Digital sovereignty under pressure at the International Criminal Court

Marcel

December 31, 2025

The incident in which the International Criminal Court (ICC) temporarily lost access to its email environment touches on a fundamental governance issue: digital sovereignty. The Court, based in The Hague, is an independent international tribunal that prosecutes serious crimes such as genocide and war crimes. Such an organization must be able to operate autonomously at all times, without interference from states or commercial parties. The fact that access to an essential communication tool could be restricted by an external provider caused significant international concern. The incident illustrates that digital dependencies are not neutral and that sovereignty in the digital world extends beyond flags, treaties, and jurisdiction.

What happened: access to email as an instrument of power

The core of the incident was that the ICC obtained its email services from a commercial cloud provider, in this case Microsoft. Due to geopolitical tensions and legal pressure from the United States, the service provision came under pressure, resulting in the Court (temporarily) losing access to its email. For an organization like the ICC, email is not a supporting tool, but a primary infrastructure for communication with states, lawyers, and investigators. For non-technical readers, it is important to see this clearly: this was not about a technical failure, but about a governance and legal issue in which a provider effectively gained influence over the operational continuity of an international organization.

Sovereignty in the digital chain

Traditionally, sovereignty is seen as control over territory and legislation. In digital reality, this shifts to control over data, systems, and access. When core processes run on platforms that fall under foreign law, a new dependency emerges. The ICC incident shows that even organizations with an international mandate are vulnerable to decisions by external parties that fall outside their sphere of influence. This is a typical supply-chain risk: it is not the organization itself that fails, but a link in the chain that becomes a power factor. For executives, this is an uncomfortable realization, because these risks are often implicit and only become visible when things go wrong.

The role of legislation and geopolitics

What makes this incident particularly complex is the interweaving of technology and geopolitics. American technology companies fall under American legislation and can therefore be confronted with sanctions, export restrictions, or political pressure. This directly affects customers worldwide. For the ICC, which must be independent of individual states, this is problematic. But the same dynamic applies in milder form to European governments, regulators, and semi-public organizations. The question is not whether providers are reliable, but under which legislation they operate and what obligations they may be required to fulfill. Digital sovereignty therefore also means understanding which external forces can influence your digital infrastructure.

Governance lessons: email is not a commodity

An important lesson from this incident is that some digital services are too quickly viewed as “commodities.” Email, cloud storage, and collaboration platforms seem generic and replaceable, but are in reality deeply intertwined with primary processes. For executives, this means that the choice of provider is strategic, even for seemingly standard services. The question “what happens if the provider pulls the plug tomorrow?” is not a doomsday scenario, but a legitimate governance question. For CISOs and CIOs, the task lies in making these dependencies explicit and translating them into risks for continuity, reputation, and autonomy.

Sovereignty is not an all-or-nothing choice

The ICC incident also shows that digital sovereignty is not a black-and-white concept. Operating completely independently is not realistic for most organizations. The challenge lies in consciously choosing where dependency is acceptable and where it is not. This requires differentiation: which systems are critical for mission and mandate, and which are supporting? For critical systems, stricter requirements, alternatives, or exit scenarios can be chosen. This is not an argument against cloud usage, but for conscious governance. Sovereignty is not about rejecting technology, but about maintaining control.

Relevance for Dutch organizations

Although the ICC has a unique international position, the lessons are highly relevant for Dutch governments and medium-sized organizations. They, too, use foreign cloud providers for core processes. The incident makes clear that digital dependencies require governance ownership. Especially in sectors where confidentiality, continuity, and independence are crucial, sovereignty must be an explicit part of risk management. On the positive side, incidents of this kind deepen the conversation. They help executives see digital supply-chain risk not only as a security issue, but as a strategic theme that touches on autonomy and trust.

Conclusion: sovereignty begins with insight

The temporary denial of email access at the International Criminal Court is not a technical incident, but a governance wake-up call. It shows that digital sovereignty is vulnerable when core processes depend on external parties under foreign law. For boards and CISOs, the most important lesson is that insight into digital dependencies is a prerequisite for autonomy. Those who understand where the controls are and who can operate them can make better choices. In a world where digitalization and geopolitics are increasingly intertwined, this is not a luxury, but a necessity.