Digital sovereignty is the new policy mantra. Less dependence on Big Tech, more European infrastructure, preferably fast. In advice and visions, it sometimes sounds like a simple correction: we have it set up wrong, so we turn it around. As if it were merely a matter of deciding and implementing. A closer look reveals that this thinking leans on a persistent but misleading analogy.
Reference is sometimes made, explicitly or implicitly, to the 1967 Swedish example. In one day, Sweden switched from driving on the left to driving on the right. Everyone adapted. Traffic did not collapse; on the contrary, the number of accidents even dropped temporarily. The story is fondly cited as proof that large-scale system change is possible, if well prepared and clearly communicated. Those who project that image onto Europe's digital infrastructure, and certainly that of the cultural sector, are fundamentally mistaken.
Bright days
The Swedish operation, known as Dagen H, was an intervention in a system that was completely regulated by the state, uncluttered and, above all, unambiguous. There was one rule that changed for everyone at the same time. The road remained the same, the car remained the same, the destination remained the same. Only the arrangement was changed. It was an abrupt but clear transition within a closed system. That clarity is completely missing in digital reality.
Digital infrastructure is the opposite. It is not a roadway, but a layered stack of systems, services, agreements and dependencies. Cloud, software, data, identity, communication, archiving, security and now AI are intertwined. Not just technically, but organisationally and humanly. Cultural institutions operate on top of these layers without mastering or even fully understanding them themselves. Moreover, that infrastructure is not defined nationally or Europe-wide, but globally.
Basic questions
In the cultural sector in particular, this complexity is rarely recognised. IT is often historically grown, fragmented and outsourced. Boards and regulators increasingly talk about AI and digital autonomy, but rarely about the basic questions that precede it: where is our data, who manages our systems, what happens if something fails, what knowledge do we have in-house? In many organisations, IT is not a strategic domain, but a necessary cost item that should remain as invisible as possible.
In an earlier article, I referred to the recent research from DEN into the state of digitisation in the Dutch cultural sector. The report grade: a six. Add to that the 2023 survey into cyber risk management - and the observation, based on its own research and practical experience, that the situation has hardly improved since then - and the starting position becomes painfully clear.
Vulnerable
Moreover, the recent example of the Veenkolonie Museum shows once again how vulnerable cultural institutions are. A cyber-attack resulted in personal data of stakeholders ending up in the hands of criminals, with direct consequences for business operations in addition to the impact on those stakeholders.
Even a leading telecom company like Odido proved unable to withstand digital intrusions last week, in which very large amounts of personal data of Dutch citizens were captured. What happens to that data is rarely immediately visible, but experience shows that little good comes of it.
Incident
More striking still is the way such events are invariably framed. Terms like ‘incident’ or ‘occurrence’ suggest a certain inevitability, as if these were natural phenomena that organisations are powerless to deal with. That portrayal is misleading. This is not bad luck or coincidence, but the predictable consequence of inadequate cyber risk management. Not an abstract technical problem, but a managerial reality. Digital security is thus not an IT issue, but an organisational-level responsibility. Those who continue to ignore that distinction will continue to experience ‘incidents’ and stakeholder anger.
Against this background, the call for ‘sovereign European IT’ takes on uncomfortable connotations. Not as a strategy, but as wishful thinking. Not because autonomy is not a legitimate aspiration, but because the preconditions are lacking. European and certainly Dutch alternatives often lack the scale, robustness and integration of the platforms on which cultural institutions currently run.
Lock-in
Companies like Microsoft, Google, Apple and Amazon dominate not out of ideology, but because their systems operate globally, are constantly being developed and are deeply intertwined with daily work processes. Moreover, this dependency is not only technical, but economic and cognitive. Organisations are not simply users of systems, but participants in ecosystems in which standards, interfaces and work processes reinforce each other. This is not preference, but lock-in.
A switch, then, is not a gesture of principle. It is a major operation with far-reaching consequences. Data has to be migrated, processes redesigned, links rebuilt. Employees have to be trained, while time, money and attention are already scarce in the sector. Productivity drops temporarily, errors increase, and dependence on external consultants grows.
Ripe
For a sector structurally struggling with understaffing and high workload, this is not a detail, but an existential risk. Moreover, digital transformation is a limited budget item, in which cyber risk management is already completely underrepresented. And without money, of course, nothing happens.
The Swedish example is often misunderstood here. The strength of Dagen H lay not in the abrupt changeover itself, but in the fact that the system was ripe for that step. The infrastructure was prepared, the rules were clear and the state was in full control. In today's digital reality, that direction is missing. Even the European Union is deeply dependent on the same technology companies it wants to politically constrain. Digital autonomy thus becomes a political ambition that clashes with operational reality. This makes the call for the cultural sector to lead the way all the more problematic.
Paradox
What remains is a paradox. Institutions are expected to be digitally resilient and autonomous, while operating in an ecosystem they did not design and cannot bear. The ambition is public, the risks are private. In that context, those who advocate rapid decoupling are shifting the bill and responsibility to organisations least able to bear it.
The conclusion is not that everything should stay the same, but that digital autonomy is not a matter of switching, but of building: knowledge, governance, alternatives, scale and trust. Only when those conditions are in place can a sector think about real choices. Until then, the comparison with Sweden in 1967 is mostly reassuring for policymakers, and misleading for practitioners.
The cultural sector does not need a digital Dagen H. It needs realism, time and support to understand the road it is driving on at all, and who is at the wheel. And it needs a serious budget to make the digital shift and move from a six to a nine. The sector deserves that.





Aha, it is not a natural phenomenon that cultural institutions have put themselves at the mercy of Micro$oft, Google and all sorts of local vendors. Surely they decided that themselves.
So while in many areas art pretends to be at the forefront and at least consciously approaching society, here they drop stitches.
Open source alternatives are available for all IT applications, free of charge and often running on cheaper hardware as well as being more secure.