The Crisis as a Wake-up Call – Digital Sovereignty and the Software Supply Chain
Part 1 of the series addressed Europe’s digital dependence on non-European providers and how the flagship GAIA-X project has done little to change this. The second part focuses on open-source software and specific initiatives that can serve as alternatives to major software products in areas where Europe’s dependence is particularly acute.
Part 2: The Crisis as a Wake-up Call – Digital Sovereignty and the Software Supply Chain
What was long a topic for experts and specialist circles has now reached the mainstream, including through programs and reports on Europe’s digital dependence on U.S. corporations in public media broadcasts. Political tensions, growing pressure from Washington, and a series of specific incidents had driven this development.
The International Criminal Court learned just how great Europe’s dependence on the U.S. in the digital sector actually is following the arrest warrants issued against Israeli Prime Minister Benjamin Netanyahu and Defense Minister Yoav Gallant. The U.S. condemned this decision, whereupon the U.S. Treasury Department imposed sanctions on six judges and three prosecutors.
This vulnerability has increased the pressure to act and triggered new initiatives, including EuroStack and the collaboration between ARD, ZDF, RTL Deutschland, and ProSiebenSat.1 to develop a shared sovereign infrastructure.
Public institutions and administrations are also taking action: The Frankfurt am Main Public Health Department, in collaboration with the Hessian Ministry of Family, Seniors, Sports, Health, and Care, has introduced the open-source data processing tool GA-Lotse, which runs on Exoscale’s European cloud infrastructure. The state of Schleswig-Holstein has migrated 80 percent of its workstations to LibreOffice, thereby saving over 15 million euros in licensing costs by 2026 (assuming no sharp rise in software costs) with a one-time investment of nine million euros. A good business case? Following the incident mentioned above, the International Criminal Court switched to openDesk, the open-source alternative to Microsoft 365, and the Austrian Armed Forces have already completed their transition to LibreOffice.
The regulatory framework is also catching up: With the Data Act, which has been in effect since September 2025, companies are required to make data from connected devices and digital services accessible in a machine-readable format, thereby facilitating switching between providers. Contract clauses that hinder data access or block switching providers will be prohibited in the future. Switching fees charged by cloud providers will be phased out and banned starting in January 2027.
The summary from Part 1 highlighted the political will—which has not yet been universally recognized as resolute—to create genuine European alternatives to overcome vendor lock-in. Political developments in recent months have noticeably strengthened this political will in parliaments, administrations, and at political decision-maker summits. This article now examines the latest progress.
The New Political Will
Berlin, November 18, 2025: German Chancellor Friedrich Merz and French President Emmanuel Macron hosted the first “Summit on European Digital Sovereignty” in Berlin. Around 1,000 guests from all member states, along with the 23 digital ministers of the European Commission, gathered. “Europe must forge its own digital path through a united effort, and this path must lead to sovereignty,” said Chancellor Merz. The summit was accompanied by a series of economic partnerships, including those with the French AI company Mistral and SAP, to develop “Europe’s first fully sovereign AI stack.”
The German Society for Computer Science (GI) had previously issued a sobering assessment of the digital policy of the previous German government. The traffic-light coalition had significantly failed to meet its own goals for digital sovereignty and open source. Dependence on digital monopolies has increased massively. Although the coalition agreement of the former governing parties already emphasized the importance of open standards, open interfaces, and open source for digital sovereignty, counterproductive contracts worth billions were concluded with U.S. digital monopolists.
It is the responsibility of European governments and the EU Commission to establish the right framework conditions, according to the German-French duo at the summit in Berlin. This would include, among other things, steps toward simplification and reducing bureaucracy to give companies more freedom for innovation. In addition, European digital solutions should be used more extensively in public administration. “As a state, we must lead the way, be resilient, and, above all, be prepared for times of crisis,” said Merz.
Macron called for both governments and companies to prioritize European products when procuring technology. The Chancellor announced that the federal administration will increasingly rely on digital products and services from Europe. Simplifying the GDPR is intended to promote AI development in Europe.
European companies plan to invest twelve billion euros to reduce their dependence on the United States and China. In addition, measures to simplify the GDPR in favor of AI in Europe are to be included in the digital omnibus package.
Brussels, one month later: A cross-party group of MEPs, including Birgit Sippel (SPD) and Marie-Agnes Strack-Zimmermann (FDP), called on the European Parliament to abandon the use of Microsoft’s ubiquitous software in favor of a European alternative. The 38 signatories of the urgent letter not only demanded the discontinuation of Microsoft programs but also pointed to monitors, keyboards, and mice from Dell, HP, and LG that are used in Parliament.
“With its thousands of employees and enormous resources, the European Parliament is best positioned to drive the push for technological sovereignty. When even old friends become enemies and their companies turn into political tools, we cannot afford this level of dependence on foreign technology—let alone continue to transfer billions in taxpayer money abroad. […] Our medium-term goal should be the complete phase-out of Microsoft products, including the Windows operating system. […] The Parliament’s vehicle fleet consists almost exclusively of European-brand cars. The same principle applies to computer hardware,” the MEPs stated. They called for the establishment of a working group comprising MEPs and Parliament staff to monitor and support the transition. “With sufficient political will, we will have freed this institution from the danger of dependence on foreign technology by the end of the legislative term.”
Despite many announcements and commitments to digital sovereignty, the Berlin summit was not without criticism: For instance, a high-ranking Palantir employee participated in the roundtables of the “EU AI Champions Initiative,” according to the Federal Chancellery, without its knowledge. Additionally, it was criticized that open-source approaches were largely overlooked as part of the solution.
The Open-Source Factor
The Digital Summit failed to meet the high expectations placed on it, criticized the German Informatics Society (GI). “Instead of a bold strategy based on open-source principles, symbolic politics were pursued. This results in Europe’s continued digital dependence, which comes with significant economic and security policy consequences.” The German Informatics Society (GI) criticized the fact that open source was not a topic at the summit regarding the development, procurement, and operation of public IT as “the most serious omission.”
In his summit speech, Merz did mention the role of the Center for Digital Sovereignty (ZenDiS) in Germany and its product openDesk, aimed at making public administration independent of Microsoft’s office software. In recent years, the federal government has invested nearly 35 million euros in the development of openDesk, with an additional 10 million euros planned for the further development of the ZenDIS suite, yet representatives of the open-source industry were not present at the summit.
A few days later, a fundamental change occurred at the regulatory level: At its 48th meeting on November 26, 2025, the IT Planning Council approved revised model contracts for public sector IT procurement: Eight of the Supplementary Contractual Terms for IT Services (EVB-IT) were amended so that the federal government, states, and municipalities can procure open-source software with legal certainty in the future. Until now, the contract templates were designed exclusively for proprietary software.
The most significant change concerns new developments: For new software projects, development and deployment as open-source software will become the standard. The plan is to publish the source code on the OpenCoDE platform, the central repository of the public administration for open-source software. The platform enables government agencies to reuse existing software solutions, share configurations, and promote mutual knowledge transfer. The revision brings an end to a period of considerable uncertainty: Many agencies had interpreted the previous EVB-IT guidelines in such a way that legally compliant procurement of open-source software was deemed impossible. As a result, open-source providers were effectively excluded from numerous procurement processes.
Dealing with the power of American IT corporations
“At the time, we decided to break away from an American corporation whose approach to power we had already experienced firsthand,” said Christian Ude, former mayor of Munich, in the ARD documentary “The Microsoft Dilemma” (2018), referring to the city administration’s failed switch to Linux in December 2013. Little has changed since then. Many companies find themselves in a classic lock-in situation, and providers like Broadcom—following its acquisition of VMware in late 2023—exploit this with price hikes ranging from 800 to 1,500 percent. Hospitals and public services were affected.
These patterns had been known in the industry for years. The Open Source Business Alliance (OSBA) and other German stakeholders had long been calling for alternatives to foreign IT services and infrastructures “that we can control and shape.” In a 2019 study for the Ministry of the Interior, auditors warned of “pain points in the federal administration” due to dependencies on Microsoft products.
Against the backdrop of these long-standing dependencies of European companies on U.S. providers, the statement that we now want to create solutions “which preserve European democratic values in the digital world,” as formulated in the summit’s final declaration, comes across as an ad hoc justification, as a normative framing for years of political inactivity.
The Path to Digital Sovereignty
There is no silver bullet for breaking free from digital dependence. The requirements for digital sovereignty vary significantly depending on size, sector, and region.
A small-to-medium-sized enterprise in a rural area faces entirely different challenges than a metropolitan city administration. An individual sovereignty analysis can help determine the specific actions needed. Here, leadership is crucial: Digital sovereignty requires (1.) a credible willingness to engage with projects that do not come as ready-made, complete packages, and (2.) to invest in open-source expertise and skilled personnel, even if this initially entails higher costs than purchasing a US license.
The transition often fails due to concerns about a lack of support. However, an ecosystem of specialized IT service providers and system integrators has now emerged in Europe. These companies, mostly small and medium-sized enterprises, handle installation, maintenance, and support. The search for the right partner is facilitated by certification programs such as the “Certified LibreOffice Partner,” “Proxmox Solution & Hosting Partner,” or “ZenDiS Distribution Partner” programs. This ecosystem is the current heart of digital sovereignty. It is often regionally operating system integrators that offer open-source “enterprise-ready” solutions to reduce dependency.
Furthermore, the risk of “sovereignty washing,” as described in Part 1, persists. When U.S. hyperscalers market a “European Sovereign Cloud” under the guise of GDPR compliance, as is currently the case, true independence is not achieved.
Terms like “sovereign” must not degenerate into a mere facade behind which technical control—or at least the ability to intervene—remains in the hands of non-European actors.
Guidance is provided by the criteria catalog “C3A – Criteria enabling Cloud Computing Autonomy” (April 27, 2026) published by the BSI, which can be used to assess whether a cloud service can actually be used in a sovereign manner.
But awareness alone is not enough. Recent surveys on digital sovereignty among companies have yielded similar results: there is simply a lack of available alternatives. A key lever here is the public sector. The state is now taking the lead as a “good customer” and could thus revitalize the market for European solutions in the first place, so that digital sovereignty takes effect where it matters most: with us, with the individual, in the concrete freedom of choice between dependence and self-determination. We are only at the beginning of a possible solution.
Author: Cüneyt Baluch