Dutch municipalities are highly digitized and experience an increased digital dependency. Between 2017 and 2025, municipal reliance on Software as a Service (SaaS) for their main tasks has increased from 16% to 70%. Municipalities are highly dependent on a small number of US cloud service providers, which together have a 75-90% EU cloud services market share. This dependency raises democratic and geopolitical concerns. US legislation, including the Foreign Intelligence Surveillance Act (FISA) Section 702, grants the US government access to data stored by US cloud service providers, regardless of where it is stored. Furthermore, US sanctions can terminate access to cloud services. Simultaneously, private cloud service providers can implement unilateral changes to services used by the municipalities, without democratic oversight or explicit municipal consent. Current dependencies are large and run deep. Therefore, any approach should be strategic: full autonomy is unfeasible and undesirable.
This thesis addresses these concerns through the lens of digital strategic autonomy, defined as "the capabilities, capacities, and control to decide and act autonomously on essential digital aspects of our economy, society and democracy", following Timmers. Unlike the binary concept of digital sovereignty, digital strategic autonomy acknowledges degrees of control and better captures the nuanced reality of contemporary digital dependencies.
The research employs a Design Science Research Approach to develop both an analytical theory of digital strategic autonomy and an artefact for municipal application. The methodology combines literature review, semi-structured interviews, actor analysis and legal doctrinal research. The study conceptualizes digital infrastructure through a layered ‘stack’ framework, focusing specifically on the cloud, data & AI, and application layers where municipal vulnerabilities are most pronounced. The research identifies two critical dimensions of digital strategic autonomy: the geopolitical dimension, where foreign jurisdiction poses risks to data confidentiality (the panopticon effect) and service availability (the chokepoint effect), and the public/private dimension, highlighting private actors imposing private values on public service delivery.
Based on this conceptualization, the study develops a self-assessment tool that enables municipalities to evaluate their digital strategic autonomy for specific processes supported by SaaS applications. This tool operationalizes the analytical theory by providing concrete indicators across multiple dimensions. Applying the self-assessment tool together with an institutional analysis results in technical, institutional and governance measures.