MH · Cyber Sovereignty · 2026
Module MH — Digital Sovereignty
Cybersecurity as a condition for sovereignty.
Sovereign SOC · NIS 2 · DORA TLPT · Detection without dependency
Fundamental Rights #1, 2, 4 — ORBii Framework

"An organization that does not control its own threat detection depends on a third party to know whether it has been compromised. This is the most severe form of sovereignty loss — sovereignty over one's own security."

What this module covers

Internal vs outsourced SOC, operational NIS 2, DORA TLPT, vulnerability management, dependency on security vendors, cyber supply chain.

Target audience

CISO, CDO, CIO, continuity managers, SOC teams, risk managers, internal auditors, DORA/NIS 2 compliance officers.

Core regulation

DORA Art. 25-28 (resilience testing, TLPT), NIS 2 Art. 21 (technical measures), GDPR Art. 32 (security), EU AI Act Art. 15 (robustness).

Recommended duration

Half day (3h30) — 2 sessions + 1 SOC & vendor dependency diagnostic workshop.

ORBii.Academy — Digital Sovereignty & AIMH · P.01
Critical cybersecurity dependencies

The 4 forms of cyber dependency that threaten sovereignty.

Cybersecurity creates specific, often invisible dependencies that can simultaneously compromise detection, response, and regulatory compliance capabilities.

D1 — Outsourced SOC dependency

Entrusting detection and incident response to a third party creates an information asymmetry: the external SOC knows your systems better than you do. In case of contract termination or conflict of interest, you are blind.

DORA risk: inability to exercise audit rights (Art. 28.3.e)

D2 — Detection vendor dependency

If a single vendor provides your SIEM, EDR, and threat intelligence, a failure, acquisition, or regulatory decision (e.g., ban on a Russian or Chinese vendor) paralyzes your detection capability.

NIS 2 risk: non-compliance with Art. 21 technical measures

D3 — Threat intelligence dependency

Threat Intelligence feeds predominantly come from non-European actors. If these feeds are suspended, biased, or manipulated, your threat anticipation capability collapses — without your knowledge.

Risk: blind spots in advanced detection

D4 — Software supply chain dependency

Every third-party component integrated into your systems (open-source libraries, SDKs, plugins) is a potential attack vector. Without an SBOM (Software Bill of Materials), you cannot assess your exposure surface.

EU AI Act risk (Art. 15): robustness and AI supply chain

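
How an SBOM answers the D4 exposure question, as an added example that is not part of the ORBii module: given an advisory, it reports which listed components are affected and through which dependency chain the application pulls them in. It assumes a CycloneDX JSON SBOM (`metadata.component`, `components`, `dependencies`); the SBOM, component names, and advisory entries below are constructed.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM; component names and versions are made up.
SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "2.3.0"}},
 "components": [
   {"bom-ref": "a", "name": "http-client", "version": "4.1.0"},
   {"bom-ref": "b", "name": "yaml-parser", "version": "1.0.2"},
   {"bom-ref": "c", "name": "log-lib", "version": "0.9.1"},
   {"bom-ref": "d", "name": "image-codec", "version": "3.2.0"}
 ],
 "dependencies": [
   {"ref": "app", "dependsOn": ["a", "c"]},
   {"ref": "a", "dependsOn": ["b"]}, {"ref": "c", "dependsOn": ["b"]}
 ]}
""")

# Constructed advisory: (name, version) pairs reported as vulnerable.
ADVISORY = {("yaml-parser", "1.0.2"), ("image-codec", "3.2.0"), ("xml-lib", "2.0.0")}

def exposure(sbom, advisory):
    """Map each flagged component to its shortest path from the root app (None if unreachable)."""
    root = sbom["metadata"]["component"]
    names = {root["bom-ref"]: f'{root["name"]}@{root["version"]}'}
    flagged = []
    for c in sbom.get("components", []):
        names[c["bom-ref"]] = f'{c["name"]}@{c["version"]}'
        if (c["name"], c["version"]) in advisory:
            flagged.append(c["bom-ref"])
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    # Breadth-first search from the root records each node's parent on a shortest path.
    parent, queue = {root["bom-ref"]: None}, deque([root["bom-ref"]])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in parent:
                parent[child] = node
                queue.append(child)
    result = {}
    for ref in flagged:
        path, cur = [], ref if ref in parent else None
        while cur is not None:
            path.append(names[cur])
            cur = parent[cur]
        result[names[ref]] = path[::-1] or None
    return result

print(exposure(SBOM, ADVISORY))
```

A `None` path marks a component that is listed in the SBOM but absent from its dependency graph, which is itself worth investigating: the inventory is incomplete or the component is bundled outside declared dependencies.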
The fundamental rule — Cyber sovereignty

If you cannot detect, analyze, and respond to a threat without relying on a third party, you do not have cyber sovereignty — you have outsourced your security. DORA Art. 5.2 imposes direct responsibility on management bodies for digital resilience: this responsibility cannot be delegated.
