Why Digital Sovereignty Has Become the New Security Perimeter

Presented by Renaud Larsen, F5 Principal Solution Engineer EMEA, at BE-CEC on June 23, 2026 at Auberge du Pêcheur, Sint-Martens-Latem.

On June 23, 2026, cybersecurity leaders, CISOs, CIOs, legal experts, and technology strategists gathered at Auberge du Pêcheur during the Belgian Cyber Executive Circle (BE-CEC), hosted by Pointury, for an afternoon of high-level discussions on the future of cyber resilience.

Among the most thought-provoking sessions of the day was the presentation by Renaud Larsen, titled “Sovereignty is the New Perimeter.”

Renaud’s message was both urgent and clear: the traditional perimeter-based view of cybersecurity is obsolete. Firewalls, networks, and geographic hosting locations are no longer sufficient to define control. In today’s environment, shaped by AI, cloud computing, cross-border data transfers, and increasingly complex regulation, sovereignty has become the true perimeter of enterprise resilience.

This is not merely a compliance challenge. It is a strategic transformation that touches architecture, governance, risk management, and board accountability.

The old perimeter has collapsed

For decades, security teams operated under a relatively straightforward assumption: protect the network perimeter, and you protect the enterprise.

That assumption no longer holds.

Applications are distributed across public clouds, SaaS platforms, edge environments, APIs, and AI systems. Employees work remotely. Critical data flows constantly across jurisdictions. The enterprise no longer lives inside a single network.

Renaud argued that the perimeter has shifted from infrastructure to jurisdictional control.

The key question is no longer:

“Where is my data stored?”

The real question is:

“Who can legally compel access to my data, my systems, and my cryptographic keys?”

This distinction matters enormously.

The extraterritorial reach of the CLOUD Act means that U.S.-headquartered providers can be compelled to provide access to data, even when that data is physically stored in Europe. Meanwhile, the consequences of Schrems II continue to shape the legality of transatlantic data transfers.

Renaud summarized the new reality with a powerful statement:

The perimeter is no longer at the firewall. It is wherever the data is touched — by whose stack, under whose law, with whose key.

This reframes cybersecurity entirely.

Regulatory convergence is accelerating

One of the strongest themes in Renaud’s presentation was the convergence of multiple regulatory frameworks.

Organizations often treat NIS2, DORA, GDPR, EU AI Act and CRA as separate workstreams. But according to Renaud, this siloed approach creates inefficiency and weakens resilience.

These frameworks are not separate. They all evaluate the same operational reality from different angles.

NIS2 focuses on risk management, incident reporting, and supply-chain security.

DORA introduces deep operational resilience requirements, especially for the financial sector, including ICT third-party risk, recovery testing, and threat-led penetration testing.

GDPR evaluates lawful data processing, security controls, and cross-border transfers.

The EU AI Act adds obligations around model governance, traceability, risk management, and explainability.

The Cyber Resilience Act pushes secure-by-design requirements into digital products.

Renaud’s key insight: all regulators are examining the same data path.

That means companies should stop building five compliance programs.

They need one unified control architecture.

Sovereignty as an equation

To simplify the complexity, Renaud introduced a powerful formula:

Sovereignty = Country × Vertical × Technology Layer

This framework helps organisations understand sovereignty as the product of three interdependent dimensions.

1. Country: Jurisdictional reach

This dimension asks:

  • Which laws apply?
  • Which regulators have authority?
  • Which intelligence services can compel access?

The critical insight is that sovereignty is not about physical location alone.

A European data center does not automatically provide European sovereignty if the control plane, support access, or encryption keys remain under foreign jurisdiction.

2. Vertical: Sector obligations

Different industries carry different regulatory burdens.

A financial institution must meet DORA obligations.

A healthcare provider may need to satisfy health-data sovereignty mandates.

Critical infrastructure operators face heightened NIS2 scrutiny.

Sector matters.

3. Technology layer: Where control is enforced

This is where sovereignty becomes real.

Renaud emphasized that sovereignty is enforced through architecture, not policy documents.

Critical layers include:

  • Control plane
  • Key management
  • AI model execution
  • Data plane
  • Telemetry
  • Logging
  • Recovery infrastructure

The most important observation from the session was this:

Sovereignty is multiplicative, not additive.

If any one factor equals zero, overall sovereignty collapses.

Strong encryption without sovereign key custody? Not sovereign.

EU hosting with foreign-controlled telemetry? Not sovereign.

Perfect policies with weak architecture? Not sovereign.

That message resonated strongly with the BE-CEC audience.

Sovereign resilience: CIA + R

Traditional cybersecurity uses the CIA triad:

  • Confidentiality
  • Integrity
  • Availability

Renaud proposed a modern extension:

CIA + R

The fourth component is Recoverability.

This matters because resilience is no longer about preventing incidents alone. It is about proving recoverability under sovereign control.

Sovereign Confidentiality

Data should only be readable with keys held within the trusted jurisdiction.

This creates a crucial distinction between encryption and sovereignty.

Encryption alone is not enough.

If a cloud provider controls the decryption keys, a regulator may not consider the protection sufficient.

As Renaud put it:
The key—not the ciphertext—is the sovereignty boundary.

Sovereign Integrity

Systems must ensure that only authorised actors can modify configurations, data, or models.

This requires:

  • Identity verification
  • Schema validation
  • Signed configuration states
  • Policy enforcement

Integrity is especially critical in AI systems, where subtle manipulation can have massive downstream consequences.

Sovereign Availability

Services must remain operational without dependency on foreign infrastructure.

Questions organisations should ask:

  • Can applications survive a control plane outage?
  • Can DNS fail over within sovereign infrastructure?
  • Is recovery dependent on a foreign cloud region?

These are no longer theoretical concerns.

They are regulatory concerns.

Sovereign Recoverability

Recovery is now a board-level issue.

DORA in particular emphasises tested recovery, not just documented plans.

Organizations must prove:

  • Recovery time objectives (RTO)
  • Recovery point objectives (RPO)
  • Backup integrity
  • Failover capabilities
  • Incident response maturity

Recovery that depends on external jurisdictional dependencies introduces hidden risk.

Three architectural primitives of sovereignty

Renaud translated sovereignty into practical architecture using three control families.

1. Cryptographic controls

This is the first pillar.

Core elements include:

  • TLS 1.3
  • Mutual TLS
  • Hardware Security Modules (HSMs)
  • Bring Your Own Key (BYOK)
  • Customer-held key custody
  • Post-quantum cryptography readiness

The message here was practical: encryption must be paired with sovereign key management.

Without key ownership, encryption offers limited sovereignty value.

Renaud also emphasized preparation for post-quantum cryptography.

Why?

Because adversaries may already be harvesting encrypted data for future decryption once quantum capabilities mature.

This creates long-term confidentiality risk.

2. Federated controls

The second pillar reduces jurisdictional chokepoints.

Renaud highlighted several important mechanisms.

Federated identity

Access decisions should follow identity and context—not just network location.

This aligns with zero-trust principles.

API governance

APIs are increasingly the enterprise attack surface.

Shadow APIs, zombie APIs, and undocumented endpoints create significant risk.

Schema enforcement ensures only valid requests reach backend systems.

Multi-cloud portability

Organizations need portability across sovereign cloud environments.

Vendor lock-in can become sovereignty lock-in.

Architectures should allow workloads to move without major rewrites.

Sovereign telemetry

Logs, traces, and configuration evidence are themselves sensitive assets.

Audit evidence leaving jurisdiction may create compliance exposure.

Telemetry must remain sovereign.

3. Operational controls

The third pillar focuses on runtime resilience.

Renaud described a four-step recovery chain:

Detect

Unified telemetry identifies incidents quickly.

Isolate

Policies are pushed from sovereign control planes.

Re-route

Traffic is redirected to healthy regions.

Restore

Infrastructure is rebuilt from configuration-as-code repositories.

This operational maturity transforms recovery from a paper exercise into measurable resilience.

AI changes everything

One of the most compelling parts of the session focused on AI.

Renaud argued that AI introduces an entirely new perimeter.

His statement was striking:

Every prompt sent to a foreign model is a cross-border data transfer.

That idea reframes enterprise AI adoption.

Every employee prompt could potentially expose:

  • Personal data
  • Trade secrets
  • Source code
  • Credentials
  • Sensitive customer information
  • Intellectual property

The risk is not limited to input.

Outputs can leak sensitive information as well.

Renaud highlighted five essential AI controls.

Input filtering

Detect:

  • Prompt injection
  • Jailbreak attempts
  • PII leakage
  • Sensitive requests

Output filtering

Inspect responses for:

  • Credentials
  • PII
  • Confidential IP
  • Toxic outputs

Model routing

  • Prompts should be routed according to policy.

  • Not all prompts should reach the same model.

  • Highly sensitive prompts may need sovereign, in-jurisdiction models.

Prompt observability

  • Every prompt should generate auditable evidence.

  • This supports AI Act compliance.

AI guardrails

Guardrails enforce safe and compliant runtime behavior.

This is where AI governance becomes operational.

The BE-CEC audience clearly recognized the importance of this shift.

Many organizations still treat AI governance as policy and training.

Renaud showed that AI governance must become architecture.
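One way the input-filtering, model-routing and prompt-observability controls described above could sit in a single gateway, shown as an added example that is not taken from the presentation or from any F5 product. The detector patterns, endpoint URLs, sample prompts and audit-record fields are all assumptions made for illustration.

```python
import hashlib, json, re
from datetime import datetime, timezone

DETECTORS = {  # constructed patterns for illustration, not a complete DLP ruleset
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
    "secret": re.compile(r"(?i)\b(?:api[_-]?key|password|secret|token)\b\s*[:=]\s*\S+"),
}
BLOCKING = {"secret"}  # credentials are never forwarded to any model
# Hypothetical endpoints: an in-jurisdiction model and an external one.
ROUTES = {"sovereign": "https://llm.eu.example", "external": "https://llm.vendor.example"}
SAMPLES = ["Summarise the CRA secure-by-design requirements",  # constructed prompts
           "Draft a reply to jan.peeters@example.be about IBAN BE68 5390 0754 7034",
           "Why does this call fail? api_key = sk-test-123"]

def classify(prompt):
    """Input filtering: names of the detectors that match the prompt."""
    return sorted(n for n, rx in DETECTORS.items() if rx.search(prompt))

def route(findings):
    """Model routing: block credentials, keep personal data in-jurisdiction."""
    if BLOCKING & set(findings):
        return "block", None
    return "allow", "sovereign" if findings else "external"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def handle(user, prompt, log):
    """Decide, then log a prompt digest (not its text) chained to the previous entry."""
    findings = classify(prompt)
    decision, target = route(findings)
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
             "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
             "findings": findings, "decision": decision, "target": target,
             "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return decision, ROUTES.get(target)

def verify_chain(log):
    """Prompt observability: recompute every hash and link in the audit log."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Calling `handle(user, prompt, log)` for each entry in `SAMPLES` with a shared list as `log` returns the routing decision per prompt; `verify_chain(log)` then shows whether the stored evidence has been altered since it was written.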

Board accountability has arrived

Perhaps the most important message of the session concerned leadership.

Sovereignty is no longer just a technical discussion.

It is now a governance issue.

Under NIS2, management bodies face personal accountability for ICT risk.

That changes the conversation dramatically.

Renaud mapped accountability across leadership roles:

Board / Non-Executive Directors

Define risk appetite and investment priorities.

CISO

Translate regulation into architectural controls.

DPO / Legal

Ensure transfer mechanisms satisfy regulatory scrutiny.

CIO / Operations

Own evidence, recovery, and operational resilience.

This alignment matters.

Previously, these functions often operated independently.

Now they are answering the same question:

Can the organization prove sovereign resilience?

That requires a shared architecture and shared evidence.

Investment priorities for 2026–2027

Renaud concluded with a pragmatic roadmap.

H2 2026 — Establish the boundary

Priorities include:

  • Sovereign key custody
  • HSM deployment
  • SIEM consolidation
  • Telemetry localisation
  • Control matrix publication

H1 2027 — Close AI and API gaps

Key investments:

  • AI guardrails
  • API schema enforcement
  • AI evidence pipelines
  • LLM governance

H2 2027 — Prove and scale

Final priorities:

  • DORA-ready recovery testing
  • Post-quantum cryptography rollout
  • CRA secure-by-default implementation
  • Software Bill of Materials (SBOM) maturity

This roadmap gives boards a clear investment framework.

Final reflection: sovereignty is no longer optional

Renaud Larsen’s presentation stood out at BE-CEC because it challenged a deeply rooted assumption in cybersecurity.

Security is no longer primarily about defending a network.

It is about controlling data, AI, evidence, and recovery across jurisdictions.

That is why his final message resonated so strongly.

Don’t argue jurisdiction. Demonstrate the architectural irrelevance of jurisdiction.

This may be the defining cybersecurity principle of the coming decade.

Organizations that continue to treat AI governance, cybersecurity, and compliance as separate initiatives will struggle.

Those that unify them into a sovereignty architecture will gain something far more valuable than compliance.

They will gain resilience.

At BE-CEC 2026, one conclusion became impossible to ignore:

Sovereignty is not a policy you write.
It is a system property you build.
And in 2026, it has become the new perimeter.

 
