Sovereignty by design

Alexander Zwart, CITO | Rabobank

Alexander Zwart is the Chief Innovation and Technology Officer and Member of the Managing Board at Rabobank. He has been with the bank since 2008, holding a range of senior roles across digital transformation, technology, and customer experience, including Head of Digital Transformation and CTO for Retail Netherlands. Prior to joining Rabobank, he held roles at Nuon and Coca‑Cola, and holds a master’s degree in business economics from Erasmus University Rotterdam/Michigan State University


What does digital sovereignty mean to you?

The problem with sovereignty is that so many people understand so many different things by it. The way we approach it is by asking what scenarios could plausibly play out in the world, and what kind of technology setup would best fit each of them. The inconvenient truth is that there is no single solution that ticks all the boxes.

A concrete example: when Iran was firing rockets on Dubai, people living there were quite happy that many banks were using a hyperscaler like AWS, because in a war situation they could move workloads somewhere else. If those banks only had data centers in Dubai, they would have been in a very bad place. But then we have also seen the opposite scenario, most recently with the American government deciding not to give access to certain AI models, and how impactful that can be. Two very different scenarios, one a war situation, the other a foreign government simply deciding to cut off access. The same architectural choice can be both a strength and a vulnerability, depending on the scenario.

As a bank, you have to be able to deal with both. Cash flow is king. A company survives or disappears depending on whether cash flow works. As soon as a bank cannot do payments, society has a huge problem. As soon as a bank cannot manage its treasury, the bank itself is in trouble. So whatever scenarios play out, payments and treasury must function independently of them. That means the answer is not either sovereign infrastructure or hyperscaler. You probably have to work with both. It is about being portable, being able to switch between different solutions, maintaining optionality, and being redeployable, meaning you can rebuild your technology stack very quickly if a specific landing zone fails.

The same architectural choice can be both a strength and a vulnerability, depending on the scenario.

These discussions are often very polarized and very negatively framed. That misses the point. In ten years’ time, we will still work very intensively with Azure and AWS. The real question is whether, whatever happens in the world, we can still serve our customers. That is what matters most.

That means the answer is not either sovereign infrastructure or hyperscaler. You probably have to work with both.


What is your view on the ongoing digital sovereignty debate in Europe?

As a predominantly European company, the debate is very relevant. The operational resilience question about sovereignty is about making sure our critical functions remain available regardless of what any external party does. The strategic question is about the fact that Europe, as a continent, has simply not invested enough in technology. If you look at India, or at China, you see large parts of the world that did invest and built substantial industries. The United States did the same. Europe did not.

What concerns me is that some technology companies have become what I would call tech nations. It is not really a US versus Europe discussion. It is a question of whether Europe wants to have some very large technology companies that are European owned, with their main interests in Europe. Because what we have seen is that certain companies have become so large that the only government genuinely capable of controlling them is the US government.

Europe, as a continent, has simply not invested enough in technology.


Rabobank is a cooperative bank. Does that change how you approach these questions in practice?

The key difference is that our members are our shareholders. The General Members Council, which appoints our supervisory board, is made up of actual customers. And customers are much more interested in the long-term profitability and sustainability of the bank than a typical stock market investor might be. That means they are also willing to accept certain investments that a purely listed company might weigh very differently.

Concretely, we are willing not just to become a customer of certain technology providers, but in some cases to become an investor as well. If we see a technology provider, potentially a European one offering capabilities not yet available in the market, and if we see that other organizations are also willing to become clients, we are prepared to invest for a period of time to help that company scale. Not to become a technology company ourselves, but to stimulate the market.

we are willing not just to become a customer of certain technology providers, but in some cases to become an investor as well.

This is exactly what we have done. We became a customer of one such company and told them we were willing to invest to help make it happen. Alone, this would not have been possible. Our decision was driven by the fact that the Bank of New York was also investing in them, and that other parties in the market were willing to help that company scale. A cooperative bank can internalize that kind of long-term, society-oriented rationale more easily than a listed company can.


Beyond investment, what concrete steps is Rabobank taking on the operational side?

We are analyzing our entire technology landscape through the lens of what we call business functions. Every capability we need to serve customers sits within a business function, whether that is the front office for mortgages, our banking app, or something else. These functions run on landing zones. In the past, we made choices about which landing zones to use with which providers, but we were not always sufficiently deliberate about which landing zones we wanted to support for which critical functions, or how concentrated our dependencies were becoming.

We are now much more conscious of concentration, and the way I frame it is this: in the past we looked primarily at how much money we spent with a given vendor. Now we also look at how concentrated we are in our processes with that vendor, and across which value chains. We assess whether we are highly concentrated in a critical value chain and whether we are portable enough to move if we need to. These are intentional decisions we are making rather than letting them emerge by default.

It is a balance, and it is important to be honest about that. A bank also has to meet serious security requirements. With the current capabilities of AI models, as soon as a vulnerability is identified, within minutes someone can determine the root cause and attack everyone who has not yet patched it. Even lower-level vulnerabilities become stepping stones into your systems. The risks in the world are increasing dramatically, so we cannot be naive on the security side while pursuing greater optionality on the sovereignty side. Both have to be held together.

In the past we looked primarily at how much money we spent with a given vendor. Now we also look at how concentrated we are in our processes with that vendor, and across which value chains.


What role do payments play in sovereignty?

Payments are so deeply embedded in people’s lives that if they stop working, society has a problem. It is like electricity. If we cannot sell mortgages for a week, that would be very unpleasant for us, but Dutch society would not particularly care. Customers would go to another bank for a loan. But if payments do not work, customers cannot easily switch. Large companies work with multiple banks globally and can absorb a failure. But the vast majority of our customers are smaller enterprises, and they are deeply dependent on the single bank they work with, especially for cash flow and payments.

It is essential that a meaningful number of players are able to offer payment services. Right now, Mastercard and Visa are globally dominant, and I am quite positive about the European Payments Initiative precisely because Europe needs a credible alternative alongside them. That does not mean the other methods disappear. But having a European payment alternative is vital.

What India has done in this space is genuinely impressive. A local payments infrastructure has scaled enormously there. Payments and identity are so core to the functioning of society that you need competition and you need alternatives. A very limited set of global players controlling those functions is not healthy for the global economy.

Having a European payment alternative is vital.


How do you see the relationship between banks and hyperscalers evolving from here?

We will continue to work very closely with hyperscalers. Depending on your size, there is a limited set you can work with in practice, so we want more than one, but we also do not want ten. The relationship is broadly good. But I think something important has to change in how the hyperscalers think about themselves.

Banks have faced a similar tension. Most banks earn their money through mortgages and lending. Payments is often not where they make the money, but it is probably what society values most about what banks do. The same applies to hyperscalers. With cloud, they have become vital infrastructure for the world, and vital infrastructure, even when it sits inside the same company as everything else, is a different business. It has to be treated differently.

If the Google search engine goes down, people get frustrated. If Google Cloud goes down, the world has a major problem. Once you recognize that, the nature of the relationship has to change. The depth of knowledge we share, how well we understand the issues they face on the infrastructure side, how we take mitigating action so that even if that infrastructure fails our critical operations continue: all of that becomes far more important. The energy sector shows how this works in practice. Grid operators have to ensure supply regardless of what happens in the commercial layer above them. We already apply the same logic: our data centers have backup generators precisely because we do not wait to be rescued when supply fails. Hyperscalers have become multiple companies inside one entity, which is fine, but it means we have to look at them, and work with them, differently on those specific parts of the business.

We will continue to work very closely with hyperscalers.


Is open source a path to greater sovereignty?

We are an organization that is still very attractive to good engineers, and that means we have the capability to build significant things ourselves. For organizations like us, working with open source genuinely helps, because you can draw on all the knowledge that has been integrated into open-source communities globally, and we have people capable of working with it.

There is also a practical resilience dimension. If a SaaS solution we purchase is heavily based on open source, and for some reason the vendor can no longer support it, we could in principle take it over ourselves. In practice, we’ve done exactly that. We worked with Pivotal Cloud Foundry, and when needed, because Cloud Foundry is open source, we were able to insource the software and run it ourselves with our engineers connected to the Cloud Foundry community. That experience shapes how we think about architectural choices. Open source is now one of our architectural principles. All else being equal, we prefer solutions that are open source over purely proprietary code.


When it comes to AI, where does a bank’s real sovereign asset lie?

You have to be ruthlessly specific about where a bank is genuinely unique. Everybody thinks they are good at everything, but if you are truly critical about it, the set of things a bank is uniquely good at is quite small. The biggest asset is the ability to assess risk. The second is the ability to comply with regulation. Beyond those two, we are good at many things, but not uniquely so.

The truly proprietary data is not just the structured data sitting in databases. It is also the unstructured data in documents, and the knowledge that exists in people’s heads, which gets discussed but never written down. That is the data a bank should be very careful about how it shares externally. Training models on that data makes complete sense. But you have to be specific about where you are actually unique, because if you are not, you are not building a sustainable advantage.

A good example is our ability to assess the risk of a small or medium enterprise customer. We hold detailed knowledge about that customer that is simply not publicly available anywhere. For a large, listed company, there is so much public information that the information asymmetry largely disappears. It is precisely where that asymmetry exists that banks have a unique position, and that data is really the business model.


Do sovereignty requirements constrain innovation?

I think history simply shows the opposite. Innovation consistently happens when people face constraints. The most common argument I hear inside the bank is that someone needs more budget to innovate. But reality has proven, repeatedly, that if you give brilliant people a limited set of resources and a clear task, they find ways to accomplish things that unlimited resources would not have produced. DeepSeek is a recent and vivid example of exactly that. Resources are not the constraining factor. What makes the difference is a brilliant north star, the ability to bring intelligent and motivated people together, and a mindset oriented toward how we can do this rather than why we cannot. Constraints do not prevent innovation. In many cases, they produce it.