Hisham Ibrahim

Many Sovereignties, One Internet

Author image
Hisham Ibrahim(RIPE NCC staff)

10 min read

0
Article lead image

Digital sovereignty is not simply good or bad. The commons test offers a practical framework for assessing whether different strategies expand choice, preserve interoperability, strengthen resilience and support meaningful participation, or create new dependencies and chokepoints.


Digital sovereignty is used to describe many different policy goals: building local capacity, reducing dependency, strengthening public digital infrastructure, supporting regional development, governing data flows, exercising strategic leverage, or increasing control over digital systems. These approaches are not equivalent. Some can strengthen the Internet commons while others can weaken it.

What matters is the kind of sovereignty being pursued, the instruments used and their effect on the global Internet commons.

The Internet commons

The Internet works because independently operated networks can interconnect through globally unique identifiers, open standards and operational coordination. Its strength is not that every country has the same laws, markets or political systems, but that different systems can still participate in one global network of networks.

That shared environment is the Internet commons.

At its core is a narrow set of technical coordination functions that make interoperability possible. Around that core is a broader enabling commons made up of communities, shared knowledge and institutions that help independent networks participate.

The core coordination functions are fundamental. They should not be repurposed as instruments of broader national policy or political control.

Many systems built on top of the Internet, including cloud platforms, content delivery networks, identity systems, app stores, payment rails and AI infrastructure, have become critical dependencies for users, markets and public services. They should be governed with care, but they should not be confused with the core coordination functions that keep the Internet interoperable. Problems involving markets, platforms or applications should be addressed at the appropriate layer rather than through interventions in the Internet’s technical core.

When the commons is weakened, the consequences are not only technical. People can experience less reliable access, fewer affordable alternatives, greater dependence on gatekeepers and, in some cases, weaker privacy protections.

Why digital sovereignty needs a commons test

Not every sovereignty policy affects the Internet in the same way. A government cloud strategy, a data protection law, an AI investment plan and an intervention in Internet technical coordination pursue different objectives and create different risks.

Governments have legitimate responsibilities to protect public services, national security, rights, markets, infrastructure and strategic capabilities. The issue is not whether they should act, but whether the measures they choose are necessary, proportionate and directed at the problem they are intended to solve.

These different approaches can be tested against the same basic question:

Does this approach expand meaningful choice while preserving the conditions that keep the Internet global, interoperable and trusted?

Capacity and control

Most sovereignty strategies contain elements of both capacity and control.

Sovereignty through capacity increases the ability to understand dependencies, choose between credible alternatives, build local expertise, participate in standards and governance, operate infrastructure and recover from failure.

Sovereignty through control increases the ability to direct, restrict, centralise, filter, localise or isolate digital systems.

Neither approach should be judged by the label alone. Capacity-building can benefit only a narrow set of actors or simply replace one dependency with another. Control can support accountability, rights protection and continuity when it is bounded, transparent and open to challenge. The relevant questions are what a measure is for, how far it extends, who can challenge it and what effect it has on the commons.

The same policy instrument can produce either outcome. Public procurement can build capacity when it supports open standards, local expertise and provider diversity. It can increase control when it locks public services into one mandated platform or supplier.

Capacity is not the same as substitution.

Capacity strengthens the commons when it creates real alternatives, builds trust capacity and improves the execution conditions needed to operate, secure and sustain digital infrastructure. Control creates risk when it produces chokepoints, removes practical alternatives or turns technical coordination functions into instruments of broader political control.

Capacity and control often take five recurring forms in national and regional strategies. These forms can overlap, and a single strategy may reflect several at once.

Building public digital capacity

Digital sovereignty can include public digital infrastructure and other publicly governed systems, such as identity, payments, data exchange, public platforms, government cloud services, AI compute and other shared digital capabilities.

These systems can expand access, support innovation and provide services where commercial markets have not delivered affordable or locally appropriate options.

Public investment can also shape the wider ecosystem by creating demand for open standards and strengthening the local capability needed to build, operate and improve shared infrastructure. But these systems can also create new dependencies, especially when essential services rely on a single identity system, platform or provider.

A commons-strengthening approach keeps public infrastructure interoperable, auditable and open to alternatives. It should widen access while preserving meaningful choice.

Commons test: Public digital capability strengthens the commons when it widens access, preserves interoperability and avoids lock-in. It weakens the commons when essential services depend on a single mandated system or provider.

Developing regional capacity

In many regions, digital sovereignty is primarily a development question: how to address infrastructure gaps, strengthen interconnection, build skills and reduce dependency through cooperation.

Regional strategies may support stronger interconnection and resilience by investing in Internet Exchange Points (IXPs), submarine cable capacity and landing infrastructure, cross-border fibre links, data centres, academic networks and cloud capacity. The challenge is often not excessive control but under-execution.

These investments can strengthen regional capability by supporting infrastructure, providers and demand for modern technologies and sound operational practices. They can provide commercial incentives for operators and providers to deploy IPv6, strengthen infrastructure security and improve operational resilience at scale while remaining connected to the global Internet.

But that capability becomes durable only when trust capacity and execution conditions develop alongside the infrastructure. Local operators need the skills, relationships and institutions to sustain it, as well as access to financing, community confidence and viable market conditions.

Locality is not the goal in itself. Local or regional infrastructure matters when it improves resilience, performance, competition and operational autonomy without reducing global reachability or meaningful choice.

Commons test: Regional investment strengthens the commons when it improves interconnection, skills, provider diversity and global reachability. It weakens the commons when it creates isolated or unsustainable systems with few practical alternatives.

Exercising strategic leverage

States, large markets and dominant firms can shape the choices available to others through export controls, industrial and procurement policy, cloud jurisdiction, standards influence, platform rules, supply-chain control and access to critical technologies.

Export controls on advanced semiconductors, for example, may be justified on security grounds. But they also influence which countries and companies can build advanced computing and AI systems at scale.

Strategic leverage does not only protect one actor’s autonomy. It can also limit the autonomy of others.

Leverage should therefore be assessed not only by whether it protects the autonomy of the actor exercising it, but also by whether it enables capable participants, preserves practical alternatives and avoids imposing durable dependencies on others.

Commons test: Strategic leverage strengthens the commons when it protects legitimate interests without unnecessarily limiting the choices available to others. It weakens the commons when market or jurisdictional power is converted into durable dependency.

Planning for continuity and crisis response

Some strategies define sovereignty through the ability to disconnect, filter, reroute, localise or centrally direct parts of a network during a crisis.

Continuity planning and emergency coordination can be necessary. During a genuine emergency, public authorities and operators may need to coordinate temporary, narrowly tailored measures to maintain essential connectivity or contain a specific threat. But infrastructure built for exceptional conditions can become a permanent control point.

Central control can reduce resilience when it concentrates operational authority, removes alternative paths or weakens the ability of independent operators to respond. It can also create a new point of failure.

Measures intended for crisis use should be necessary, proportionate, time-limited, independently reviewable and reversible. Crisis planning should strengthen continuity without making the Internet smaller, more brittle or more controllable by default.

Commons test: Crisis measures strengthen resilience when they are necessary, proportionate, temporary and reversible. They weaken the commons when exceptional powers or infrastructure become permanent points of control.

Enabling trusted flows

A different approach asks how data, services and operational relationships can continue across borders under trusted conditions rather than assuming they must always remain local.

Trust, however, cannot remain a label. It must be supported by enforceable safeguards, accountable institutions, technical and organisational assurance, and routes to challenge harmful decisions.

The challenge of trusted flows is not new to the Internet. For almost four decades, the Border Gateway Protocol (BGP) has allowed independently operated networks to exchange routing information and decide which routes to accept. That distributed model has enabled the Internet to scale, but BGP does not by itself provide a reliable way to verify every claim contained in a routing announcement. Trust has therefore depended on operational relationships, routing policy and the ability of networks to assess the information they receive.

Resource Public Key Infrastructure (RPKI) uses digital certificates to associate Internet number resources with their resource holders and support verifiable routing information. Route Origin Authorisations (ROAs) help networks verify whether an autonomous system is authorised to originate a prefix, while Autonomous System Provider Authorisation (ASPA) specifications under development are designed to support verification of provider relationships. These mechanisms make particular routing claims more explicit, testable and verifiable, but they do not make routing completely secure..

The lesson for digital governance is not that every trust problem has a technical solution. It is that trusted flows depend on clear responsibilities, verifiable claims, accountable institutions and known limitations.

Commons test: Trusted flows strengthen the commons when responsibilities are clear, important claims are verifiable and institutions are accountable. They weaken the commons when trust becomes an opaque label used to exclude participation or restrict choice.

Applying the commons test

Different actors will approach these questions from different perspectives. Governments, regulators, operators and affected communities will not always reach the same conclusions. But the same basic questions remain.

  • Does the measure pursue a legitimate objective through proportionate means?
  • Does it create real alternatives, and credible exit options, or a new dependency?
  • Does it strengthen local capacity and meaningful participation?
  • Does it preserve global interoperability and keep technical coordination functions narrow and trusted?
  • Does it distribute resilience, or create new chokepoints and single points of failure?
  • Can exceptional measures be reviewed, reversed or withdrawn when they are no longer needed?

Those questions matter more than the label attached to the policy because they reveal its practical effect on the Internet commons.

Capacity depends on trust and execution

Capacity is not just a matter of owning infrastructure, purchasing technology or calling something sovereign. It depends on whether people and institutions have the knowledge, relationships and operational confidence to use and sustain it.

Under-execution is not always a lack of ambition. It can reflect financing gaps, skills shortages, procurement constraints, market size, weak institutions or dependency on providers elsewhere. Trust capacity and execution conditions therefore have to develop together.

On the Internet, trust is sustained through accurate registries, standards developed through open processes, operators who can coordinate directly, IXPs that enable networks to interconnect, communities that share knowledge, and institutions that remain clear about their mandates.

Digital sovereignty should strengthen that architecture rather than bypass it.

Sustaining one Internet

The global Internet can accommodate different laws, markets, policies and national strategies. It has always done so.

Not every form of localisation is fragmentation. Not every public investment is centralisation. Not every large provider is a threat. Not every dependency is avoidable.

Many sovereignties can coexist with one Internet. What matters is not that they are the same, but that they preserve interoperability, meaningful participation and trusted technical coordination across borders.

0

You may also like

View more

About the author

Author image
Hisham Ibrahim Based in Dubai, UAE

Hisham Ibrahim is the Chief Community Officer at the RIPE NCC. He leads the RIPE NCC's engagement efforts to foster a dynamic, inclusive RIPE community. He is responsible for engagement with RIPE NCC members, the RIPE community, Internet governance and training services. Hisham is active on several committees in various Network Operator Groups (NOGs), peering forums, IPv6 task forces and forums across three continents.

Comments 0