Question Period Note: Digital sovereignty

Digital sovereignty is defined as the ability to exercise autonomy over digital infrastructure, data and intellectual property, as well as critical technologies. This protects national security, supports economic competitive and allows a country to operate independently and reduce the risks of foreign interference in the digital age. It includes:

• Data sovereignty: Ensuring data complies with national laws and remains under the jurisdiction and control of the country

• Operational sovereignty: Retaining control over how digital services are deployed and preventing reliance on, or interference from, foreign entities

• Technological sovereignty: Maintaining the ability to make independent decisions about technology without being overly dependent on monopolistic or foreigncontrolled vendors

Key facts

• Under the Directive on Service and Digital, departments and agencies are expected to prioritize computing facilities in Canada—or on Government of Canada (GC) premises abroad—for storing or handling sensitive electronic information, such as Protected B, C or classified data. This helps keep important data secure and under Canadian control.

• Under the Policy on Privacy Protection, departments and agencies must protect personal information properly, reduce privacy risks and remain open and accountable, even when it is processed or stored by third-party companies.

• Data protection obligations are embedded in contracts with service providers through standardized security clauses, access restrictions and incident reporting requirements.

Key messages

• Digital sovereignty is a critical priority for the GC to protect essential data, reduce risks of foreign interference and strengthen domestic IT capabilities.

• Shared Services Canada (SSC) is investing in Canadian technology capabilities and strengthening policies to protect critical infrastructure.

• SSC has launched a procurement process to establish Sovereign Canadian Cloud capabilities for the GC through a process that prioritizes Canadian-owned and controlled cloud service providers. These efforts will secure Canadian capacity as part of the GC cloud ecosystem.

• SSC will also develop a sovereign made-in-Canada AI platform that can be deployed across the government, in partnership with leading Canadian AI companies, and enable greater access to sovereign AI compute.

• SSC has been actively working to strengthen IT diversification by reducing vendor concentration and influence in strategic areas, while promoting Canadian-made solutions.

If pressed on protections

• The GC applies a range of technical safeguards to protect data, maintain service reliability and ensure continued operation of its systems. These include secure system design; encryption to protect information in storage and in transit; access and identity management; and continuous monitoring to detect and respond to incidents.

If pressed on how SSC strengthens digital sovereignty

• SSC works with Canadian telecommunications companies and provides the GC with a fast and reliable network in Canada that operates on Canadian-owned assets. This helps keep important data secure and under Canadian control.

• SSC uses state-of-the-art enterprise infrastructure and multiple layers of defence, including cutting-edge sensors designed to identify and eradicate cyber threats.

• SSC delivers hybrid hosting models to meet the GC’s needs for security, scalability and sovereignty. Hosting models range from fully GC-owned data centres (maximum sovereignty) to public cloud services (lower control, higher scalability).

• SSC’s enterprise data centres (EDCs) are located within Canada and operate on Canadian-owned assets. This helps keep important data secure and under Canadian control.

• Due to the global dominance of U.S.-based technology vendors and the comparatively small size of Canada’s IT sector, targeted interventions are essential to scale Canadian capabilities. Cloud computing, in particular, is dominated by Amazon Web Services, Google Cloud and Microsoft Azure, posing challenges to operational and technological sovereignty.

• Advanced cyber threat actors are increasingly using supply chains to bypass traditional security defences by introducing vulnerabilities. Since 2012, SSC has mitigated this risk through Supply Chain Integrity (SCI) procurement reviews for equipment, software and services. These assessments help departments and agencies to identify and potentially mitigate security vulnerabilities before they impact operations.

• The GC has made strategic investments in Canadian IT firms, including a March 2025 announcement by Innovation, Science and Economic Development Canada (ISED) of up to $240 million in funding for Toronto-based Cohere Inc. This investment marks Cohere as the first recipient of the AI Compute Challenge, part of the $2 billion Canadian Sovereign AI Compute Strategy. In August, the GC signed a memorandum of understanding with Cohere to explore opportunities for deploying AI technologies across the GC to enhance operations within the public service and to build out Canada’s commercial capabilities in using and exporting AI.

N/A