With the European Technological Sovereignty Package, the European Commission recently sent a clear signal: Europe wants to reduce its dependence on non-European suppliers for critical technologies. Commission President Von der Leyen explicitly referred to healthcare: "We cannot afford to depend on others for the technologies that keep our hospitals running."
This is no coincidence. Many hospitals, mental health institutions, nursing homes and general practitioners rely on American suppliers (or other suppliers outside Europe) for their EHR, cloud, AI and medical devices. At the same time, European healthcare legislation is piling up: MDR, AI Act, EHDS, NIS2, GDPR and NEN 7510 impose increasingly stringent requirements on data protection, supply chain security and transparency. One common theme runs through all these laws: maintaining control over your data, your (AI) systems and your suppliers.
What happens if your EHR supplier disappears, a cloud connection is interrupted, or a medical device manufacturer stops providing support? The more dependent you are on a single party, the greater the risk to your primary process. NIS2 now explicitly requires you to actively manage these kinds of supply chain risks. In practice, this means structurally assessing your critical suppliers on reliability and security level, making contractual arrangements about vulnerabilities, incidents and exit, and determining at organisational level which dependencies are acceptable and which you need to actively reduce or mitigate.
You process special categories of personal data, the most heavily protected category under the GDPR. Foreign legislation such as the CLOUD Act can grant access to data held by American suppliers, even if that data is physically stored in a European data centre. As you have probably already realised, this clashes with your duty of medical confidentiality and with the strict transfer requirements of the GDPR.
Geopolitical tensions, sanctions or a unilateral price change by a dominant supplier can affect your organisation. Sovereignty means: retaining freedom of choice to switch when needed.
Patients expect their data to be safe. Staff want to work with systems they understand and trust. This makes sovereignty directly relevant to your credibility as a healthcare organisation.
In practice, handling medical data immediately raises three questions related to sovereignty. First: where is the data stored? Physical location matters, but is not sufficient. The question is also: under which jurisdiction does the supplier fall? Second: who has access? Think not only of yourself, but also of administrators, sub-processors and the rest of the chain.
The EHDS adds another layer: patients gain the right to view, share and transfer their health data electronically. This forces EHR suppliers to work interoperably, making switching to another party more realistic. Medical confidentiality (Wgbo) and NEN 7510 converge here: you must be able to demonstrably guarantee that patient data remains confidential, including throughout the chain. A supplier that can be compelled under foreign law to hand over data does not fit easily into that picture.
You do not need to start a new strategy. You build sovereignty into what you are already doing: EHR renewal, cloud migration, AI pilots, regional data exchange and NIS2 implementation.
The GDPR requires conscious choices about legal basis, purpose limitation and transfers. NIS2 obliges you to implement supply chain risk management, giving you grip on your supplier chain. The MDR sets continuity and safety requirements for medical software. The AI Act requires transparency, logging and human oversight, giving you grip on AI models and their training data. The EHDS forces EHR suppliers towards interoperability. For research data and secondary use, you anticipate the EHDS route via national health data access bodies. Finally, NEN 7510 already requires a thorough assessment of suppliers, a review you can readily combine with sovereignty criteria so that you address both issues in a single coherent process.
You can only steer on sovereignty if you know where your dependencies lie. Start with an overview of your critical systems (EHR, imaging, laboratory, medication, communication) and identify for each supplier its parent company and the applicable jurisdiction. Do not forget medical devices with cloud connections, AI applications (with their training and hosting locations) and any regional collaborations you have set up. Assess for each component how critical it is and how significant the sovereignty risk is.
For a structured assessment, you can use the Cloud Services Sovereignty Assessment Tool from DICTU (in Dutch), which is also used within the Dutch central government. This tool examines five dimensions: legal, data & AI, technology, operational and human. By assessing your suppliers along these dimensions, you obtain a well-founded risk profile.
The greatest practical gains lie in your contracts. Check whether exit provisions are workable and tested, how audit rights and transparency about sub-processors are documented, and how key management is arranged. Also look at continuity guarantees in the event of geopolitical disruptions and whether processing agreements comply with the GDPR transfer requirements. Many healthcare contracts were concluded years ago, before the current legal and geopolitical context. An update is often urgently needed.
In every new tender or procurement process, you can include functional sovereignty requirements: data residency and EU support as mandatory requirements, open standards, a workable exit strategy required in the contract, transparency about sub-processors and their jurisdiction, and alignment with the interoperability requirements of the EHDS. This prevents you from being locked into a supplier you cannot escape from in five years' time.
Sovereignty is not just an IT concern. Make it part of your risk management cycle and assign clear roles. Align as much as possible with your existing programmes to avoid duplication of effort.
We help healthcare organisations to build sovereignty practically into their existing digital strategy. We can help you map your greatest risks and dependencies, review contracts and support procurement. We offer an integrated compliance approach in which MDR, AI Act, EHDS, NIS2 and GDPR come together in a single programme, and we extend your existing NEN 7510 audit with a sovereignty lens.
For organisations that want to explore these issues more independently, we offer the AI Pro Pack. This includes a sovereignty assistant: an accessible way to put sovereignty on the agenda. Start your 14-day free trial now!