Africa is investing in digital infrastructure, but the leverage sits with whoever controls the platforms and the contracts.
Africa is investing in digital infrastructure, but the leverage sits with whoever controls the platforms and the contracts.
When I talk about digital sovereignty, I am not talking about protectionism. I am not arguing that African governments should block foreign investment, restrict international platforms, or attempt to build domestic alternatives to everything. That framing misses the point entirely and would be counterproductive…. Ethel Cofie
There is a conversation is currently happening in many spaces including public sector and private sector across Africa., It is not about whether Africa should embrace digital infrastructure. That question has been settled. It is about who controls the infrastructure Africa is building on, and whether we will shape the terms of that relationship before it shapes us.
I have spent years working across African countries on fintech policy, digital governance, and technology strategy. I have sat in rooms with central bank governors, ministers, and CEOs as they navigate the extraordinary complexity of leapfrogging decades of analogue infrastructure in a single policy cycle. The ambition is real. The momentum is real. But so is the risk and I think we are not talking about it with enough urgency or enough honesty.
This essay is my attempt to change that. It draws from a white paper I have just released on Africa’s digital sovereignty, and I want to make the core argument as plainly as I can. Because the window to get this right is open, but it will not stay open indefinitely.
The Numbers Tell a Specific Story
Africa’s average internet penetration was 38% in 2024. The global average is 68%. That gap represents hundreds of millions of people who are not yet online, whose businesses are not yet digital, whose governments are not yet delivering services through connected platforms. That gap is closing. The adoption wave is coming, and it will be the largest in the continent’s history.
Now consider what that wave will be built on.
Africa currently represents 0.6% of global data-centre capacity. The top five cloud infrastructure providers control 82.1% of the global market. In 2025, announced global investment in data centres exceeded 270 billion US dollars, driven significantly by the artificial intelligence race and the overwhelming majority of that capital is flowing into markets where providers already have established scale.
Africa is receiving investment. But not at the pace or on the terms that would meaningfully shift the structural balance.
The March 2024 West and Central Africa subsea cable failure showed us what this means in practice. A single infrastructure event, linked to cable breaks on a key system, cascaded simultaneously across multiple countries. Businesses went dark. Government services were disrupted. Communications failed. This was not a worst-case scenario. It was the baseline risk profile when infrastructure is concentrated and redundancy is inadequate.
INTERPOL’s 2025 assessment tells us that cybercrime now represents more than 30% of reported crime in Western and Eastern Africa, with significant capability gaps in response. And Access Now documented 296 internet shutdowns across 54 countries in 2024 alone.
This combination accelerating adoption, thin domestic infrastructure, concentrated global market power, and escalating systemic risk is what I call the squeeze. And the defining governance question of this decade is whether Africa’s regulators, policymakers, and institutional leaders will act on it before the terms of the relationship are locked in.
What “Control” Actually Means in 2026
When I talk about digital sovereignty and control, I am not talking about protectionism. I am not arguing that African governments should block foreign investment, restrict international platforms, or attempt to build domestic alternatives to everything. That framing misses the point entirely and would be counterproductive.
What I am arguing is more precise. A country has meaningful control over its digital infrastructure to the extent that it can do five things without major disruption.
First, it can move workloads and data to an alternative provider, or to domestic infrastructure, without prohibitive cost or an impossibly long transition period.
Second, it can audit and verify who accessed sensitive government and financial systems, under what authority, and in response to what legal process including processes initiated across borders.
Third, it can require upstream and downstream suppliers to disclose material incidents within defined timeframes and enforce those requirements.
Fourth, it can identify where single-provider dependency is building in essential services before that dependency becomes a structural fragility.
And fifth, it can negotiate on terms that reflect credible alternatives, meaning that the option to switch or regulate is real, not theoretical.
Digital Sovereignty in 2026 is not about flags on servers. It is about continuity, enforceability, and options. Where those three things exist together, a country is sovereign over its digital infrastructure. Where they do not, it is not regardless of what the law says on paper.
We Are Not Starting from Zero
Here is something that often gets lost in these conversations: Africa’s regulators are not behind. In many respects, they are doing remarkable work under extraordinary constraint.
Ghana’s Cybersecurity Authority is advancing Critical Information Infrastructure designation and compliance frameworks under legislation that positions it to set mandatory security standards. The Data Protection Commission has real legal authority and a growing enforcement posture. NITA’s national infrastructure connects public systems into a backbone that creates the possibility of genuine domestic capability. The 5G rollout is being managed through a wholesale model that preserves regulatory leverage over a strategic asset.
Nigeria signed its Data Protection Act in 2023 and created a formal statutory authority in the Nigeria Data Protection Commission. NDPC has fined a major bank, opened investigations into large international platforms, and is sending clear signals that data governance obligations carry real consequences. That enforcement posture matters enormously for shifting market behaviour.
Kenya is attracting headline infrastructure commitments including a billion-dollar investment package with a green data centre and cloud region. Its courts have imposed governance discipline on digital identity deployment that few other African markets have matched. Its judiciary is asking questions about privacy and accountability that are, frankly, ahead of where many regulators in the Global North were at an equivalent stage of digital adoption.
The legal architectures are substantially in place. The political will to assert governance standards is increasingly present. What is needed now is the translation of ambition into operational discipline enforceable contracts, measurable resilience requirements, verifiable audit obligations, and a shared view of where dependency is concentrated before it becomes a crisis.
Africa Is Being Built on Someone Else’s Foundation. Here Is What We Do About It.
The Gap That Will Define the Next Decade
The governance gap I am most focused on is not the gap between Africa and the rest of the world. It is the gap between the policy language we have and the operational enforcement we do not yet have.
Consider procurement. Across the continent, public-sector contracts for cloud services, data management, and digital infrastructure are being signed without mandatory portability clauses. Without defined exit timelines. Without clear migration responsibilities. Without enforceable audit rights. Without incident reporting obligations that extend down the subcontractor chain. Governments are building critical systems on foundations they have contractually committed to having no exit from.
Consider dependency mapping. We know, in general terms, that concentration risk is building in financial services, telecommunications, and government systems. But most sector regulators working in separate institutional silos with separate mandates do not have a shared view of where the highest-concentration risks actually sit. They cannot act together on what they cannot see together.
Consider AI. The next wave of digital infrastructure dependency will not be about cloud platforms. It will be about the compute and models that power artificial intelligence at scale. Countries that allow their AI capability to develop entirely on imported infrastructure, without any domestic capability strategy, will be having this same sovereignty conversation again in five years from a much weaker position.
Europe and Asia are instructive here, not as templates to copy, but as evidence that governance responses work. The EU Data Act introduced switching rights. NIS2 expanded mandatory cybersecurity obligations across critical sectors. DORA created a comprehensive resilience regime for financial sector ICT. Japan subsidised domestic AI compute under an economic security framework. South Korea attached strict security conditions to data export approvals. These are not protectionist measures. They are governance disciplines inserted at the point of contract and procurement, before dependency becomes irreversible.
The lesson is timing. Governance that is designed before scale arrives has leverage. Governance that is designed after scale has arrived is managing consequences.
The Window Is Open
I want to be direct about where I think we are.
Africa’s adoption wave is coming faster than most governance frameworks are moving. The AI-driven global infrastructure buildout is concentrating investment and capability in ways that will make the structural imbalance harder, not easier, to address over time. The cybersecurity risk environment is deteriorating. The trust environment, measured by the frequency of internet shutdowns and the weakness of incident disclosure norms, is fragile.
And yet. The legal foundations are there. The institutional leadership is there. The political moment is there. The window to establish the rules of engagement on favourable terms is open.
What I have tried to do in the white paper this essay draws from is to give regulators, policymakers, board members, and institutional leaders a clear, actionable framework for the governance decisions that need to be made now. Six pillars: continuity requirements for essential services, verifiable data governance, dependency oversight, procurement rules that prevent lock-in, cyber resilience across sectors, and AI governance tied to domestic capability. Applied to the specific contexts of Ghana, Nigeria, and Kenya. Grounded in the evidence of what Europe and Asia have tried, what has worked, and what the limits of those approaches are.
The full paper is available for download. I wrote it because I believe this conversation needs to happen at the level of decision-makers who can actually act on it, and it needs to happen now.
The foundation Africa builds its digital future on is being laid today. The question is whether we are the architects, or just the tenants.
Ethel Cofie is Founder and CEO of EDEL Technology Consulting, Founder of Women in Tech Africa, and Strategic Advisor of the Ghana Fintech and Payments Association. She convenes the Future of Finance Dialogues, bringing together regulators, financial institutions, and technology leaders to shape Africa’s digital governance architecture.
Download the full white paper: Africa’s Digital Sovereignty: Infrastructure, Dependency and the Governance Imperative