On January 26, 2026, Bercy gave a political and operational framework to an idea that had long remained theoretical: digital sovereignty is only worthwhile if it becomes manageable. For these first Digital Sovereignty Meetings, the Ministry of Economy highlights two initiatives designed to “measure in order to decide”: a Digital Sovereignty Observatory and the Digital Resilience Index (DRI). (economie.gouv.fr)
The DRI claims a precise ambition: to make digital dependency readable at the executive committee level. In other words, to transform a diffuse concern—vendor lock-in, extraterritoriality, software supply chain fragility, cloud dependency—into structured decision-making. What do we protect as a priority? What do we diversify? What do we require in contracts? What do we invest in internal skills?
From proclaimed sovereignty to governed resilience
Organizations have piled up siloed assessments: cybersecurity, business continuity, GDPR, procurement, audits. Many dashboards. Little convergence. The launch of the DRI precisely addresses this missing link: a unified metric that forces conversation between strategy, risk, legal, IT, data, and AI.
Bercy’s press release speaks of a “paradigm shift”: moving from a political horizon—sovereignty—to a management discipline—digital resilience. Minister Anne Le Hénanff describes the index as a “detailed self-analysis” based on “8 objective and measurable pillars.”
The risk targeted is not only the security incident. It’s the loss of decision-making capacity, because technical, economic, or legal conditions become locked in. Caisse des Dépôts summarizes the logic in four families: business and strategic dependencies, security dependencies, technological dependencies (including AI model explainability), and governance/operational control capabilities. (caissedesdepots.fr)
An “executive-compatible” thermometer: what the DRI actually measures
Methodologically, the DRI presents itself as an “open,” “transparent,” and “auditable” standard, backed by a public framework and a Git repository. The approach starts with critical business functions, then descends by layers—application, data, platform, infrastructure, skills—to connect risk to systems and teams. (Digital Resilience Index)
The structure is organized around eight pillars: strategic resilience; economic and legal; data & AI; operational; supply chain; technological; security; environmental. The website describes a 0–100 score per pillar and an R/NR (resilient/non-resilient) logic for each criterion. (Digital Resilience Index)
Several press articles mention a grid of around twenty criteria. This detail matters: credibility will depend on the precision of criteria, their weighting, and the evidence required. (La Tribune)
Quantified sovereignty: triggers, not verdicts
The DRI is deployed in an environment where orders of magnitude serve as alarms. The initiative notably cites: over 90% of Western data transiting or being stored on cloud infrastructures owned by American companies (Wavestone, July 2025); 80% of European spending on professional software and cloud services, or €265 billion/year, captured by American players (Asterès for Cigref & Numeum, April 2025); and a 15% market share for European cloud providers (compared to 29% in 2017). (Digital Resilience Index)
The Asterès report published by Cigref gives these figures a political scope: dependency is not a technical irritant. It’s a value transfer, therefore a strategic fragility. (Cigref)
But a number doesn’t decide. It triggers a need for management. And that’s where the DRI seeks to make the connection: moving from the macro (European dependency) to the micro (dependencies of a critical system), where architecture decisions and contractual negotiations are made.
Governance: the real hidden issue behind the index
A metric becomes influential when it becomes a checkpoint. At that point, governance is no longer an administrative matter: it’s the condition of trust.
The launch press release describes a multi-stakeholder initiative, led by three co-founders (Arno Pons, Yann Lechelle, David Djaïz) and backed by public and private actors (Caisse des Dépôts, DINUM, Cigref, RTE, Docaposte, Numeum). The honorary presidency is held by Olivier Sichel.
Another structural choice: the framework is published under a Creative Commons CC BY-NC-ND license, which protects integrity but limits commercial appropriation and modification. This can prevent fragmentation. It can also slow tooling and dissemination if the ecosystem cannot adapt certain elements.
Labeling: market signal or compliance mechanism?
The press release announces a clear trajectory: official opening of the standard and, in the following weeks, accreditation of consulting and audit firms to conduct DRI assessments and label results according to the association’s rules.
On paper, the interest is obvious. The debate on reversibility, exit clauses, auditability, or AI system explainability can become an enforceable criterion. In other words: a governance requirement, and no longer just a posture.
But this point also opens the first risk: the “checklist” that produces a score faster than it reduces a dependency. Two precautions are essential. First, proof: does a “resilient” score on cloud reversibility have the same value if it’s based on a clause as it does if it’s based on an exit test that has been conducted? Second, scope: the DRI is designed to be applied to one or more critical systems. Without communication discipline, labeling can become a staging tool rather than a decision instrument.
Europe first, concrete version: articulation with law and standards
The Data Act, as explained by the European Commission, devotes a chapter to switching between data processing services, with minimum requirements to facilitate interoperability and enable provider switching. (digital-strategy.ec.europa.eu)
If the DRI wants to be a management tool, it must be able to rely on this movement: reversibility is no longer a slogan, it’s a compliance and negotiation issue.
Another convergence: the supply chain. NIST, with SP 800-161 Rev.1, formalizes the integration of supplier risk into governance. ENISA publishes best practices dedicated to supply chain cybersecurity. (csrc.nist.gov)
These frameworks don’t validate the DRI. They pose a requirement: a credible metric is a metric backed by auditable evidence.
Why this directly concerns AI entrepreneurs
For the entrepreneurial ecosystem, the DRI is not just a “cloud” debate. It touches the core of AI products. The framework claims to measure dependency across the entire IT, data, and AI chain, down to the skills needed to design and operate solutions. (Digital Resilience Index)
Concretely, young companies will have to answer questions their clients are already asking: Where does the data reside? What does inference depend on (API, GPU, proprietary model)? Can a system be audited and explained in sensitive use cases? These requirements converge with the European logic of transparency and traceability around AI systems, carried by the AI Act framework. (digital-strategy.ec.europa.eu)
Finally, if the DRI becomes a purchasing signal, it could accelerate a “buy European” dynamic defended by industrial collectives like Eurostack, by transforming a political intention into evaluation criteria usable in tenders. (Le Monde.fr)
The test: a decision-making tool, from day one?
At this stage, the DRI is a promise of alignment: aligning the language of executives, lawyers, CIOs, and data-AI managers. The interest lies in the index’s ability to provoke concrete trade-offs.
Two testimonials cited at the launch illustrate this ambition. RTE explains using the DRI as a “common grammar” to document and share risks and solutions on its information systems. Docaposte mentions a “strategic compass” for executive committees and boards.
Three uses emerge. The first is prioritization. Naming the systems that, if they stop, stop the organization. The second is renegotiation. Diversifying, demanding exit clauses, imposing audit conditions, documenting open source dependency, clarifying responsibilities. The third is trajectory. Resilience is not a state. It’s a multi-year plan. The score is only useful if it triggers tests, budgets, and contractual decisions.
The DRI will not escape a simple question: does it become a governance discipline, or just another label? The answer will not be theoretical. It will come from the rigor of evidence required, the transparency of accreditation rules, and actual use in procurement and tenders.




