Gallo Fall is an expert in cybersecurity, digital sovereignty and risk governance, with more than a decade of experience; he is currently writing a groundbreaking strategic guide on digital sovereignty and cybersecurity strategy for African governments.

He holds a Bachelor of Science in Computer Science and Network Security with a minor in Computer Forensics from Dakota State University , a nationally recognized center of academic excellence in cybersecurity designated by the National Security Agency (NSA), offering comprehensive and practical programs in network security, cyber operations, and defense. He followed this with a Master of Science (MS) in Security Technologies from the University of Minnesota 's Technology Leadership Institute (TLI), specializing in cybersecurity, critical infrastructure, and risk management. This program is designed to protect the 16 critical infrastructure sectors in the United States, whose assets and systems are considered so vital that their destruction or incapacitation would undermine national security, economic stability, or public health and safety. These years of master's studies enabled him to understand and design resilient systems, identify and mitigate problems in critical infrastructure, and improve incident response planning for events such as cyberattacks.

Digital sovereignty without infrastructure sovereignty is an illusion. A government that stores its citizens' data on foreign cloud platforms, routes its internet traffic through foreign exchange points, and relies on foreign hardware and software for its critical systems is vulnerable—no matter how robust its laws may appear on paper. Dependence creates vulnerability. If a state's communications, financial systems, power grids, and government services depend on foreign-owned platforms or equipment, an adversary—or a corporation—can coerce, monitor, or cripple that state without firing a single shot. This is structural dependency, which we have historically recognized as a threat to sovereignty—we simply didn't have a digital version of it until recently. Infrastructure is not merely the technical substrate of the digital state. It is the arena where sovereignty is won or lost. Digital sovereignty is no longer just an aspiration; It constitutes a tangible requirement for operations and control, shaping a government's accountability. France's recent decision to reduce its strategic dependence on non-European digital infrastructure—echoing a broader trend across the European Union—marks a decisive turning point. Canada, too, is working to maintain control over its own digital future—including its data, technologies, and essential online services—rather than relying on foreign companies, systems, or legislation.

The real question has never been the origin of a digital service. This approach is driven neither by ideology nor by a rejection of foreign technologies; it stems from a pragmatic approach to risk management. Once political considerations are set aside, only one fundamental principle remains: a government cannot credibly assume responsibility for the continuity and integrity of critical services if the conditions governing their operation—legal, technical, and operational—are beyond its control.

To understand the true extent of a nation's exposure, we must examine three distinct prisms: the Physical Map , the Legal Map , and the Resilience Map. Together, they form a diagnostic framework—the Three Pillars of the Digital State—that dispels political rhetoric and reveals the underlying structural reality.

1. Pillar One: Data Residency — The Physical Map

The first question is the most fundamental: where are the servers located?

Africa's answer, for now, is largely: elsewhere. Cloud computing on the continent is dominated by a handful of foreign hyperscalers—Amazon, Microsoft, Google, Alibaba, and others—whose African data centers are concentrated in South Africa, Egypt, Kenya, and Nigeria. For the vast majority of the continent, this means that national data travels across transatlantic connections before reaching an infrastructure capable of processing it. The physical map, in most cases, points outward.

This is not a mere inconvenience. It is a structural vulnerability. When the machines that host a nation's data are located beyond its borders, sovereignty over that data becomes conditional — subject to the goodwill of foreign corporations and the stability of undersea cables that African governments largely do not own.

These cables deserve close scrutiny. Africa's international internet connectivity relies almost entirely on a network of submarine fiber optic cables encircling the continent. By 2024, approximately 30 active and planned cable systems will serve Africa—yet African governments and entities hold significant stakes in very few of them. The arteries of connectivity, in other words, belong to others.

Reclaiming ground on the Physical Map requires deliberate policy. Governments must participate in cable ownership consortia, even with minority stakes that confer governance rights. Cable landing stations must be considered strategic national infrastructure, subject to licensing and security oversight. Coastal nations must mandate multiple cables to eliminate single points of failure, and investment in transcontinental terrestrial fiber must reduce the continent's dangerous reliance on coastal routes alone.

In terms of cloud infrastructure, the most viable path for most African governments is a hybrid sovereign architecture: a government-operated cloud hosting all sensitive data within the national territory, combined with regulated foreign cloud platforms for non-sensitive services—subject to contractual data sovereignty protections and regular security audits. The goal is not to reject foreign capabilities outright, but to ensure that the most critical workloads never leave the national territory.

1. Pillar Two: Jurisdiction — The Legal Map

Physical location, however, is only part of the story. The second perspective poses a more difficult question: what law governs access?

A server can be located within a national territory while remaining legally subject to a foreign court. This is the silent trap of the Legal Map—and it's a trap that the current African telecommunications landscape sets with alarming regularity. The continent's mobile networks and broadband infrastructure are primarily served by a small number of large international operators, while Chinese equipment suppliers Huawei and ZTE provide a significant portion of the underlying network hardware. The result is a layered dependency: African data flowing through foreign-owned networks, running on foreign-built equipment, potentially subject to foreign legal constraints. Huawei and ZTE are banned in the United States primarily because the Federal Communications Commission (FCC) and US intelligence agencies consider the company a national security risk. Due to their ties to the Chinese government, there are concerns that Huawei and ZTE equipment could be used for espionage, surveillance, or disruption of critical infrastructure.

Ultimately, jurisdiction over data belongs not to the one who hosts it, but to the one who can compel its disclosure. When this authority resides abroad, sovereignty becomes a polite fiction—one that no national data protection law can fully remedy.

Governments must confront this reality directly. Diversifying equipment suppliers is essential, particularly for sensitive network components where reliance on a single vendor creates both security and legal risks. Open Radio Access Network (Open RAN) frameworks, which separate hardware from software and foster competitive and interoperable ecosystems, offer a structural path out of vendor lock-in. Satellite licensing frameworks must also ensure that connectivity infrastructure serves the national interest, not just the commercial interests of foreign operators.

The legal map must, over time, be redrawn so that the laws governing access to a nation's data are those of the nation itself.

1. Pillar Three: Digital Autonomy — The Resilience Map

Even nations that make progress on the first two pillars must face one final challenge: what happens when the connection is cut?

This is the Resilience Map question, and it's one that Africa's internet architecture is currently ill-equipped to answer. The continent has fewer than 50 internet exchange points—facilities where local networks connect and exchange traffic internally—compared to several hundred in Europe. As a result, internet traffic between two African cities often travels thousands of kilometers off the continent and back, passing through European exchange points before completing what should be a local journey. Cut off international connections, and vast swathes of the continent go dark—not because of an attack on African infrastructure, but because so little truly local infrastructure exists.

Internet Exchange Points (IEPs) may represent the highest-value, lowest-cost investment a government can make in digital resilience. By keeping traffic within national borders, they reduce latency, lower costs, and—crucially—ensure that local communications can withstand disruptions to international links. Governments should mandate or encourage the establishment of IEPs in all capital cities and major urban centers, and work within the African Union to build the pan-African network of IEPs envisioned in the AU Digital Transformation Strategy.

Ultimately, digital autonomy is not about isolation. It's about the capacity to endure. In my view, digital sovereignty is not protectionism. It is the prerequisite for ensuring that Africa captures its own digital dividend rather than subsidizing the economies of others. A severed connection to the global network should be a manageable contingency—not a civilizational catastrophe.

I am available if you have any questions or would like a follow-up, please send me an email to fallgallo@gmail.com .

Respectfully