Digital sovereignty and organisational/national resilience

Digital sovereignty refers to the ability of a state, an organization or a citizen to retain control over their digital infrastructure and data. In practice, this means ensuring that our data, our software and our information systems are subject only to local laws and jurisdictions, free from foreign interference. We speak of sovereign hosting when data is hosted on servers located in the country (for example in Quebec or in Canada), by a local company subject to local laws. The goal is for the data to benefit from national legal protection and to remain beyond the reach of foreign laws.

Beware of common misconceptions: just because your data is physically stored on Canadian soil does not necessarily mean it is shielded from the laws of another country.

For example, if a U.S. company such as AWS or Microsoft Azure hosts your data in Montreal, that data could still be accessible to U.S. authorities under extraterritorial laws such as the CLOUD Act. In other words, physical location alone does not guarantee sovereignty: you also have to look at who controls the infrastructure. A truly sovereign cloud therefore involves not only local hosting, but also a local operator subject exclusively to Canadian laws.

In short, opting for sovereign hosting comes down to retaining control over your data. This covers where it is stored, who has access to it, and which laws apply to it. For example, a Quebec organization that hosts its website and database with an independent Quebec provider ensures that this data is governed by the laws of Quebec and Canada (such as Law 25 or the federal PIPEDA), and not by potentially less protective foreign laws.

A geopolitical and economic issue in today's context

We live in a geopolitical context where data has become a major strategic asset – some even describe data as the “new oil.” The major powers have understood this well, and each one wants to defend its digital interests. This plays out in several ways:

• Extraterritorial laws and foreign surveillance: Countries such as the United States have adopted laws that allow them to access data anywhere in the world, as long as that data is in the custody of companies under their jurisdiction. The U.S. CLOUD Act is a striking example: it authorizes the U.S. government to demand access to your data even if it is hosted in Canada, as long as it is stored with a cloud provider subject to U.S. law. Put plainly, if a Quebec SMB uses a cloud service managed by a U.S. company, its data could be handed over to U.S. authorities without the Canadian government being able to object. This raises concerns about confidentiality and the surveillance of data by foreign entities.
  
• Trade tensions and technological independence: The major tech companies (often referred to as GAFAM for Google, Apple, Facebook/Meta, Amazon, Microsoft) dominate the global technology ecosystem. This situation creates a dependency of other countries on foreign technologies and services. In the event of diplomatic tensions or a trade war, this dependency can become a risk: imagine, for example, that an essential platform decides to cut off its services in certain countries to comply with sanctions or political pressure. Local organizations would be severely impacted. Ensuring your digital sovereignty means reducing that vulnerability and preventing foreign political decisions from paralyzing our economic activities or our communications.
  
• Privacy protection and local values: Each country or region has its own laws and values when it comes to protecting personal information. In Quebec, for example, the culture places great importance on privacy and on linguistic and cultural distinctiveness. Hosting locally makes it possible to better respect these specificities – for example, ensuring that software interfaces are in French, or that data management practices match local expectations. Conversely, handing over all your data to foreign companies means risking that it will be managed according to different rules and ethics, sometimes less strict when it comes to confidentiality. Digital sovereignty also aims to preserve our local digital values and identity.
  
• International initiatives: Aware of these issues, several governments are launching initiatives to regain control. In Europe, there is a great deal of talk about the “sovereign cloud” and projects such as Gaia-X, a federated European cloud network meant to guarantee that the data of European companies remains under European jurisdiction. Likewise, France has tried to develop its own national cloud solutions to counter U.S. hegemony. In Canada, the question also arises: Canadian cloud providers are emerging that present themselves as sovereign alternatives, and the government is increasingly requiring that sensitive data (for example government or health data) be stored on Canadian soil. This momentum toward digital sovereignty stems from the desire to protect national security, citizens' privacy and economic competitiveness in the face of foreign giants.
  

In short, sovereign hosting is not a local whim, it is a strategic imperative in today's world. Control over data and digital infrastructure has become a matter of power and independence, just like control over energy or natural resources. For Quebec and Canada, ensuring a degree of digital autonomy means protecting our democracy, our economy and our citizens in an uncertain global context.

Why does it matter for SMBs and non-profits?

One might think that these concerns only apply to governments or large corporations, but small and medium-sized businesses (SMBs) and non-profit organizations (NPOs) are just as concerned. Here is why digital sovereignty matters for them too:

• Protection of sensitive data: SMBs and NPOs often collect and process sensitive data: customer or member lists, financial information, personal data about employees or beneficiaries, intellectual property, and so on. If this information were to fall into the wrong hands (competitors, foreign states, cybercriminals), the consequences could be serious. By adopting sovereign hosting, a company ensures that its data remains protected by strict local privacy laws, and is not exposed to potentially more permissive foreign jurisdictions. For example, an NPO that manages a mental health database will want to avoid having it hosted on a cloud outside Canada where confidentiality standards are less strict.
  
• Legal and regulatory compliance: Law 25 in Quebec and Canadian privacy laws apply to most businesses and organizations (we will detail these laws further on). These regulations require organizations to protect citizens' data and to govern transfers of data abroad. An SMB that uses any online service has to ask itself: where is my data going? If it leaves the country, is it being done in compliance with the law? Opting for local hosting solutions greatly facilitates compliance. On the contrary, if your data is stored abroad, you often have to carry out rigorous assessments and obtain guarantees that the destination country offers equivalent protection – which can be complex. Law 25 notably requires a privacy impact assessment before communicating personal information outside Quebec. Failing to comply exposes the company to legal and financial penalties.
  
• Reduction of extraterritorial risks: As we have seen, foreign entities could legally access an SMB's data if it is hosted by a provider subject to extraterritorial laws. For a Quebec company, this can represent a risk of economic espionage (for example, its industrial secrets could be seized as part of a foreign investigation) or of loss of control in the event of a dispute outside our borders. By keeping its data under Canadian sovereignty, you reduce this legal risk: no foreign authority can legally seize your data without going through Canadian legal channels. This also assures clients and partners that their information will not be disclosed to foreign governments without legitimate reason.
  
• Strategic independence and business continuity: For an SMB or NPO, depending entirely on a single technology provider can be dangerous. What happens if that provider decides one day to change its terms, drastically raise its prices, or suffers a major outage or a ban on providing its services (for example following a sanction)? By using sovereign solutions, organizations gain strategic autonomy: they can choose more flexible local partners, or even host certain critical applications in-house. This improves their resilience – the continuity of operations is less likely to be compromised by decisions made abroad or by problems beyond their control. In the event of an international political or economic crisis, a digitally sovereign SMB will be better equipped to keep serving its clients.
  
• An image of trust and respect for values: Increasingly, the public cares about the protection of their personal data. For an NPO working with vulnerable populations, or for an SMB seeking to earn its clientele's trust, being able to state that “your data is hosted here, with us, and protected by our laws” is a significant asset. It is a mark of seriousness and ethics. Conversely, an organization that would funnel sensitive information about Quebecers to servers located abroad without transparency could arouse mistrust or criticism. In a context where corporate social responsibility is gaining importance, digital sovereignty can be one of the good governance practices to put forward.
  

In summary, for SMBs and NPOs in Quebec and Canada, ensuring sovereign hosting of their data means protecting their digital assets, complying with the law, minimizing the risks of leaks or interference, and demonstrating their commitment to confidentiality and security. All of this contributes to better governance and to the durability of their mission.

The importance for individuals and citizens' privacy

Citizens, as individuals, are also at the heart of digital sovereignty. After all, it is their personal data that is at stake: name, address, browsing history, photos, messages, health data, and so on. Why should ordinary people in Quebec care about sovereign hosting?

• Privacy protection: When you use a mobile app, a social network or an online service, your personal information can be stored anywhere on the planet. If this data is hosted abroad, it falls under the jurisdiction of the host country. For example, messages you send through a U.S. messaging service can, in theory, be requested by U.S. authorities. The country in question does not always offer the same privacy guarantees as Canada or Quebec. By keeping your data in the country, you benefit from local legal protections, such as Law 25, which strengthens your rights and strictly governs the use of your personal information. In other words, digital sovereignty strengthens your ability to control who has the right to see and use your personal information.
  
• More effective recourse and rights: If your data is hosted locally, in the event of a problem (data breach, misuse, etc.), it will be easier for you to exercise your rights. In Quebec, Law 25 gives you, for example, the right to access your information, the right to correct it, to withdraw your consent to its use, and even to request its deletion in certain cases. Try exercising these rights if your data resides in a foreign country: the process will be much more complex, even impossible if the company hides behind foreign laws that are less favourable to consumers. Digital sovereignty ensures that your rights follow your data – you remain in control of your personal information.
  
• Reduced risk of surveillance and abuse: The news has shown repeatedly that mass surveillance programs exist, and that some tech companies do not hesitate to exploit user data for questionable commercial purposes. Sovereign hosting does not eliminate every risk, but it limits the scope of these potential abuses. If your data stays in Canada, it will not be accessible to a foreign government without going through the Canadian justice system (which offers protections, such as the requirement to have valid grounds, warrants, etc.). Moreover, local laws such as Law 25 require clear consent for the collection and use of your data. You therefore have more control over what organizations do with your information, which is not always the case elsewhere.
  
• Maintaining a local digital ecosystem: Beyond privacy, there is also a cultural and community dimension. By choosing digital services that are local or respectful of sovereignty, citizens encourage the development of a Quebec and Canadian digital ecosystem. This means more tools in French, designed by people who understand the local context, our needs and our values. For example, a Quebec service will know that it has to comply with the Charter of the French Language for its interface, or will be attuned to local issues. Supporting these alternatives contributes to a more diverse internet, one less dominated by a handful of multinationals.
  

What can an individual do to promote their digital sovereignty? You do not need to be a computer expert to adopt simple habits that strengthen your control. Here are a few concrete tips:

1. Ask the hosting question: Every time you entrust data to a service (online purchase, signing up on a site, using an app), do not hesitate to ask yourself “Where is my data hosted?”. Companies often state in their privacy policies whether information is stored locally or transferred abroad. This awareness is an essential first step.
2. Favour local or ethical providers: If you have the choice, opt for services that host data in Quebec or in Canada. For example, some email services, online storage solutions or local office applications offer sovereignty guarantees. Likewise, alternative search engines or social networks emphasize respect for privacy and local data storage. Of course, they may be less well known than the U.S. giants, but using them supports the local digital economy and better protects your information.
3. Read (at least part of) the privacy policies: It is not the most entertaining activity, but glancing at the sections about data storage and international transfers can be enlightening. You will then know whether the service sends your data to another country. Many sites now have a section dedicated to data residency because of regulations such as Law 25 or the GDPR in Europe.
4. Exercise your rights: As a Quebec resident, you have concrete rights over your personal information thanks to Law 25. Do not hesitate to use them. For example, you can ask a company to provide you with all the data it holds about you, or to correct erroneous information. If you are not comfortable doing it yourself, know that there are organizations and letter templates to help you. By exercising your rights, you assert your individual sovereignty over your data.
5. Stay informed and vigilant: Data protection issues evolve quickly. New laws appear, and so do new services. Take an interest in privacy news, follow best-practice guides (there are very accessible ones online), and share this knowledge with those around you. The more the public is aware, the more businesses and governments will have an interest in respecting digital sovereignty. Forewarned is forearmed: by asking your internet provider or your mobile app to account for where your data is, for example, you help advance the cause.

Ultimately, data sovereignty directly affects the protection of your privacy and the control you exercise over your personal information. Every individual has a role to play in becoming an informed digital citizen who does not click “I accept” without thinking about the consequences. It is not about descending into paranoia, but about adopting an informed and responsible approach to our everyday digital tools.

The legal framework: Law 25 and data protection requirements

In Quebec and Canada, the growing awareness around digital sovereignty has translated into a strengthening of the legal framework in recent years. Law 25, adopted by Quebec, is a perfect example. Officially titled An Act to modernize legislative provisions as regards the protection of personal information, this law has updated and strengthened the rules in order to better protect privacy in the digital age.

A few highlights of Law 25 and the surrounding legal framework:

• Increased consent and transparency: Law 25 requires organizations (public and private) to obtain informed consent from individuals for the collection and use of their personal information. No more pre-checked boxes in fine print! For businesses, this has meant reviewing the cookie banners on their websites, clearly explaining what the collected data will be used for, and so on. The spirit of it is to create a culture of privacy protection in business practices.
  
• Obligations when transferring data outside Quebec: This is an aspect directly tied to digital sovereignty. Law 25 requires businesses to take specific measures before hosting or sending personal data outside Quebec. Concretely, a company has to carry out a risk assessment and ensure that the information will benefit from “equivalent” protection in the other jurisdiction. If that is not the case, the transfer could be prohibited. This strongly encourages organizations to keep data in Canada or to work only with partners offering solid guarantees. It is reminiscent of the principle of the European GDPR, which restricts sending Europeans' data to countries that are not deemed adequate. For a Quebec SMB, this means, for example, that it has to think twice before storing its customer databases on a server in the United States. Knowing where your data is hosted is crucial in determining which legal framework applies and what recourse you have in the event of a problem.
  
• New rights for citizens: In addition to the rights of access and rectification that already existed, Law 25 introduces rights inspired by the European model, such as the right to data portability (being able to retrieve your data in a transferable format) and transparency obligations when there is automated decision-making by algorithms. All of these elements strengthen individuals' power over their data. Yet this power can only be fully exercised if the data remains within reach of the local legal framework. Hence the importance, once again, of knowing where the data resides. A theoretical right is useless if the data is in a territory where it cannot be applied.
  
• Severe penalties and incentives: Failure to comply with these rules can result in significant fines. The Commission d'accès à l'information du Québec, responsible for enforcing Law 25, can impose penalties of up to several million dollars or a percentage of annual revenue, depending on the severity. Furthermore, starting in 2024, companies that are not compliant with Law 25 could be excluded from certain public contracts. This motivates organizations to get into compliance quickly. The government has even offered training programs and grants to help SMBs in particular adjust. The objective is clear: to make data protection a norm, not an exception. And that protection depends in large part on more rigorous localization and management of data (which brings us back to our topic of sovereign hosting).
  
• Federal framework and the future: In parallel, at the Canadian level, the existing federal law (PIPEDA – the Personal Information Protection and Electronic Documents Act) governs the management of personal information in the private sector. Canada is also preparing a reform of its laws through the proposed Bill C-27, which will include the Consumer Privacy Protection Act (a sort of “Canadian GDPR”) and an artificial intelligence act. The emphasis is on transparency, consent and corporate accountability. There is even talk of a future Canadian Digital Charter. All of this is in line with strengthening national digital sovereignty: Canada wants to ensure that its citizens' data is handled according to its standards, regardless of where the provider is located. It will be increasingly difficult for a company to justify data leaving the country without protection.
  

In short, the Quebec and Canadian legal framework is evolving to support digital sovereignty. Laws such as Law 25 in Quebec ensure that our data remains under the protection of our laws and impose limits on insecure transfers abroad. For organizations, this is both a challenge (you have to comply, adapt your systems) and an opportunity to rethink your digital strategy by favouring local and secure solutions. For citizens, it is an additional safety net that complements personal vigilance: the law equips individuals and sets up guardrails, although individual vigilance remains paramount.

Beyond location: the importance of the “backbone” and technological independence

We highlighted this above: digital sovereignty is not just about the geographic location of servers. You also have to consider the “backbone” of the infrastructure, that is, the entire technological chain that supports your digital services. This includes the owners of the data centres, the cloud service providers, the hardware used, the software deployed, and even the paths the data takes across the network.

Why is this just as important as location itself?

• Provider jurisdiction and the subcontracting chain: Suppose you host your data with a provider based in Montreal. Very good. But if that provider is in fact a subsidiary of a foreign multinational, or if it subcontracts some operations abroad, your data may still be at risk. For example, many companies use cloud services from U.S. giants (AWS, Microsoft, Google) that have data centres in Canada. However, these entities remain governed by the law of their country of origin (U.S. law for AWS/Microsoft/Google). This means that, in the event of a legal injunction in the United States, the Canadian subsidiary will have to comply and provide access to the data, even if it physically resides in Canada. The legal backbone matters as much as the location of the hard drive: who holds the key to the server? Who can access it remotely? Who administers the platform? If the answer is not “an organization from here, subject only to our laws,” then sovereignty is not complete.
  
• Control of access and personnel: Sovereignty includes the management of access to data. If your data is hosted by a local company but its technical team or support is outsourced abroad, people outside our jurisdiction could potentially access the systems. Of course, serious companies compartmentalize access, encrypt data and limit what an employee can do, but on a human level there is an issue of trust and control. An ideal sovereign hosting provider is one where all critical operations are carried out locally by trusted personnel subject to the same legal obligations (confidentiality, etc.). This reduces the risks of leaks or internal abuse that are difficult to prosecute legally because they occur outside our borders.
  
• Network and hardware infrastructure: The path your data takes across the internet can also have implications. For example, in Canada, a lot of internet traffic transits through the United States (because of the geography of the major cables and backbones). This means that even an email sent from Montreal to Quebec City can, depending on the circumstances, pass through routers located in the United States. Theoretically, this exposes it to foreign surveillance during transit. Efforts are being made to develop local internet exchange points and minimize these detours, precisely with technological sovereignty in mind. Likewise, the question of hardware arises: making heavy use of foreign hardware (routers, servers) can carry espionage risks if backdoors have been installed by unscrupulous manufacturers. In recent years, we have seen countries ban certain 5G equipment supplied by foreign companies for reasons of national security. This is part of digital sovereignty as well: being able to trust your underlying infrastructure, or to develop local alternatives when possible.
  
• Free software and independence from vendors: Another part of the technological backbone is the software we use. Many proprietary solutions (operating systems, databases, office suites, etc.) are produced by large, often foreign, corporations. Opting for free and open source software is one way to strengthen your digital sovereignty. Indeed, free software offers greater transparency (the code can be audited), and it can be hosted anywhere without depending on a particular vendor. Public institutions in France, for example, encourage the use of free software to reduce dependence on foreign proprietary solutions. For an SMB or an NPO, this can mean choosing an open source content management system for its website instead of a proprietary SaaS platform, or using a free office suite rather than storing all its documents on cloud tools whose inner workings it does not control. Open source brings software sovereignty, that is, control over the tools themselves, in addition to the data. Of course, not everyone has the means to verify the source code or host their own service, but the mere fact of choosing an open source tool often guarantees that you can switch hosting providers more easily, or keep your data in standard formats.
  

In short, digital sovereignty requires a holistic approach: you have to think about the entire ecosystem. Locating data in Canada is a necessary condition, but not a sufficient one. You also have to ensure that the hosting context (cloud owner, personnel, hardware, software) is aligned with our sovereignty imperatives. This is why, when we talk about a “sovereign cloud,” we emphasize that it must be operated by an entity governed by local law and subject exclusively to local laws. As soon as one link in the chain falls under an outside authority, a breach in sovereignty appears.

Fortunately, more and more initiatives are seeking to close these breaches: the development of national clouds, the encouragement of open source solutions, and the adoption of public policies to use local technologies when possible. For organizations, this can mean, for example, giving preference to buying digital solutions locally and reflecting on dependence on external providers. For individuals, it translates into a preference for more respectful applications, and support for an open and diverse internet.

Solutions for sovereign hosting: decentralized and open source alternatives

Faced with the issues described, one might feel a little overwhelmed. But the good news is that solutions exist to make sovereign hosting a reality and regain control. Alternatives – often open source, decentralized and local – are available in most digital domains.

Let's take an overview of what can be done:

Choosing local and independent hosting providers

Rather than automatically turning to the well-known cloud giants, it is possible to opt for Canadian hosting providers. In Quebec, there are data centres and companies specializing in cloud services that put sovereignty front and centre. Their promise: your data stays in the country, managed by a company from here, and will never be transferred abroad without your consent. Some even have certifications or partnerships guaranteeing this sovereignty (for example, VMware's “Sovereign Cloud” program includes a Canadian partner that is 100% locally owned).

In Europe, there are several national or regional sovereign clouds (OVHcloud in France, Hetzner in Germany, etc.) as alternatives to AWS-type services. In the same way, comparable offerings are appearing in Canada. There are also non-profit or cooperative initiatives: for example, in France, the CHATONS collective (Collectif des Hébergeurs Alternatifs, Transparents, Ouverts, Neutres et Solidaires) brings together ethical hosts providing privacy-respecting online services. One could imagine an equivalent here – indeed, some cooperatives or NPOs are starting to offer shared digital services for their members.

The advantage of a local provider: the relationship of trust is more direct. You can often speak with a manager, know the exact location of your data, and even visit the data centre if that is a major concern. Contracts can clearly specify that no international transfer will take place, and in the event of a problem, you can turn to the local courts. Moreover, supporting these providers contributes to the growth of the local tech industry and creates jobs here at home.

Implementing open source and self-hosted solutions

Thanks to open source, an organization can consider hosting certain critical services itself, or having them hosted by a trusted partner, without going through the proprietary platforms of the giants. Today there are free, turnkey solutions for almost every need:

• File storage and collaboration: Instead of using Google Drive or Dropbox, you can deploy a tool like Nextcloud, which is a free cloud suite. Nextcloud allows file sharing, synchronization, collaborative document editing, calendar and contact management, instant messaging and videoconferencing. It is a complete platform that additionally offers end-to-end encryption and fine-grained permission management. Major advantage: total control over the data – Nextcloud can be hosted on your own server or by a local provider, and you retain ownership of your files at all times. Moreover, being open source, Nextcloud complies with protection standards (GDPR in Europe, so fully aligned with Law 25). Several Quebec SMBs have, for example, adopted Nextcloud to replace foreign cloud services, with success.
  
• Messaging and team communications: Instead of Slack (owned by a U.S. company) or Microsoft Teams, there are open source alternatives such as Rocket.Chat or Mattermost. These solutions allow group chat, file sharing, audio/video calls, and so on. Their strengths are often decentralization (they can be hosted on your own servers), interoperability and code transparency. Rocket.Chat, for example, emphasizes the data sovereignty it offers: you decide where your conversations reside, with no need to store them in a third party's cloud. Some government organizations or sensitive businesses (the health sector, etc.) use Mattermost or Rocket.Chat precisely to keep their internal communications away from foreign servers.
  
• Email and online office tools: Many organizations use the Google Workspace suite (Gmail, Docs, etc.) or Office 365. Here too, sovereign options exist. For email, you can perfectly well have your email hosted by a privacy-respecting Canadian provider (there are several that encrypt emails end-to-end and guarantee local storage). For online office tools, solutions like OnlyOffice or Collabora Online coupled with Nextcloud allow several people to edit documents directly in a browser, in a similar way to Google Docs, all while hosting everything on a server under your control. OnlyOffice, for example, is open source and can be installed on premises; it offers compatibility with common Microsoft Office formats. The Nextcloud + OnlyOffice integration is a popular combination for anyone looking for a complete alternative to Google Drive/Docs.
  
• Websites and content management: Rather than relying on proprietary “all-in-one” platforms for your site (for example a site builder where you do not know where the data is stored), you can rely on well-established open source CMSs (WordPress, Drupal, etc.) hosted with a local provider. You thus retain control over the user database, the content, and so on. Here again, the open code makes it possible to verify the absence of a backdoor and to have a community that continuously improves security.
  
• Alternative social networks: For individuals who want sovereignty, the “Fediverse” (federated universe) movement offers decentralized social networks. Platforms such as Mastodon (an alternative to Twitter) or Pixelfed (an alternative to Instagram) are made up of independent servers (often managed locally or by communities) that communicate with one another. You can choose a Quebec server to create your Mastodon account, and your profile data, posts, etc., will stay on that server rather than going to Meta's or X Corp's servers. It is a way to regain control while staying connected with the world. Of course, these networks are still emerging compared to the giants, but they are gaining in popularity and demonstrate that a different, more decentralized internet is possible.
  
• Specific applications: For almost every proprietary application, there is a free and sovereign equivalent. Need an online project management tool? OpenProject is an open source solution with local hosting, used in Europe and compliant with European sovereignty rules. Need a videoconferencing tool? Jitsi Meet lets you hold video meetings without an account, by hosting the server yourself or via respectful instances. Need online password storage? Tools like Bitwarden (open source) can be self-hosted... The list is long.
  

Of course, using these solutions requires a certain level of technical expertise or the support of a competent provider. An SMB may not have a large IT department to install and maintain Nextcloud or Mattermost. However, there are local integrators or service companies ready to do it for you. The associated costs have to be weighed against the benefits in security and independence. Moreover, many of these free solutions are modular: you can start small (for example, migrating file sharing to a locally hosted Nextcloud, while keeping other services with an external provider) and then gradually expand to other tools as you build up skills or gain confidence.

One encouraging point: these open source alternatives are constantly improving and are supported by large communities. The benefits you can draw from them happen to align with the goals of digital sovereignty:

• Access to the source code: a guarantee of transparency and trust (you know what the tool actually does).
  
• Multi-server and decentralization: no single point of control, and therefore no grip of a single entity over your data.
  
• Guaranteed sovereign hosting: you choose where to deploy (at your premises or with a trusted local host).
  
• Ethical commitment: most of these projects pledge not to abusively monetize data and to respect privacy.
  
• Community and mutual support: in the event of a security flaw, thousands of developers around the world can contribute to fixing it quickly, which often makes free software into very robust tools.
  

You also have to be aware of the challenges: the interface of some free tools may be less polished than that of commercial products, user training is needed to change habits, and not all free solutions are yet on par with their Big Tech equivalents in certain respects (for example ergonomics, or the deep integration of certain features). However, these gaps are narrowing over time, and the investment can be worth it in the long run, to gain autonomy.

Finally, let us note that the government itself can play a supporting role. In France, the state has launched programs to help SMBs adopt sovereign digital tools (via the France Num initiative, etc.). In Canada, one could imagine grants or labels to encourage sovereign hosting. In the meantime, legal pressure (Law 25 and the like) is already acting as a driver of change.

Case study: comparing two hosting scenarios

To make all of this concrete, let's examine two scenarios illustrating the difference between non-sovereign hosting and sovereign hosting. Let's imagine a small fictional company, ABC inc. based in Quebec, which runs an e-commerce website and a customer database, including personal information (names, emails, addresses, purchase history).

Case 1: Non-sovereign hosting with a foreign giant

ABC inc. decides, for convenience, to host everything with “GlobalCloud”, a well-known provider (fictional for the example) based in the United States, which has data centres all over the world. When signing up, ABC inc. chooses the “Canada region” option to host its servers, thinking that this is enough to guarantee that the data stays here. The service is inexpensive and performance is excellent; the site runs well.

But behind the scenes: GlobalCloud's contract stipulates that, in the event of a legal obligation, the data may be handed over to the competent authorities of the country where the parent company is established. In plain terms, if a U.S. court requests it, GlobalCloud will have to turn over ABC inc.'s data (even though it is hosted in Canada) to U.S. authorities, under the Patriot Act/CLOUD Act. ABC inc. may not even be informed of it (some national security orders come with gag clauses).

Furthermore, GlobalCloud has system administration staff spread across several countries. Regularly, engineers in the United States or in India access the machines (including those of ABC inc.) for maintenance. ABC inc. has no visibility into these operations; it trusts the provider.

One day, ABC inc. learns that, through a security incident, customer data has been accessed by a third party. It is hard to know whether it was a hacker or a government access. The company has to disclose the breach to customers and to the Commission d'accès à l'information (a legal obligation to notify in the event of a confidentiality incident, provided for by Law 25). While investigating, ABC inc. realizes that its data regularly transited through servers in the United States for redundant backups, and that this is possibly where the unauthorized access occurred.

Moreover, ABC inc. realizes that, by storing personal data of Quebecers on a foreign service, it should have carried out a privacy impact assessment and ensured that GlobalCloud offered protections equivalent to Law 25 – which it did not formally do. It therefore risks penalties. Its mistake stems in part from a lack of awareness: the “Canada” location in GlobalCloud's interface gave it a false sense of security, whereas the backbone of the service was not sovereign.

Consequences for ABC inc. in this scenario: a loss of trust from some customers informed of the breach, a potential legal problem with the regulator, and definite stress about the confidentiality of its strategic data (should it fear that its sales figures are being analyzed by foreign entities?). True, it benefited from the convenience of a major cloud at first, but it is starting to see its limits and hidden risks.

Case 2: Sovereign hosting with a local provider + open source solutions

In the second scenario, ABC inc. chose from the outset (or after the previous incident, to make up for it) to bet on digital sovereignty. It contacts “CloudQuébec” (a fictional provider), a cloud computing company based in Quebec City, certified 100% Quebec-owned. CloudQuébec guarantees by contract that all data stays on its servers in Quebec, that no foreign employee or subcontractor will have access to the data without authorization, and that in the event of an access request by a non-Canadian authority, they will inform the client and contest the request if it does not comply with Canadian laws.

ABC inc. therefore migrates its site and its database to CloudQuébec. The company takes the opportunity to replace a few internal tools: it installs, for example, a Nextcloud hosted with CloudQuébec to store its files and share documents with its partners, replacing its former use of Google Drive in the process. It also uses a local email service (provided by CloudQuébec or another partner) instead of Gmail, so that the company's email communications stay in the country.

The deployment requires a bit of initial work and slightly higher costs than those of GlobalCloud, but in return ABC inc. gains several benefits:

• Legal compliance without the headache: Since customer data is now hosted locally, ABC inc. can demonstrate its compliance with Law 25 much more easily. It no longer has an international transfer to assess. In its privacy policy, it proudly states “Your data is stored in Quebec and is never transmitted outside our borders without your explicit consent.” That is a good mark in the eyes of the Commission d'accès à l'information and of privacy-conscious customers.
  
• Strengthened security and local support: CloudQuébec offers French-language support, in the same time zone. In the event of a problem, ABC inc. gets help quickly, with no cultural or linguistic barrier. Furthermore, CloudQuébec follows Quebec security standards, and being a small structure, it is transparent about its procedures. ABC inc. was able to visit the data centre (or at least receive a detailed report) and reassure itself about physical access controls, backups, and so on. It knows that its data will not be copied to another country without its knowledge.
  
• No foreign access without going through Canadian laws: If one day some authority wishes to access ABC inc.'s data (say, hypothetically, an investigation that would have to involve ABC inc.'s data), it will have to go through the Canadian justice system, and CloudQuébec will comply only with orders issued by a competent Canadian court. ABC inc. will have the opportunity to defend the confidentiality of its information before our judges. That is a level of legal protection far superior to scenario 1, where ABC inc. would not even have been informed of a foreign request.
  
• Value in the eyes of customers: On its website and in its communications, ABC inc. now highlights its commitment to data protection. It explains, in simple terms, to its users that their information stays in the country, protected by the laws of Quebec and Canada. This message reassures the clientele, particularly the more aware ones (among them perhaps public bodies, or clients from Europe subject to the GDPR who appreciate knowing that ABC inc. takes these subjects seriously, etc.). ABC inc. thus turns digital sovereignty into a competitive advantage and a positive marketing argument.
  
• Acquired experience and control: By managing its Nextcloud and working with a local cloud, ABC inc. has developed new in-house skills, or done so via its provider. The company better understands its infrastructure and can adapt it to its specific needs (something more difficult on an inflexible platform like GlobalCloud). For example, it was able to ask CloudQuébec to adjust the configuration to improve response times on its site during local peak hours, something a distant giant might not have done. This increased control gives it more latitude to innovate, to add new features without depending on the limitations imposed by a foreign provider.
  

Ultimately, scenario 2 shows that with a bit of planning and the right partners, it is entirely possible for an SMB to operate in a sovereign digital environment without sacrificing modernity or efficiency. ABC inc. can still sell online, communicate and collaborate just as well as before – but it now does so in a way that aligns technology with its values and its legal obligations. In doing so, it helps build a more robust local ecosystem.

Conclusion: toward a digital autonomy that benefits everyone

Sovereign hosting is not merely a patriotic whim or an inward retreat. On the contrary, it is a proactive approach to ensuring the security, confidentiality and independence of our digital activities in a hyperconnected world.

For SMBs and NPOs in Quebec and Canada, embracing digital sovereignty means strengthening their governance, reducing often-invisible risks, and earning the trust of those they interact with. For individuals, it is the promise of better control over their privacy, and the guarantee that their rights (the right to privacy, the right to be forgotten, etc.) can be fully exercised over their data.

We have seen that digital sovereignty encompasses a set of measures: localization of data under local jurisdiction, control over the backbone (infrastructure and tools), reliance on free software and decentralized solutions, without forgetting the support of a strong legal framework such as Law 25 that cements these good practices. Each of these aspects reinforces the others: a strict law pushes for the adoption of sovereign solutions, and the more local solutions there are, the easier it will be to comply with the laws and to convince others to do the same.

Of course, achieving complete digital sovereignty is a journey. It takes time to develop competitive local alternatives, to train businesses and the general public on new tools, and to adjust policies. But every step counts. In 2025, we can say that the awareness is there: the Quebec government is modernizing its laws, companies from here are innovating to offer a sovereign cloud, and more and more voices are calling for an internet that is more respectful of users and of national sovereignties.

By adopting an educational and informed approach – as we have tried to do in this article – we realize that digital sovereignty is not just a matter for specialists. It is everyone's business. SMBs, NPOs, citizens, government: each has a role to play in building a digital environment where our data does not slip away from us. It is, in a sense, about “taking back the power” over our technological tools, a power we had sometimes given up out of convenience or lack of awareness.

To conclude, let us keep this in mind: choosing sovereign hosting and open solutions means investing in a technology that serves people and the community. It means supporting the idea that digital progress can go hand in hand with respect for privacy, with autonomy and with a diversity of players. Quebec and Canada have all the skills and talent needed to excel in this field. By taking the step toward digital sovereignty, we create a future where the digital world strengthens our sovereignty (rather than diluting it), where every small business or individual can feel safe in the online world, just as in the physical world.

Digital sovereignty, ultimately, is the freedom to remain masters of our digital destiny, and it is essential in the current geopolitical context. Let us embrace it and adapt, for a digital world that is safer, more ethical and more our own.