What does Digital Sovereignty mean for digital exams and e-assessment?

Where’s our candidate data going? Who can access it? Does someone have a kill switch?

USA’s ‘America First’ policy is causing panic and answer-scrabbling for many exam owners and digital exam sector suppliers. The flight to domestic concerns and protectionism since January 2025 has created a new world; geo-political relations and commercial relationships are more fluid, complex, and unsettled.  

Why is Digital Sovereignty important? Exam owners are worried about nationalist land-grabs – potentially locking them out of mission-critical digital services. As digital assessment systems are typically hosted by one of the three dominant cloud data centre providers, this is creating tension. No European data centre provider makes the global top 10 list of the largest tech companies. The USA has 10x the number of data centres compared to Germany, the next largest country.

What is Digital Sovereignty and why should Exam Owners be concerned? It is the (re)gaining of power to decide how digital technologies are used, developed, and governed - free from undue external influence or control.

Post-Brexit, the UK’s digital legal regime was fluid: reform of EU privacy law was stalled in parliament, but made headline news last month via the UK Online Safety Act. This regulatory uncertainty meant that many exam owners and suppliers shifted their attention to post-pandemic operational stability, and using valuable head-space to make sense of AI.

As digitisation continues apace, many exam owners are now trying to decipher the geopolitical shifting sands, enacted legislation, evolving social norms, and new expectations of workforce entrants. Digital Sovereignty means that their digital plans are now (often unwittingly) outdated.

Regulatory uncertainty, coupled with a craving for post-Covid operational stability with AI turbulence, means many are scrambling to understand Digital Sovereignty’s impact.

What are CTOs doing to respond? CTOs are demanding zero trust architecture, hugely reducing attack vectors, ‘home hosting’, and re-evaluating existing tech. Does it support digital sovereignty and control? Are providers offering transparent control over where data is processed, stored, and transmitted? Perhaps legal protection from foreign access? And it’s not a blank cheque – tech choices that can reduce risk, but also costs.

What laws and provision are already in place? The good news is that there are cross-border mechanisms and data protection laws to provide assurance and comfort. For example, the US Data Privacy Framework (DPF) programme has provision for reliable transfer of personal data between the US and the EU, Switzerland, and UK. Many digital assessment providers are already signed-up to DPF.

Is there current evidence of significant change? Countries such as Denmark and German devolved administrations are phasing out their use of commercial operating systems, and moving to open source products, hosted and controlled locally. Escalating license fees jar against weakening budgets, especially in the public/ not-for-profit sector.

The European public sector is acting now: decoupling from legacy big-tech provision to local control.

What are suppliers being asked by exam owners? Where is the code and learner data created, stored, transmitted, handled? How is rights access controlled and audited? What is your attack vector plan for how risk is detected, determined, and mitigated? What’s the provenance of the solution chain and basket of assessment tools being used?

Exam owners must ask, ‘Where is it hosted? Which country are the developers and hosts in? How is the data handled? Which country is the entity that I’m signing the contract with based in?’

What else needs to happen? Many exam owners are now savvy to data location and legal status, such as storing UK learner data under UK jurisdiction and requirements. But some struggle with Digital Sovereignty: the control of their technology ‘stack’ or interconnected/ dependent systems. Deploying ‘Here Today’ tech such as encryption, blockchain, and secure multiparty computation can help with cybersecurity, access controls, and incident response protocols. All helping to solve issues of data control, legal clarity, and uncompromising security – all crucial aspects of assessments and qualifications with currency.

Deploying 'Here Today' technology helps preserve assessment integrity and currency.

It’s all about control The ability to control systems, curriculum, and exams are significant ‘tells’ of a mature outlook on digital exams and assessment. However, much of the comfort built through off-shoring is under challenge. A nation's, organisation's, or individual's ability to control their own digital environment, including data, infrastructure, and technology, isn’t a cris de coeur. Digital sovereignty demands action from those entrusted with exams to evidence control. To continue underpinning confidence and currency in qualifications and certifications needs a revised, agile approach, no matter what our world presents to us.