Digital Sovereignty: 6 Practical Pathways to Increase Resilience


You’ve likely heard the term “Digital Sovereignty” many times in meetings. But as an engineering lead or executive, you might look at your current setup and ask: Where do I actually start? I hear this often from customers; they aren’t just looking for a buzzword; they are looking for long-term resilience, the freedom to innovate without vendor-dictated roadmaps, and the ability to optimize resources as their business evolves.

I wrote this post to move past the high-level talk and give you specific steps to take. Today, companies want more than just autonomy; they want a foundation that allows them to scale into new markets or integrate emerging technologies like private AI without being held back by proprietary barriers. It is one thing to know you need to be independent; it is another to know which move actually creates that independence.

At SUSE, we don’t promise “100% sovereignty.” No one can. Instead, we provide a foundation built on enterprise-grade Open Source and, crucially, Open Standards. Sovereignty isn’t just about the code; it’s about interoperability. When you build on open standards, using common APIs, schemas and frameworks, you ensure your team’s expertise remains portable.

The goal isn’t to lock you in, but to ensure you choose to work with us because of the value we provide. By hardening open source and applying open standards — a commitment validated by recognitions such as the Digital Public Good (DPG) designation — we help you move from being a passenger in your own IT strategy to being the driver.

In my previous post on the Application Trust Hierarchy, I talked about identifying your “Crown Jewels.” Once you know which infrastructure and applications matter most, you have to decide how to move.

Here are six ways to get your control back, one layer at a time.

 

1. The base: A truly independent Linux

The operating system is the core of your stack. If that foundation is controlled by a vendor subject to shifting extra-territorial regulations or sudden corporate strategy pivots, your entire infrastructure becomes a passenger to their decisions. Digital sovereignty starts with ensuring your OS foundation is predictable, transparent and governed by rules that align with your specific regional requirements.

The Move:

Transition from Red Hat Enterprise Linux (RHEL) to SUSE Linux Enterprise Server (SLES). By moving to an independent, transparent provider, you gain a foundation designed to support local compliance whether you are navigating NIS2 in Europe, strict data privacy laws in APAC, or federal security standards in the US. Rather than relying on “blind trust,” we provide technical proof through a checked software supply chain using SLSA standards and SBOMs (Software Bill of Materials). This provides a foundation with an up to 16-year support period, offering the long-term stability that regulated industries like government and finance demand globally.

Once you make this switch, you get an operating system built for auditability. You can show your auditors exactly where every piece of code came from and, crucially, verify how it was built. While some providers utilize “black box” build systems, SUSE champions reproducible builds. This means you can independently verify that the binary running on your server is a bit-for-bit match to the audited source code.

This isn’t just about where a company is headquartered; it’s about verifiable security. It means you stop worrying about sudden changes in license terms or foreign policy shifts that could disrupt your business. You get the certainty that your base is stable, transparent, and under your control for nearly two decades.

 

2. Infrastructure independence: The VM migration

Many organizations see their ending VMware contracts as more than a renewal; they see it as a chance to modernize their entire workload strategy. This is the moment to move toward a unified infrastructure. Imagine a single platform where you can migrate legacy VMs at your own leisure and deploy new containerized apps from day one, all through a single API. By consolidating your hardware and software ecosystem now, you stop managing vendor complexity and start driving innovation on your own terms.

The Move:

Update black box setups with open source virtualization by moving to SUSE Virtualization.

By transferring virtual machines to an open platform, you remove the “black box.” You can run everything in your own environment, even without an internet connection, without data being sent to external clouds. It gives you more freedom and lets you put your budget elsewhere.

After you migrate, you break the cycle of rising costs and closed-off tech. You own the layer that runs your servers. This means you can keep your data in your own rooms. You decide when to update and how to grow, which puts you back in control of your own data center.

 

3. Taking back the cloud: Choice for your workloads

Hyperscalers offer great scale and speed, making them a good fit for many of your regular applications. But for your Crown Jewels, being tied to one provider’s specific tools can be a risk if your strategy changes. It’s about having the freedom to pick the best home for each workload based on how much control you need: for example, SUSE Linux Enterprise Server, SUSE Virtualization or SUSE Rancher Prime depending on the workload you need to move.

The Move:

Use an open cloud infrastructure platform that works anywhere. Whether it’s in your own data center, a regional cloud, under a local jurisdiction, or a small office, your platform should work and act the same way. By using SUSE in these environments, you keep your workloads, logs and information under your legal control. You aren’t stuck using one provider’s specific way of doing things.

When you transition these workloads to an open foundation, you ensure that your digital assets are governed by your own legal and security policies rather than the proprietary constraints of a specific provider. This move allows you to exercise full jurisdictional control, ensuring that your data residency and operational standards remain consistent, regardless of whose infrastructure the workloads are physically running on. You can run the same applications on a local provider or your own hardware without changing your code. 

 

4. Securing the supply chain: Using validated and curated images

Software developers today use a large number of applications to build their own work. The quickest way for a team to get a new tool is often to pull an image from a public site like Docker Hub or a repository found online. When teams do this, they rarely know the details of what they are downloading. They might pull in code with licenses they aren’t allowed to use or security holes that put the whole company at risk. 

This type of shadow IT creates a big blind spot. Combine that with some potential shadow AI tools they’re using and your cocktail is complete. You are building your business on parts you haven’t checked, creating a risk of failing audits and having a direct impact on your finances. By moving to the SUSE Application Collection, you take back control over these external parts.

The Move:

Stop using unverified public repositories and switch to a curated set of checked images.

We provide over 100 application images that we have tested and checked. These aren’t just simple files. Each one comes with a full history, clear license information, an SBOM and regular security scans. You choose which applications are allowed in your production environment. This makes it much easier to handle your legal, regulatory and security duties because you know exactly what is in every box. This can be achieved for all your engineers by using Rancher Developer Access, a combination of Rancher Desktop and SUSE Application Collection.

By securing your software supply chain with SLSA and SBOMs, you offload the massive complexity of risk mitigation and compliance reporting. This shift is vital as upcoming legislation such as the EU Cyber Resilience Act (CRA) and the AI Act enforces strict auditing requirements and significant fines for both vendors and consumers of software. 

Instead of manual checks slowing you down, you provide your internal product teams with the velocity to innovate at scale, ensuring that even your most advanced AI-driven projects are compliant and audit-ready from day one. 

Your developers still get the apps they need to stay fast, but they no longer bring in risky code or license problems by mistake. You have a central source of truth where every application is checked and ready. This turns a messy habit into a clean process that proves your software is safe. It gives you a clear way to handle audits, showing that your applications meet the rules you set.

 

5. New tech without data leaks: The private AI setup

Every executive wants AI to gain a competitive advantage, but no one wants their data leaked to third parties. Every organization faces the same pressure: the desire to use AI tools and frameworks while being exposed to significant risk and the expectation to follow strict regulations.

The challenge with most AI today is that the “brain” often lives in a foreign cloud, and every time your team asks a question, your data leaves your jurisdiction. This creates a risk of “Shadow AI,” where users connect local tools to unknown models and lose sight of where their intellectual property is going.

The Move:

Run AI with local models on a hardened, sovereign platform. Sovereignty in AI is about providing a safety net for your innovation. We offer the security, hardening and guardrails needed to use AI frameworks with your most sensitive data. We provide the setup to run Large Language Models (LLMs) on your own hardware or within your own network. 

This ensures that your data never leaves your company premises, as it is processed entirely locally. This gives you the insights to see exactly how your data is being treated and the control to stop it from moving outside your legal borders. We focus on providing the engine and the steering wheel, that is, the proxies and libraries that manage your data, rather than forcing you into one specific model.

After setting this up, your data stays yours. You gain the power of AI while knowing your information stays behind your firewall. By using our observability and security tools, you can detect unauthorized AI calls on your network and act before data is exposed. SUSE is positioned to give you the practical guardrails needed to move fast and stay compliant. You own the setup and the data, so you can build internal tools that are private by design and ready for future regulations like the EU AI Act.

 

6. The strong edge: Keeping operations running

For Telcos and utility providers managing critical infrastructure, control means staying online. In this context, sovereignty is a physical concept as much as it is a legal one. Remote sites have to stay operational even if they’re completely severed from the global internet or a vendor’s central management console.

The Move:

Make sure the edge can run on its own. Instead of relying on a constant heartbeat to a proprietary cloud-based controller, deploy a lightweight, purpose-built stack (like SUSE Edge) that is designed for air-gapped or disconnected operations. This move allows you to manage thousands of remote locations as a single fleet while ensuring each location is a self-sufficient island of compute.

In this setup, a branch office or a cell tower doesn’t stop working just because a cable is cut or a foreign service goes down. Our edge tools work in high-security, disconnected spots. Your business stays live regardless of what happens globally.

When your edge is set up this way, your locations become self-sufficient. A loss of connection to the main office doesn’t stop your business. You gain a level of stability that does not depend on global network stability or foreign-owned cloud regions. It means your local operations stay up and running no matter what is happening elsewhere in the world.

 

The missing link: Secure the human element, operational sovereignty through local expertise 

Even with a transparent, open source stack, a hidden risk remains: the “support lifeline.” If your infrastructure depends on technical expertise or a supply chain of engineers located in a different jurisdiction, your resilience is still subject to their local laws and shifting foreign policies. True independence requires that the people who maintain your foundation and the data they access are governed by the same legal framework as your organization.

The Move: 

Implement SUSE Sovereign Premium Support. This pathway addresses the vital human side of the sovereignty framework. It ensures that your support is handled exclusively by support engineers based within the EU. This means that your sensitive operational data never leaves the region and is managed only by local experts who are subject to the same privacy and security mandates as you are. You no longer have to worry about a “remote kill switch” or support being throttled due to extra-territorial policy changes.

By securing the human layer, you improve Operational Sovereignty. You bridge the gap between having sovereign software and running a sovereign business. This move provides the final reassurance that your critical systems remain stable and compliant, supported by a team that shares your local landscape. It is the missing link that ensures your digital sovereignty isn’t just a technical configuration, but a permanent business reality.

 

Moving forward

We are starting this discussion because many of you are looking for a way to turn high-level strategy into real action. The six pathways we have explored show that you can increase your independence without losing the speed you need to stay ahead. It is about moving your key workloads to a base that is proven, checked and headquartered right here in Europe. 

When you stop pulling random images from the web and start owning your virtualization layer, you remove the risks that keep leaders up at night. You gain a setup that is built to last, giving you the power to build new things on your own terms. Let’s take that first step together and ensure the applications that run your business are as independent and secure as they need to be.

Success in this space requires two sides of the same coin: visionary strategy and technical rigor. While analysts like Gartner and IDC consistently recognize SUSE for market leadership and vision, a great vision is only as strong as its underlying technology.

Choosing SUSE means building on the most vetted in the open source market. This status is backed by hard evidence, not just promises. We hold EAL4+ certifications, representing the highest procedural checks for software integrity. Through reproducible builds and a verified supply chain, we ensure the binary in production is exactly what was audited. 

We secure this investment for the long term with support for up to 16 years for some of our products, making sure your essential infrastructure stays stable and fully compliant with emerging regulations like NIS2.

Where does your mission-critical infrastructure reside today? Let’s explore which of these six pathways aligns best with your organization’s 2026 goals.

Talk to us or learn more about SUSE’s digital sovereignty approach.

Andreas Prins SUSE