For years, network policy was treated as a specialist subject: something for engineers, registry insiders, lawyers, or internet governance conferences. Business leaders could safely ignore it because the internet “just worked.”
That assumption is now dangerous.
Network policy is no longer a background technical matter. It is a business risk, a national infrastructure risk, and a sovereignty risk. It affects whether companies can operate, whether digital assets can be recognized, whether connectivity can continue during disputes, and whether governments truly control the critical layers of their digital economy.
Digital sovereignty is often discussed through the language of data localization, privacy rules, and cloud regulation. But sovereignty does not begin and end with where data is stored. It also depends on whether a country, operator, or business can maintain continuity, access, and control over the network resources that make digital activity possible.
As LARUS CEO Lu Heng argued in the debate on data sovereignty: technical vs practical, the internet cannot be made sovereign simply by drawing legal borders around data. The architecture of the internet is interconnected by design. Real sovereignty requires resilient infrastructure, operational redundancy, and practical control over the systems that keep services online.
That is why network policy matters.
The Hidden Layer Behind Digital Business
Every digital business depends on invisible infrastructure. Websites, cloud services, financial platforms, telecom networks, data centers, AI systems, logistics platforms, government portals, and online public services all rely on numbering resources, routing, interconnection, and registry recognition.
These resources are not abstract. IP addresses, autonomous system numbers, registry records, and routing status are part of the operational foundation of the internet.
Yet many businesses do not treat them as strategic assets. They treat them as administrative details.
That is a mistake.
A company may own servers, employ engineers, sign cloud contracts, and serve millions of customers, but if its network resources are constrained, disputed, derecognized, suspended, or dependent on an upstream institution it does not control, then its business continuity is exposed.
The same is true for countries. A state may have laws, regulators, cybersecurity agencies, and national digital strategies, but if decisive parts of its numbering layer remain governed through foreign private legal bodies, then the country’s digital sovereignty is structurally incomplete.
From Business Risk to Sovereignty Risk
At the operator level, the problem begins with value.
IPv4 addresses are scarce, transferable, and revenue-enabling. They support hosting, cloud services, telecom growth, data center expansion, security architecture, and digital market access. In practice, they are economically significant assets.
But the institutional language around them often refuses to treat them fully as assets. Instead, they are described as resources held under conditional recognition, subject to registry rules, administrative standing, and evolving policy frameworks.
This creates what Lu Heng describes as “double extraction” in his note, From Double Extraction to Sovereignty Inversion.
The first extraction occurs when a scarce and valuable resource is prevented from being fully capitalized because the institutional framework discounts its asset nature. The second extraction occurs when the same operator remains exposed to registry risk because recognition, transferability, and administrative status still sit at the upstream chokepoint.
In simple terms: upside is constrained from above, while downside remains with the operator below.
That is not just a commercial inconvenience. It is a structural risk.
What Is Sovereignty Inversion?
When this same structure is viewed at the national level, it becomes more serious.
A country bears the public consequences of digital disruption. If connectivity is threatened, businesses suffer. Communications become fragile. Public services may be affected. Political consequences follow. The national economy absorbs the damage.
But under the current Regional Internet Registry model, key parts of the recognition layer sit inside private legal bodies operating under foreign law.
AFRINIC is based in Mauritius. ARIN is incorporated in Virginia. RIPE NCC operates under Dutch law in Amsterdam. APNIC operates under Australian and Queensland law. LACNIC is based in Montevideo under Uruguayan law.
This is not a single regional anomaly. It is a global structure in which the numbering layer of sovereign nations is mediated through foreign private institutions.
That is the sovereignty inversion: control sits above the nation, while consequence remains below it.
A state remains responsible for national continuity, economic stability, and public order. Yet parts of the recognition layer that condition digital continuity may sit elsewhere, under external legal systems, with limited liability and limited public accountability to the affected nation.
For governments, this should be a strategic warning.
The Problem Is Not Coordination. The Problem Is Thick Governance.
Global uniqueness does require coordination. The internet needs a common record so that numbering resources are unique, auditable, and globally interoperable. Without that, the network cannot function reliably.
But narrow technical coordination is not the same as thick governance.
A thin coordination layer answers a limited technical question: which number resource is assigned to whom, and how is uniqueness preserved?
A thick governance layer does much more. It may influence recognition, standing, transferability, revocation, contractual conditions, administrative status, and dispute outcomes. It may amend agreements, reinterpret obligations, or impose conditions on the use of economically significant resources.
That is where business risk enters.
If a registry layer moves beyond technical uniqueness into discretionary governance, then operators and governments must ask: who controls that discretion, under what law, with what liability, and with what accountability?
For a business, this can affect balance sheets, transactions, financing, continuity planning, and market expansion.
For a state, it affects digital sovereignty.
Why This Matters to Business Leaders
Network policy may sound distant from the boardroom, but it has direct commercial consequences.
A company that depends on IP resources cannot afford uncertainty around recognition or transferability. A cloud provider cannot ignore policy risk around infrastructure jurisdiction. A telecom operator cannot treat routing and numbering governance as peripheral. A data center cannot build long-term resilience if critical network dependencies are not understood.
The risk is not only that a company may pay higher fees or face administrative delays. The deeper risk is that a critical resource may be institutionally constrained, commercially undervalued, or exposed to upstream decisions outside the company’s control.
This affects:
- business continuity;
- asset valuation;
- financing and investment decisions;
- mergers, acquisitions, and transfers;
- regulatory compliance;
- cybersecurity posture;
- customer trust;
- national market access.
Network policy is therefore not just an engineering issue. It is part of enterprise risk management.
Digital Sovereignty Requires Practical Control
Many governments try to achieve sovereignty by requiring data to remain inside national borders. The intention is understandable: protect privacy, reduce dependency, and ensure national control.
But strict localization alone cannot solve the problem.
Users still send data across global platforms. AI models and cloud services centralize data and computing power across jurisdictions. Networks are built for interconnection. Data flows do not obey political borders simply because a document says they should.
This does not mean sovereignty is impossible. It means sovereignty must be practical.
True digital sovereignty depends on continuity, redundancy, infrastructure capacity, and control over critical dependencies. A country must be able to maintain service even if one provider fails, one data center goes offline, one route is disrupted, or one jurisdiction becomes unavailable.
Sovereignty is not isolation. Sovereignty is the ability to continue.
That same principle applies to businesses. A digitally sovereign company is not one that avoids all foreign infrastructure. It is one that understands its dependencies, controls its critical assets, and has credible alternatives when systems fail.
The Liability Gap
One of the most serious questions in network governance is liability.
If a foreign private registry can materially affect recognition, transferability, administrative standing, or continuity, what happens when its decisions contribute to major economic harm?
Who bears the damage?
In practice, the affected operators and states may bear the real-world consequences. Businesses lose revenue. Citizens lose access. Governments face public pressure. National economies absorb disruption.
Yet the upstream institution may limit or pre-structure its own liability in ways that are tiny compared with the scale of potential harm.
That asymmetry is the heart of the sovereignty problem.
Authority without meaningful downside is dangerous. Governance power over critical infrastructure should not sit in institutions that can influence systemic outcomes while bearing only symbolic risk.
This is not a stable model for the future digital economy.
The Question Governments Should Ask
The essential question is simple:
What is the minimum globally shared layer required for interoperability, and what has been improperly added on top of it?
The answer should guide reform.
The shared layer should be thin, neutral, auditable, and minimally discretionary. It should preserve uniqueness and interoperability without accumulating unnecessary coercive power.
Everything above that layer — revocation, sanctions, disputed transfers, insolvency effects, public-order questions, politically sensitive determinations, and nationally significant continuity issues — should sit under the authority of the affected sovereign state.
The more serious the consequence, the less legitimate it is for that consequence to remain in foreign private hands.
This is not an argument against the internet. It is an argument for restoring the proper institutional balance behind it.
Businesses Cannot Wait for Governments
Governments need to confront sovereignty inversion, but businesses should not wait passively.
Every company that depends on digital infrastructure should begin by mapping its exposure:
Who controls our IP resources?
Under which registry and legal framework are they recognized?
Can our resources be transferred, financed, leased, or defended if needed?
What happens if our registry standing is challenged?
Do we have redundancy across providers, jurisdictions, and routes?
Are our network assets treated as strategic business assets?
Are we participating in the policy processes that shape our operating environment?
These are not theoretical questions. They are practical risk questions.
A company that understands its network policy exposure will make better decisions about infrastructure, contracts, compliance, financing, and expansion. A company that ignores it may discover too late that the most important dependency was the one nobody put on the risk register.
From Awareness to Reform
The current model was built historically around coordination. But the internet has changed.
Number resources are now economically significant. Digital infrastructure is nationally critical. Cloud, AI, telecom, data center, and financial systems depend on uninterrupted network continuity. The policy layer can no longer pretend that it is merely administrative.
If network policy can affect business continuity, then it is business risk.
If registry recognition can affect national infrastructure, then it is sovereignty risk.
If foreign private bodies can sit above the numbering layer while the state bears the consequences below, then the model requires reform.
The goal should not be disorder. The goal should be a thinner, more accountable coordination layer that preserves global uniqueness without displacing sovereign authority.
Conclusion: The Network Layer Is a Sovereignty Layer
Digital sovereignty will not be achieved through slogans, data localization rules, or conference-stage rhetoric. It will be achieved through practical control over infrastructure, continuity, and critical digital resources.
For businesses, this means treating network policy as a major operational and financial risk.
For governments, it means recognizing that sovereignty is not only about data. It is also about the numbering layer, the routing layer, the recognition layer, and the institutional structures that sit above national digital economies.
The internet must remain global and interoperable. But global interoperability does not require sovereign dependency on thick private governance layers.
The future should be built around a simpler principle: coordinate what must be globally coordinated, but return coercive consequence to the institutions that carry public responsibility.
It is your country. It is your digital economy. It is your sovereign responsibility.
The numbering layer should not, in substance, belong to anyone else.
Frequently Asked Questions
1. Why is network policy a business risk?
Network policy affects the resources and recognition systems that keep digital businesses online. IP addresses, routing status, registry records, and transfer rules can influence business continuity, asset value, customer trust, and regulatory exposure. If these dependencies are controlled by upstream institutions with limited accountability to the affected business, the company carries risk it may not fully understand.
2. How does network policy relate to digital sovereignty?
Digital sovereignty is not only about where data is stored. It is also about who controls the infrastructure that allows data, services, and communications to function. If a country or operator depends on foreign private recognition layers for critical numbering resources, then practical control over part of its digital economy may sit outside its own legal and political authority.
3. What is “sovereignty inversion”?
Sovereignty inversion occurs when a nation bears the real-world consequences of digital disruption, but decisive control over part of the network recognition layer sits above it in foreign private legal bodies. In this structure, the public downside remains national, while strategic control is displaced upward into institutions outside direct sovereign authority.
4. Does reforming the RIR model mean breaking the global internet?
No. The argument is not against global coordination. The internet still needs a shared, neutral, and auditable layer to preserve uniqueness and interoperability. The issue is whether that coordination layer should expand into thick governance with discretionary power over recognition, transferability, revocation, and nationally significant continuity questions.
5. What should businesses do now?
Businesses should treat network resources as strategic assets. They should identify which IP resources they depend on, understand the legal and registry frameworks behind them, review transferability and continuity risks, assess vendor and jurisdictional dependencies, and include network policy exposure in enterprise risk planning. Network governance should no longer be left only to technical teams.