruption.

The other cyber attack in the same year tells a comparable story. Dependencies in the supply chain, including outsourcing, create vulnerabilities that only manifest when it's too late. The weakest link isn't the technology. The weakest link is the governance model around it.

The paradox that demands honesty

These examples aren't exceptions. They show what happens when the illusion of control is tested by reality. Dutch organisations are having intensive conversations about digital sovereignty in the cloud context. About data residency, about the Cloud Act, about European alternatives. Those conversations are important and necessary. But these same organisations handed over their local environments to (offshore) outsourcing providers years ago, effectively relinquishing the control they're now trying to protect in the cloud.

Three questions for the boardroom

The consequence is uncomfortable, but clear. Before you address sovereignty in the cloud, you need to answer several questions honestly.

  1. Who actually manages our identities and keys? And what happens if that relationship ends tomorrow?

    Not who signed the contract. Who has operational control? If the answer is 'the provider', and there's no contractual and technical mechanism to quickly take over that control, that's your first sovereignty challenge.
  2. Does our outsourcing contract reflect today's threat landscape, or the one from the year it was signed?

    Ask specifically about agile cyber technology, incident response and recovery procedures for a ransomware attack. About the room to intervene yourself during a zero-day. About the cybersecurity agreements. If the contract is five years old and hasn't been substantively revised since, it's not protecting you. It's locking you in.
  3. What does it cost us, realistically not theoretically, to switch providers tomorrow?

    Time, operational disruption, knowledge loss, legal complexity. This figure determines your vulnerability and your negotiating position. If no one in the organisation knows it, that in itself signals that the dependency is greater than you think.

View outsourcing relationships the same way you view cloud relationships

The way forward isn't to abolish outsourcing. That's neither realistic nor desirable. Outsourcing can deliver value, provided the sovereignty balance is right. The way forward is to view outsourcing relationships through exactly the same sovereignty lens as cloud relationships.

  • Map out who holds which keys per relationship. Not based on the contract, but based on actual technical reality. Identities, encryption, security controls, operational access – what's delegated, what's transferable and what's actually inseparably linked to the provider?
  • Test each contract against the current threat landscape. Does the prevention and incident response model fit today's threats? Do you have contractual room for rapid adaptation? Can you intervene yourself during a crisis, or are you dependent on the provider to take the first step?
  • Make sovereignty a core criterion in procurement. Not as an appendix, but as a selection criterion in contracting, assessment and renewal. The cheapest provider isn't the safest. And the safest isn't necessarily the most expensive, but it is the one you should trust with responsibility.
  • Ask the same questions you ask your hyperscaler. Who manages the infrastructure? Who has operational control? How dependent am I on this single party? If you ask these questions of your hyperscaler but not your outsourcing provider, you have a blind spot larger than the problem you're trying to solve.

The current sovereignty discussion is too narrow

The sovereignty discussion in the Netherlands is currently too narrow. It focuses on the cloud, whilst the dependencies that matter most for many organisations aren't in the cloud at all. They're in outsourcing relationships that have been taken for granted for years.

This is the second part of a blog series on cloud sovereignty. The first part was about 'the collision no one acknowledges': the strategic clash between sovereignty and AI acceleration.

About the authors

Ron Martinek

Partner, Microsoft Alliance Lead Netherlands, PwC Netherlands

Ron Martinek is a partner at PwC Netherlands and leads the Microsoft practice. With more than twenty years of experience in digital transformation, he helps organisations accelerate with cloud, data and AI solutions.
Ivo van Bennekom

Partner Digital Identity, PwC Netherlands

Ivo is one of the identity leaders in Europe from the PwC Identity Center of Excellence, working with over twenty global and European companies. Ivo has over ten years of experience within transport, automotive, manufacturing and consumer technology.