04.06.2025

Data sovereignty in SMEs: why now is the time to act

The German SME sector is widely regarded as the backbone of the economy: millions of small and medium-sized enterprises (SMEs) provide jobs, drive innovation, and create regional value. Altogether, they account for well over 90 percent of all German companies. Their digital data – in all its forms – plays a central role in this contribution: from accounting and document management to highly sensitive information such as intellectual property. As business processes become increasingly digitized or even fully digital, one question becomes ever more pressing: who controls this data? And how secure is the digital infrastructure it all depends on?

In this context, the concept of “data sovereignty” is gaining importance – yet in many SMEs, it still flies under the radar. That’s a growing problem, because these companies are now being targeted by cybercriminals, rely on secure and efficient systems to collaborate with customers and partners, and must comply with legal and regulatory requirements.

Data sovereignty – what it means
The term “data sovereignty” refers to the right and ability of companies or individuals to retain full control over their data. In concrete terms, this means that companies must know which data is processed when, where and by whom – and always retain sovereignty over these processes. Data sovereignty is already a critical factor, particularly in heavily regulated industries, but in view of unstable data protection agreements and increasing compliance requirements (e.g. NIS-2, DORA or TISAX), it is also becoming relevant for industries that have been less affected to date. This means that it should not be neglected by SMEs either.

Data sovereignty requires transparent, self-determined and traceable data processing. However, it often remains unclear what exactly is required for sovereign data management. One thing is clear: data sovereignty complements data protection or data security but does not replace them. It is aimed at the power of disposal over all “own” data – including, for example, business secrets such as internal documents or research data. Data sovereignty is therefore also a critical factor for the competitiveness of SMEs in the future.

The risks are growing – even for SMEs
The long-standing assumption that cyberattacks only affect large corporations or "someone else" is misleading. The range of threats is vast. Whether it's a security breach, compliance issue, system outage, or the loss of control over critical business data – every incident involves costs. When it comes to outages or data leaks, the consequences can be especially severe: from lost time and operational costs to reputational damage. Several recent examples highlight this:

Sabotage and geopolitics: In November 2023, a critical undersea data cable in the Baltic Sea between Sweden and Estonia was damaged – reportedly due to external interference. And in early May 2025, Microsoft disabled the email account of the Chief Prosecutor at the International Criminal Court – reportedly on orders from the U.S. government. These incidents show just how vulnerable digital infrastructure can be, and how fragile international data flows are. If connections fail, are disrupted, or shut down, access to systems and data may be cut off completely. While such scenarios once seemed unlikely, they are now a real concern – especially for SMEs that lack the resources to monitor IT systems around the clock. The highest level of security and control is only possible with data processing in Germany and reliable local partners.

Insecure providers, mishaps, and data leaks: According to Bitkom’s Corporate Security Study 2024, around 74 percent of German companies fell victim to digital sabotage, espionage, or data theft – with a particularly large number of SMEs affected. While it is difficult to quantify the damage in individual cases, the overall risk is substantial: two-thirds of companies fear for their very survival. The use of insecure or non-transparent services poses a serious risk – regardless of company size. One example is the exploitation of a major vulnerability in MOVEit file transfer software by the Clop ransomware group, which affected organizations in over 100 countries. Particularly alarming: many companies had no idea that MOVEit components were embedded in the services they were using.

What data sovereignty is – and what it isn’t
Data sovereignty starts with the basics – knowing where business-critical data is stored, who can access it, and what risks are involved. Decisions must be traceable and made with a clear understanding of risks, dependencies, and available alternatives. For instance, anyone sharing sensitive files via unsecured cloud platforms – without knowing where the data is stored – is handing over control. And ignorance is no defense when consequences arise.

It’s important to clear up a common misunderstanding: data sovereignty does not mean hosting everything yourself, sealing off all systems, or operating your own data centers. Nor does it mean avoiding international providers altogether. At its core, data sovereignty means taking responsibility for your data. In practice, this starts with choosing certified, trustworthy services, setting up structured data storage, and ensuring clearly defined access rights.

Choosing the right partner matters
Data sovereignty cannot be achieved without the right partners. Companies using external infrastructures must take even greater care to ensure control, transparency, and compliance. This also includes preventing data from being unintentionally passed on – whether via hidden clauses in terms of use or through foreign laws. While contracts can help, they’re not enough. Choosing the right provider is essential, especially when it comes to processing and storing sensitive data.

This is especially relevant in the cloud. While cloud solutions offer many advantages, the concentration of services in the hands of a few large and powerful providers has led to near-monopoly conditions and a growing loss of control for users. For many companies, it is virtually impossible to trace where their data is stored, which laws apply, or who may be able to access it – legally or technically.

Where to start? Opt for a secure virtual data room instead of open cloud folders, and for certified enterprise file sharing instead of questionable and insecure providers. Key criteria to consider include:

  • Headquarters and ownership structure of the provider

  • Server location

  • Relevant certifications and attestations

  • System availability

  • Support and service levels

  • Security functions

  • Contractual terms (e.g. data processing agreements)

Who’s responsible? – Clarifying roles in SMEs
Especially in small and medium-sized enterprises, one question often remains unanswered: Who is responsible for data security, digital tools – and data sovereignty? Clear responsibilities are often missing. Tasks such as IT security, privacy compliance, or software selection may fall to the managing director, be picked up by committed team members, or delegated to an external IT provider – often without any strategic coordination.

This structural gap can have serious consequences. If no one is responsible, essential tasks like system selection or backups are neglected. Clearly assigned responsibility is the foundation for a secure, sovereign, and future-proof IT strategy – regardless of company size.

Where to start? Appoint someone who understands your company’s specific needs and reality. Invest in IT security and infrastructure – because recovering from failure is always more expensive than preventing it.

The advantages of data sovereignty for SMEs
Data sovereignty is not a luxury – it’s a necessity. And SMEs not only can, but must take steps to secure their digital resilience and independence. More than that, sovereignty can become a competitive advantage. With a strong focus on data control and trustworthy technology, SMEs can benefit from:

  • Legal certainty and compliance

  • Protection against data loss and system failures

  • Enhanced competitiveness and resilience

  • Reduced dependence on monopolized platforms

  • Greater trust among customers and partners

netfiles – your trusted partner for data sovereignty
netfiles is your reliable partner in achieving data sovereignty. We place just as much importance on the protection and security of your data as on availability and ease of use. netfiles data rooms are suitable for all industries and use cases – from M&A transactions to external collaboration, from secure backups to simple, secure document sharing across locations. As an owner-managed company based entirely in Germany – from headquarters to development and hosting – we are subject exclusively to strict German data protection laws and international compliance standards. All systems are independently audited and certified.

Want to know more? We’re happy to advise you on how netfiles can help you take control of your data. Get in touch – we look forward to hearing from you.