Digital sovereignty series · Companion piece

By Panagiotis Toumpaniaris

It started in a kitchen.

One morning, the Alexa assistant of Judge Kimberly Prost stopped responding. The e-book she had been reading the previous evening was no longer on her device. By the end of the week, her Google account had been cancelled, her credit cards declined, and her Amazon orders refused. Prost had done nothing wrong, and certainly nothing illegal. She is a judge at the International Criminal Court.

What turned an arrest warrant in The Hague into the silencing of a smart speaker in a European home was not a court, a police force, or a bailiff. It was an executive order, a sanctions list, and a chain of automated systems that most European banks, platforms, and cloud providers had no direct legal duty to apply against an EU resident with no US legal nexus, but applied anyway. The whole apparatus had been designed for terrorists, narco-traffickers, and hostile regimes. It was now pointed at a sitting judge.

This piece is a companion to my digital sovereignty series. Before the cloud and AI deep-dives, it is worth pausing on what sovereignty looks like at the scale of one person, one family, one ordinary life. The ICC story is the cleanest case study we have, because the people affected have spoken about it on the record, and what happened to them was not a glitch. It was the system working as designed. The question is whether we want a system that works that way, and what each of us can do, today, to make sure that one stroke of a foreign pen does not send our own daily life back to the stone age.

A new kind of civil death

Between February 2025 and December 2025, the United States sanctioned eleven officials of the International Criminal Court under Executive Order 14203. Prosecutor Karim Khan was designated first, on 13 February 2025. Four judges followed in June: Solomy Balungi Bossa from Uganda, Luz del Carmen Ibáñez Carranza from Peru, Reine Alapini-Gansou from Benin, and Beti Hohler from Slovenia. Four more officials were added in August: Judges Kimberly Prost from Canada and Nicolas Guillou from France, alongside Deputy Prosecutors Nazhat Shameem Khan from Fiji and Mame Mandiaye Niang from Senegal. Two further judges, Gocha Lordkipanidze from Georgia and Erdenebalsuren Damdin from Mongolia, were added in December.

None of these people are criminals. They are judges, prosecutors, and elected officers of a court constituted by 125 states parties, doing the work they were appointed to do. Their sanctioned offence, in every case, was either authorising arrest warrants in the Palestine investigation against Israeli officials, or authorising a war-crimes investigation into US conduct in Afghanistan. The legal mechanism used against them is the same one the US deploys against terrorist financiers, narcotics cartels, and hostile foreign regimes.

What that mechanism does to a person living in Europe has now been described, on the record, by several of those affected. Speaking to a hearing of the European Parliament in early 2026, Judge Beti Hohler described the consequences as immediate. Her credit cards were cancelled within twenty-four hours of her designation. Her Apple ID, iCloud, Amazon, Airbnb, and PayPal accounts were blocked or terminated. A longstanding European bank closed her account within days. She reported euro transfers between two European banks being rejected by automated compliance systems, even where no US legal nexus was visibly involved.

Prosecutor Khan’s case, reported by the Associated Press in May 2025, was similar in shape. His UK bank accounts were blocked, his Microsoft-hosted ICC email account was cut off, and he was forced to migrate to Swiss-based Proton Mail. Microsoft’s president later denied a corporate cessation of services, but the prosecutor’s mailbox was, for him, gone.

For Judge Kimberly Prost in Canada, the cascade reached into the kitchen, as the opening of this piece described: an Alexa device that no longer responded, a Google account closed, an Amazon account cancelled, an Uber app that could no longer book a ride. Judge Luz del Carmen Ibáñez Carranza, a Peruvian national, reported that her Dutch bank cancelled her credit card and that her daughter’s Google accounts were also cut, by some unexplained extension of the designation. Judge Nicolas Guillou, a French national, told Le Monde that all of his accounts with US-headquartered companies, including Amazon, had been closed, and that even UPS refused to deliver packages to his address.

The families have absorbed a disproportionate share of the impact. Spouses lost their own US travel access. A daughter’s visa was cancelled. Children’s Google accounts disappeared. In one widely reported instance, a friend’s Amazon account was suspended because the friend had attempted to send a gift to a designated person. The automated system saw a transaction tied to a listed name, and that was enough. None of these family members or friends had been designated. None of them had done anything at all.

The cumulative effect, as Hohler put it, is a state of constant uncertainty: not knowing whether a failed card transaction is a glitch or a sanction, not knowing which provider will cancel next, not knowing whether a transaction inside one’s own country will still be screened out. It is a form of civil death administered by software, and it is the cleanest demonstration we have of what happens when one’s entire daily life is mediated by infrastructures owned, headquartered, or merely connected to a single foreign jurisdiction.

It wasn’t the law. It was the automation.

The European Union’s blocking statute could, in principle, prohibit European companies from complying with US sanctions that Brussels deems unlawful. Slovenia, the home state of Judge Hohler, asked Brussels to activate it the week she was designated. As recently as 6 May 2026, Spanish Prime Minister Pedro Sánchez and Slovenian Prime Minister Robert Golob made a fresh joint call for the Commission to act. Brussels has remained silent. In the meantime, the practical question is not “what does US law require of my bank?” but “what does my bank’s compliance system actually do when a name matches?”

The mechanism is straightforward, and almost entirely automated. The US Treasury’s Office of Foreign Assets Control publishes its Specially Designated Nationals (SDN) list as a machine-readable file. The moment a new name is added, that file is ingested by the global risk-intelligence databases that sit between banks, card networks, platforms, and their customers. The largest of these is LSEG’s World-Check, used by more than 40,000 institutions worldwide and aggregating entries from OFAC, the UN, the EU, the UK and other regimes alongside politically exposed persons and adverse media flags. Dow Jones Risk and Compliance is the other major player. Banks, card issuers, cloud providers and even logistics companies subscribe to these feeds and run them continuously against their customer base.

When a name matches, the institution is rarely making a considered legal judgement about whether that particular customer in that particular jurisdiction is genuinely captured by the sanction. The institution is making an operational risk calculation. The cost of unwinding a relationship with a flagged customer is small. The cost of being seen, at any future audit, to have transacted with a person on the OFAC list is potentially existential. The default response, accordingly, is to close the relationship rather than to investigate it. This is what over-compliance looks like at scale, and it is the actual transmission mechanism by which a US executive order propagates into the daily life of a European judge.

The Hohler euro-transfer moment is the cleanest illustration. A transfer between two European banks, denominated in euro, with both customer and counterparty resident in the EU, has no obvious US legal nexus. There is no US person, no US dollar, no US jurisdiction. And yet the transfer was rejected. Three things plausibly contributed. Most cross-border euro transfers are routed through SWIFT, which, despite being headquartered in Belgium, is subject to significant US pressure and has historically removed designated parties from the network. Many European banks maintain US correspondent-banking relationships that they prize and will not put at risk. And the bank’s own compliance system, fed by World-Check or an equivalent, will simply flag any party on the OFAC SDN list and decline as the safer default. In any of those scenarios, the European bank is not executing US law. It is executing its own automated risk policy, calibrated to a worst-case audit.

Reporting at the time of the first wave of judge designations noted that the practical effect was to place them in a screening service used by banks worldwide, making it very difficult to hold or open bank accounts or transfer money anywhere in that network. As Judge Prost put it after she was added to the list in August 2025, “I’ve worked all my life in criminal justice, and now I’m on a list with those implicated in terrorism and organised crime.” That is the automated answer to her name, returned by the same database that screens for narcotics traffickers and foreign-terrorist organisations. The database does not know the difference. Many of the institutions consuming it do not pause to ask.

Automation cuts both ways

It would be easy, at this point, to argue that the answer is to take automation out of compliance. That would be wrong. Automation in financial-services screening exists because the alternative does not work. The European Union alone clears tens of billions of card transactions every year, plus untold millions of bank transfers, account openings, beneficial-owner checks, and ongoing periodic reviews. No team of human compliance officers could read every name against every list, in real time, every time. Automation is what allows your bank to detect, within seconds, that your card has been cloned and used at a petrol station two countries away from where you are sitting, and to block that transaction before the criminal reaches a second pump. Automation is what catches synthetic-identity fraud rings, what flags carousel VAT fraud, and what spots the same shell company being used to launder money across three jurisdictions in twenty minutes. It is, on balance, a good thing. This article is not asking anyone to undo any of that.

The point is narrower. Automation has been built, in financial services, with an asymmetric attitude towards its two kinds of errors. When the algorithm gets a transaction wrong in your favour, the institution has spent twenty years building well-staffed processes to put it right. When the algorithm gets it wrong against you, those processes do not yet exist.

The card-fraud case is the cleanest example. The cards we carry are protected by some of the most sophisticated real-time anomaly detection in commercial use. If your bank’s system suspects a fraudulent transaction, it will decline it inside a second, send you an SMS, and very often freeze the card pending your confirmation. So far, so reasonable. What happens next is what matters. There is a published twenty-four-hour hotline. There is a contestation path. There is a clear route to having the transaction reversed, the card unblocked, and a replacement issued within days. The whole apparatus assumes that the system will sometimes get it wrong, and it is designed to make those errors recoverable. The customer is not punished for the algorithm’s mistakes.

Compare this with what happens when the same bank’s automated compliance system matches your name against the OFAC SDN list. There is no number to call. There is no published review threshold. There is no time-bound hold, after which the account is reactivated pending investigation. The decision is, in many cases, terminal: the relationship is closed, sometimes overnight, with no opportunity to demonstrate that you are not the person described in the database, or that you are that person but the designation does not apply to you in your country, or that the designation is itself being contested in courts. There is no published process by which the affected ICC judges could have challenged the closure of their accounts, no public timeline for review, no contact path equivalent to the fraud line on the back of a card.

This asymmetry is not a law of nature. It is a design choice, and a choice that institutions can revisit. The same bank that can call you within sixty seconds about a suspicious charge can, in principle, call you within twenty-four hours about a sanctions-screening hit. The same platform that operates trust-and-safety appeals for content moderation can, in principle, operate equivalent appeals for compliance-driven account closures. None of this is technically hard. It is a question of whether the institution treats the automated rejection of a customer as an event that, like fraud, sometimes requires a human in the loop, or as an event that, unlike fraud, is final by default.

The Financial Action Task Force itself has for years warned that wholesale “de-risking”, the practice of closing entire categories of customer relationships rather than carrying out proper case-by-case assessments, is itself a compliance failure rather than a safe choice. It pushes legitimate customers into less regulated channels and makes financial flows harder, not easier, to track. The ICC sanctions case is de-risking by another name, dressed up in the language of OFAC compliance. The customers in question are not money launderers or terrorist financiers. They are sitting judges. The institutions have, in many cases, no direct legal obligation to close their accounts. They do it because the automated path of least resistance leads there, and because no countervailing process exists to slow it down.

Sovereign where possible, exit-ready where not

If the previous sections have set up the problem, this one is about what to do about it. None of what follows is sanctions-evasion advice. It would not shield a US person from US legal obligations, or a designated person from a designation against them. These are resilience measures, addressed to ordinary readers who would prefer that a mistaken lockout, an account takeover, a vendor outage, or an over-compliance cascade did not flatten their daily life.

The goal is not to retreat from the global digital economy. The goal is to reduce the number of single points of failure that one foreign signature can pull. I will call this principle concentration-risk reduction, because it is the personal analogue of what every chief risk officer in Europe is currently being told to do for cloud and AI. The discipline is the same at every scale: identify the places where your life depends on a single jurisdiction, a single vendor, or a single account, and add a survivable second option.

The good news is that you do not have to do this all at once, and you do not have to give up the things that work. Most of what follows is about adding a parallel option, not replacing what you already use. Sovereign where possible, exit-ready where not.

Identity and authentication

The most important single change is the one many readers will already have made: stop using “Sign in with Google”, “Sign in with Apple”, “Sign in with Facebook”, or “Sign in with Microsoft” for anything you care about. Social logins are the cascading lockout vector. If your primary Google or Apple account is closed by an automated compliance system, every service you have signed into with it will follow within hours. Replace social logins with a dedicated account at each service, secured by a long unique password and, where available, a passkey.

Store those passwords and passkeys in an open-source password manager rather than in the one built into your operating system. Bitwarden, KeePassXC and Proton Pass all work across platforms and store both passwords and passkeys. The relevant property is that none of them is welded to your Apple ID or Google account; if either of those is cancelled, your password vault keeps working.

Keep at least one recovery email address on a provider that does not share a corporate ecosystem with your primary mailbox. If your primary is Gmail, your recovery should be on Proton or Infomaniak. If your primary is Outlook, your recovery should not be on a Microsoft-owned domain. The point is to ensure that an account cancellation cannot also lock you out of the inbox you would use to recover from it.
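The cascading lockout described in this section can be made concrete as a dependency graph. The following Python is an added example, not code from the article or from any product it names: the accounts and links are constructed to mirror the cascade (social login, recovery mailbox, vendor keychain), and it measures how many accounts fall with one root account before and after two of the changes above.

```python
"""Blast radius of one account cancellation across a personal account graph.
Added example for this article, not code from the article or any product it
names; the accounts and dependency links are constructed to mirror the
cascades the text describes: social login, recovery mailbox, OS keychain."""
from collections import deque
from typing import Dict, List, Tuple

Edge = Tuple[str, str]        # (dependent account, why it depends)
Graph = Dict[str, List[Edge]]

# Constructed sample graph: losing the key account also loses each listed
# dependent, or makes it unrecoverable, for the stated reason.
ACCOUNTS: Graph = {
    "google": [
        ("spotify", "sign in with Google"),
        ("airbnb", "sign in with Google"),
        ("uber", "sign in with Google"),
        ("bank-app", "recovery e-mail is the Gmail address"),
        ("google-password-manager", "credentials kept in the OS vendor's vault"),
    ],
    "google-password-manager": [
        ("electricity-portal", "only copy of the password lives in that vault"),
    ],
    "apple": [
        ("icloud-keychain", "passwords and passkeys kept in iCloud Keychain"),
        ("door-lock-app", "lock app uses Sign in with Apple"),
    ],
    "icloud-keychain": [
        ("tax-portal", "only copy of the password lives in that vault"),
    ],
}


def blast_radius(root: str, graph: Graph) -> Dict[str, List[str]]:
    """Breadth-first walk from a cancelled root account. Returns
    {lost_account: chain of 'parent -> child: reason' steps}: everything that
    stops working or becomes unrecoverable when `root` goes."""
    lost: Dict[str, List[str]] = {}
    queue = deque([(root, [])])
    while queue:
        node, chain = queue.popleft()
        for child, reason in graph.get(node, []):
            if child == root or child in lost:
                continue
            lost[child] = chain + [f"{node} -> {child}: {reason}"]
            queue.append((child, lost[child]))
    return lost


def rank_single_points_of_failure(graph: Graph) -> List[Tuple[int, str]]:
    """Rank accounts by how much falls with them, largest blast radius first:
    the personal concentration-risk view the article asks readers to build."""
    return sorted(((len(blast_radius(r, graph)), r) for r in graph), reverse=True)


def remove_dependency(graph: Graph, parent: str, child: str) -> Graph:
    """Model one mitigation: the child no longer hangs off the parent (a
    dedicated login kept in an independent password manager, or a recovery
    mailbox moved to a provider outside the parent's ecosystem)."""
    return {k: [(c, r) for c, r in v if not (k == parent and c == child)]
            for k, v in graph.items()}


def hardened_graph(graph: Graph) -> Graph:
    """Apply two of the article's identity changes: an independent vault and
    off-ecosystem recovery mail. Social logins are left in place on purpose so
    the residual risk stays visible."""
    g = remove_dependency(graph, "google", "bank-app")
    g = remove_dependency(g, "google", "google-password-manager")
    return remove_dependency(g, "apple", "icloud-keychain")


if __name__ == "__main__":
    print("single points of failure:", rank_single_points_of_failure(ACCOUNTS))
    for label, g in (("before", ACCOUNTS), ("after", hardened_graph(ACCOUNTS))):
        lost = blast_radius("google", g)
        print(f"google cancelled ({label} hardening): {len(lost)} accounts lost")
        for acct, chain in lost.items():
            print("   ", acct, "<=", " | ".join(chain))
```

The remaining three losses after hardening are exactly the social logins, which is the first change this section asks for.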

Mail

Proton Mail is the easiest sovereign alternative for most people in Europe. It is Swiss-jurisdiction, end-to-end encrypted for messages between Proton users, and supports custom domains on its paid plans. Infomaniak’s kMail is the strong Swiss-hosted alternative for people who want their email at a Swiss data centre under Swiss data-protection law. Mailbox.org is the German equivalent and supports a useful range of professional features.

A further step, and arguably the most important for long-term resilience, is to own your own domain. Register a personal domain through a registrar that is independent of your email provider, and use it as the custom domain for your mailbox at Proton, Infomaniak, or Mailbox.org. Your email address is then decoupled from the provider entirely. If the provider closes your account tomorrow, you can point the domain at another provider next week and your address stays the same. The people you correspond with do not need to update anything. People who have done this once rarely go back.

You do not need to migrate everything at once. Many readers will be best served by keeping their existing Gmail or Outlook for low-risk subscriptions while moving identity-critical recovery and personal correspondence to a sovereign mailbox on a domain they own. The principle is that the loss of one mailbox should never be the loss of all of them, or, worse, of an address you have used for fifteen years.

Messaging

The messengers most Europeans use (WhatsApp, Facebook Messenger, iMessage and, to a lesser extent, Signal) all share a structural weakness: they tie your account to a single phone number and a single platform under US jurisdiction. Threema is the Swiss alternative that breaks both ties. It sells you a random identifier rather than tying you to a phone number, the company is in Switzerland, and the app works without a Google or Apple identity in the background. For users who want a fully decentralised option, SimpleX (which uses no persistent user identifiers at all) and Matrix (federated, and used by several European governments) are credible technical choices.

Pick one, install it on the devices of the people you most need to reach (close family, immediate colleagues), and keep it warm. The worst time to set up an alternative messenger is the day after your WhatsApp has been deactivated.

The Apple ID problem

There is, today, no like-for-like alternative to the Apple ecosystem if you use a Mac or iPhone. That is the honest truth, and this article will not pretend otherwise. The point is not to leave Apple. The point is not to host your entire life there.

Three small habits matter. First, do not let iCloud be the only place your contacts and calendars live. Both can be synced via CalDAV and CardDAV to a sovereign provider such as Infomaniak or Mailbox.org, and your phone will use Apple and the sovereign provider side by side without complaining. Second, keep a local administrator account on your Mac that is not your iCloud account. If your Apple ID is ever deactivated, that local account is the difference between a working computer and a paperweight. Third, keep iCloud Keychain out of your critical recovery chain. Your password manager should be the source of truth for your passwords and passkeys, not Apple’s.

The same logic applies to Google for Android users. Use it, but do not let it own every credential, every photo, every contact, and every two-factor recovery on your phone.

Cloud and storage

For files, Infomaniak kDrive, Tresorit, pCloud and Proton Drive are the Swiss and EU-jurisdictional options that most directly substitute for Dropbox, Google Drive, and OneDrive. For the documents that matter most (identity documents, contracts, hardware-key backups, recovery codes), keep a separate encrypted copy on local storage that you control. VeraCrypt is the standard tool. An encrypted USB stick in a drawer is a remarkably effective backstop against a cascade of account cancellations.

Payments

The most resilient setup is straightforward, and is becoming more common. Hold accounts at two banks with different ownership and payment dependencies, with at least one of them less exposed to US-centred international banking flows. For Swiss residents, that often means a relationship with a cantonal bank or PostFinance alongside whatever international institution handles your other needs.

For day-to-day spending, prefer payment rails that are not owned by US card networks. Not every option marketed as “European” qualifies. Maestro and V-Pay are owned by Mastercard and Visa respectively, run on those networks, and are in any case being phased out. The genuinely sovereign domestic schemes are different beasts: TWINT in Switzerland, Bizum in Spain, Bancomat Pay in Italy, and Girocard in Germany all run on domestic infrastructures and continue to work in many of the scenarios where international cards do not. They do not bypass sanctions screening, which is performed by the banks behind them, but they do remove the US card network as an additional point of failure.

The pan-European story is finally moving as well. Wero, launched by the European Payments Initiative in 2024, is now live for account-to-account payments in Germany, France, and Belgium, with Luxembourg and the Netherlands coming on stream during 2026 and 2027, and point-of-sale acceptance rolling out in 2026. The Digital Euro, with a pilot scheduled for the second half of 2027 and a potential first issuance in 2029, is the longer-term sovereign anchor for retail payments in the euro area. Neither is a substitute for an international card today, but both are worth using where they are already available, and worth being ready for where they are not yet.

Keep some cash at home. This is not paranoid; it is the same resilience principle that civil-protection agencies have been quietly recommending to Swiss and EU households for decades.

Smart home

The household tier is the easiest to fix and the most overlooked. The Alexa silence in Judge Prost’s kitchen was not symbolic. It was the literal consequence of running her thermostat, her lights, her smart-speaker stack, her e-books, and her shopping through one US cloud account. Anything you actually need to work tomorrow morning should not depend on a single vendor’s cloud staying nice to you. Home Assistant is the open-source standard for local-first home automation, runs on a small home computer, and supports virtually every major device family. Door locks, alarm systems, and heating controls in particular should be installed with the assumption that the vendor’s cloud may, one day, simply not be there.

None of these changes is hard. None of them costs much. Done together, they do not make you a paranoid hermit. They make you a person whose daily life would still work, more or less, on the morning after a foreign government decided to add your name to a list.

What institutions owe us

Personal sovereignty cannot do all the work. If automation is going to stay in the compliance loop, and it should, then the institutions running that automation owe their customers a few things that they do not, today, provide.

First, a published contestation path. Every bank, card network, platform, and cloud provider should publish, in the same way they publish their fraud-recovery hotline, the procedure by which a customer flagged on a sanctions or compliance basis can challenge the decision. A telephone number that connects to a person. A timeline within which a response is owed. A reviewer who can see beyond the database hit.

Second, a human review threshold. For high-impact decisions, including the termination of a long-standing account, the suspension of a child’s account, or the blocking of a transfer with no clear US legal nexus, automation should propose and a human should dispose. Not the other way around.

Third, time-bound holds rather than terminal cancellations. The card-fraud model is the right one. Freeze first, contact the customer, give them a reasonable window to respond, and only then proceed to closure if the case still requires it. Closures that begin as terminations leave customers with nothing to appeal and no time to migrate.

Fourth, a notification obligation. A customer is entitled to know that they have been screened out, on what basis, and by what authority. “Internal compliance” is not an answer that any other regulated industry would accept from itself, and it is not one any supervisor should accept from financial services either.
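The four obligations above amount to a decision design, and the contrast with today's practice is easiest to see in code. The following Python is an added illustration, not the code of any bank or screening vendor: the hit fields, thresholds, list labels and the sample customer (an EU resident of twelve years with a strong name match and no US nexus, echoing the euro-transfer case) are all constructed.

```python
"""Two ways a screening engine can act on a sanctions-list name hit.
Added illustration for this article, not code from any bank or screening
vendor; hit fields, thresholds, list labels and the sample customer are
constructed, and a real engine carries far more context than this."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MATCH_THRESHOLD = 0.60   # constructed: below this the hit is discarded
HIGH_CONFIDENCE = 0.85   # constructed: above this the name match is strong


@dataclass
class ScreeningHit:
    customer_id: str
    list_source: str         # constructed label: "OFAC-SDN", "EU", "UN", ...
    match_score: float       # 0.0 - 1.0 name-similarity score from the feed
    us_nexus: bool           # USD, US person, US territory or US counterparty?
    tenure_years: int        # age of the customer relationship
    minor: bool = False      # is the account holder a child?


@dataclass
class Decision:
    action: str              # CLEAR | HOLD | TERMINATE
    notify_customer: bool
    human_review: bool
    hold_until: Optional[datetime]
    reasons: List[str] = field(default_factory=list)


def terminal_by_default(hit: ScreeningHit) -> Decision:
    """The over-compliance pattern the article describes: any hit over the
    threshold closes the relationship with no notice, no hold, no reviewer."""
    if hit.match_score >= MATCH_THRESHOLD:
        return Decision("TERMINATE", False, False, None, ["list match"])
    return Decision("CLEAR", False, False, None)


def hold_first(hit: ScreeningHit, now: datetime, hold_days: int = 14) -> Decision:
    """The card-fraud model applied to compliance: freeze, notify the customer
    and route to a human inside a time-bound window. Automation only proposes."""
    if hit.match_score < MATCH_THRESHOLD:
        return Decision("CLEAR", False, False, None)
    reasons = ["list match"]   # each flag below is context the reviewer must weigh
    if hit.match_score < HIGH_CONFIDENCE:
        reasons.append("low-confidence name match: possible namesake")
    if hit.list_source == "OFAC-SDN" and not hit.us_nexus:
        reasons.append("no visible US legal nexus for a US-only designation")
    if hit.tenure_years >= 5:
        reasons.append("long-standing relationship: high-impact decision")
    if hit.minor:
        reasons.append("account holder is a minor")
    return Decision("HOLD", True, True, now + timedelta(days=hold_days), reasons)


def resolve_hold(held: Decision, now: datetime, verdict: Optional[str]) -> Decision:
    """A human disposes. `verdict` is "close", "clear" or None. Closure needs an
    elapsed window and a reviewer; an expired window with no decision restores
    service pending investigation rather than letting the freeze turn permanent."""
    if held.action != "HOLD":
        return held
    if verdict == "clear":
        return Decision("CLEAR", True, True, None, held.reasons + ["cleared by reviewer"])
    if now < held.hold_until:
        return held              # the customer's response window is still open
    if verdict == "close":
        return Decision("TERMINATE", True, True, None, held.reasons + ["closure confirmed after hold"])
    return Decision("CLEAR", True, True, None,
                    held.reasons + ["hold expired without review: reactivated pending investigation"])


# Constructed sample: an EU-resident customer of twelve years, flagged on the
# OFAC list with a strong name match but no US nexus in the transaction.
SAMPLE_NOW = datetime(2026, 1, 15, 9, 0)
AFTER_WINDOW = SAMPLE_NOW + timedelta(days=15)
SAMPLE_HIT = ScreeningHit("cust-0001", "OFAC-SDN", 0.95, us_nexus=False, tenure_years=12)


def demo() -> dict:
    """Run the same hit through both engines and return the resulting actions."""
    held = hold_first(SAMPLE_HIT, SAMPLE_NOW)
    return {
        "terminal_by_default": terminal_by_default(SAMPLE_HIT).action,
        "hold_first": held.action,
        "day_3_no_verdict": resolve_hold(held, SAMPLE_NOW + timedelta(days=3), None).action,
        "day_15_no_verdict": resolve_hold(held, AFTER_WINDOW, None).action,
        "day_15_reviewer_close": resolve_hold(held, AFTER_WINDOW, "close").action,
    }


if __name__ == "__main__":
    print(demo())
```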

These are not radical demands. They are the standard that already exists for fraud and chargebacks, applied to the other end of the same algorithm. Until the institutions running the compliance machinery extend it, the individual measures in the previous section are the only line of defence European customers have. That is not where this should be left.

Sovereignty as peace of mind

None of this is fear-mongering. It is basic resilience. The article has used the ICC sanctions as its case study because they are the cleanest and best-documented examples we have of cascading lockout in real life, but the same daily life would be just as disrupted by an identity thief who takes over your primary Google or Apple account, by a routine fraud-detection mistake that closes the wrong bank account, or by a single-vendor outage that turns the lock on your front door into a paperweight. The mechanism that broke Judge Prost’s Alexa is the same mechanism that breaks any household built on too few foundations. Sanctions are merely the most ostentatious version of a risk that has been quietly present all along.

What this piece, and the broader digital sovereignty series it sits alongside, is asking of the reader is therefore quite modest. Be conscious of the risks. Know which of your daily essentials depend on a single account, a single vendor, or a single jurisdiction. Add a parallel option where you can, and an exit plan where you cannot. Do this not to live in fear, but for the opposite reason: to live with the peace of mind that comes from knowing your daily life can survive an event you did not see coming.

The same principle scales. The next two articles in this series will look at how organisations apply it to the cloud and to AI: where the dependencies sit, what concentration risks are quietly being accepted, and how a chief risk officer in Bern or Brussels should think about reducing them. Sovereignty, as the previous article in this series concluded, is not a destination but a discipline. The discipline starts in the kitchen.

Disclaimer

Sources have been checked by AI using multiple LLMs, multiple times. Mistakes are still possible, so I apologise in advance!
All pictures are AI generated, blame the lack of even one creative bone in my body.
Happy to hear your suggestions, corrections, criticism and thoughts.