7 min read surveillancemethods

“Digital sovereignty” is one of those phrases that means whatever its speaker needs it to mean. To a minister announcing a national cloud, it means autonomy. To a censor, it means jurisdiction over speech. To a European regulator, it means that data about people carries their rights with it wherever it travels. The word is doing three jobs at once — control of the switch, control of the border, and control of the substrate — and arguments about digital sovereignty usually go wrong by sliding between them unannounced.

This piece takes a different approach: it follows the numbers. Four fronts of the sovereignty contest are now measured well enough, by organizations that publish their methods, to be charted rather than merely asserted. Each chart below is built from a small, documented dataset compiled for this article from those published figures — downloadable, checksummed, and traceable to its sources.

The switch: shutting down the network

The bluntest exercise of network sovereignty is turning the network off. Access Now and the #KeepItOn coalition have documented deliberate internet shutdowns since 2016, combining technical measurement with news reports and local accounts, and their trendline is the clearest single indicator in this article: 313 shutdowns across 52 countries in 2025 — the highest annual count they have ever recorded, and at least one shutdown somewhere in the world every day of the year [@accessnow2026].

Source: Access Now / #KeepItOn annual reports. Totals are revised retroactively as new information surfaces; this series uses the latest published revisions.

The composition of that number matters as much as its size. Conflict has been the leading trigger for three consecutive years — 125 of 2025’s shutdowns occurred in conflict settings — and the coalition documented 70 shutdowns coinciding with grave human rights abuses in 21 countries, arguing that blackouts increasingly function as a method of warfare rather than a public order tool [@accessnow2026]. The geography is concentrated: Myanmar led with 95 shutdowns and India recorded 65 — India’s lowest count since 2017 and still the highest of any democracy, atop a historical tally of 920 of the 2,102 shutdowns documented worldwide since 2016 [@accessnow2026]. A newer front is the targeting of workarounds: authorities cut low-Earth-orbit satellite connectivity 14 times across seven countries in 2025, up from four such cases the year before [@accessnow2026].

Shutdowns also carry a price the states imposing them rarely acknowledge. One independent estimate using the NetBlocks cost methodology put the global economic damage of deliberate disruptions at $19.7 billion for 2025 alone, across more than 120,000 cumulative hours of interference [@top10vpn2026]. Sovereignty exercised as a switch is real power — and a measurable self-inflicted wound.

The watcher: the commercial spyware trade

If the switch is sovereignty’s bluntest instrument, mercenary spyware is its most precise. The Carnegie Endowment’s global inventory documents at least 74 governments contracting with commercial firms for spyware or digital forensics between 2011 and 2023, with autocracies outnumbering democracies among the buyers — 44 to 30 — and 56 of those 74 governments procuring from firms based in or connected to Israel [@carnegie2023]. Estimates that include intelligence-community reporting run higher still: at least 80 countries are believed to have purchased spyware [@atlanticcouncil2024].

Source: Carnegie Endowment global inventory and reporting citing it. These are documented minimums, not totals.

The supply side is no longer a handful of notorious vendors. The Atlantic Council’s Mythical Beasts project mapped 435 entities across 42 countries participating in the spyware market — vendors, suppliers, holding companies, and investors — and documented the market’s signature evasion move: jurisdiction-hopping through renamed subsidiaries when sanctions or export controls tighten anywhere [@atlanticcouncil2024]. Enforcement exists and has teeth — the US entity-listed NSO Group in 2021, sanctioned Intellexa’s network, and a US court ordered NSO to pay damages in the WhatsApp case — but the procurement trendline above has not bent downward. This publication’s own surveillance exports dashboard tracks documented transfers in this market, and is embedded below.

Surveillance technology exports — documented transfers

Open full screen ↗

The border: keeping data home

The third front is quieter: laws requiring that data generated in a country stay there. ITIF’s census of data-localization measures found the practice more than doubling in four years — from 67 measures in force across 35 countries in 2017 to 144 measures across 62 countries in 2021, with dozens more proposed — led by China with 29 measures, followed by India, Russia, and Turkey [@itif2021].

Source: ITIF. The 2021 census is the most recent comprehensive count; the trend since has continued upward per subsequent ITIF commentary.

Localization is where the two faces of sovereignty are hardest to tell apart. The same legal instrument — a residency requirement for citizens’ data — can be a privacy protection, an industrial policy for domestic cloud providers, or a mechanism ensuring security services can reach the data without foreign legal process. ITIF’s econometric work argues the economic cost is real regardless of motive, with measurable drags on trade and productivity in restrictive countries [@itif2021]. The honest observation is that localization laws are proliferating faster than anyone’s ability to categorize their intent.

The substrate: who owns the machines

Beneath the laws sits the physical question: whose computers is everything running on? Synergy Research Group’s estimates for the first quarter of 2026 put Amazon at 28 percent of global cloud infrastructure spending, Microsoft at 21, and Google at 14 — three US companies holding more than 60 percent of a market that reached $129 billion in that quarter alone, growing 35 percent year over year on AI demand [@synergy2026].

Source: Synergy Research Group estimates, as reported via Statista and Data Center Dynamics.

This is the fact that gives every European “sovereign cloud” initiative its urgency and every data-localization law its awkwardness: a residency requirement satisfied inside a foreign hyperscaler’s local region changes where the disks sit, not who controls the software, the supply chain, or the company answerable to another government’s legal process. Substrate concentration is the sovereignty deficit that laws alone cannot legislate away — which is precisely why the policy response has shifted toward regulating conduct instead.

The counterweight: regulation with invoices attached

The European regulatory experiment is the most measurable attempt to assert sovereignty over data without owning the substrate. Eight years into the GDPR, cumulative fines exceed €7.1 billion, with roughly €1.2 billion issued in 2025 alone and more than 60 percent of the total value imposed since January 2023 [@dlapiper2026]. The CMS enforcement tracker counts over 2,200 published fines, and the concentration tells its own story: Ireland’s Data Protection Commission — lead regulator for most US platforms’ European headquarters — accounts for €4.04 billion of the total, and nine of the ten largest fines have landed on technology and social media companies [@cms2026; @dlapiper2026]. The largest single penalties are sovereignty cases almost by definition: Meta’s €1.2 billion fine concerned unlawful EU-to-US data transfers, and TikTok’s €530 million concerned transfers to China [@dlapiper2026].

Two honest complications belong next to those numbers. First, enforcement is contestable — Luxembourg’s €746 million Amazon fine was annulled on procedural grounds in early 2026, a reminder that headline totals include penalties still moving through courts [@cms2026]. Second, the regulatory layer is still thickening: the EU’s Data Act became applicable in September 2025, extending sovereignty-adjacent obligations from personal data to industrial data and cloud switching [@eudataact2023]. Regulation has proven it can attach real invoices to data power; whether invoices change the substrate is the open question of the next decade.

One timeline, four fronts

  1. 2013

    The Snowden disclosures

    Global surveillance revelations turn data jurisdiction from a technical topic into a political one.

  2. 2016

    Shutdown tracking begins

    Access Now launches #KeepItOn; the GDPR is adopted, with application from 2018.

  3. 2020

    Schrems II

    The EU Court of Justice invalidates Privacy Shield, making transatlantic transfers a live legal risk.

  4. 2021

    The Pegasus Project and the entity list

    Consortium reporting exposes spyware targeting at scale; the US entity-lists NSO Group.

  5. 2023

    The €1.2 billion fine

    Meta receives the largest GDPR penalty to date — a data-transfer case.

  6. 2025

    The record year

    313 documented shutdowns; the EU Data Act becomes applicable; cloud spending accelerates on AI.

What these numbers cannot say

Every dataset above is a documented minimum produced by an organization fighting undercounting. Shutdown totals are revised upward retroactively as evidence surfaces — the numbers in this article’s chart already differ from the ones first announced in each year’s headlines, and Access Now publishes those revisions deliberately [@accessnow2024]. Spyware procurement counts capture only exposed contracts; the market’s defining feature is that most of it is not exposed [@atlanticcouncil2024]. Localization censuses lag the laws they count. Market-share estimates are analyst reconstructions of revenue that companies report on their own terms. And none of these indicators measures the thing they orbit: whether any given exercise of “sovereignty” made the people inside that jurisdiction freer or less free. The numbers establish scale and direction. The judgment is still work.

The through-line of the four fronts is that sovereignty over networks is no longer rhetorical on any side. It is exercised as a switch 313 times a year, purchased as a service by at least 74 governments, legislated as a border 144 times over, and contested against a substrate that three companies mostly own. The obsidian mirror’s job — this publication’s job — is to keep the numbers attached to the word.

From this investigation

digital-sovereignty-indicators

CSV 498 B + 213 B + 135 B + 225 B · v1.0.0

Download

Published under CC-BY-4.0.