Blog | 21 November 2025

Digital sovereignty in practice: Insights from the eGovernment Days

This year's eGovernment Days clearly showed that the public sector is facing a change of direction. The recurring themes during the lectures were digital sovereignty, cybersecurity and safe AI. Together, they form a narrative about how Sweden's digital infrastructure needs to be developed and what responsibilities follow from the decisions that are made.

Max Schrems on digital sovereignty and what his insights mean for the public sector

Max Schrems is the Austrian lawyer and activist whose court cases against Facebook (Schrems I and II) effectively reshaped the entire EU approach to data protection and international data transfers. Today, he is one of Europe's most influential voices on privacy, data sovereignty and the relationship between the EU and US cloud services.

We had the opportunity to speak directly with Max about Sweden's situation and the specific challenges of the public sector. It was a valuable conversation about how municipalities and authorities need to think ahead, and about the importance of building digital infrastructure that does not risk being affected by decisions far beyond the control of Sweden or the EU.

In his keynote, "Schrems III or Trump I? What's next?", he reviewed the state of play after these historic rulings, what might be next, and how both US policy and the EU's upcoming decisions will have an impact.

Schrems explained the central conflict between EU data protection laws and US intelligence legislation. In particular, he highlighted that FISA 702 targets the company, not the geographical location of the server. This means that data stored in the EU can still be subject to US access if the provider has US connections.

This is the basis of what he calls sovereignty washing, when US cloud giants promote "European" or "sovereign" clouds even though the legal risks remain.

For the public sector, where trust and continuity are key, this is not a technical detail but a strategic risk.

The new reality of cybersecurity – the NCSC's perspective

In a session entitled "National Cyber Security Center – How to achieve robust protection against cyber threats", NCSC Director John Billow described the work that is already underway, and that will need to be strengthened, to protect Sweden against future cyber attacks.

He painted a clear picture of how Sweden's vulnerability is increasing. The public sector is the most vulnerable target group, with incidents directly affecting accessibility and public services.

Cyber-attacks are becoming more numerous, more advanced and much cheaper to carry out than before. Ransomware as a service, AI-assisted phishing attacks and complex attack chains make cybersecurity a matter of preparedness, not just technology.

At the same time, the skills shortage is growing and the increasing reliance on external providers makes many environments vulnerable. The choice of cloud provider is therefore not just about function, but about supply chains, ownership structures and risk.

The European framework now taking shape through NIS2, the AI Act, the Data Act and the GDPR omnibus all aim for the same thing: to strengthen Europe's digital sovereignty and reduce vulnerable dependencies.

Panel discussion on lessons learned from IT disasters

The panel discussion "Millennium and other IT breakdowns in the public sector" discussed why large system projects do not have the intended impact. The session focused on how the public sector can avoid future breakdowns through better implementation, governance and organisation.

The conversation showed that the big problems are rarely about the technology itself. They arise in governance, expectations and lack of support. Some of the key lessons learned were:

  • inadequate needs analysis
  • oversized ambitions
  • late involvement of users
  • dependence on consultants leading to loss of skills
  • management lacking digital understanding
  • prestige that prevents pulling the emergency brake

The recurring advice was clear: Start smaller. Pilot. Document. Learn.
Above all – build skills that stay in the organisation.

Everything points in the same direction

Digital sovereignty, cybersecurity and governance are part of the same whole.

The public digital infrastructure of the future must be robust, legal, resilient and built on solutions where control and responsibility are not outsourced away.

Sitevision is used by many public sector organisations and that gives us a responsibility to build solutions that are stable, secure and long-term. This characterizes how we develop and manage the platform. That's why our promise is clear:

A secure Swedish cloud without third-party transfers

Sitevision Cloud is operated in Sweden, with full transparency around the supply chain.

Controlled and Swedish AI

Sitevision AI is developed and operated in a Swedish cloud environment where the customer controls which data the model can (and cannot) access.

Full control over critical infrastructure

Sitevision is responsible for all central parts of the platform and avoids suppliers with third-party risks.

Availability, security and stability are not add-ons – they are the core of our platform.


Certificate ISO/IEC 27001:2022