Digital sovereignty starts with procurement: Interview with Prof. Dr. Dennis-Kenji Kipker

Digital sovereignty is no longer just a policy debate, but a question of real-world decisions.

To explore what that means in practice, we spoke with Professor Dennis-Kenji Kipker ahead of the Nextcloud Summit 2026 in Munich, Germany, on June 9.

Working at the intersection of law and technology, he advises governments and institutions on cybersecurity, global regulation, and digital resilience, from Europe to the U.S. and China.

Discover why he thinks sovereignty starts with procurement, where Europe still falls short, and what it will take to turn ambition into reality.

1. How do you define digital sovereignty, and how do you apply it in your daily life? 

Digital sovereignty is, first and foremost, a procurement question, not a definitional one. No amount of conceptual debate makes us more digitally sovereign in practice.

Both consumers and organizations need to understand that political declarations alone do not produce sovereignty. Every single procurement decision is a vote for or against greater digital independence.

Digital sovereignty is not something that can be distributed by decree across a country like water from a watering can in the form of political decisions. It materializes through concrete choices.

That is precisely why I believe the state has a co-responsibility to make digitally sovereign solutions accessible to everyone, not just to large institutions with dedicated IT departments.

In my own life, I try to use sovereign tools and solutions wherever it is feasible. And frankly, in the personal sphere, that turns out to be considerably easier than most people initially assume.

Every procurement decision is a vote for or against digital independence.

Prof. Dr. Dennis-Kenji Kipker

Speaker at the Nextcloud Summit 2026

2. Your work sits at the intersection of law and technology. Those two fields often operate very differently. Especially in areas like cybersecurity and AI, that gap can be challenging. How do you bring them together?

Law and technology may operate on different timescales and speak different languages, but they are ultimately both systems for governing behavior and managing risk, which makes their intersection unavoidable rather than optional.

In cybersecurity and AI, the connection becomes particularly visible when we ask who bears responsibility when systems fail, who sets the standards by which « secure » or « trustworthy » is defined, and who has the authority to enforce those standards.

Technology creates facts on the ground. Law defines what those facts mean and what consequences follow. The challenge is not that the two fields are incompatible.

Technology creates facts on the ground. Law defines what those facts mean.

Prof. Dr. Dennis-Kenji Kipker

Speaker at the Nextcloud Summit 2026

It is that law has traditionally been reactive, codifying norms after society has already absorbed the impact of a technology, whereas effective cybersecurity and AI governance demands a more anticipatory approach.

Bridging the two requires legal scholars who are technically literate enough to understand what they are regulating, and technologists who appreciate that design choices are never value-neutral but are always already embedded in a normative framework.

3. And how do you see the role of the government in leveling the playing field for the digital market in Europe?

The government has several distinct levers here, and the key is using all of them coherently rather than in isolation. Competition law must be enforced with genuine ambition; breaking up or constraining the market power of digital monopolies is a precondition for any meaningful level playing field.

At the same time, targeted support for European start-ups and scale-ups is essential, because a healthy competitive ecosystem cannot emerge if promising companies are either acquired by incumbents before they mature or simply leave for more favorable jurisdictions.

Perhaps most underappreciated, however, is the role of public procurement: governments are among the largest buyers of digital products and services in Europe, and systematically making alternative, sovereign solutions accessible through procurement frameworks would both create demand and send a clear market signal.

These three approaches, competition enforcement, innovation support, and procurement reform, need to work in concert if Europe is to move from a position of digital dependence to one of genuine strategic agency.

4. As an advisor to the German Federal Government and the European Commission, what main challenge(s) do you see remaining in the EU to achieve digital sovereignty?

The most persistent challenge is the gap between regulatory ambition and operational reality. The EU has produced genuinely significant legislation. This includes the GDPR, the NIS2 Directive, the AI Act, and the Cyber Resilience Act. But the effectiveness of that legislative architecture depends on consistent, well-resourced enforcement across 27 member states with very different administrative capacities and political appetites.

A regulation that is enforced vigorously in one member state but largely ignored in another does not create a level playing field; it creates regulatory arbitrage. Beyond enforcement, there is also the structural challenge that European digital infrastructure remains deeply dependent on a small number of non-European providers for cloud, semiconductors, and foundational AI models.

Changing that dependency requires not only investment but a willingness to accept a degree of short-term friction. Think of slower procurement, higher initial costs, and more complex vendor management. But in exchange, you get long-term strategic resilience. Communicating that trade-off honestly to policymakers and the public remains genuinely difficult.

The real challenge is the gap between regulatory ambition and operational reality.

Prof. Dr. Dennis-Kenji Kipker

Speaker at the Nextcloud Summit 2026

5. The CII also focuses on supporting young people and promising cyber start-ups. What advice would you give to them with regard to digital sovereignty?

My core advice is to treat digital sovereignty not as a compliance burden or a marketing label, but as a genuine design principle from day one.

For young founders and developers, the decisions made in the earliest stages of a product — which cloud provider to use, which data model to adopt, which jurisdictions to build for — have compounding consequences that become very costly to reverse later.

Building with sovereignty in mind from the start is dramatically easier than retrofitting it after growth has locked you into dependencies. Beyond the technical dimension, I would encourage young people in this space to engage seriously with the policy and regulatory environment rather than treating it as an external constraint.

The rules being written right now on AI, cybersecurity, or data markets will shape the competitive landscape for the next decade, and those who understand them deeply will have a significant advantage over those who merely react to them.

Sovereignty, in the end, is also about knowing the rules of the field you are playing on.

6. What do you expect from the Nextcloud Summit?

I come to the Nextcloud Summit with a specific interest in where the community stands on translating the concept of digital sovereignty from a principled commitment into scalable, enterprise-ready practice.

The Nextcloud Summit is one credible proof point to show that open, sovereign infrastructure can compete on functionality, but the gap between what is technically possible and what actually gets deployed in governments, hospitals, and mid-sized companies remains significant.

I am hoping for honest conversations about that last mile: the procurement barriers, the interoperability challenges, and the organizational inertia that still prevent sovereign solutions from reaching their full potential adoption.

More broadly, I see events like this as important nodes in the ecosystem where policy people, technologists, and practitioners can stress-test each other’s assumptions. And that kind of productive friction is exactly what the field needs right now.