A contribution by Ismet Koyun, Founder and CEO of KOBIL

Digital sovereignty has become one of the most frequently used buzzwords in European digital policy. Hardly a summit, strategy paper, or political speech passes without reference to it. At the same time, practical implementation remains disappointing. Europe talks a great deal about digital sovereignty, but acts far too little. This must change.

For more than forty years, I have been developing security and identity solutions with a clear commitment to “Made in Europe.” I have seen how digital power is created, how dependencies emerge, and how difficult they are to reverse once they are entrenched. Today, I see Europe at risk of managing digital security and digital sovereignty primarily through administration, rather than shaping them through technology and entrepreneurship. That is precisely why, at KOBIL, we continue to consistently develop European security products for critical digital infrastructures. Not out of nostalgia, but out of industrial policy necessity.

This article explains why Europe suffers from structural misaligned incentives when it comes to digital sovereignty, why many companies hesitate, and why it is now crucial for European companies to pursue their own digital path.

What digital sovereignty really means

In Europe, digital sovereignty is often understood as the ability to make independent decisions, invest, and innovate in the digital space without isolating oneself from global markets. It is about openness combined with the capacity to act. Europe aims to reduce technological dependencies without sacrificing innovation, competitiveness, or international cooperation.

This ambition is correct. However, digital sovereignty does not mean autarky. It does not mean that Europe must build every technology itself. From an industrial perspective, digital sovereignty primarily encompasses four capabilities.

First, it means freedom of choice and bargaining power. Companies and governments must be able to switch providers, use multiple suppliers, and avoid technological lock-in dependencies.

Second, it means controlled risk exposure. Digital systems must be resilient to geopolitical tensions, legal access risks, supply chain disruptions, and security escalations.

Third, it means depth of value creation at strategic points. Europe must retain technological control where security, identity, data sovereignty, critical infrastructures, and system trust are created.

Fourth, it means scalable competitiveness. Digital sovereignty is sustainable only if European products can compete globally. Without international scalability, sovereignty remains a subsidized niche.

Regulation as a framework for technological sovereignty

In Europe, digital sovereignty is increasingly addressed through regulation. With the NIS 2 Directive, the Cyber Resilience Act, the evolution of eIDAS toward the European Digital Identity Wallet (EUDI Wallet), as well as existing frameworks such as the General Data Protection Regulation and sector-specific regulations like DORA for the financial sector, the EU is establishing a binding framework for security, resilience, and trustworthiness of digital systems. These regulations define important minimum standards for risk management, product security, identity verification, reporting obligations, and traceability.

However, regulation does not replace technological capability. Regulation can set guardrails, but it cannot create competitive security architectures. What matters is that European providers understand security and regulatory compliance as integral parts of product architecture, not as downstream obligations.

All KOBIL products comply with applicable European data protection and security requirements as well as regulatory frameworks such as the GDPR, NIS 2, and eIDAS 2.0. Compliance is not achieved through documentation alone, but through verifiable security mechanisms, clear control models, and transparent system architectures. Only when regulation and technological implementation work together does digital sovereignty become operational in practice.

Why companies rationally hesitate on digital sovereignty

Many European companies hesitate on digital sovereignty not due to a lack of courage, but because of economic rationality. In the current market structure, restraint is often the most rational decision.

The central reason is the lack of a short-term business case. Investments in digital security and digital sovereignty are rarely monetized quickly. Security and sovereignty features are considered baseline requirements in many markets. Customers expect them, but are often unwilling to pay higher prices for them. Willingness to pay primarily exists in heavily regulated sectors such as critical infrastructure, public administration, defense, and financial services.

Another key factor is the fragmentation of the European market. Despite the single market, different national procurement rules, certification requirements, and diverging interpretations of cloud, security, and data protection regulations persist in practice. Digitally, Europe effectively functions as a market of 27 individual countries. This structure prevents scale and significantly increases the cost of market entry, development, and sales.

In addition, there is a pronounced compliance overload. When digital sovereignty is defined primarily through audits, reports, and certificates, it is perceived internally as a cost center. It is not seen as part of product and growth strategy, but as a regulatory obligation.

Finally, Europe lacks sufficient growth capital for the late-stage scaling phase. Europe produces many strong technologies, but few global platform companies. International expansion, go-to-market scaling, and the development of digital ecosystems often fail due to lack of capital, market size, and speed.

Where state logic systematically slows digital sovereignty

State logic is indispensable for stability, legal certainty, and fairness. However, when it becomes the dominant mechanism for digital markets, it creates structural disincentives.

A major issue is the focus on inputs rather than measurable outcomes. Programs, consortia, and criteria catalogs often replace clear success metrics such as market share, revenue, international references, and technological adoption.

As a result, innovation processes become bureaucratized. Funding projects produce formal outputs, but rarely market-ready products with a robust product-market fit. In technology fields with rapid learning cycles such as cloud computing, artificial intelligence, and cybersecurity, this slowdown is particularly harmful to innovation.

Moreover, “European” is often understood as a label of origin rather than as a superior performance dimension. Yet verifiable security, transparent system architectures, compliance by design, and interoperability could be genuine competitive advantages for European providers.

Large-scale digital initiatives also often suffer from overloaded governance. When too many interests must be accommodated simultaneously, projects lose clarity and market focus. Market power does not emerge from committees, but from superior products, effective distribution, and long-term investment conditions.

The core problem of digital sovereignty in Europe

The central problem of digital sovereignty in Europe is the lack of sustainable competitive advantages. Politically, digital sovereignty is often described as independence. Companies, however, invest sustainably only when economic benefits arise.

These benefits must scale, improving economics as market size grows. They must create customer loyalty through real value, not through regulatory coercion. And they must be internationally competitive, not limited to national or European funding structures.

If digital sovereignty is organized primarily through bans, restrictions, and obligations, no network effects emerge. Instead, additional barriers are created. Such barriers have never produced global technology leaders.

Where Europe can build digital sovereignty

From an industrial policy perspective, a strategic layering model is crucial. Europe does not need to control every digital application. But it must master the decisive control layers.

These include security and trust layers such as digital identities, cryptography, key management, auditability, zero-trust architectures, and supply chain security.

Equally important are control mechanisms for cloud and compute infrastructures for critical workloads, especially where key sovereignty, policy control, and data access are security-relevant.

In addition, interoperable data spaces are required in core industrial sectors such as automotive, manufacturing, healthcare, and public administration.

Finally, semiconductors and hardware are also essential wherever supply security and intellectual property are strategically relevant.

Why European companies must go their own way

Digital power emerges at digital control points. Those who control cloud, identity, and security architectures define standards, margins, innovation speed, and access to data. Dependency is not a theoretical risk, but a continuous drain of value creation, know-how, and talent.

Geopolitical and legal uncertainty is no longer an exception. Access to digital infrastructure has become a question of power. Sovereign capabilities significantly expand the strategic options of companies and governments.

Digital security is credible only when it is technically verifiable and controllable. Marketing is not enough. Trust is created through transparent architectures, understandable security mechanisms, and verifiable control.

KOBIL as an industrial actor for digital sovereignty

For decades, KOBIL has pursued the goal of implementing digital security and digital sovereignty through technology. The ambition is clear: to secure Europe with European security products. At the core is the development of security-critical platforms that keep identity, data, and digital processes under European control.

With the KOBIL SuperApp, KOBIL follows a platform approach that brings together digital identity, secure communication, data sovereignty, and transactional processes within a sovereign architecture. The SuperApp is designed to function as a trusted digital layer for citizens, companies, and institutions, reducing dependencies on non-European platforms.

At KOBIL, mPower forms the technological foundation for a sovereign digital workplace. The enterprise platform bundles identity, communication, documents, approvals, and applications in a central hub and enables unified, highly secure access for employees, partners, and service providers. Security and compliance are integrated into the architecture from the outset, not added later. This creates control, transparency, and auditability across the entire digital lifecycle and fundamentally differentiates mPower from fragmented point solutions.

AppShield addresses the security of mobile applications at KOBIL as an integral component of digital sovereignty. The security-as-a-service solution protects existing mobile apps without code changes or integration effort, directly at the binary level. AppShield combines dynamic runtime analysis, AI-based threat detection, and real-time protection against tampering, reverse engineering, and attacks on compromised devices. Security is implemented quickly, verifiably, and at scale, enabling companies to provide mobile applications in a compliant and trustworthy manner.

KOBIL does not view these products as isolated solutions, but as contributions to a European digital ecosystem in which security, trust, and scalability are designed together. Digital sovereignty emerges where technological control is combined with market-ready platforms.

Conclusion

Europe will achieve digital sovereignty through competitive digital security products that enable real control, “made in Europe.” Digital sovereignty emerges where security, trust, identity, and data sovereignty are technologically mastered while global scalability remains possible.

The central mistake of many state-driven approaches lies in treating digital sovereignty as an administrative project. Companies invest long term only when sovereignty becomes an economic advantage. Europe needs fewer rulebooks and more market-ready solutions. Less administration and more entrepreneurial execution.

Digital sovereignty determines economic power, technological independence, and societal stability. It is not created by speeches, but by products.

Key Facts from an Industrial Perspective

The following points summarize the core industrial policy insights of this article: