Over the past year, the digital sovereignty conversation in Canada has accelerated.

Last September, Prime Minister Mark Carney announced the development of a Canadian sovereign cloud through the Major Projects Office. Evan Solomon, minister of artificial intelligence and digital innovation, has called digital sovereignty “the most pressing policy and democratic issue of our time.”

Microsoft has pledged $7.5 billion in the next two years for Canadian AI infrastructure along with a promise to defend Canadian digital sovereignty — a promise its own executives acknowledged under oath that they cannot keep.

Much of this discussion has focused on infrastructure, including where the data is stored, who operates the servers and which providers governments and institutions should trust.

Who governs the digital sphere? How U.S. proxy lobbying erodes Canada’s digital sovereignty

Canada must ensure its digital sovereignty in the face of U.S. threats

The right way for Canada to secure cloud sovereignty

Lawrence Zhang argues that sovereignty can be secured through contracts and encryption rather than physical infrastructure. Guillaume Beaumier emphasizes cloud-agnostic services and domestic capacity, while Natasha Tusikov and Blayne Haggart warn that Canada’s AI strategy risks deepening dependence on foreign hyperscalers.

But the conversation hasn’t yet reached the software layer, where my research indicates the vast majority of systems used by Canadian entities are foreign-owned or foreign-controlled.

That’s a key failing.

If Ottawa wants to truly protect the country’s digital sovereignty, it should require software vendors seeking federal government contracts to disclose their ownership and controlling parent, implement a classification system at the point of procurement that distinguishes Canadian-owned from foreign-controlled software, and weight that classification alongside price in bid evaluation.

The problem with software

One step above infrastructure sits the software that organizations interact with daily — systems that handle payroll, client records, patient files and internal communication, among many other things. It is at this level that data is created, processed and accessed in day-to-day operations. It is also where foreign legal authority can reach Canadian data in ways that infrastructure policy does not currently capture.

To better understand Canada’s vulnerabilities in this layer, I compiled a dataset of more than 750 software-as-a-service (SasS) platforms used by Canadian organizations, mapping each to its parent company, jurisdiction of incorporation and potential exposure under the U.S. CLOUD Act, which allows American law enforcement to compel U.S.-based technology companies to disclose data through legal process, regardless of whether the data is stored in the U.S. or abroad.

Classifications in my dataset were derived from corporate registries, public filings and subsidiary disclosures, rather than vendor marketing. The full dataset and methodology are publicly available at Upper Harbour. While no dataset can fully capture a rapidly evolving market, the results provide an overview of the ownership structures that shape Canada’s day-to-day digital exposure.

Industry and government research points in the same direction. The Balsillie School of International Affairs, citing the federal government’s digital economy strategy, reports that more than 80 per cent of Canadian cloud services rely on foreign infrastructure. But no equivalent analysis has mapped the software layer that runs on top of that infrastructure.

What the data shows

Two-thirds of the tools analyzed in our dataset are operated by companies subject to the CLOUD Act, while only 17 per cent are Canadian-owned. Among the 201 tools that offer Canadian data residency — often cited as a sovereignty safeguard — one in three remain under U.S. parent jurisdiction.

This is not evenly distributed. Among communications tools — the platforms used for internal email, video calls and messaging — 91 per cent fall under foreign jurisdiction. The only Canadian-owned option is Mitel, a legacy telecom provider. In developer operations, the figure is 92 per cent. In analytics and customer support, it approaches 90 per cent. In many of these categories, there is no meaningful domestic alternative.

Across the 30 major software categories in the dataset — spanning finance, health care, human resources, legal, education and more — nearly one in four has no Canadian-owned option. These include analytics, customer support, enterprise resource planning, design and developer operations — systems that underpin the day-to-day operations of modern organizations.

The pattern extends into sensitive sectors. Among legal technology tools, including those that handle solicitor-client privileged material, 74 per cent fall under foreign jurisdiction. In education technology, the figure is 68 per cent.

A Canadian hospital may schedule staff using a foreign-parented workforce platform, manage patient intake through a foreign-parented customer relationship manager (CRM), store records in a foreign-parented system and communicate internally through a foreign-parented messaging platform. Each introduces a separate point of jurisdictional exposure. Infrastructure choices alone do not resolve this.

What this means for policy

The legal reality is already acknowledged. The federal government white paper on data sovereignty concluded that full sovereignty cannot be assured when service providers are subject to foreign law. Barry Appleton’s recent analysis for the Balsillie School reaches the same conclusion.

But other governments have moved beyond analysis.

France announced in January its 2.5 million state civil servants will stop using Microsoft Teams and Zoom by 2027, replacing them with a domestically developed platform hosted on sovereign infrastructure.

The German state of Schleswig-Holstein migrated 44,000 employee accounts from Microsoft to open-source software. Austria’s military dropped Microsoft Office entirely for LibreOffice. The Dutch parliament approved a motion to tender for a national cloud service after an investigation found 67 per cent of Dutch government domains were linked to American providers.

Recently, a fully European-owned alternative to Microsoft 365 and Google Workspace launched from The Hague, built on open-source technology and hosted entirely in Europe.

These governments have recognized what Canada has not: sovereignty cannot be addressed solely at the infrastructure layer. In Canada, this issue is split across two policy frameworks that do not fully align.

The first sits within the Buy Canadian procurement policy framework introduced in December, which identifies digital sovereignty as a priority and includes IT services as a strategic sector. Its primary mechanism is a bid-price preference for Canadian suppliers. What it does not require is disclosure of parent-company jurisdiction or an assessment of how ownership structures affect legal risk.

This creates a blind spot. Under the framework, a supplier qualifies as Canadian if it has a place of business in Canada — a requirement that can be met with a single office. A SaaS vendor may present itself as Canadian at the point of procurement while being owned or controlled by a foreign parent subject to external legal authority. That status can also change over time through acquisition without triggering reassessment.

A targeted amendment to the strategic procurement evaluation criteria could address this directly. Vendors should be required to disclose parent jurisdiction, corporate control structure and potential exposure to foreign legal regimes such as the CLOUD Act. That disclosure should be weighted alongside price and Canadian content in bid evaluation.

The second gap sits between the Buy Canadian procurement policy framework and a framework with which it does not engage.

The federal digital sovereignty framework, released in November, assesses cloud providers and acknowledges that most government software comes from a small number of global companies.

But it explicitly states that sovereignty is “distinct from procurement policies that encourage domestic sourcing.”

In practice, the digital sovereignty framework understands that the jurisdictional problem does not shape procurement, while the Buy Canadian framework that governs procurement does not assess jurisdiction.

Neither catches a U.S.-parented SaaS tool sold through a Canadian office. Which means a product can check every procurement box while carrying the jurisdictional exposure that the entire sovereignty conversation is trying to solve.

Bridging this gap requires a classification system applied at the point of procurement. At minimum, this would distinguish between Canadian-owned and Canadian-operated software, foreign-parented software with localized data residency, and foreign-parented software subject to full extraterritorial legal exposure. Without that layer, policy frameworks will continue to talk past each other.

If the applications that organizations rely on every day are controlled by entities subject to foreign legal authority, then sovereignty is already constrained long before the question reaches a “sovereign” cloud.