Blog · 1 April 2026 · 6 min read
Sovereignty as a feature, not a marketing line
European cryptographic sovereignty is not a slogan. It is a procurement constraint, a regulatory direction, and an architectural choice. We treat it as all three.
European cryptographic sovereignty has been talked about for two decades. For most of that time, the talk has been ahead of the reality. The actual cryptographic primitives most European critical-infrastructure operators relied on were, and largely still are, supplied by US-controlled vendors and US-controlled certification authorities, embedded in US-controlled cloud platforms.
That is changing, and the change is not driven by any single dramatic event. It is driven by a confluence: NIS2, CER, eIDAS 2.0, the emerging Cyber Resilience Act, the post-quantum migration mandate, and a genuine procurement appetite among European critical-infrastructure operators to control more of the stack they depend on.
The procurement language has caught up. We are seeing tender documents from European energy operators that ask, plainly, whether the cryptographic primitives in the proposed system depend on a US authority for any part of their operation, and whether the system can operate inside an EU jurisdiction without legal or technical reach-back outside it. Five years ago, this question would have been decorative. Today it is dispositive.
Building a system that is sovereign by design — not retroactively wrapped, not 'EU-region' as a marketing label — is an architectural choice. It is the choice we made.
The DSSA protocol uses NIST-standardised post-quantum primitives, but we do not depend on a US-controlled binding. The protocol can be parameterised to use ETSI-standardised primitives end-to-end. We are based in Helsinki, our company is Finnish, our infrastructure is European. The cryptographic state of any deployment lives only in the endpoints — there is no service we operate that holds operational secrets on customers' behalf.
We are not anti-American. There is excellent work in NIST FIPS 203/204/205, and EdSSA uses it. We are pro-sovereignty, in the sense that operators who need to control where their cryptographic dependencies live should be able to control it. That is a feature, not a marketing line.
If you operate critical infrastructure under European jurisdiction, and the sovereignty box on your procurement scoresheet has been a yellow flag rather than a green check — talk to us.