Critical Mismatch: Impact of Corporate Governance on Digital Sovereignty

While Portugal demonstrates commendable national control over its Critical Digital Infrastructures (CDIs), a deeper dive into the relationship between corporate structure and ownership reveals significant strategic vulnerabilities that demand focused attention. Digital autonomy is not guaranteed merely by local headquarters; it requires alignment across legal jurisdiction and ownership.

The analysis highlights a critical governance gap: the geographical misalignment between where a company is legally based and the nationality of its shareholders.

The Challenge of Misaligned Control

The analysis of ISPs and data centres shows full national control. This is defined as having both the headquarters and all shareholders exclusively in Portugal – nevertheless this is far from universal:

• ISP Misalignment: A concerning 39% of ISPs analyzed lack both their headquarters and shareholders exclusively in Portugal.
• Data Centre Misalignment: 46% of the data centres either don’t have its headquarters or its shareholders in Portugal.

Mapping Dependencies: The Hidden Risks of Foreign Capital

A crucial element of digital sovereignty risk stems from the presence of capital originating from countries outside the EU. Even though national control is predominant, specific categories of dependence introduce strategic exposure:

1. Moderate Dependence (Level 3): This category captures entities with headquarters in Portugal but where the capital ownership is predominantly non-EU. This applies to 7 ISPs and 10 data centres reviewed. These cases require regular monitoring due to the potential influence of external interests.
2. External Capital Presence: Non-EU shareholders represent roughly 16% of the total. The presence of non-EU capital, while minor overall, introduces exposure to external jurisdictions and geopolitical interests that must be continuously scrutinized.
3. Total External Dependence (Level 6): The study identified a few entities operating with total dependence with headquarters and 100% of shareholders located entirely outside the EU. represents the highest risk profile.

The Call for Strategic Monitoring

The analysis confirms that the exposure to external interests and legal jurisdictions is present, especially in key areas like ISPs. To safeguard strategic autonomy, authorities must move beyond simple headquarters location when assessing risk. Strategic attention must focus on continuous monitoring of corporate structural movements, particularly involving capital originating from outside the European political and regulatory sphere.

By understanding and actively managing the complex ownership structures of these critical assets, Portugal can proactively mitigate vulnerabilities and fully secure its digital sovereignty against external influence. 

Join the conversation and stay tuned for our next analysis.

Read More: 

• New Age of Autonomy: Mapping Portugal’s Digital Sovereignty
• Portugal’s (Open Source) Advantage: Software Paradox
• 5% Barrier: Digital Assets and Foreign Dependency
• Critical Vectors of Dependence : E-mail, Certificates, and CDNs
• Digital Infrastructure Dependency and the Urgency of Strategic Autonomy