Abstract
Digital sovereignty is at the heart of European policy, yet its practical implementation is often hijacked by commercial interests. This article examines how proprietary European IT companies and Big Tech-aligned entities exploit the digital sovereignty debate to create new forms of vendor lock-in. Through an analysis of the Cyber Resilience Act (CRA), EU AI Act, and real-world examples like Nextcloud, OpenStack, and Lomiri, we argue that free and open source software (FOSS) is the only viable path to true digital independence. The article concludes with policy recommendations and a critical reflection on the challenges Europe must overcome.
Keywords: digital sovereignty, free and open source software, Cyber Resilience Act, EU AI Act, vendor lock-in, technological independence
1. Introduction
Digital sovereignty is a cornerstone of European policy, driven by the need for independence from non-European tech giants and control over critical infrastructure (Bendrath 2021; EU Parliament 2022). Initiatives such as the Digital Sovereignty Act, GAIA-X, and the EU Cloud Rulebook emphasize the importance of local data storage and European technology. However, implementation is complicated by two opposing forces:
- Proprietary European IT companies that, under the guise of sovereignty, create new vendor lock-in.
- Big Tech-aligned entities that engage in "sovereignty washing" to maintain their proprietary models.
This article explores how FOSS provides the only sustainable solution for true digital sovereignty, with special attention to the Cyber Resilience Act (CRA) and EU AI Act as regulatory frameworks.
2. Proprietary European IT Companies: A New Form of Dependency
Europe's pursuit of digital sovereignty has led to a paradox: while the EU seeks to reduce dependence on American and Chinese tech giants, new dependencies are emerging in the form of proprietary European companies. These firms present themselves as "sovereign" alternatives, yet their closed systems and proprietary licensing models create a new form of vendor lock-in. This phenomenon undermines the original goal of digital sovereignty: regaining control over critical technologies and data.
2.1 SAP: Closed Systems Under the Guise of Sovereignty
SAP promotes its RISE with SAP initiative as a "sovereign" cloud solution for European businesses and governments. In practice, this means customers become tied to a closed ecosystem, where migration to other platforms becomes difficult and costly. SAP's approach exemplifies a broader trend: using the sovereignty argument to gain market share without giving customers actual control over their data or software (Techzine.nl 2025; Computable.nl 2026b). SAP has recently made concessions to the EU to avoid an antitrust investigation, highlighting that even European players are not immune to criticism of their closed models (Techzine.nl 2025).
2.2 OVHcloud: Sovereignty with Limitations
Since the fire in Strasbourg (2021), OVHcloud has positioned itself as a symbol of European digital independence. The blaze destroyed the SBG2 data center and severely damaged SBG1, prompting a review of safety protocols (Tweakers 2021; OVHcloud 2021; Techzine.nl 2021). While OVHcloud markets itself as a "sovereign" cloud provider, its underlying infrastructure is largely proprietary. Customers using OVHcloud can rely on European data centers, but they lack access to the source code of the software used. This limits their ability to adapt or relocate infrastructure, conflicting with the core principles of digital sovereignty: transparency and control (Solutions Magazine 2023a; Solutions Magazine 2023b).
2.3 The Problem: Sham Sovereignty
This development raises fundamental questions about what digital sovereignty truly means. According to Richard Stallman (2002):
“True sovereignty requires not only local hosting but also the freedom to inspect, modify, and abandon software without penalties or technical barriers.”
This principle is often ignored in current policy debates, where the focus is on geographical location rather than technological independence (Stallman 2002; ICTMagazine.nl 2026).
3. Big Tech and Sovereignty Washing: A Wolf in Sheep’s Clothing
Even more problematic is the role of Big Tech companies like Microsoft, Google, and Amazon, which market their proprietary solutions as "sovereign" alternatives. Microsoft’s EU Data Boundary is a prime example. These initiatives promise that European data will remain within the EU, but the underlying technology—from operating systems to management software—remains entirely under American control. This means that European governments and businesses comply with local data protection laws but remain dependent on an American company for critical updates, security patches, and licenses.
3.1 Microsoft’s EU Data Boundary: False Security
Microsoft’s EU Data Boundary restricts where personal data is stored and processed, but it fails to address the core issue: the technology itself remains proprietary and subject to American jurisdiction (Microsoft 2026; Kiteworks 2026; Follow the Money 2026). The Schrems II ruling (2020) made it clear that local data centers do not suffice if the technology itself is not sovereign. Yet European institutions continue to use Microsoft 365 and Azure on a massive scale, often under the guise of "practical necessity" or "lack of alternatives" (Follow the Money 2026).
3.2 Sovereignty Washing in Practice
This phenomenon, which we can term sovereignty washing, is a deliberate strategy to maintain the status quo. By emphasizing that data is "locally stored," these companies create the illusion of sovereignty while actual control over the technology remains elsewhere. Ralf Bendrath (2021) describes this as a "dangerous illusion":
"The idea that you are sovereign as long as your data is in Europe is misleading. If you don’t know what’s happening in the software, or if you depend on a foreign party for updates and security, you are not sovereign."
3.3 Criticism from the Sector
European cloud companies have written an open letter to the EU demanding stricter rules to protect digital sovereignty against AWS, Azure, and Google Cloud, which market their services as "sovereign" without giving European customers actual control (Computable.nl 2026b).
4. Free and Open Source Software: The Only Path to True Sovereignty
Fortunately, there are alternatives that truly meet the principles of digital sovereignty. Free and open source software (FOSS) offers a radically different approach, centered on transparency, interoperability, and local control. Unlike proprietary solutions, FOSS allows users to inspect, modify, and share the source code. This means European governments and businesses can fully control not only their data but also their software.
4.1 Nextcloud: A European Success Story
Nextcloud is an open-source alternative to Dropbox and Microsoft 365, increasingly adopted by European governments. In Germany, the Bundeswehr has implemented Nextcloud for secure file sharing, while in France, government agencies like the Ministère de l’Éducation Nationale use the software for internal communication (Tweakers 2026; Nextcloud 2026; Belgiumcloud 2026). In the Netherlands, SURF has made Nextcloud widely available to educational and research institutions as an alternative to American cloud services (NU.nl 2025).
4.2 OpenStack: Open Infrastructure for Europe
OpenStack is an open-source cloud platform used by organizations such as CERN and Deutsche Telekom. OpenStack enables users to build their own cloud environments based on open standards. This means they are not bound to a single vendor but can freely choose between different hardware and software providers. This is precisely what the Cyber Resilience Act (CRA, 2022) aims for: an ecosystem where users are not trapped in closed systems but can switch providers freely (Computable.nl 2026a; T-Systems 2026; Open Telekom Cloud 2026).
4.3 Policy Framework: Cyber Resilience Act (CRA) and EU AI Act
The Cyber Resilience Act (CRA) mandates that manufacturers report vulnerabilities in software and encourages the use of FOSS for security and transparency. The law makes notable exceptions for open-source software, as it is essential for the cybersecurity of digital products. Open-source stewards have their own obligations, such as establishing a cybersecurity policy and reporting actively exploited vulnerabilities, but they are not subject to administrative fines (European Commission 2024; ibestuur 2026; OpenSSF 2026). The EU AI Act (2024) encourages open-source AI models to reduce dependence on proprietary systems. The regulation entered into force on August 1, 2024, and sets binding requirements for the safety and transparency of AI systems, with special attention to open source as a means to promote innovation and control (European Commission 2024; Rijksoverheid.nl 2024; Consilium 2024).
5. Policy and Future Perspectives: What Europe Must Do
To make FOSS the norm, Europe must take several steps. First and foremost, the Cyber Resilience Act and EU AI Act must not only promote open source but also actively counteract vendor lock-in. This means that governments should only procure software that adheres to open standards and guarantees interoperability.
- Counter vendor lock-in: The Cyber Resilience Act and EU AI Act must ensure that governments only purchase software that meets open standards and interoperability requirements.
- Funding for FOSS projects: More funding is needed for open-source projects, for example through programs like NLnet and NGI Zero, which support innovation in FOSS.
- Education and knowledge sharing: Europe must invest in developing skills among governments and businesses to implement and maintain open-source solutions.
5.1 Leaders in Europe
France is leading the way with an open-source strategy that mandates government software to be open source by default unless there are compelling reasons not to do so. The French Ministry of the Interior uses Nextcloud as a secure alternative to American cloud solutions (Interoperable Europe 2019; Open Overheid 2025).
Germany is following with initiatives such as Matrix/Element, an open-source communication platform used by multiple ministries and health institutions (Tweakers 2021; ICTMagazine.nl 2026). The Dutch government also has an "open, unless" policy for government software, where source code must be made public by default (Digitale Overheid 2024; Open Overheid 2025).
5.2 Challenges and Fragmentation
A major challenge is the fragmentation of open-source solutions in Europe. Each country often chooses its own solutions (e.g., Nextcloud in Germany, Tchap in France), which hinders scalability and interoperability. To overcome this, collaboration at the EU level is essential, such as through GAIA-X and Eurostack, which promote open standards and shared architectures (ICTMagazine.nl 2026).
6. The Dutch Tax Agency Debacle: A Case Study in Sham Sovereignty
One of the most striking examples of how digital sovereignty in the Netherlands is undermined is the policy of the Dutch Tax Agency. Despite all local and European legislation aimed at ensuring digital independence and data protection, the Tax Agency has made two controversial decisions in recent years that make Dutch public institutions even more dependent on American tech giants and their proprietary systems.
6.1 The Replacement of Lotus Domino with Microsoft Office 365
In 2021, the Tax Agency decided to replace its outdated Lotus Domino environment (formerly IBM Notes) with Microsoft Office 365. This move was presented as necessary modernization, but critics point out that the Tax Agency is creating a new form of vendor lock-in, binding the Dutch government to an American tech company for years. The migration, which has already cost over 14.4 million euros, is being pushed through despite political and public criticism of dependence on American technology and the risks to digital sovereignty (Accountancy Vanmorgen 2026; Tweakers 2026; Computable.nl 2026b).
6.2 The Outsourcing of the VAT System to an American Company
Even more shocking is the recent decision by the Tax Agency to fully outsource the management of the VAT system to the American company Fast Enterprises. This means that a critical Dutch tax infrastructure, which generates 1.5 billion euros in state revenue weekly, is now in the hands of a foreign party. Experts warn that this makes the Dutch government vulnerable to political pressure and blackmail, for example, if the American government demands access to Dutch tax data via the CLOUD Act or shuts down the system during a conflict (de Volkskrant 2026; AD.nl 2026; Techzine.nl 2026). Perhaps most concerning is that the decision-makers do not realize the magnitude of the risk at play.
6.3 Political and Public Reactions
The Dutch House of Representatives has been critical of both decisions, but a majority finds it too drastic to halt the projects. State Secretary Eelco Eerenberg (Finance) has emphasized that the choices comply with the national cloud policy and that future decisions will be left to his successor (Accountancy Vanmorgen 2026; AD.nl 2026).
6.4 Conclusion: A Missed Opportunity for True Sovereignty
The Tax Agency debacle illustrates how Dutch public institutions, despite all rhetoric about digital independence, actively choose dependency on American tech giants. The arguments put forward for this—such as the lack of alternatives or the need for modernization—are refuted by experts and open-source communities. The fact that the Tax Agency did not seriously consider Nextcloud and other European solutions underscores that this is not about a lack of options but a lack of political courage and vision.
7. Conclusion
True digital sovereignty is only possible with free and open source software. Proprietary “sovereign” solutions are often new forms of vendor lock-in, while Big Tech companies use sovereignty as a marketing tool. Europe must embrace FOSS as the foundation for digital independence, supported by legislation such as the CRA and EU AI Act.