Across the African continent, digital transformation has accelerated over the past decade, often framed as a promise of sovereignty, development, and inclusion. Yet beneath the surface of digital optimism lies a deeper structural dependency on transnational technology companies. These actors, commonly referred to as Big Tech, are not only providing technical infrastructure and services but are increasingly shaping governance frameworks, security norms, and policy orientations.

This paper situates the African experience within the wider debate on digital sovereignty and global security governance. It argues that while digital sovereignty is frequently invoked by African states, it is undermined by what may be termed normative capture. This refers to a process by which private actors, under the guise of partnership and support, impose governance norms, security standards, and policy templates that are not rooted in domestic realities or local epistemologies.

In contexts where regulatory capacity is limited and institutional infrastructures remain underdeveloped, African states are particularly vulnerable to the absorption of external frameworks that carry with them unspoken assumptions, hierarchies, and strategic interests. The role of Big Tech thus extends beyond infrastructure into the ideational and normative realms, influencing how security is defined, who gets to govern it, and whose interests are ultimately served.

Rather than seeing these dynamics as isolated technical or geopolitical issues, this paper adopts a political sociological lens, anchored in both internet governance literature and African political thought, to interrogate the asymmetries of norm production and institutional voice in the current digital order.

Normative capture in security governance

The growing role of private technology firms in African digital governance cannot be understood merely as an issue of infrastructure provision. Increasingly, these companies act as normative agents in shaping the foundational values and operational definitions of what constitutes digital security. This transformation of private firms into de facto public actors represents a critical shift in the architecture of African security governance. While often framed as technical partnerships or development cooperation, these arrangements carry embedded assumptions about threat models, governance priorities, and policy tools. These assumptions are rarely contested and are almost never rooted in the lived realities or philosophical traditions of the African societies they are meant to serve.

The term normative capture describes the process by which foreign corporations, under the guise of technical assistance or commercial exchange, effectively embed their own institutional logic and policy preferences into domestic governance ecosystems. Unlike traditional forms of political capture, which operate through overt influence or coercion, normative capture functions more subtly. It redefines what is thinkable and actionable within national policy spaces, often without triggering immediate resistance. In the realm of digital security, this process manifests through the adoption of externally generated templates, standards, and so called best practices, frequently promoted as neutral or apolitical.

In the African context, the vulnerabilities to such capture are amplified by the confluence of limited regulatory capacity, resource constraints, and a widespread eagerness to integrate into the global digital economy. In many instances, governments do not possess the technical or institutional resources to develop indigenous policy frameworks. Consequently, foreign companies are invited explicitly or implicitly to provide not only infrastructure but also the regulatory scaffolding around it. This includes drafting cybersecurity laws, designing data protection policies, and implementing digital identification systems. These interventions often take the form of pilot projects, technical support agreements, or multistakeholder partnerships, where the corporate partner assumes disproportionate influence over both design and execution.

One illustrative example is the deployment of biometric identity systems across several African states, often spearheaded by private firms based in the Global North or financed through multilateral development agencies. These systems are lauded for enhancing governance efficiency and improving service delivery. Yet their design frequently bypasses national consultative processes and reflects data security norms drawn from European or American contexts. The consequence is not just a misfit between system architecture and local needs, but a broader erosion of agency over how identities are defined, verified, and governed.

The same logic applies in the domain of cybersecurity. International tech giants frequently enter into partnerships with African states to assist in securing government infrastructure, managing digital threats, and training personnel. While these efforts are essential, the terms of engagement are often opaque. Companies may provide services for free or at subsidised rates, thereby circumventing procurement rules and diminishing opportunities for public oversight. In such arrangements, the boundary between public service and private interest becomes increasingly blurred. The corporation assumes the dual role of service provider and standard setter, operating outside the traditional channels of accountability.

Another dimension of normative capture lies in the definition of threats themselves. What counts as a security risk, and who gets to define it, are profoundly political questions. Yet, when African governments rely on foreign firms to detect, mitigate, or report on digital threats, they also adopt the firm’s worldview, its typologies of risk, its thresholds for harm, and its logics of intervention. These logics often prioritise the protection of corporate assets and reputational risk over the complex sociopolitical implications of digital surveillance, censorship, or algorithmic bias.

This is not to suggest that African states are merely passive recipients of foreign agendas. In many cases, political elites strategically engage with Big Tech to advance domestic goals, consolidate power, or attract investment. However, the structural asymmetries in capacity, knowledge, and bargaining power mean that even these strategic engagements are constrained by external frameworks. The result is a governance ecosystem where core normative decisions are shaped elsewhere, decisions about how data is collected, stored, and used; about how platforms regulate speech; and about how infrastructure is secured and by whom.

Normative capture thus represents a deeper form of dependency. It is not merely about who builds or owns digital systems, but about who gets to define their purpose and limits. In the absence of robust counter narratives rooted in African political thought and institutional traditions, the norms promoted by private corporations acquire a veneer of inevitability. They become institutionalised not only in law and policy but in practice, habit, and expectation. Challenging this requires more than regulatory reform. It demands a re politicisation of digital governance and a reinvigoration of the normative imagination of what sovereignty, security, and technology can mean in African contexts.

Infrastructural dependencies and the geopolitics of digital power

Digital sovereignty in Africa is increasingly compromised by systemic infrastructural dependencies that position foreign actors, particularly Big Tech firms and foreign governments, as gatekeepers of essential services. These dependencies are not limited to consumer-facing applications or cloud hosting. They extend deep into the architecture of African states’ digital infrastructure, from undersea cables and data centres to public sector digitisation initiatives and biometric identification platforms. What appears on the surface as infrastructure for development is, upon closer inspection, often a lattice of control, influence, and asymmetrical interdependence.

One of the most emblematic cases of compromised digital sovereignty is the 2018 revelation of a long-standing data breach at the African Union headquarters in Addis Ababa. The building, constructed and equipped by the Chinese government, was found to be transferring internal data to servers in Shanghai every night for over five years. While China denied responsibility and no formal accountability mechanism was established, the incident highlighted the vulnerabilities associated with infrastructural gifts and opaque technical partnerships. The African Union, as the highest political body of the continent, was shown to be structurally dependent on a foreign power for the very systems that support its internal deliberations, security communications, and data governance.

This form of digital dependence is replicated at the national level through a variety of mechanisms. African governments increasingly rely on loans, grants, or technical assistance from bilateral partners and multilateral development banks to finance their digital transformation agendas. These funding arrangements often come bundled with foreign-built infrastructure, foreign-managed data centres, and proprietary software ecosystems. For instance, several countries including Ghana, Togo, and Nigeria have developed national data centres or e-government platforms through partnerships with foreign firms, sometimes with embedded foreign technicians or externalised maintenance contracts. These arrangements not only create technical dependencies but also limit the policy autonomy of states when it comes to data protection, cybersecurity, and content regulation.

In parallel, Big Tech companies have launched large-scale initiatives across the continent that blur the lines between philanthropy, market expansion, and influence-building. Initiatives like Facebook’s Free Basics, Google’s Project Loon, and Microsoft’s connectivity projects in East Africa offer services framed as development solutions, while simultaneously embedding users into closed digital ecosystems controlled by foreign firms. Such initiatives are often implemented through public private partnerships or memoranda of understanding that bypass parliamentary oversight and public consultation. This model of infrastructure delivery, wrapped in the language of inclusion and innovation, serves to entrench corporate standards and proprietary technologies as de facto public infrastructure.

The implications of these arrangements are profound. First, they raise serious concerns about the location and control of data. Despite growing discourse around data localisation and the creation of national cloud services, much of Africa’s data remains stored or processed outside the continent or within systems whose back-end infrastructure is owned and managed by foreign entities. This situation exposes African states to surveillance, data extraction, and external coercion, with few legal or technical means to resist.

Second, the infrastructural dominance of Big Tech reshapes regulatory trajectories by conditioning the very terms on which African states engage with issues of cybersecurity, content governance, and trust and safety. These corporations not only provide technical infrastructure but increasingly act as policy consultants, drafting guidelines, advising ministries, and participating in norm-setting platforms. Their participation in internet governance forums, cyber diplomacy dialogues, and trust and safety summits enables them to shape narratives around digital threats, rights, and responsibilities, often with minimal representation from African stakeholders.

Third, infrastructural dependencies have geopolitical implications that transcend bilateral relations. They tether African states to global power struggles, particularly between the United States and China, whose digital champions are vying for influence across the continent. The result is a fragmented digital sovereignty in which states must constantly navigate competing offers, standards, and allegiances without the institutional capacity or strategic autonomy to set their own agendas. African governments find themselves operating in an ecosystem where technological choices are rarely neutral and where infrastructure decisions double as geopolitical alignments.