Who holds the keys to digital sovereignty? It might not be who you think

As governments think more about digital identity as a pillar of digital public infrastructure, and therefore a matter of vital national interest, it is perhaps inevitable that concerns around sovereignty arise.
At MOSIP Connect 2026 in Rabat, Morocco, identity sovereignty came up repeatedly, from keynote addresses to small panels and side discussions.
A Day 1 session on “Strengthening Digital Sovereignty through Sovereign Cloud Adoption: Enabling Trusted and Scalable DPI” addressed the topic head-on.
Pete Herlihy of Amazon Web Services presented AWS Outposts, which run a sovereign cloud within the host country’s data center as a dedicated tenant. The service is specifically designed for countries that do not have an AWS region or local zone in which to deploy a cloud instance to run their ID system.
The UN also has its own ICT services arm, the United Nations International Computing Centre (UNICC). The open-source-driven body uses shared infrastructure to build replicable applications, and in that capacity has helped to build self-sovereign identity (SSI) systems for countries facing shortfalls in trust and capacity.
The UNICC introduced its UNIQCloud at the beginning of 2025 to help UN entities and international organizations complete digital transformation while also protecting their sensitive data.
Following presentations from AWS and UNICC, a digital sovereignty panel discussed the relative importance of data residency and access, and of cloud sovereignty, which the participants agreed should be considered only one part of a larger issue.
Keeping your own cryptographic keys is actually more important to sovereignty than some of these other measures, panelists argued.
In a Day 3 unconference session, the issue was discussed again, with Gluu Founder Michael Schwartz pointing out that governments tend to be better at governance controls than they are at tasks like operating data centers.
In his view, the sovereignty of a digital identity system is better protected by careful consideration and mitigation of risks than by imposing measures like strict data residency rules.
How well a national ID system pays its engineers may also be more indicative of its robustness than who owns the server racks. Singapore pays GovTech engineers market rate, but as Next ID Director Adam Cooper pointed out, GovTech uses AWS.
Schwartz suggests there may be misalignment between the messaging of digital public goods (DPGs) and the reality of ensuring sovereign control over ID systems, and the resilience desired may require some compromise.
Idemia Business Developer and Head of Biometric Terminals Adil Choukri pointed out that Morocco dealt with a wave of cyberattacks on its public sector systems with several data centers dispersed across the country – all running an Azure sovereign cloud with Oracle security.
Consensus emerged from the discussion that open-source technologies can provide the community-hardening that protects them from cyberattacks and other threats to critical national systems, but also that a critical mass of IT talent is necessary for a country to effectively protect its digital assets.
With Europe attempting to assert its digital sovereignty and U.S. diplomats instructed last month to push back against data sovereignty initiatives, the issue is global, and it is not going away.