Friday, July 3, 2026

Europe’s sovereignty ambitions stall at the procurement desk

Sachiko Muto, chair of OpenForum Europe and senior researcher at Rise Institute, has spent the better part of two decades telling European policymakers that open source must be at the heart of digital sovereignty.

She has watched ministerial declarations come and go, celebrated hard-law mandates that went largely unread, and sat through enough high-level summits to recognise the cycle. When the EU Technological Sovereignty Package landed in June, she skimmed the draft and felt something she had not expected: emptiness. “It’s the equivalent of a New Year’s resolution to get fit,” she told an audience at the Nextcloud Summit in Munich. “We all know what happens.”

That the comparison came from someone who describes herself as more optimistic than she has been in two decades is not a contradiction, it is a precise diagnosis. The technology exists. The political will is visible at the highest level. The question Europe is now navigating is whether this time the commitments will survive contact with procurement desks, lobbying cycles and five-year implementation timelines.

The EU package is the most substantive set of commitments on open source and digital independence that the commission has produced. It attaches an open source strategy, complete with budget, monitoring framework and key performance indicators, directly to the broader sovereignty communication. A revision of the public procurement directive is due in weeks, with an open source preference that, if enacted in strong form, would mark a structural shift in how EU public bodies select technology. The commission’s own open source strategy, published alongside the package, puts the annual EU spend on non-EU proprietary digital products and services at €264bn.

Muto was careful to distinguish what is different this time. “There is now a commissioner whose flagship policy is technological sovereignty, and she is putting open source at the heart of it,” she said.

The commission’s documentation, argued Muto, reflects a genuine operational understanding of what open source delivers, rather than the standard boilerplate about cost savings and avoiding lock-in.

The network of open source programme offices that the package envisages, known as OSMOs, is the detail she most wants to see survive into the final adopted text. “You want to have people for whom it is their job, on a Monday morning, to continue this collaboration,” she said. “Not just a high-level agreement you sign and then think things will happen automatically.”

Her central warning, however, was equally explicit. Europe has an implementation and enforcement crisis. A lot of legislation is passed, lobbied during negotiation, and then quietly ignored on the ground. The procurement directive is the mechanism that determines whether the package becomes operational. “If we get the strong wording into the procurement directive, and people pay attention to it and litigate on it, that is when we will see change,” said Muto. “That is when people will not be able to ignore it.”

Sovereign deployment demands

Before procurement even happens, organisations must first make sovereignty work on the ground. The Nextcloud Summit provided three concrete illustrations of what sovereign deployment demands in practice.

Lars Neumann, senior vice-president for T-Cloud at Deutsche Telekom, described a market that has shifted gear in the past 18 months. His first lesson learned after roughly a year of building out T-Cloud was blunt: sovereignty is the topic, but customers still lead with the financials. “The first question is always whether sovereignty costs something, or whether it comes for free, and how do I get the same functionality as the US hyperscalers,” he said during a press roundtable.

According to European Commission figures cited by Neumann, 70% of European workloads currently run in US clouds. Between 2017 and 2022, the share of European cloud providers in that market fell from 29% to 15%. T-Cloud Public has been on the market for 10 years, said Neumann, but serious investment only followed in the past year.

Deutsche Telekom built a complete datacentre for sovereign AI infrastructure in Munich in six months, and invested €1bn in graphics processing unit (GPU) capacity. This sold out on the day it went live. The deeper problem, in Neumann’s view, is structural rather than technical. Small European companies are building the right sovereign offerings but cannot access the capital to grow. Investment is going elsewhere. “We are missing the capital to scale,” he said. “The trouble is that capital is flowing outside the EU.”

Lessons from the field

What sovereign deployment looks like in practice is best illustrated not by a technology company, but by a ministry. Benoît Piédallu, project manager at the French Ministry of Education’s digital directorate, has spent years building Nuage, the ministry’s Nextcloud-based collaboration platform, for a target user base of 1.2 million people. The platform’s central constraint is one that no software update can fix: of those 1.2 million users, 850,000 are teachers who receive no hardware from the state.

The ministry manages roughly 50,000 computers centrally and can push the Nextcloud desktop sync application to those machines automatically. The remaining 850,000 are on their own devices, running whatever operating system they happen to have, and the ministry has no way to reach them directly. The platform currently has 400,000 active accounts, a third of which arrived without any outreach at all. Piédallu said the ministry has deliberately kept a low profile, partly because scaling to the full 1.2 million users would immediately push storage costs beyond the current budget.

Where Piédallu’s challenge is logistical, Philipp Eickhoff, head of digital workplace chief technology officer and growth for Central Europe at Atos, points to a different obstacle entirely. After multiple large-scale sovereign workplace deployments, his primary lesson is that the technology is rarely the obstacle. “It is about enabling people,” he said during the press roundtable. His operational advice was consistent: never attempt a big bang migration. Start with isolated features, phase the roll-out, invest heavily in change management, and ensure that leadership actively communicates the strategic rationale. Organisations that skip those steps lose users in the first weeks and build internal resistance that is harder to reverse than the original migration problem.

Frank Karlitschek, CEO of Nextcloud, brought the decision-making dynamic into sharper relief with an anecdote from a TEDx panel he attended in Berlin the previous day. Two IT managers from mid-sized German companies described being in the middle of a risk assessment for supplier lock-in and kill switch scenarios. His response was pointed. “You have a bridge and you know that 10% of it is broken,” he told the audience. “You don’t build a trust relationship with a broken bridge. You fix the bridge.” The risk assessment, in other words, has become its own form of delay.

The Netherlands offers a case where institutional momentum has turned into legislative consequence. Ron Trompert, senior consultant at Surf, the IT cooperative serving Dutch higher education, described how an internal pilot project among a small group of universities became a national plan endorsed by the directors of every member institution.

The day after Surf’s public announcement, a motion was passed in the Dutch parliament directing the government to cooperate with the education sector on digital sovereignty. That is an unusually direct line from an institutional pilot to a parliamentary mandate, and it happened because the sector stopped waiting for someone else to act first. “Everyone wants an answer from Surf,” said Trompert. “So, we just started.”

Words versus procurement

This is exactly the gap Muto warned about: loud declarations, but procurement stays US-first. The German procurement picture, raised during the afternoon panel discussion, is a concrete example of that gap. Holger Pfister, vice-president for Dach at Suse, cited upcoming tenders from the IT department of the German armed forces, totalling roughly €1bn over three years, with approximately €600m allocated to IBM, €400m to Microsoft, and €40m to VMware. That represents around 95% of the budget going to US-origin suppliers.

The tenders, said Pfister, look like business as usual. No visible shift towards open source or European providers. “I would ask the politicians to look into what their IT departments are actually doing, and whether the lip service is landing,” he said.

That gap between declaration and procurement decision is precisely what Muto identified as the determining variable. Pfister made the same argument in historical terms in the closing keynote. He traced Europe’s current position directly to purchasing decisions taken 15 years ago. At the time, kernel-based virtualisation was a viable open source alternative to VMware. However, nobody chose it. Hundreds of millions in proprietary development later, customers are now approaching Suse asking whether they can migrate. “What do you expect [from] 15 years with very little investment? Is it really something you expect to be as good now?” he said.

What distinguishes the present moment, across nearly every voice at the Nextcloud Summit, is that the alternatives are now genuinely competitive. Muto was direct on this point. Some 20 years ago, she said, demanding open source adoption in the public sector was not a realistic ask because the offering was not there. That has changed. Whether the procurement directive captures that shift in enforceable form, and whether the next 12 months of lobbying in the European Parliament and Council weaken or strengthen the relevant text, is what practitioners said they will be watching.

Related Articles

Latest Articles