Cloudflare and sovereignty
On November 18, 2025, Cloudflare experienced a global service outage. During the outage, many widely used websites (and sparsely used ones like mine) became unavailable for users worldwide. The problem was not an external attack, but an internal “configuration” error, which underlines that providers like Cloudflare remain vulnerable to being single-points-of-failure. This is a vivid representation of how infrastructure centralization conflicts with goals of sovereignty.
Many discussions around “sovereignty” focus narrowly on data residency but the Cloudflare outage shows that sovereignty extends deeper into areas like routing, traffic inspection, and content delivery that sit in front of nearly every modern application. As per research by w3techs 1 2 3, about 25.2% of the public websites on the internet rely on Cloudflare for hosting, and about 81.5% for reverse proxying.
%3bfont-family:arial%2csans-serif%3b%7d%23mermaid-dark-0%20.slice%7bfont-family:arial%2csans-serif%3bfill:%23ccc%3bfont-size:17px%3b%7d%23mermaid-dark-0%20.legend%20text%7bfill:hsl(28.5714285714%2c%2017.3553719008%25%2c%2086.2745098039%25)%3bfont-family:arial%2csans-serif%3bfont-size:17px%3b%7d%23mermaid-dark-0%20:root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg/%3e%3cg%20transform='translate(225%2c225)'%3e%3ccircle%20cx='0'%20cy='0'%20r='186'%20class='pieOuterCircle'/%3e%3cpath%20d='M0%2c-185A185%2c185%2c0%2c1%2c1%2c-102.02%2c154.327L0%2c0Z'%20fill='%230b0000'%20class='pieCircle'/%3e%3cpath%20d='M-102.02%2c154.327A185%2c185%2c0%2c0%2c1%2c-184.898%2c6.132L0%2c0Z'%20fill='%234d1037'%20class='pieCircle'/%3e%3cpath%20d='M-184.898%2c6.132A185%2c185%2c0%2c0%2c1%2c-152.201%2c-105.166L0%2c0Z'%20fill='%233f5258'%20class='pieCircle'/%3e%3cpath%20d='M-152.201%2c-105.166A185%2c185%2c0%2c0%2c1%2c-121.089%2c-139.866L0%2c0Z'%20fill='%234f2f1b'%20class='pieCircle'/%3e%3cpath%20d='M-121.089%2c-139.866A185%2c185%2c0%2c0%2c1%2c-83.337%2c-165.166L0%2c0Z'%20fill='%236e0a0a'%20class='pieCircle'/%3e%3cpath%20d='M-83.337%2c-165.166A185%2c185%2c0%2c0%2c1%2c-42.832%2c-179.973L0%2c0Z'%20fill='%233b0048'%20class='pieCircle'/%3e%3cpath%20d='M-42.832%2c-179.973A185%2c185%2c0%2c0%2c1%2c0%2c-185L0%2c0Z'%20fill='%23995a01'%20class='pieCircle'/%3e%3ctext%20transform='translate(132.87441892308522%2c39.94935914194935)'%20class='slice'%20style='text-anchor:%20middle%3b'%3e59%25%3c/text%3e%3ctext%20transform='translate(-121.09893570129651%2c67.7245175103762)'%20class='slice'%20style='text-anchor:%20middle%3b'%3e15%25%3c/text%3e%3ctext%20transform='translate(-133.12403857229157%2c-39.10949826069145)'%20class='slice'%20style='text-anchor:%20middle%3b'%3e10%25%3c/text%3e%3ctext%20transform='translate(-103.30654064838471%2c-92.6246250155089)'%20class='slice'%20style='text-anchor:%20middle%3b'%3e4%25%3c/text%3e%3ctext%20transform='translate(-77.24465803469941%2c-115.25981652381002)'%20class='slice'%20style='text-anchor:%20middle%3b'%3e4%25%3c/text%3e%3ctext%20transform='translate(-47.63821102175106%2c-130.31562972509136)'%20class='slice'%20style='text-anchor:%20middle%3b'%3e4%25%3c/text%3e%3ctext%20transform='translate(-16.172352919089313%2c-137.80427243398668)'%20class='slice'%20style='text-anchor:%20middle%3b'%3e4%25%3c/text%3e%3ctext%20x='0'%20y='-200'%20class='pieTitleText'%3eMarket%20shares%20of%20DNS%20providers%3c/text%3e%3cg%20class='legend'%20transform='translate(216%2c-77)'%3e%3crect%20width='18'%20height='18'%20style='fill:%20rgb(77%2c%2016%2c%2055)%3b%20stroke:%20rgb(77%2c%2016%2c%2055)%3b'/%3e%3ctext%20x='22'%20y='14'%3eCloudflare%3c/text%3e%3c/g%3e%3cg%20class='legend'%20transform='translate(216%2c-55)'%3e%3crect%20width='18'%20height='18'%20style='fill:%20rgb(63%2c%2082%2c%2088)%3b%20stroke:%20rgb(63%2c%2082%2c%2088)%3b'/%3e%3ctext%20x='22'%20y='14'%3eGoDaddy%3c/text%3e%3c/g%3e%3cg%20class='legend'%20transform='translate(216%2c-33)'%3e%3crect%20width='18'%20height='18'%20style='fill:%20rgb(79%2c%2047%2c%2027)%3b%20stroke:%20rgb(79%2c%2047%2c%2027)%3b'/%3e%3ctext%20x='22'%20y='14'%3eNewfold%20Digital%3c/text%3e%3c/g%3e%3cg%20class='legend'%20transform='translate(216%2c-11)'%3e%3crect%20width='18'%20height='18'%20style='fill:%20rgb(110%2c%2010%2c%2010)%3b%20stroke:%20rgb(110%2c%2010%2c%2010)%3b'/%3e%3ctext%20x='22'%20y='14'%3eHostinger%3c/text%3e%3c/g%3e%3cg%20class='legend'%20transform='translate(216%2c11)'%3e%3crect%20width='18'%20height='18'%20style='fill:%20rgb(59%2c%200%2c%2072)%3b%20stroke:%20rgb(59%2c%200%2c%2072)%3b'/%3e%3ctext%20x='22'%20y='14'%3eAmazon%3c/text%3e%3c/g%3e%3cg%20class='legend'%20transform='translate(216%2c33)'%3e%3crect%20width='18'%20height='18'%20style='fill:%20rgb(153%2c%2090%2c%201)%3b%20stroke:%20rgb(153%2c%2090%2c%201)%3b'/%3e%3ctext%20x='22'%20y='14'%3eWix%3c/text%3e%3c/g%3e%3cg%20class='legend'%20transform='translate(216%2c55)'%3e%3crect%20width='18'%20height='18'%20style='fill:%20rgb(11%2c%200%2c%200)%3b%20stroke:%20rgb(11%2c%200%2c%200)%3b'/%3e%3ctext%20x='22'%20y='14'%3eother%3c/text%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
'%3e%3ccircle cx='0' cy='0' r='186' class='pieOuterCircle'/%3e%3cpath d='M0%2c-185A185%2c185%2c0%2c0%2c1%2c173.894%2c63.134L0%2c0Z' fill='%23ECECFF' class='pieCircle'/%3e%3cpath d='M173.894%2c63.134A185%2c185%2c0%2c0%2c1%2c-43.954%2c179.703L0%2c0Z' fill='%23ffffde' class='pieCircle'/%3e%3cpath d='M-43.954%2c179.703A185%2c185%2c0%2c0%2c1%2c-183.915%2c-20.011L0%2c0Z' fill='hsl(80%2c 100%25%2c 56.2745098039%25)' class='pieCircle'/%3e%3cpath d='M-183.915%2c-20.011A185%2c185%2c0%2c0%2c1%2c-105.515%2c-151.959L0%2c0Z' fill='hsl(240%2c 100%25%2c 86.2745098039%25)' class='pieCircle'/%3e%3cpath d='M-105.515%2c-151.959A185%2c185%2c0%2c0%2c1%2c-54.773%2c-176.706L0%2c0Z' fill='hsl(60%2c 100%25%2c 63.5294117647%25)' class='pieCircle'/%3e%3cpath d='M-54.773%2c-176.706A185%2c185%2c0%2c0%2c1%2c-17.085%2c-184.209L0%2c0Z' fill='hsl(80%2c 100%25%2c 76.2745098039%25)' class='pieCircle'/%3e%3cpath d='M-17.085%2c-184.209A185%2c185%2c0%2c0%2c1%2c0%2c-185L0%2c0Z' fill='hsl(300%2c 100%25%2c 76.2745098039%25)' class='pieCircle'/%3e%3ctext transform='translate(113.6253913100272%2c-79.62934728881805)' class='slice' style='text-anchor: middle%3b'%3e30%25%3c/text%3e%3ctext transform='translate(65.46154958129304%2c122.3370263919142)' class='slice' style='text-anchor: middle%3b'%3e23%25%3c/text%3e%3ctext transform='translate(-113.62539131002727%2c79.62934728881795)' class='slice' style='text-anchor: middle%3b'%3e23%25%3c/text%3e%3ctext transform='translate(-119.2827727416916%2c-70.87441447415247)' class='slice' style='text-anchor: middle%3b'%3e13%25%3c/text%3e%3ctext transform='translate(-60.81999187630867%2c-124.70962708694844)' class='slice' style='text-anchor: middle%3b'%3e5%25%3c/text%3e%3ctext transform='translate(-27.093363175530424%2c-136.07906588391475)' class='slice' style='text-anchor: middle%3b'%3e3%25%3c/text%3e%3ctext transform='translate(-6.413845769188776%2c-138.60167777645788)' class='slice' style='text-anchor: middle%3b'%3e1%25%3c/text%3e%3ctext x='0' y='-200' class='pieTitleText'%3eMarket shares of web servers%3c/text%3e%3cg class='legend' transform='translate(216%2c-143)'%3e%3crect width='18' height='18' style='fill: rgb(236%2c 236%2c 255)%3b stroke: rgb(236%2c 236%2c 255)%3b'/%3e%3ctext x='22' y='14'%3eNginx%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c-121)'%3e%3crect width='18' height='18' style='fill: rgb(255%2c 255%2c 222)%3b stroke: rgb(255%2c 255%2c 222)%3b'/%3e%3ctext x='22' y='14'%3eCloudflare%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c-99)'%3e%3crect width='18' height='18' style='fill: rgb(181%2c 255%2c 32)%3b stroke: rgb(181%2c 255%2c 32)%3b'/%3e%3ctext x='22' y='14'%3eApache%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c-77)'%3e%3crect width='18' height='18' style='fill: rgb(185%2c 185%2c 255)%3b stroke: rgb(185%2c 185%2c 255)%3b'/%3e%3ctext x='22' y='14'%3eLiteSpeed%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c-55)'%3e%3crect width='18' height='18' style='fill: rgb(255%2c 255%2c 69)%3b stroke: rgb(255%2c 255%2c 69)%3b'/%3e%3ctext x='22' y='14'%3eNode.js%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c-33)'%3e%3crect width='18' height='18' style='fill: rgb(215%2c 255%2c 134)%3b stroke: rgb(215%2c 255%2c 134)%3b'/%3e%3ctext x='22' y='14'%3eMicrosoft-IIS%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c-11)'%3e%3crect width='18' height='18' style='fill: rgb(255%2c 134%2c 255)%3b stroke: rgb(255%2c 134%2c 255)%3b'/%3e%3ctext x='22' y='14'%3eEnvoy%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c11)'%3e%3crect width='18' height='18' style='fill: rgb(32%2c 255%2c 255)%3b stroke: rgb(32%2c 255%2c 255)%3b'/%3e%3ctext x='22' y='14'%3eGoogle Servers%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c33)'%3e%3crect width='18' height='18' style='fill: rgb(255%2c 32%2c 32)%3b stroke: rgb(255%2c 32%2c 32)%3b'/%3e%3ctext x='22' y='14'%3eCaddy%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c55)'%3e%3crect width='18' height='18' style='fill: rgb(255%2c 32%2c 255)%3b stroke: rgb(255%2c 32%2c 255)%3b'/%3e%3ctext x='22' y='14'%3eIdeaWebServer%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c77)'%3e%3crect width='18' height='18' style='fill: rgb(32%2c 255%2c 144)%3b stroke: rgb(32%2c 255%2c 144)%3b'/%3e%3ctext x='22' y='14'%3eTengine%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c99)'%3e%3crect width='18' height='18' style='fill: rgb(255%2c 83%2c 83)%3b stroke: rgb(255%2c 83%2c 83)%3b'/%3e%3ctext x='22' y='14'%3eKestrel%3c/text%3e%3c/g%3e%3cg class='legend' transform='translate(216%2c121)'%3e%3crect width='18' height='18' style='fill: rgb(236%2c 236%2c 255)%3b stroke: rgb(236%2c 236%2c 255)%3b'/%3e%3ctext x='22' y='14'%3eArvanNginx%3c/text%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
If one company’s internal bug can break state services, then the state does not meaningfully control compute infrastructure. This is a symptom of the modern internet being structured around centralized services for proxying, routing and traffic analysis.
A sovereignty-aware architecture of the internet could be achieved with
- Regional or community-owned infrastructure
- Open standards for routing, identity, and security
- Transparent governance and auditability of data providers