The uncomfortable answer to “What does digital autonomy really cost?”

Sovereignty is often sold as a moral choice. “We need to break away from the hyperscalers.” Fine. But as soon as the conversation starts, someone pulls out an Excel spreadsheet and an important choice is reduced to: licenses vs. open source.

A few weeks ago, I was invited on LinkedIn to answer precisely that question: would you like to comment on the principles behind a cost comparison between hyperscaler cloud and the “sovereign” route taken by Schleswig-Holstein? Of course, I'd be happy to.

The Pulse article “What does digital autonomy really cost?” sets this out neatly and soberly: explicit assumptions, TCO under stress scenarios, control vs. dependence. Of course, I'll go into that. But I'm also going to go one layer deeper.

Sovereignty is not just today's calculation. It is tomorrow's bill: vendor lock-in, geopolitical risks, compliance under pressure, and your ability to innovate without asking permission. And that requires leadership.

Soevereiniteit wordt vaak verkocht als een morele keuze. “We moeten los van de hyperscalers.” Prima. Maar zodra het gesprek start, schuift iemand een Excel naar voren en wordt een belangrijke keuze gereduceerd tot: licenties vs. open source.

Vorige week werd ik door LinkedIn uitgenodigd om precies zo’n vraag te antwoorden: wil je reageren op de uitgangspunten achter een kostenvergelijking tussen hyperscaler cloud en de “soevereine” route van Sleeswijk-Holstein? Uiteraard, graag zelfs.

Het Pulse-artikel ‘Wat kost digitale autonomie écht?’ zet dat netjes en nuchter neer: aannames expliciet, TCO onder stress-scenario’s, regie vs. afhankelijkheid. Daar ga ik uiteraard op in. Maar ik ga óók één laag dieper. 

Soevereiniteit is niet alleen de rekensom van vandaag. Het is de rekening van morgen: vendor lock-in, geopolitieke risico’s, compliance onder druk en je vermogen om te innoveren zonder toestemming te vragen. En daar hoort leiderschap bij.

And then there's something else: with every dollar you spend on cloud services, you're also buying influence, knowledge, and revenue elsewhere. {Explain? Because why is that? Only then can these questions follow.} Do you want to keep exporting that? Or do you want to bring some of it back to Europe, to your own ecosystem of suppliers, developers, and innovators?

In this blog, I use the comparison “hyperscaler vs. Schleswig-Holstein” as a magnifying glass. Not because it is the only route to sovereignty (it isn't), but because focus helps. Let's have the real conversation: what do you want to control yourself and what are you willing to accept as dependency?

TCO shifts on one word: integration

Arnold van der Veen Meerstadt, the author of the article, sharply contrasts the two organizational models. His core assumption sounds logical, almost irrefutable: with the hyperscaler, "email, documents, collaboration, security, lifecycle management, and innovation are highly (...) integrated and largely developed and managed externally (...)". And that with open source, “licensing costs are lower, but architecture, integration, security, and further development are explicitly the responsibility of the user, often involving multiple suppliers and internal teams.”

But that's exactly where it starts to get tricky. Because this model hides work on the hyperscaler side under the word “integrated.”

Take Microsoft 365 as a practical example. The functionality is broad, certainly. But in the real world, “integration” often means multiple admin portals, different policies in different places, licenses that determine which buttons you even see, and dependencies that you only discover when things go wrong. That's not “externally managed.” That's you making it work. And above all, you making it manageable. The effort required to truly integrate is no less than with an open source solution.

Security is the most painful example. A hyperscaler provides capabilities, not security. Conditional Access is a policy engine. But you have to design, test, roll out, and maintain it. The link between Defender, Intune, and Conditional Access is not magic either; it is a chain that you have to actively set up. Turn Entra “on” and you have mainly... started.

Then there is the assumption that open source is by definition “modular” and therefore weak in terms of integration. That may be true. But it is not inherent. There are open-source workplace and collaboration stacks that are tightly integrated (with a single identity layer, a single place for rights, a single source of truth). The difference is not whether there is integration, but who is in control of the integration.

Finally... innovation. When your workplace is the battlefield, “innovation” at hyperscalers often feels like yet another portal, yet another label, yet another feature that requires you to update your governance. Open source also plays the innovation card much more often when it comes to underlying technology: while the Linux world has been developing a choice of file systems and architectures for decades, NTFS was introduced on Windows in 1993 and still forms the baseline in the Windows domain. Even with a little creativity, you can't really call that innovation...

In short: the cost-benefit ratio here depends heavily on one word: integration. If you equate that word with “less work for yourself,” then the hyperscaler wins before you even start calculating. That's not TCO. That's framing.

The five hyperscaler risks your board should be concerned about

Using hyperscalers often feels like the safe choice. Large. Professional. “Always available.”

Until you discover what else you're buying: dependency that isn't reflected in your budget.

Here are the two main risks. Plus three additional risks you can't ignore:

1. Ownership of data (and access to your own work)
   In theory, it is “your” data. In practice, access to your data is a service provided by a third party. If accounts or services are suspended, your organization comes to a standstill. A concrete, public example: reports about the blocking/shutdown of Microsoft services in connection with the ICC sanctions. This showed once again how quickly that scenario can become reality. 

Can you afford to have your email, documents, or identity suddenly become an “administrative issue”? Probably not...

2. Sudden price increases (and price leverage on renewals)
   Microsoft announced commercial price updates for Microsoft 365 effective July 1, 2026.

   And apart from that, there are price incentives in the billing model (e.g., a surcharge for monthly payments on an annual commitment).

   This is not an incident. This is leverage: the deeper you are in, the more expensive it becomes to say “no.”

3. Jurisdiction and extraterritorial access (CLOUD Act)
   Even if your data is physically located in Europe, legislation outside Europe may be relevant if the provider falls under that jurisdiction. The Dutch NCSC explains how the CLOUD Act can have an impact in Europe. NCSC: “EU Entities can be within the reach of the CLOUD Act, even if the EU Entities are located outside the U.S. In order for an EU Entity to completely avoid being subject to the CLOUD Act, it would need to process data using a non-U.S. entity”

   This sometimes makes “data residency” more about marketing than protection.

4. Vendor lock-in and exit costs
   Lock-in is not just about technology (APIs, identity, formats). It is also about processes, governance, tooling, skills, and security models. NIST explicitly mentions portability/interoperability as a challenge in cloud ecosystems.

   You can leave. But at what migration cost? And with what risk during the transition?

5. Concentration and unavailability risk
   When a single platform supports a large part of your workplace, identity, and collaboration, a malfunction immediately becomes a business incident. Reuters reported on a major Azure outage (October 2025) with widespread impact: many European Azure users lost an entire working day.

The bottom line: hyperscalers take work off your hands... but they also take away functionality. Which you only miss during a crisis. And then it's too late.

Free money, one clear direction, in 30 minutes.

Sovereignty cannot be covered in a single blog post. And honestly, it cannot be covered in a single standard solution either.

It is not just about workplaces. It is about your entire chain: identity, data, applications, management, suppliers, and the question of where your real dependencies lie. And you do not have to go “all in” or “stay in.” There is a world of difference between hyperscaler and fully open source.

Perhaps the best step is to move only your crown jewels. Or cover your risks with a hybrid model. Or finally design your exit path so that you're not tied to one party.

Are you curious about how much sovereignty is wise for your organization and how you can achieve it without chaos, ideology, or drama?

Schedule a no-obligation appointment with me. In 30 minutes, we will clearly map out:

• where your greatest dependency lies

• what risk you currently accept

• which route is realistic for your organization

Every conversation provides insight. Surprise, too. And... savings. As someone (CIO) put it so nicely: “Hugo, you're basically bringing us free money. I hope to see you often!” And that's how it is.