The multidimensional problem

Daniel Melin

Business Development Manager

In these debates, it is not uncommon for one side to argue that there are legal obstacles, whereupon the other side claims that the right IT security resolves the legal obstacle. In the end, no one is any wiser about what the rules actually are.

After far too many such discussions and a continued state of confusion, I started wondering why the issue is so hard to discuss. One answer is of course that the party putting forward their argument has some sort of stake, for example that it benefits the person’s employer. But even if a party is not arguing intellectually honestly and instead argues from their special interest, the problem remains that very few seem able to make both a competent and complete assessment. Note that I am not claiming I can either.

I am convinced the problem lies in the complexity of the issue, which means that anyone who wants to reason about this needs to be relatively well-read and knowledgeable in at least six domains. The ones I have identified are geopolitics, IT security, continuity, law, control, and industrial policy. Of course, there is some overlap between these six, and you can certainly add more.

Up until 2020, the discussion was almost exclusively about OSL, GDPR, and IT security. Geopolitics, control, and continuity became increasingly common after Russia’s full-scale invasion of Ukraine and Sweden’s NATO accession. The industrial-policy consequences are still conspicuously absent, although the industry initiative EuroStack has put the issue on the agenda in 2025.

Another influencing factor is that it has been in American vendors’ interest to keep various issues unclear, thereby encouraging each organization to conduct its own investigation. Classic divide-and-conquer.

Six domains

To provide some guidance, I define the six domains as follows:

Geopolitics is an academic discipline in which politics, history, and sociology are analyzed with reference to geography. We can observe geopolitics daily in various statements from political leaders who draw on their own country’s history, distinctiveness, and the special status of their population. For example, the EU and NATO are geopolitical actors without being countries.

IT security concerns how various IT systems and their information are protected against, for example, adversarial attacks, unauthorized access, manipulation, destruction, and theft. IT systems need to be constantly reviewed to patch vulnerabilities and reduce the attack surface. Encryption is a common way to protect information. One can argue that the domain should be information security or cybersecurity, but in this context that is of minor importance.

Continuity is about how different events can affect an organization’s ability to function. With good continuity planning, an organization can increase its resilience against excessively negative effects.

Law consists of various laws and regulations from Sweden, the EU, and other countries. Laws and regulations from countries outside the EU are commonly referred to as third-country legislation. Difficulties regarding legislation from certain countries include, for example, that the legislation is deliberately vaguely written, that it is secret, and that it can be changed at very short notice. In law, I also include supplier contracts that are more or less comprehensible, change often or rarely, and are provided in full or only in part.

Control is the ability to decide independently by maintaining control yourself. Control can take many forms; a commonly used concept is “digital sovereignty.” Digital sovereignty is about a country having independent control over its digital assets in the same way as its land, sea, and air.

Industrial policy, according to the government, is about creating the conditions for jobs and growing companies. The area includes, among other things, conditions for business and entrepreneurship, innovative capacity, and well-functioning competition. According to the government, too few startups grow into successful scale-ups within the EU. This signals that Europe is not fully capable of converting its innovation capacity into globally competitive companies. The single market, which should be a springboard for growth, remains fragmented, limiting access to capital, talent, and markets. Both the European Commission and Swedish governments can hardly be accused of having made it easier for Swedish IT companies to grow, but that is another article to write.

One way to visualize the six domains is as a puzzle in which all the pieces are needed to see the whole—in this case, Swedish society.

Reasoning

As you can see, I take a broader perspective than just the individual organization; for example, it is not an individual authority’s role to choose a cloud service partly based on industrial-policy considerations. A pitfall is revealed already here. If we go back to the original discussion with two parties, but instead of law and IT security, the problem is that one party factors Swedish industrial policy into their assessment while the other party considers only the individual organization. It becomes difficult to reach consensus in that situation.

A constantly recurring line of argument is risk—that every choice carries risk. But merely asserting that every choice carries risk offers no guidance on how an organization should choose. In IT security, risk is a given; there is no IT system that is both accessible to users and 100% secure. When it comes to control, it is more binary: either the organization has control over its information or it does not. Law is somewhere in between: in some cases there is clear legislation and/or precedential rulings that show the boundary between legal and illegal. In other cases, it is currently unclear exactly where the line lies. Some organizations seem to consider that as long as something is not explicitly prohibited, it is permitted, while others choose the opposite. Some authorities have even taken it upon themselves to “challenge the law” in order to use various (American) cloud services more freely.

In the National Cybersecurity Strategy 2025–2029, the government writes that “it can entail serious risks if many organizations depend on the same service or system and that dependencies on digital product and service deliveries from organizations based in third countries can both be inappropriate and constitute a vulnerability that can be used as political leverage.” Here the government adopts a clear societal perspective on, for example, cloud services. In Sweden’s digitalization strategy 2025–2030, it states that “an important aspect of withstanding stress is access to secure and robust supply chains for both hardware and software. To achieve secure supply chains requires systematic work with continuous risk assessments, a diversity of supplier options, and solid requirements on suppliers.” At the same time, the foreign policy declaration from February 2025 states that “the transatlantic link is crucial for Swedish and European security and that Sweden’s and the USA’s bilateral relations are very good and are strengthened by our being allies in NATO. The USA is a partner of particular importance for Sweden and for Europe—commercially, in security terms, and politically.” One can sense that these different communiqués are not entirely consistent with each other given the fact that American cloud services totally dominate the Swedish market and that no attempts have been made politically to change this.

Conclusion

The next time you encounter a discussion about the so-called “cloud question,” start by trying to clarify which domains the different parties include in their reasoning. In this way, we might collectively elevate the discussion to the societal level so that Sweden can obtain a reasonable degree of digital sovereignty as quickly as possible, and so that the discussions become more meaningful and intellectually honest.