HomeDomainsD6

D6 · Digital sovereignty and geopolitics

Axis II · D6

Digital sovereignty and geopolitics

Thesis. Digital sovereignty is not a patriotic luxury but a condition of deployability. For an AI system in health, finance, defence or operator-of-vital-importance settings, runtime jurisdiction is a functional requirement, on par with latency.

The distinction that cuts

Data localization vs processing jurisdiction. Data hosted in Frankfurt by a provider subject to the CLOUD Act is legally requisitionable from the United States. Geography alone does not protect what jurisdiction exposes.

Typical market error

Reducing sovereignty to hosting (« our servers are in Europe »), while omitting the contract (applicable law, competent jurisdiction), the chain of subcontractors, the nationality of capital, the extraterritorial obligations of the provider, and effective portability in case of rupture. Practical test: can you migrate to another provider in less than 90 days without functional loss?

Failure signals

No mapping of extraterritorial dependencies (CLOUD Act, FISA §702, Chinese data extraction laws 2017/2021). Contracts without explicit jurisdiction clause, or with a clause not opposable to the subcontractor. Foundation models hosted outside EU with no documented fallback path. Confusion between HDS / SecNumCloud / EUCS, where each covers a distinct perimeter and none covers the others.

References

HDS reference framework from ANS; SecNumCloud 3.2 (ANSSI); EUCS certification (ENISA, European scheme in finalization); Regulation (EU) 2022/2554 DORA for finance; Regulation (EU) 2022/2555 NIS2; ITAR for defence; for legal context, US CLOUD Act (2018), FISA §702, China Data Security Law (2021) and PIPL (2021).

Ground of implementation

WINSRV2025X64AI is an on-prem infrastructure (Windows Server 2025 + WSL2, local GPU, open-weight models for sensitive workloads, vLLM, Tailscale as overlay network with no provider dependency) with explicit sovereignty boundary. Clinical and pseudonymized data stays local; non-sensitive data is authorized on SaaS. The instance illustrates a hybrid architecture where the boundary is contractualized, not endured; it does not prove total autonomy is economically viable at all scales.

Articulation

Inseparable from D2, since data sovereignty is null if the infrastructure does not trace it. Inseparable also from D4, which fixes its binding thresholds by sector.