Today, the drive for “digital” public trust is changing IT priorities. Ever since the European Union issued the General Data Protection Regulation (GDPR) in 2016, a seismic shift has taken place globally toward the need for data sovereignty. Data sovereignty means that data are subject to the laws and regulations of the geographic location where the data are collected and processed.1 Over 100 countries now have data sovereignty laws.2 For example, European businesses can be fined up to 20 million Euros if they do not follow GDPR.2

States and cities are adopting digital sovereignty

Data sovereignty has also moved to states and cities. In the US, the State of California enacted the California Consumer Privacy Act (CCPA) in 2020. And Barcelona in Spain has a well-documented “bottoms-up” data sovereignty initiative. An early adopter of smart city innovation after working with Cisco, Accenture, Schneider Electric, and others, Barcelona was well positioned for this new initiative. They learned that “top-down” data controlled by tech partners often conflicted with community priorities. During an economic downturn, they faced a housing shortage that conflicted with AirBnB’s market entry. In response, a new mayor, Ms. Ada Colau, worked to “democratize” Barcelona’s government with a new data sovereignty initiative.3

Their public conversation about data sovereignty was multi-faceted around three axles:

  • Legal – Does Barcelona own the data or is it only a guardian of the data?
  • Technological – What should the digital architecture look like? Also, what access rights and rules should be attached to data? How should data be managed, secured, and transferred?
  • Organizational – What rights do cities need to have to access and use data for the citizens’ benefit? And when should using data for the common good prevail over individual rights?4

Technology-wise, Barcelona learned data sovereignty intersects with data security, network architecture, and network sovereignty. The technology must also align with local laws.

Cybersecurity, the heart of data sovereignty

Cybersecurity technology is foundational in protecting data and operationalizing policy. It influences network architecture to achieve their desired outcomes. IDC recently interviewed state and city public sector leaders in the US.5 Their findings were significant:

  • Focused on public trust: Leaders’ highest priority outcomes were focused on improving trust in public services and technology, protecting constituent privacy, enabling faster response times to incidents, maintaining uptime of mission critical applications, and reducing the risk of ransomware/malware attacks.
  • Cybersecurity top investments: With budget and leadership support, top investments were directed at network security, cloud security, data encryption, and threat hunting, while complying with regulatory and compliance demands, vulnerability management, and next-generation firewall demands. For example, 65 percent of state agencies are researching SASE/SOAR Cloud Security, and almost half are evaluating Zero Trust Architecture and Security Information and Event Management to strengthen cybersecurity. Similarly, city leaders are also committed to evaluating and/or implementing Zero Trust Architectures, Managed Detection and Response, and Managed Security Services.

Challenges to implementing a digital sovereignty initiative

For many states and cities, developing and implementing digital sovereignty can be a formidable challenge. Municipal and state governments have identified insufficient training and education, capabilities, and technical gaps as impediments, as well as inadequate or outdated technology.

Watch how Cisco Business Critical Services can help you overcome barriers to data sovereignty:

Trusted expertise for your data sovereignty needs

Cisco Business Critical Services can help you overcome barriers to data sovereignty. Our tiered advisory services deliver trusted expertise – powered by our proprietary analytics, insights, and automation—to help you reimagine your future with smart innovation. For example, Cisco experts can help advise your teams on technologies like SASE/SOAR and Zero Trust.

Our globally available entry-level services tier, Essentials – National, was introduced to help public sector customers optimize performance, enhance compliance, and de-risk IT. Our National tier experts have the local qualifications, classifications, and citizenship needed to ensure data sovereignty and compliance. An on-premises air-gapped data collection option offers customers another level of protection. Agencies can also select Specialized Expertise options for staff and skills augmentation. Organizations that have used Business Critical Services were able to break even in four months and achieved a 253 percent ROI in three years.6

To learn more about Cisco Business Critical Services, contact your local account representative or authorized Cisco partner today to get the conversation started.

Sources: 1. Virtru, 2021, 2. In Country, 2021, 3. UCL Institute for Innovation and Public Purpose, 2022, 4. Cities for Digital Rights, 2021, 5. IDC, Government Buyer Intelligence Survey, 2021, 6. IDC Value Study, 2021


Pat Patterson

Leader, CX Solutions Marketing

Cisco Customer Experience (CX)