In 1940, Soviet forces seized Estonia’s national archives. Eighty years later, Estonia decided that would never happen again — by storing its most critical government data in Luxembourg, under diplomatic immunity, on servers it controls but does not physically possess. It is the most radical rethinking of what sovereignty means since Westphalia. And almost no one outside the Baltic has understood its implications.
By Vladimir Tsakanyan, PhD · Center for Cyber Diplomacy and International Security · cybercenter.space
In December 2024, a vessel assessed to be part of Russia’s shadow fleet severed the Estlink 2 subsea cable connecting Estonia to Finland. In September 2025, Russian MiG-31 fighter jets penetrated Estonian airspace for twelve minutes before withdrawing. In early 2026, with Ukraine under pressure to cede territory and NATO’s eastern flank increasingly anxious, Estonia raised its defence spending to five percent of GDP. For a country of 1.3 million people sharing a land border with the Russian Federation, the threat calculation is not abstract. It is the lived condition of national security planning.
Against this backdrop, Estonia’s data embassy in Luxembourg is not an innovation. It is an existential hedge. The question that its architects were answering when they signed the agreement with Luxembourg in 2017 was not a technical one. It was a philosophical and strategic one: what does it mean to be a state in a world where the most critical functions of governance — the registries of citizens, property, business, and identity; the continuity of courts, pensions, and public services — exist primarily as data? And if that data can be seized, corrupted, or destroyed, can the state itself be said to continue?
Estonia’s answer — store the sovereign state in servers abroad, under diplomatic immunity, recoverable from exile — is not, on reflection, as novel as it appears. The governments of Belgium, France, and the Netherlands operated in exile during the Second World War, maintaining their legal and institutional continuity from London while their territories were occupied. Estonia’s data embassy is the twenty-first century equivalent of that continuity-of-government doctrine: a mechanism by which a state’s essential institutions can survive the loss of their physical territory and reconstitute themselves when conditions allow. It is sovereignty made portable. And in 2026, with Russian expansionism no longer a theoretical concern on NATO’s eastern flank, it is no longer a curiosity. It is a model.
The Westphalian Assumption — and Why It Is Failing
The Peace of Westphalia in 1648 established the conceptual architecture that still governs international relations: the sovereign state as the primary actor, defined by its exclusive authority over a fixed territorial space. Territory, in the Westphalian model, is not merely a geographic fact. It is the foundation of sovereignty — the physical container within which a state’s laws apply, its institutions function, and its power is legitimate. Everything that international law subsequently built — the doctrine of non-interference, the concept of diplomatic immunity, the framework of consular relations — rests on the assumption that sovereignty and territory are coextensive and inseparable.
The digital transformation of governance has not, in most policy discussions, been understood as a challenge to this foundational assumption. It should be. When a state’s population register, land registry, court system, and pension database exist primarily as digital records, the question of where those records are physically stored is not merely a technical infrastructure decision. It is a question of where the state actually resides. If those records exist only on servers within the state’s territorial boundaries, then any actor capable of seizing, destroying, or denying access to those servers — whether through military occupation, cyberattack, or natural disaster — has effectively seized, destroyed, or denied the state itself. The territory remains. The state, in any functional sense, does not.
Estonia understood this earlier than any other government, and the understanding was forged in direct experience. The 2007 cyberattacks — the first state-scale cyber operation ever recorded, attributed to Russian actors responding to the relocation of a Soviet-era war memorial — simultaneously disrupted the websites of the Estonian parliament, banks, newspapers, and government agencies. For a country that had built ninety-nine percent of its public services into digital form, this was not an inconvenience. It was a demonstration of what total digital disruption would feel like, delivered at a scale calibrated to cause pain without crossing the threshold of armed conflict. The lesson was absorbed at the highest levels of government and translated, over the following decade, into the data embassy concept: if the state cannot guarantee the physical security of its digital infrastructure, it must guarantee the digital continuity of its state.
Analyst note
The legal architecture of Estonia’s data embassy is more innovative than its technical architecture. The bilateral agreement between Estonia and Luxembourg extends the protections of diplomatic immunity — inviolability, extraterritoriality, freedom from the host state’s jurisdiction — to a data centre. This is not straightforwardly supported by the Vienna Convention on Diplomatic Relations, which was drafted with physical premises and human diplomatic personnel in mind and makes no provision for server racks. The agreement between Tallinn and Luxembourg is, in international legal terms, a bespoke instrument creating a new category of protected foreign facility. No multilateral framework exists to govern it. The legal clarity it provides is real but fragile — dependent on bilateral goodwill and vulnerable to challenge in jurisdictions that do not recognise its premises.
Portable Sovereignty — and Who Is Learning from It
Monaco signed a data embassy agreement with Luxembourg in 2021 — not because it fears Russian tanks, but because a city-state of 2.08 square kilometres faces a different but equally existential digital continuity problem: no natural disaster affecting its territory can be contained to its territory, and any significant disruption to its physical infrastructure has no domestic backup option. The Estonian model, adapted to Monaco’s threat profile, provides what the Westphalian framework cannot: the ability to maintain state functions at a physical distance from the state’s geographic footprint.
Bahrain has taken a different approach to the same underlying problem. Its 2018 Cloud Law creates a legal framework under which data stored in Bahraini data centres remains subject to the exclusive domestic jurisdiction of the data owner’s home country — inverting the normal assumption that data is governed by the laws of the territory in which it physically resides. This is sovereignty as legal architecture rather than diplomatic agreement: an attempt to extend the jurisdictional reach of the home state into foreign territory through contract and legislation rather than through bilateral treaty.
These experiments have attracted serious interest across the global south, among small island states facing climate-driven territorial loss, and among governments in conflict-adjacent regions for whom the continuity-of-state question is not hypothetical. The concept discussed at a World Economic Forum panel in Davos in January 2026 — adding AI-based processing capabilities to offshore data facilities, shifting them from passive backup toward active sovereign infrastructure — represents the next evolutionary step: not merely storing the state abroad, but governing from abroad, with AI systems capable of maintaining public service delivery even during periods of physical territorial inaccessibility.
Estonia did not store its state abroad because it is technologically adventurous. It did so because it remembered 1940, when Soviet forces seized its archives and with them, the documentary evidence of its institutions. Sovereignty made portable is sovereignty made survivable.
The Unanswered Legal Questions
The data embassy concept is intellectually compelling and operationally useful. It is also, in international legal terms, a frontier that the existing framework of public international law is poorly equipped to govern. The questions that Estonian and Luxembourg diplomats resolved through a bespoke bilateral agreement in 2017 have not been resolved multilaterally, and the proliferation of similar arrangements — each negotiated individually, each creating its own legal architecture — is producing a patchwork of digital sovereignty instruments whose interaction is, in many cases, untested and potentially contradictory.
The jurisdictional problem is the most acute. When Estonian government data is stored on servers in Luxembourg under diplomatic immunity, whose law governs a dispute about that data? Estonian law, because the data is sovereign Estonian property? Luxembourg law, because the servers are physically located on Luxembourg territory? EU law, because both states are EU members and the data may contain the personal information of EU citizens subject to GDPR? The bilateral agreement between Estonia and Luxembourg provides a working answer for the specific parties to that agreement. It does not provide a framework applicable to the forty-odd states that have expressed interest in similar arrangements, many of which are not EU members and whose relationships with potential host states do not carry the same density of pre-existing legal harmonisation.
The liability question is equally unresolved. If a data embassy is breached — by a cyberattack, by a rogue employee of the host state’s data centre operator, by a legal order issued by a third country’s court — who bears responsibility? The sending state, because the data is its sovereign property? The host state, because it guaranteed immunity and failed to protect it? The private operator, because it built the facility? The answer, in the absence of a multilateral framework, is a bilateral dispute resolution process that will be slow, contested, and — for the smaller states that most need the protection — structurally disadvantaged.
Analyst note
The terminology debate that surfaced at Davos in January 2026 is more than semantic. When Jovan Kurbalija of Diplo argued that “data embassy” is a misnomer — that a protected server facility is not an embassy in any traditional sense, and that calling it one misleads both the public and policymakers — he was identifying a genuine governance risk. Institutions derive part of their legal protection from the precision of their categorisation. An “embassy” has specific protections under the Vienna Convention. A “secure data facility in a foreign country” does not. If the analogy is stretched too far, or too quickly, or by states whose bilateral relationships with host countries do not command the same legal weight as Estonia’s relationship with Luxembourg, the protection will prove more nominal than real. The concept needs a legal framework — not a name borrowed from a different body of law.
What Portable Sovereignty Means for the International Order
The data embassy concept, taken seriously as a doctrine rather than as a bilateral curiosity, has implications for the international order that extend well beyond the immediate question of digital continuity. If sovereignty can be portable — if a state’s essential institutions can be maintained outside its territorial boundaries, recoverable from exile, independent of physical occupation — then the traditional coercive instruments of territorial aggression are partially devalued. Seizing a country’s territory no longer necessarily seizes its governance capacity. Occupying its capital no longer necessarily destroys its institutional continuity. The digital state can survive what the physical state cannot.
This is, for small states on the periphery of aggressive neighbours, an unambiguously positive development. It is also, from the perspective of international order, a development whose full implications have not been worked through. If states can govern from exile more effectively than they historically could, the calculus of occupation and annexation changes — but so does the calculus of legitimacy, recognition, and succession. Which institutions, running on which servers, in which foreign jurisdiction, constitute the legitimate government of a state whose territory is contested? Estonia’s data embassy provides continuity of government infrastructure. It does not, by itself, provide the international recognition that makes a government-in-exile a government with authority. The legal and diplomatic questions that digital portable sovereignty generates are, in 2026, ahead of the frameworks available to answer them.
What is clear is that the concept will proliferate. The combination of advancing threats to small states — Russian hybrid warfare, climate-driven territorial loss, cybercampaigns of increasing sophistication — and advancing digital governance capability makes the data embassy not an Estonian eccentricity but a model that every digitally dependent state with a serious threat environment will eventually need to consider. Luxembourg has declared itself ready to host further data embassy agreements and has built its offer of high-tier secure data facilities into a deliberate element of its digital foreign policy. The question is not whether the model spreads. It is whether the legal framework governing it develops at a pace sufficient to make the protection it offers real, durable, and available to states that need it most — which are, as in most domains of international law, precisely those with the least leverage to negotiate the terms.
Bottom line assessment
Estonia’s data embassy is the most consequential innovation in the theory of sovereignty since the development of the continental shelf doctrine in the mid-twentieth century — an expansion of the concept of state territory into a domain that the Westphalian framework did not anticipate and cannot cleanly govern. Its practical value, as a continuity-of-government mechanism for small states facing existential threats, is demonstrated and real. Its legal architecture is a bespoke bilateral instrument where a multilateral framework is needed. Its proliferation — to Monaco, to Bahrain, and to the forty-odd states watching the model with interest — will generate jurisdictional conflicts, liability disputes, and legitimacy questions that no existing body of international law is equipped to resolve. The concept has outrun the governance architecture it requires. Building that architecture — through a multilateral instrument that creates clear legal categories, defines host-state obligations, and extends enforceable protections to data embassies regardless of the bilateral leverage of the parties — is one of the most important and least discussed tasks in contemporary international law. It is also, in the current environment of great-power competition and institutional dysfunction, one of the least likely to be accomplished at the pace that the proliferating threat environment demands.
This is Article 2 of the series “Digital Diplomacy & Power.” Previous: The New Ambassadors — Why Tech Companies Have Become Sovereign Actors in Global Diplomacy. Next: The Algorithmic Envoy — Social Platforms, Geopolitics, and the Battle for Diplomatic Narrative. All articles available at cybercenter.space.
Data Embassy Digital Sovereignty Estonia International Law Small States Digital Diplomacy Cyber Governance Vladimir Tsakanyan
Leave a comment