At a glance
At a glance
In 2005, we had a mandate to put a computer on every desk at the International Criminal Court in The Hague. Every judge, every clerk, every chamber. The court was going paperless, and we were the ones brought in to make it happen.
One judge, a senior from Ghana, refused. He would not open his computer. He wouldn’t look at it. He wouldn’t acknowledge it was on his desk. Our first instinct was to push. We had a budget, we had a mandate, and we had a decision taken by the whole court. Everyone else had complied.
Instead, we stopped, and we listened. He told us he didn’t want the computer. What he wanted was three buttons. One to see what his colleagues had decided. One to store his own work and know it was safe. One to share his decision and know it reached the right people. Everything else on the keyboard, he wanted covered with a plastic sheet, so he didn’t have to look at it.
So we covered it. And that judge became the champion and the sponsor of the entire digital transformation of the court. Not despite his three buttons. Because of them. The moment someone understood what actually mattered to him, the most resistant person in the building became the one who carried everyone else.
At the time, we thought the lesson was about listening. Two decades later, it turned out to be the clearest lens we have on a law that did not yet exist.
The law that just landed
On 3 June 2026, the European Commission tabled the Cloud and AI Development Act. For the first time, it writes digital sovereignty into European law.
The mechanism is a ladder: four audited assurance levels of rising strictness, from data simply sitting in the EU at the bottom, up to full control of the software supply chain with no foreign interference at the top. Defence sits at that top tier. The Commission’s tech-sovereignty chief, Henna Virkkunen, framed the goal plainly: making sure that no provider of the workloads Europe depends on holds a “kill switch.”
For anyone bidding on the European Defence Fund (EDF), this is no longer background noise. Sovereignty is becoming a scoring property of the systems you propose to build, and the instinct is to treat the new ladder as a new box to tick.
But here is what is worth sitting with before you write a word of the proposal. The law describes what you procure. And a bid is not a procurement.
Why the level won’t win your bid
The four-level table looks like a checklist. Choose a compliant supplier, certify the level, write it into the proposal, move on. It feels like progress. It is not what wins.
EDF evaluators are not scoring your certificate. They are scoring whether your consortium actually understands the sovereignty problem it claims to solve. The gap between those two things has become the most common reason proposals fail. Across government bidding, lack of specificity is now the leading cause of failed proposal reviews: not weak technology, not a thin track record, but generic claims an evaluator cannot verify. Sovereignty language is especially prone to it. “We will deploy a Level 4 sovereign solution” reads as exactly what it is, a sentence that has told the evaluator nothing about whether you understand what Level 4 is for.
A level is the answer to a procurement question. The evaluator is asking a comprehension question. They want to see that you know what sovereignty actually protects in this capability, against which threat, for whom. A certified supplier is not evidence of that.
Sovereignty is a ‘Three Buttons’ problem
So what is the evaluator really looking for? Strip the new law of its bureaucracy, and it is asking the same three things the judge asked.
First, who can see your data: who has access, where it lives, who can read it. Second, who can protect it: who genuinely controls it, who owns the infrastructure, who holds the encryption keys, and whether a foreign hand can reach in. And third, who can act on it: who can operate it, move it, or switch it off.
See, protect, act. The judge’s three buttons, twenty years before Brussels wrote them into a regulation. The four-level table is, in the end, a procurement department’s way of asking the question a judge in The Hague asked with a plastic sheet over his keyboard. And once you see sovereignty this way, the flaw in the checklist becomes obvious. You can assemble a system from components that are every one of them eligible for Level 4, and still fail all three buttons. A single cross-border login lets the wrong party see. An offshore support contract lets someone act. A key held by your provider rather than by you means you do not really protect. None of it shows up when you certify the parts, because each part, on its own, is compliant. The certificate is attached to the components. The three buttons are a fact about the whole.
That is why a bid built on certificates can be beaten by a bid built on understanding. Even when both name the same providers.
What this means for your bid
This changes how you write the proposal, in four concrete ways.
Lead with the three buttons, not the vendor. Open your sovereignty narrative by showing the evaluator who can see, who can protect, and who can act on the capability you are proposing, designed from the architecture up. That is the story of a consortium that understands the problem. A provider’s certification is a footnote to it, not a substitute.
Be specific about what you remove. Specificity is what evaluators can score, so do not claim sovereignty in the abstract. Tell them which third-country dependency your design eliminates, and how. One named, verifiable dependency closed, is worth more than a page of sovereign-by-design language.
Reconcile the three buttons across the consortium before it forms. This is the trap that catches cross-border bids: each participating nation may answer who can see, protect, and act differently, and an architecture that satisfies the lead nation can quietly fail a partner nation’s bar. That is not an annex you add at the end. It is a design decision you settle at the table, while the consortium is still being shaped.
Show you will hold the buttons through delivery. A level certified at award does not stay true. Subcontractors change, support arrangements grow, a shortcut gets taken to hit a milestone, and the system drifts below the tier it was certified at, while the certificate insists nothing has changed. A bid that shows how it keeps the three buttons true across the life of the program reads as written by people who have delivered before. Which is exactly what evaluators are trying to find.
Conclusion
Sovereignty has always been a people-and-control problem before it is a technology problem. Just like the resistant judge who became the champion of the whole transformation, an EDF bid is no different. The evaluator, the end-user, the partner nation; each of them has three buttons.
So if there is a single thing to take from the new sovereignty law as you prepare your bid, it is this. It is not the level you can buy. It is whether you can answer the three buttons as a design decision, and keep answering them as you deliver. That work starts long before the proposal is written, and it is the conversation we are glad to have early, while your architecture is still a set of choices you can shape, rather than a problem you have inherited.
In 2005, we had a mandate to put a computer on every desk at the International Criminal Court in The Hague. Every judge, every clerk, every chamber. The court was going paperless, and we were the ones brought in to make it happen.
One judge, a senior from Ghana, refused. He would not open his computer. He wouldn’t look at it. He wouldn’t acknowledge it was on his desk. Our first instinct was to push. We had a budget, we had a mandate, and we had a decision taken by the whole court. Everyone else had complied.
Instead, we stopped, and we listened. He told us he didn’t want the computer. What he wanted was three buttons. One to see what his colleagues had decided. One to store his own work and know it was safe. One to share his decision and know it reached the right people. Everything else on the keyboard, he wanted covered with a plastic sheet, so he didn’t have to look at it.
So we covered it. And that judge became the champion and the sponsor of the entire digital transformation of the court. Not despite his three buttons. Because of them. The moment someone understood what actually mattered to him, the most resistant person in the building became the one who carried everyone else.
At the time, we thought the lesson was about listening. Two decades later, it turned out to be the clearest lens we have on a law that did not yet exist.
The law that just landed
On 3 June 2026, the European Commission tabled the Cloud and AI Development Act. For the first time, it writes digital sovereignty into European law.
The mechanism is a ladder: four audited assurance levels of rising strictness, from data simply sitting in the EU at the bottom, up to full control of the software supply chain with no foreign interference at the top. Defence sits at that top tier. The Commission’s tech-sovereignty chief, Henna Virkkunen, framed the goal plainly: making sure that no provider of the workloads Europe depends on holds a “kill switch.”
For anyone bidding on the European Defence Fund (EDF), this is no longer background noise. Sovereignty is becoming a scoring property of the systems you propose to build, and the instinct is to treat the new ladder as a new box to tick.
But here is what is worth sitting with before you write a word of the proposal. The law describes what you procure. And a bid is not a procurement.
Why the level won’t win your bid
The four-level table looks like a checklist. Choose a compliant supplier, certify the level, write it into the proposal, move on. It feels like progress. It is not what wins.
EDF evaluators are not scoring your certificate. They are scoring whether your consortium actually understands the sovereignty problem it claims to solve. The gap between those two things has become the most common reason proposals fail. Across government bidding, lack of specificity is now the leading cause of failed proposal reviews: not weak technology, not a thin track record, but generic claims an evaluator cannot verify. Sovereignty language is especially prone to it. “We will deploy a Level 4 sovereign solution” reads as exactly what it is, a sentence that has told the evaluator nothing about whether you understand what Level 4 is for.
A level is the answer to a procurement question. The evaluator is asking a comprehension question. They want to see that you know what sovereignty actually protects in this capability, against which threat, for whom. A certified supplier is not evidence of that.
Sovereignty is a ‘Three Buttons’ problem
So what is the evaluator really looking for? Strip the new law of its bureaucracy, and it is asking the same three things the judge asked.
First, who can see your data: who has access, where it lives, who can read it. Second, who can protect it: who genuinely controls it, who owns the infrastructure, who holds the encryption keys, and whether a foreign hand can reach in. And third, who can act on it: who can operate it, move it, or switch it off.
See, protect, act. The judge’s three buttons, twenty years before Brussels wrote them into a regulation. The four-level table is, in the end, a procurement department’s way of asking the question a judge in The Hague asked with a plastic sheet over his keyboard. And once you see sovereignty this way, the flaw in the checklist becomes obvious. You can assemble a system from components that are every one of them eligible for Level 4, and still fail all three buttons. A single cross-border login lets the wrong party see. An offshore support contract lets someone act. A key held by your provider rather than by you means you do not really protect. None of it shows up when you certify the parts, because each part, on its own, is compliant. The certificate is attached to the components. The three buttons are a fact about the whole.
That is why a bid built on certificates can be beaten by a bid built on understanding. Even when both name the same providers.
What this means for your bid
This changes how you write the proposal, in four concrete ways.
Lead with the three buttons, not the vendor. Open your sovereignty narrative by showing the evaluator who can see, who can protect, and who can act on the capability you are proposing, designed from the architecture up. That is the story of a consortium that understands the problem. A provider’s certification is a footnote to it, not a substitute.
Be specific about what you remove. Specificity is what evaluators can score, so do not claim sovereignty in the abstract. Tell them which third-country dependency your design eliminates, and how. One named, verifiable dependency closed, is worth more than a page of sovereign-by-design language.
Reconcile the three buttons across the consortium before it forms. This is the trap that catches cross-border bids: each participating nation may answer who can see, protect, and act differently, and an architecture that satisfies the lead nation can quietly fail a partner nation’s bar. That is not an annex you add at the end. It is a design decision you settle at the table, while the consortium is still being shaped.
Show you will hold the buttons through delivery. A level certified at award does not stay true. Subcontractors change, support arrangements grow, a shortcut gets taken to hit a milestone, and the system drifts below the tier it was certified at, while the certificate insists nothing has changed. A bid that shows how it keeps the three buttons true across the life of the program reads as written by people who have delivered before. Which is exactly what evaluators are trying to find.
Conclusion
Sovereignty has always been a people-and-control problem before it is a technology problem. Just like the resistant judge who became the champion of the whole transformation, an EDF bid is no different. The evaluator, the end-user, the partner nation; each of them has three buttons.
So if there is a single thing to take from the new sovereignty law as you prepare your bid, it is this. It is not the level you can buy. It is whether you can answer the three buttons as a design decision, and keep answering them as you deliver. That work starts long before the proposal is written, and it is the conversation we are glad to have early, while your architecture is still a set of choices you can shape, rather than a problem you have inherited.
© 2026 iMotivat B.V – All Rights Reserved
© 2026 iMotivat B.V – All Rights Reserved
