Why Digital Sovereignty Has Become the New Security Perimeter
Presented by Renaud Larsen, F5 Principal Solution Engineer EMEA, at BE-CEC on June 23, 2026 in Auberge du Pêcheur, Sint-Martens-Latem.
On June 23, 2026, cybersecurity leaders, CISOs, CIOs, legal experts, and technology strategists gathered at Auberge du Pêcheur during the Belgian Cyber Executive Circle (BE-CEC), hosted by Pointury, for an afternoon of high-level discussions on the future of cyber resilience.
Among the most thought-provoking sessions of the day was the presentation by Renaud Larsen, titled “Sovereignty is the New Perimeter.”
Renaud’s message was both urgent and clear: the traditional perimeter-based view of cybersecurity is obsolete. Firewalls, networks, and geographic hosting locations are no longer sufficient to define control. In today’s environment, shaped by AI, cloud computing, cross-border data transfers, and increasingly complex regulation, sovereignty has become the true perimeter of enterprise resilience.
This is not merely a compliance challenge. It is a strategic transformation that touches architecture, governance, risk management, and board accountability.
For decades, security teams operated under a relatively straightforward assumption: protect the network perimeter, and you protect the enterprise.
That assumption no longer holds.
Applications are distributed across public clouds, SaaS platforms, edge environments, APIs, and AI systems. Employees work remotely. Critical data flows constantly across jurisdictions. The enterprise no longer lives inside a single network.
Renaud argued that the perimeter has shifted from infrastructure to jurisdictional control.
The key question is no longer:
“Where is my data stored?”
The real question is:
“Who can legally compel access to my data, my systems, and my cryptographic keys?”
This distinction matters enormously.
The extraterritorial reach of the CLOUD Act means that U.S.-headquartered providers can be compelled to provide access to data, even when that data is physically stored in Europe. Meanwhile, the consequences of Schrems II continue to shape the legality of transatlantic data transfers.
Renaud summarized the new reality with a powerful statement:
The perimeter is no longer at the firewall. It is wherever the data is touched — by whose stack, under whose law, with whose key.
This reframes cybersecurity entirely.
One of the strongest themes in Renaud’s presentation was the convergence of multiple regulatory frameworks.
Organizations often treat NIS2, DORA, GDPR, the EU AI Act and the CRA as separate workstreams. But according to Renaud, this siloed approach creates inefficiency and weakens resilience.
These frameworks are not separate. They all evaluate the same operational reality from different angles.
NIS2 focuses on risk management, incident reporting, and supply-chain security.
DORA introduces deep operational resilience requirements, especially for the financial sector, including ICT third-party risk, recovery testing, and threat-led penetration testing.
GDPR evaluates lawful data processing, security controls, and cross-border transfers.
The EU AI Act adds obligations around model governance, traceability, risk management, and explainability.
The Cyber Resilience Act pushes secure-by-design requirements into digital products.
Renaud’s key insight: all regulators are examining the same data path.
That means companies should stop building five compliance programs.
They need one unified control architecture.
To simplify the complexity, Renaud introduced a powerful formula:
Sovereignty = Country × Vertical × Technology Layer
This framework helps organisations understand sovereignty as the product of three interdependent dimensions.
This dimension asks:
The critical insight is that sovereignty is not about physical location alone.
A European data center does not automatically provide European sovereignty if the control plane, support access, or encryption keys remain under foreign jurisdiction.
Different industries carry different regulatory burdens.
A financial institution must meet DORA obligations.
A healthcare provider may need to satisfy health-data sovereignty mandates.
Critical infrastructure operators face heightened NIS2 scrutiny.
Sector matters.
This is where sovereignty becomes real.
Renaud emphasized that sovereignty is enforced through architecture, not policy documents.
Critical layers include:
The most important observation from the session was this:
Sovereignty is multiplicative, not additive.
If any one factor equals zero, overall sovereignty collapses.
Strong encryption without sovereign key custody? Not sovereign.
EU hosting with foreign-controlled telemetry? Not sovereign.
Perfect policies with weak architecture? Not sovereign.
That message resonated strongly with the BE-CEC audience.
Traditional cybersecurity uses the CIA triad:
Renaud proposed a modern extension:
CIA + R
The fourth component is Recoverability.
This matters because resilience is no longer about preventing incidents alone. It is about proving recoverability under sovereign control.
Data should only be readable with keys held within the trusted jurisdiction.
This creates a crucial distinction between encryption and sovereignty.
Encryption alone is not enough.
If a cloud provider controls the decryption keys, a regulator may not consider the protection sufficient.
As Renaud put it:
The key—not the ciphertext—is the sovereignty boundary.
Systems must ensure that only authorised actors can modify configurations, data, or models.
This requires:
Integrity is especially critical in AI systems, where subtle manipulation can have massive downstream consequences.
Services must remain operational without dependency on foreign infrastructure.
Questions organisations should ask:
These are no longer theoretical concerns.
They are regulatory concerns.
Recovery is now a board-level issue.
DORA in particular emphasises tested recovery, not just documented plans.
Organizations must prove:
Recovery that depends on external jurisdictional dependencies introduces hidden risk.
Renaud translated sovereignty into practical architecture using three control families.
This is the first pillar.
Core elements include:
The message here was practical: encryption must be paired with sovereign key management.
Without key ownership, encryption offers limited sovereignty value.
Renaud also emphasized preparation for post-quantum cryptography.
Why?
Because adversaries may already be harvesting encrypted data for future decryption once quantum capabilities mature.
This creates long-term confidentiality risk.
The second pillar reduces jurisdictional chokepoints.
Renaud highlighted several important mechanisms.
Access decisions should follow identity and context—not just network location.
This aligns with zero-trust principles.
APIs are increasingly the enterprise attack surface.
Shadow APIs, zombie APIs, and undocumented endpoints create significant risk.
Schema enforcement ensures only valid requests reach backend systems.
Organizations need portability across sovereign cloud environments.
Vendor lock-in can become sovereignty lock-in.
Architectures should allow workloads to move without major rewrites.
Logs, traces, and configuration evidence are themselves sensitive assets.
Audit evidence leaving jurisdiction may create compliance exposure.
Telemetry must remain sovereign.
The third pillar focuses on runtime resilience.
Renaud described a four-step recovery chain:
Unified telemetry identifies incidents quickly.
Policies are pushed from sovereign control planes.
Traffic is redirected to healthy regions.
Infrastructure is rebuilt from configuration-as-code repositories.
This operational maturity transforms recovery from a paper exercise into measurable resilience.
One of the most compelling parts of the session focused on AI.
Renaud argued that AI introduces an entirely new perimeter.
His statement was striking:
Every prompt sent to a foreign model is a cross-border data transfer.
That idea reframes enterprise AI adoption.
Every employee prompt could potentially expose:
The risk is not limited to input.
Outputs can leak sensitive information as well.
Renaud highlighted five essential AI controls.
Detect:
Inspect responses for:
Prompts should be routed according to policy.
Not all prompts should reach the same model.
Highly sensitive prompts may need sovereign, in-jurisdiction models.
Every prompt should generate auditable evidence.
This supports AI Act compliance.
Guardrails enforce safe and compliant runtime behavior.
This is where AI governance becomes operational.
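As an added illustration (not code from the presentation or from F5), the sketch below combines three of the controls described above: detection on the prompt, policy-based routing to an in-jurisdiction model, and tamper-evident audit evidence for every prompt. The detector patterns, model names, jurisdiction labels and record fields are all assumptions made for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
# Constructed detectors (assumptions for this sketch, not from the talk).
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
    "secret": re.compile(r"(?i)\b(?:api[_-]?key|password|token)\s*[:=]\s*\S+"),
}
# Hypothetical model endpoints and the jurisdiction each runs under.
ROUTES = {
    "sovereign": {"model": "in-jurisdiction-llm", "jurisdiction": "EU"},
    "external": {"model": "external-llm", "jurisdiction": "non-EU"},
}

def route_prompt(prompt, user):
    """Pick a route from detector hits; return (route, audit record)."""
    findings = sorted(n for n, rx in DETECTORS.items() if rx.search(prompt))
    route = "sovereign" if findings else "external"
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        # Store a digest, not the prompt, so the evidence does not leak it.
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "findings": findings,
        "route": route,
        **ROUTES[route],
    }
    return route, record

def _digest(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []  # list of (record, entry_hash)
    def append(self, record):
        prev = self.entries[-1][1] if self.entries else ""
        self.entries.append((record, _digest(prev, record)))
    def verify(self):
        prev = ""
        for record, entry_hash in self.entries:
            if _digest(prev, record) != entry_hash:
                return False
            prev = entry_hash
        return True
```

In a deployment the log itself would have to be stored under the same jurisdictional control as the data it describes, consistent with the point above that telemetry must remain sovereign.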
The BE-CEC audience clearly recognized the importance of this shift.
Many organizations still treat AI governance as policy and training.
Renaud showed that AI governance must become architecture.
Perhaps the most important message of the session concerned leadership.
Sovereignty is no longer just a technical discussion.
It is now a governance issue.
Under NIS2, management bodies face personal accountability for ICT risk.
That changes the conversation dramatically.
Renaud mapped accountability across leadership roles:
Define risk appetite and investment priorities.
Translate regulation into architectural controls.
Ensure transfer mechanisms satisfy regulatory scrutiny.
Own evidence, recovery, and operational resilience.
This alignment matters.
Previously, these functions often operated independently.
Now they are answering the same question:
Can the organization prove sovereign resilience?
That requires a shared architecture and shared evidence.
Renaud concluded with a pragmatic roadmap.
Priorities include:
Key investments:
Final priorities:
This roadmap gives boards a clear investment framework.
Renaud Larsen’s presentation stood out at BE-CEC because it challenged a deeply rooted assumption in cybersecurity.
Security is no longer primarily about defending a network.
It is about controlling data, AI, evidence, and recovery across jurisdictions.
That is why his final message resonated so strongly.
Don’t argue jurisdiction. Demonstrate the architectural irrelevance of jurisdiction.
This may be the defining cybersecurity principle of the coming decade.
Organizations that continue to treat AI governance, cybersecurity, and compliance as separate initiatives will struggle.
Those that unify them into a sovereignty architecture will gain something far more valuable than compliance.
They will gain resilience.
At BE-CEC 2026, one conclusion became impossible to ignore:
Sovereignty is not a policy you write.
It is a system property you build.
And in 2026, it has become the new perimeter.