Michael Crouch – Adversarial Collaboration Engineer
Andrew Heller – Marketing Manager
Digital sovereignty in the EU is no longer just about where data is stored. It is about whether an organisation can maintain meaningful control over critical systems, communications, suppliers, and data flows when conditions are under stress.
At Damovo’s Offensive Cybersecurity Advisory Team, Lares, this shift is visible every day. Regulations such as NIS2 and DORA are pushing organisations beyond checklist compliance and toward a higher standard: proving that security controls actually work against realistic threats.
Adversarial testing is how that proof is generated. Lares helps organisations expose weak points, validate security controls, and turn digital sovereignty from an aspiration into something that can be tested, evidenced, and improved over time.
Working alongside Damovo’s cybersecurity, enterprise networks, unified communications, contact centre, and managed services teams, Lares focuses on validating sovereignty where it matters most: in the systems that keep business running and customer engagement live.
What is digital sovereignty in the EU?
Digital sovereignty is the ability to control critical digital assets, services, and data in line with business, legal, and operational requirements. In practical terms, that includes control over where sensitive data resides, who can access it, which jurisdictions may apply, how dependent key workloads are on external providers, and whether essential services remain resilient during an incident.
This is why digital sovereignty should not be confused with simple data residency. Data may be hosted in Europe, but supporting services such as identity, telemetry, backup, AI processing, or privileged support access can still introduce exposure outside the expected legal and operational boundaries.
For many organisations, the real issue is not full independence from global technology ecosystems. It is the ability to make deliberate choices about where control must be strongest and then prove that those choices hold up in the real world.
Why digital sovereignty now matters more
Across Europe, digital sovereignty is becoming more urgent because risk is no longer limited to classic cyberattacks. Organisations must also deal with concentrated supplier risk, geopolitical uncertainty, and the operational impact of complex cloud and SaaS dependencies.
At Lares, this is increasingly seen as both a cybersecurity problem and an architecture problem. Damovo has already highlighted how NIS2 strengthens expectations around governance, incident management, risk treatment, network security, and protection of sensitive information. DORA adds a more explicit testing mindset for financial services through digital operational resilience requirements and threat-led penetration testing. The EU AI Act also increases pressure to validate robustness and security in AI-enabled services and workflows.
Together, these trends are changing what “good” looks like. It is no longer enough to state that controls exist. Organisations increasingly need evidence that they can detect, contain, and recover from attacks that threaten critical services or sensitive data.
Where sovereignty breaks in practice
Most sovereignty failures do not begin with one dramatic mistake. From Lares’ perspective, they usually emerge through small gaps across architecture, process, and supplier relationships.
Common examples include:
- A cloud workload is hosted in the EU, but logs or backups are replicated elsewhere.
- A collaboration or contact centre platform is regionally configured, but privileged support access remains too broad.
- A business-critical application stores data locally, but external APIs, analytics tools, or AI connectors create new pathways out of the expected control boundary.
- A network is secure by design on paper, but segmentation and identity controls fail under realistic attack conditions.
This matters because modern enterprise environments are deeply interconnected. Unified communications, enterprise networks, cloud platforms, contact centre tools, and managed services now operate as a single business system, not as separate silos. When a weak point appears in one layer, it can quickly undermine resilience, customer trust, and compliance in another layer.
Why adversarial testing matters
Adversarial testing is one of the most practical ways to move from assumptions to evidence. Instead of asking whether a control exists, it asks whether that control works when an attacker applies pressure.
This is where Lares plays an important role inside the broader Damovo portfolio. Through offensive cybersecurity services, Lares takes an aggressive yet controlled approach to identifying and mitigating vulnerabilities before malicious actors can exploit them. Through Purple Teaming, Lares helps organisations improve detection, response, and visibility by testing attacks in ways that drive measurable defensive improvements.
A strong adversarial programme run by Lares can help answer questions such as:
- Can an attacker pivot from a third-party integration into a critical communications platform?
- Can sensitive EU data be moved across borders without triggering alerts?
- Can teams maintain continuity if identity, cloud administration, or network controls are disrupted?
- Can defenders see and contain abuse quickly enough to protect operations and trust?
These are digital sovereignty questions as much as cybersecurity questions. They test whether the organisation is truly in control when it matters most.
The role of Red Teaming and Purple Teaming
Traditional penetration testing still has value, but it often focuses on isolated technical weaknesses within a fixed timeframe. Sovereignty challenges usually sit higher up the stack. They involve people, processes, third parties, operational workflows, and the trust assumptions built into complex environments.
That is why Red Teaming and Purple Teaming are especially relevant.
A practical framework for proving digital sovereignty
A useful programme does not start with tools. From Lares’ perspective, it starts with clarity on what needs protecting most.
- Define where sovereignty matters most: Lares typically starts by helping organisations identify which services, data types, and operational workflows require the strongest degree of control. This often includes regulated customer data, critical communications, core infrastructure, and systems tied to essential service delivery.
- Map dependencies across the full stack: Lares then works to understand which networks, cloud services, communications platforms, APIs, AI tools, and support arrangements underpin those services. This is often where hidden dependencies and jurisdictional surprises appear.
- Build threat-led test scenarios: Next, Lares designs adversarial exercises around realistic sovereignty risks, such as abuse of privileged access, data exfiltration through cloud pathways, compromise of a key supplier, or disruption of communications during an incident.
- Translate findings into decisions: Testing only creates value when findings lead to action. Results should inform architecture choices, remediation priorities, supplier governance, and the level of control needed for specific workloads.
- Repeat and refine: Digital sovereignty is not a one-time state. Cloud services evolve, suppliers change, AI capabilities expand, and attack paths shift over time. Regular Red Teaming, Purple Teaming, cloud and application reviews, and managed cybersecurity support help keep control aligned with reality.
The Solution
Digital sovereignty ultimately comes down to a practical question: can critical systems, communications, suppliers, and data flows withstand realistic pressure while still meeting EU expectations? Policies, diagrams, and hosting choices matter, but on their own, they do not prove that security controls will hold up when tested by real attack paths.
That is where Damovo’s Offensive Cybersecurity Advisory Team, Lares, adds value. Through adversarial testing, Red Teaming, Purple Teaming, and offensive advisory, we help organisations uncover weak points, validate security controls, and build evidence that resilience is improving over time. Working alongside Damovo’s broader cybersecurity and infrastructure teams, Lares helps turn digital sovereignty from a strategic objective into an operational discipline that can be tested, measured, and continuously strengthened.
Frequently asked questions
Is digital sovereignty the same as sovereign cloud?
No. Sovereign cloud can support digital sovereignty, but sovereignty is broader. It also includes operational control, supplier dependency, privileged access, resilience, and the ability to maintain service under attack.
How does NIS2 relate to digital sovereignty?
NIS2 raises expectations around governance, risk management, network security, incident handling, and supply‑chain assurance for essential and important entities. It does not prescribe specific test types, but it makes regular security assessment and demonstrable risk reduction essential, which is where adversarial testing from Lares can provide concrete evidence.
How does DORA relate to adversarial testing?
DORA places a strong emphasis on digital operational resilience and requires threat‑led penetration testing for certain financial entities. In practice, this points toward TIBER‑EU‑style exercises where Purple Teaming is mandatory, indirectly driving the use of Purple Teaming to validate how critical ICT services withstand realistic attacks.
When should organisations use Red Teaming instead of Purple Teaming?
Red Teaming is best when the aim is to simulate realistic attack paths and test resilience end-to-end. Purple Teaming is best when the aim is to improve defensive visibility and response through close collaboration between offensive and defensive teams.
What should a first digital sovereignty assessment cover?
A strong starting point includes critical services, data flows, cloud and SaaS dependencies, privileged access, jurisdictional exposure, and adversarial scenarios linked to business impact.