Digital Sovereignty: Canada’s New Political Frontier in Technology

Author(s): Cole Cioran

There’s a moment in every technology transformation when the conversation shifts. The audience expands from techies to the media. Sometimes, if the issues are great enough, they are debated on the national stage in Parliament. We’ve reached that moment. Debates over privacy and procurement were just the start. Technology has evolved into something more fundamental: a reckoning with sovereignty itself.

Information technology has been a political football in Canada since the fifties. From the Phoenix Pay System fiasco to the billion-dollar gun registry blowout, Parliament has repeatedly found itself in reactive mode – scrambling to contain the fallout from failed systems, opaque contracts, and public outrage. But today, the stakes are higher. The emergence of digital sovereignty as a political issue marks a shift from operational failure to existential risk.

From Privacy to Sovereignty: A Political Evolution

The post-WWII rise of computing sparked Canada’s first major tech debate: privacy. In the 1970s, fears of government databanks led to the creation of the Privacy Commissioner and the Privacy Act. Since then, Parliament has wrestled with a parade of IT controversies – HRDC’s “Big Brother” database, the Phoenix debacle, and most recently, the ArriveCAN app’s ballooning costs and questionable value.

But something changed this year. The conversation has moved beyond cost overruns and technical failures. It is about control. It’s about who owns our data, who governs our infrastructure, and who defines the rules of engagement in the digital realm.

Enter digital sovereignty.

The Sovereign Cloud: A New Class of Risk

Shared Services Canada’s recent RFI for sovereign cloud services is more than a procurement exercise – it’s a declaration of intent. The definitions laid out are uncompromising. To qualify as a Canadian cloud vendor, a company must be:

Incorporated, operated, and headquartered in Canada.
Owned and controlled by Canadian citizens or permanent residents.
Not subject to foreign laws that could compel access to data – even through parent corporations.

This is not just about data residency. It’s about legal jurisdiction, corporate governance, and national security. It’s a line in the sand – and one that many current vendors cannot cross. The federal government is not going it alone. Nova Scotia was quick to pick up the call to action, and every province is addressing the question of sovereignty in technology and technology services.

The severity of these definitions reflects a growing awareness that sovereignty is not just a constitutional concept. It’s a digital one. And it’s one that Canada must now defend as if our lives depended on it.

The Defence Dilemma: Sovereignty vs. Capability

Traditionally the Department of National Defence has been first in line to protect Canada. Newly released documents show that DND has spent over $1.3 billion on cloud services from US companies – including mission-critical applications hosted on Amazon Web Services and Microsoft Azure.

These systems support aircraft coordination, situational awareness, and operational planning. They are essential to both domestic emergency response and international engagements. And they are hosted on infrastructure subject to the US CLOUD Act – which allows American authorities to compel access to data held abroad.

This is not a theoretical risk. It’s a live one. Even so-called “sovereign clouds” from US vendors remain subject to US law. In a time of trade tensions and geopolitical uncertainty, Canadian data could be exposed – without our consent, and without recourse. This resulted in DND being in the crosshairs in the sitting of Parliament that began this past Monday, 15 September, 2025.

Sovereignty as National Risk Management

Technology leaders need to embrace that this is where the national conversation is going. Sovereignty is not just a political ideal. It’s a risk category. And it’s one that technology and program leaders in government must begin to manage explicitly.

We already manage risks related to privacy, cybersecurity, and procurement. Sovereignty must join that list. It demands new frameworks, new metrics, and new conversations – ones that go beyond compliance and cost to ask: Who controls the infrastructure? Who sets the rules? And what happens when those rules change?

This is not about fear. It’s about foresight. Sovereignty risk is not just about what might happen. It’s about what we cannot control. And in a world where data is power, that lack of control is itself a vulnerability.

A Call to Action: Leadership in the Age of Sovereignty

Technology leaders in government must now embrace sovereignty as part of their mandate. This means:

Reframing procurement: Sovereign cloud is not a niche offering. It’s a national imperative. Contracts must reflect that.
Building Canadian capacity: The SSC RFI rightly emphasizes the need to grow Canadian cloud providers. This is not protectionism. It’s resilience.
Educating stakeholders: Sovereignty is complex. Technology leaders must help policymakers, partners, and the public understand what’s at stake.
Integrating sovereignty into governance: Risk registers, architectural reviews, and program plans must include sovereignty as a dimension.
Sovereignty is a journey, not a destination: People and processes and technology need to be developed to not just attain digital sovereignty but to sustain it in perpetuity.

This is not just a technical shift. It’s a leadership one. Canada was a world leader in digital government after Y2K. We’ve been losing ground ever since, in part because we have not invested enough in sustaining the people, processes, and technology. Real digital sovereignty will require courage, clarity, and a willingness to challenge the status quo. It’s not enough to build systems that work. We must build (and continue to invest) in systems that serve Canada’s long-term interests – and that means systems we control.

Our Take – Take the Lead on the Road Ahead

Canada is not alone in this journey. The EU’s GAIA-X initiative, France’s push for cloud independence, and global debates over data localization all point to a new era of digital nationalism. But Canada’s path must reflect our values: openness, fairness, and public service.

Digital sovereignty is not about isolation. It’s about agency. It’s about ensuring that our digital infrastructure reflects our laws, our priorities, and our democratic principles.

We’ve spent decades reacting to technology failures. Digital sovereignty is the new frontier for Canada that allows us to stop reacting and start leading.

Want to Know More?

Info-Tech is conducting a major research project on digital sovereignty that will be showcased at our upcoming Info-Tech Live Canada in Montreal, November 25-26, 2025. If you would like to contribute or join us for the conversation on digital sovereignty you can book a call now to discuss this critical issue.