Email, Trust, and Control: Why Sovereignty Is Becoming a Structural Requirement

Europe is waking up.

Not with a bang, but with a slow, uncomfortable realization: the digital foundations we rely on are not entirely our own.

Every year, Europe spends over €260 billion on Big Tech. This is not just an economic statistic. It reflects a structural dependency, where control, influence, and operational resilience increasingly sit outside the organizations that rely on these systems. That dependency becomes clearer when considering that an estimated 90% of Western data is stored by US hyperscalers. The scale of this dependency is significant because it leaves European organizations exposed to governance frameworks they did not choose and cannot control.  And even if 10% of that shifted toward European alternatives, the impact would not be incremental. It would redraw the map.

It is this imbalance that is now driving regulatory change within Europe.

With frameworks such as NIS2, the EU AI Act, and the Data Act, Europe is not merely acknowledging the current state of dependency. It is attempting to rebalance it by raising expectations around accountability, control, and operational transparency. It makes digital sovereignty no longer a philosophical discussion. It is becoming a practical requirement.

This raises a fundamental question:

Can organizations ensure trust in systems they do not fully control?

Sovereignty is not where your data sits

There is a persistent myth in the market: that European infrastructure equals European control. It does not. Location and governance are not the same thing. A data center can sit in Amsterdam while its operator answers to frameworks that are headquartered elsewhere.

“We’ve mistaken location for control. Sovereignty is not about where your data sits. If the provider is governed elsewhere, so is your data when it matters.”
— Diana Krieger, Soverin

Jurisdiction follows the provider, not the server rack. Under pressure, such as a regulatory investigation, a geopolitical disruption, or a legal dispute, the question that matters is not where infrastructure sits, but who makes decisions about it and under which law. Hence, framing sovereignty as a location problem produces solutions that look right on paper but leave the underlying dependency intact.

True digital sovereignty requires something deeper: control over the full stack, from infrastructure to mail- flow to policy enforcement. This includes not only the application layer, but also the physical infrastructure and network it runs on, which must be independently owned and governed within the same jurisdiction.

Where trust breaks down: the case of email

Trust in digital systems holds until the moment is tested. Under normal conditions, dependencies remain invisible. Under pressure, they define what’s possible. Email is where this becomes visible in practice.

Most organizations can tell you exactly where their customer data is stored. Far fewer can tell you what happens to an email in the four seconds between send and delivery, which systems touch it, under which jurisdictions, and governed by whom. The truth is that in many organizations, it is still treated as a technical layer, while responsibility for its outcomes sits at the organizational level.

That gap is worth examining because email plays a unique role in digital systems. 

Email is old enough to have accumulated decades of fragmentation. It is central enough that the consequences are real. And it has been overlooked long enough that most organizations have not yet asked who governs their email infrastructure, under which law, and what happens when that matters.

In practice, it is not only a communication tool but also a core component of identity and trust:

• It is used to authenticate users across services
• It carries sensitive and often regulated information
• It acts as a recovery mechanism for compromised accounts

Despite this, the underlying infrastructure is, in most deployments, fragmented by design. Routing is handled here. Filtering there. Storage somewhere else. Domain management by yet another party... Each of those providers operates under distinct technical and legal conditions, shaping how decisions are made and enforced, creating a dependency at each hand-off point. Many of these dependencies, which remain invisible to the organization responsible for the outcome, are, in regulatory terms, exactly the kind of exposure that frameworks like NIS2 were written to address. By placing accountability at the organizational level, they implicitly assume that control over the system exists or can be demonstrated.

But email infrastructure, as it is commonly structured, does not fully support that assumption. Which leads to a more fundamental point: If trust depends on the ability to understand, control, and account for how a system operates, then it cannot be established at the level of individual components alone.

It emerges from how the system as a whole is designed and governed.

From fragmented systems to controlled architecture

In environments where that system spans multiple providers, jurisdictions, and governance models, trust is no longer inherent. It becomes conditional. The instinct, when faced with this kind of fragmentation, is to reach for familiar solutions: distribute the workload, add redundancy, or switch to a provider with infrastructure inside Europe. These are reasonable steps, and organizations are right to take them. But they operate within the same fragmented model.

Redundancy improves availability. It does not change jurisdiction. Running workloads across multiple data centers does not alter the governance framework under which they operate. And infrastructure located in Europe does not guarantee control if the provider itself is governed elsewhere. Large hyperscalers, for example, operate data centers across the continent, yet remain subject to non-European jurisdictions when it matters most.

With that in mind, 61% of CIOs and technology leaders in Western Europe now plan to increase reliance on local cloud providers, with 53% expecting geopolitical factors to limit their use of global providers, according to Gartner. This is a necessary shift. But if it stops at the cloud layer while leaving email infrastructure fragmented, it remains incomplete. So, what changes the equation is not where individual components are placed, but how they are structured and governed as a whole, including the underlying infrastructure and network on which these systems depend.

In response to this, a shift is emerging in how email systems are designed and operated, with independent ownership and governance under a single national jurisdiction. Rather than treating mailflow, domain management, and mailbox services as separate layers, a growing set of privacy-focused and sovereignty-driven platforms is aligning these components within a single operational and governance framework. When those layers operate within a consistent framework, on infrastructure that is independently owned and governed under a single national jurisdiction, system behavior becomes predictable in a way that fragmented setups cannot achieve, not because of where the buildings are, but because of how decisions about them are made.

Providers such as Soverin reflect this model by integrating these layers into a unified platform, operated on infrastructure located and managed within the Netherlands. This approach depends on more than keeping data in-country. It requires alignment between the platform, the hardware it runs on, the data center infrastructure that hosts it, and the network through which it operates.

A key role in this model is played by BIT, a 100% Dutch-owned data center and network provider, which independently develops and operates its own facilities and infrastructure under Dutch jurisdiction. Within that environment, Soverin runs its platform on its own hardware, retaining control over the platform layer as well as the servers themselves.

This partnership ensures that control extends beyond the application layer into the physical and network layers of the stack. Rather than relying on hyperscale infrastructure, Soverin’s platform operates within an environment where governance, operations, and legal jurisdiction are aligned across the full system.

Together, Soverin and BIT operate in line with industry standards and certifications, including ISO 9001 and ISO 27001, embedding governance, security, and environmental controls across both platform and infrastructure by design.

In this model, control is not assumed. It is built into the system itself. This is what closing the sovereignty gap in email actually looks like. Not a different address on the same fragmented stack. A different architecture, with accountability built in from the start, spanning both the platform and the infrastructure it depends on.

And in a regulatory environment that is asking organizations to demonstrate control rather than assume it, these questions are no longer theoretical. They determine who remains in control when it matters.

Diana Krieger is the CEO of Soverin, an Amsterdam-based, privacy-first email platform founded in 2014. Soverin's unified platform integrates mailflow, domain management, and mailbox services on independently governed Dutch infrastructure, in partnership with BIT, a 100% Dutch-owned data center provider.

Els de Jong is BIT’s Marketing & Communication Coordinator. As a skilled writer, she regularly crafts articles on behalf of BIT, delivering valuable insights and engaging content to readers.