Be updated, subscribe to the OpenKM news

Data Sovereignty and Regulatory Compliance

Written by Gaspar Palmer on September 12, 2025

In recent years, Europe has made it clear that it wants to build its digital autonomy on two inseparable pillars: data sovereignty and regulatory compliance. These are no longer theoretical concepts, but strategic priorities that directly affect the competitiveness of companies of all sizes. With the AI Act entering into force, the revision of the eIDAS 2.0 Regulation, and the imminent obligation for B2B e-invoicing in Spain, companies must learn to innovate in their processes without losing sight of control over the information they handle.

From Aspiration to Obligation: Data Sovereignty in Europe

For a long time, the concept of data sovereignty was perceived as a political ideal linked to Europe’s technological independence from the United States and China. Today, however, that ideal translates into very concrete operational requirements: data localisation within European jurisdictions, control over the information lifecycle, and full traceability.
According to a recent European Commission report, more than 80% of European companies consider that digital sovereignty will be decisive for their competitiveness over the next five years. It is no longer enough to store information: it must be governed, protected, and demonstrably so to third parties.

AI Act: Traceability as a Licence to Innovate

The AI Act, adopted in 2024, marks a turning point. It requires companies that use artificial intelligence to document, audit, and ensure the quality of training data, especially in high-risk sectors such as healthcare, transport, finance, or public administration. This means AI models must not only be innovative, but also explainable and compliant with regulation.
As Satya Nadella, CEO of Microsoft, noted at the most recent World Economic Forum in Davos: “Trust becomes the licence to operate in the age of AI.” Trust is not improvised: it is built through traceability and transparency processes that allow regulators, customers, and partners to know where data comes from and how it is used.

eIDAS 2.0: Digital Identity and Cross-Border Trust

The update to the eIDAS 2.0 regulation introduces the European Digital Identity Wallet (EUDI Wallet), which will allow citizens and companies to authenticate and sign electronic documents in any Member State with full legal validity. For businesses, this represents a leap in efficiency, but also a higher bar: every digital transaction will have to be verifiable and auditable.
The European Commission estimates that this measure could save European companies and citizens more than €11 billion per year in administrative costs thanks to safer, more standardised digital processes.

B2B E-Invoicing in Spain: From Compliance to Efficiency

The most immediate case is mandatory e-invoicing between companies in Spain, which will be phased in from 2025. Its goal is to reduce late payments and increase fiscal transparency, but its scope is broader: it will force thousands of SMEs to digitise processes that still depend on paper or fragmented systems.

The Bank of Spain estimates that late payments between Spanish companies weigh on the economy by more than 1.3% of GDP. The digitisation and traceability delivered by e-invoicing not only meet a legal obligation, but also become a direct driver of productivity and liquidity.

Compliance as a Competitive Advantage

What unites these three frameworks (the AI Act, eIDAS 2.0, and e-invoicing) is that they transform compliance into a strategic enabler. Those who approach it reactively will experience it as a burden; those who anticipate it and integrate it into their management model will turn it into a competitive advantage.

In this context, innovation can no longer advance outside the rules. At the same time, compliance ceases to be a “sunk cost” and becomes a guarantee of resilience: more transparent processes, evidence-based decisions, and customers who trust that their data is protected.

The Real Debate: Control or Dependence

The core question is not whether companies should comply, but what model of sovereignty they wish to adopt. Organisations that fully delegate the management of their information to providers without real control over jurisdiction, custody, or interoperability risk losing strategic autonomy. By contrast, those who design document-management processes aligned with European regulation ensure a lasting framework of trust.

Europe, with its fabric of SMEs and mid-sized companies, cannot compete on price or scale alone against global giants. Its competitive edge lies in making compliance a hallmark—a guarantee that business here is conducted with security, transparency, and responsibility.
In the words of European Commissioner Margrethe Vestager: “If Europe wants to lead, it must prove that innovation and the protection of fundamental rights can go hand in hand.” That is the real challenge: to demonstrate that there is no contradiction between innovating and protecting, but rather a virtuous circle that strengthens trust in Europe’s digital market.