Digital sovereignty – The new strategic imperative for banks

June 11, 2026

How European financial institutions can manage technology dependence and build resilience

Digital transformation in banking has reached a new level of maturity. Core banking functions now run on scalable cloud and AI platforms that deliver efficiency gains and enable new business models. But the same platforms also create strategic vulnerabilities: the leading position of US providers in computing power and technological maturity means that European banks are heavily dependent on them. In this article, we examine the strategic risks created by these dependencies and set out practical options for banks to strengthen digital sovereignty – without slowing innovation or pursuing unrealistic technological autarky.

European banks didn't choose digital dependency – but they must choose how to manage it. The window to act is now.

Currently, more than 80 percent of the digital products, services and intellectual property used in the European Union originate from non-European companies. US hyperscalers dominate the cloud market and provide much of the infrastructure on which AI applications run. Even European data hosting via an EU sovereign cloud does not remove all legal and operational exposure: in a crisis or conflict scenario, access could still be restricted. When it comes to AI, the imbalance is even clearer: around 40 major AI models were developed in the United States in 2024, compared with only three in Europe. This is no longer just an innovation gap – it is a dependency in a technology that is becoming central to industrial and banking value creation.

Why banking exposure matters

For European banks and public finance institutions, the risks are concrete. Model availability can be restricted through US sanctions or export controls. Sensitive data and metadata may be exposed to third-country access. Banks face less cost certainty and weaker negotiating leverage. They have limited influence over provider roadmaps. The stakes reach beyond banks’ own balance sheets, too. As providers of payments and credit, banks are multipliers across the economy. If vulnerabilities in banking cascade, the wider European economy is exposed.

At the same time, AI value creation is shifting from publicly available data toward proprietary corporate and institutional knowledge. Internal knowledge is becoming a key differentiator for banks, making it critical to decide which information is made usable for AI and how it is shared with third parties. Many dependencies cannot be eliminated quickly. In the past, they were often accepted for valid innovation and efficiency reasons; now they must be made transparent and actively managed.

The good news? European banks already have a strong starting point. Encryption and cryptographic key control provide a foundation for stronger digital sovereignty. What matters now is turning that foundation into a practical roadmap – from model diversification to more sovereign cloud and data architectures.

Drivers of digital sovereignty

"Digital sovereignty is not autarky – it is the ability to shape dependencies before they shape you."
Dominik Löber
Senior Partner
Frankfurt Office, Central Europe

The regulatory landscape is a key driver of digital sovereignty. With the Digital Operational Resilience Act (DORA) and the EU AI Act, Europe is creating a legal framework that explicitly demands controllability of, and resilience to, external dependencies – especially on US service providers, infrastructure and ecosystems. The EU AI Act is expected to set strict requirements for “high-risk” AI systems, a category that covers virtually all banking AI applications, from credit decisions to fraud detection. Institutions must demonstrate full transparency, robust risk management and technical documentation.

Geopolitical developments are a second key driver. If tensions escalate or sanctions are imposed, for example, access to cloud services, updates, software as a service (SaaS) or AI models could be restricted. In extreme cases, access could be entirely disabled – a scenario often described as a “kill switch”. These risks lie outside the direct control of European institutions and must therefore be treated as strategic resilience requirements in architecture and sourcing decisions.

In parallel, a clear market trend is emerging as financial institutions diversify their technology partnerships and deliberately reduce single-vendor dependencies. Here, three best practices are emerging – often combined by institutions into a hybrid setup that balances innovation speed with sovereignty and resilience:

  • Best practice 1: Use US AI systems with additional controls
    Some institutions are using US providers but implementing additional control mechanisms, such as multi-model setups, sovereign-cloud controls or exit readiness.

  • Best practice 2: Choose European alternatives
    Another strategy for reducing dependence on the United States is to choose European providers for cloud, SaaS and AI models instead, typically starting with selected use cases as a second source or fallback option.

  • Best practice 3: Build your own ecosystem
    Other players are building their own AI ecosystems with stronger data control and minimal reliance on external vendors, for example open-source models and self-managed operations.

A tiered target architecture

Not all data and processes are equally critical, and not every component must be operated in a fully sovereign way immediately. A tiered target architecture focuses sovereignty efforts where risks and regulatory requirements are highest: sensitive and critical workloads are operated in a more sovereign manner, while less critical areas can continue to run on established cloud, SaaS and AI services. This hybrid approach increases sovereignty where it delivers the greatest value, while preserving performance and innovation capability.

Importantly, different institutions will have different ambition levels with regard to sovereignty. Each institution should define its own sovereignty target along dimensions such as data control, operational steering capability, architectural portability and contractual transparency, aligned with its specific business model and risk profile. Full technological decoupling is not a universal requirement – what matters is a controlled, institution-specific management of dependencies.

Four practical actions for banks

The path to greater digital sovereignty involves a strategic and phased approach for diversifying the technology stack. This includes strengthening vendor risk management practices to ensure more rigorous assessment and continuous monitoring of external dependencies. Equally important is the principle of retaining control over truly critical capabilities: highly sensitive operations and strategic data assets should remain in-house wherever feasible, rather than being run on external services or outsourced to third-party providers. This approach combines selective insourcing with enhanced oversight of external partnerships and technological dependencies.

We recommend four practical levers across the technology stack, which banks can combine selectively depending on workload criticality and sovereignty ambition. Each delivers a different sovereignty gain for a different level of effort, balancing the pragmatic use of external solutions with strategic self-reliance in mission-critical areas.

#1 Use European AI models

Tech stack: AI models

Sovereignty gain: Medium

European AI model providers are gaining traction in banking. Early partnerships, such as the cooperation between BNP Paribas and Mistral AI, are already showing practical viability. However, European providers do not yet have the breadth and depth of functionality offered by leading US providers. While the market has a single-digit number of bank-relevant providers today, banks can already start to diversify – not as a replacement but as a deliberate complement and resilience measure.

We advise banks to gradually integrate European AI models as a complement to the existing model stack. A multi-model setup enables use-case-based routing across different models and increases resilience. Start with clearly scoped pilots, which typically run in an assistive mode and therefore do not immediately affect critical business processes if issues arise. Accept the inevitable trade-off between sovereignty and performance when choosing European rather than US providers.

#2 Use open-source AI models

Tech stack: AI models

Sovereignty gain: High

Using open-source AI models can fundamentally reduce vendor lock-in. Open-source provides maximum transparency and control because models can be deployed locally and then adapted.

Banks should start with smaller models for internal productivity use cases or IT/engineering support to build skills and infrastructure, before tackling more complex applications. The main advantage here is strategic independence – meaning no single provider, no licensing dependency and no external steering of innovation. At the same time, open-source requires a high level of operational ownership: operations, security, monitoring, updates and incident handling remain the bank’s responsibility.

#3 Move critical workloads to European providers

Tech stack: Data, cloud and infrastructure

Sovereignty gain: Medium

The phased use of European cloud providers such as OVHcloud, IONOS Cloud, Telekom, StackIT or Hetzner can substantially strengthen data sovereignty. Moving selected data and workloads to European providers means that critical and sensitive data is processed within European legal jurisdictions, reducing exposure to third-country access. However, this transition comes with significant complexity that banks must not underestimate: hybrid and multi-cloud architectures greatly increase the operational and governance requirements.

We recommend a sequential approach. Banks should prioritize the migration of critical data classes to EU-hosted environments, while less sensitive workloads can remain with existing providers initially. This enables a controlled build-up of parallel operating models and the necessary process adaptations without overloading the organization. To support interoperability and reduce future lock-in, institutions should favor open standards and interoperable architectures throughout this process. European providers may come at a higher cost, but they strengthen strategic control over infrastructure and data ownership.

#4 Use hold your own key (HYOK)

Tech stack: Cloud and infrastructure

Sovereignty gain: Medium

Hold your own key (HYOK) is an effective complement when US cloud infrastructure continues to be used. With HYOK, the bank keeps master keys outside the cloud provider’s control, so data access depends on the bank’s own key-management system. This builds on controls that many banks already have in place, including cloud encryption and in-house cryptographic key management. HYOK is therefore less a new concept than an extension of existing data sovereignty practices for the cloud.

Banks should consider using HYOK for highly sensitive data classes or workloads with heightened regulatory exposure, especially where US cloud infrastructure remains in use. HYOK strengthens key ownership and data-access control with comparatively low incremental cost. It does not, however, remove broader reliance on cloud infrastructure or provider roadmaps.

"In AI, proprietary knowledge is where value is created. And also where it can most easily leak out."
Julian Gulden
Partner
Hamburg Office, Central Europe

The value of strategic partnerships

Selecting the right partners is critical. European providers do not yet have the full functional breadth of leading US providers, but the market is evolving rapidly. There are also credible non-European alternatives, including providers from China and India, but replacing one dependency with another is not a sovereignty strategy. Strategic early partnerships can help banks access credible alternatives and shape the emerging European ecosystem.

Banks should focus on partnerships that expand their options across the technology stack. European AI model providers can complement US models, while technology partners can strengthen the data and orchestration layers needed for scalable operations. European cloud providers can also support data storage and processing within European legal jurisdictions, particularly for sensitive workloads.

Beyond direct partnerships, institutions should support initiatives that promote open standards, interoperability and shared best-practice platforms between industry and academia. These structural enablers are ultimately more durable levers for digital sovereignty than individual vendor relationships.

Conclusion

For European banks and public finance institutions, digital sovereignty is not an ideological goal or a call for technological autarky – it is a strategic necessity. It means the ability to make autonomous technology decisions and actively manage unavoidable dependencies on global providers. Dependence on US cloud, SaaS and AI providers creates tangible risks, from model access and data exposure to cost certainty and strategic influence.

The answer is not abrupt decoupling, but phased diversification tailored to each institution’s context and risk profile. European and open-source AI models can broaden choice, while European providers for critical operations and HYOK can strengthen control. None of these approaches is a full replacement for existing solutions, but together they create more strategic room to maneuver as regulatory pressure increases and European alternatives mature.

Yet sovereignty is not just about infrastructure. As AI value creation shifts toward proprietary corporate knowledge, banks must decide which internal knowledge is made usable for AI and how value leakage is prevented. They must also retain control over the layers that define competitive differentiation, especially the business architecture and orchestration logic that connect technology to unique customer processes. This is where digital sovereignty becomes a question not only of resilience, but of long-term strategic autonomy.

Digital sovereignty starts with a clear view of where dependency matters most. Contact one of our financial services experts to discuss which strategic path best fits your institution’s capabilities and risk profile in cloud and AI.
