
A new kind of shutdown
The digitalisation of our public institutions has created an attack surface that anti-democratic actors are starting to exploit. In August 2025, the United States imposed sanctions on judges of the International Criminal Court. Entry bans have been imposed on those affected and their close family members. They lost access to all IT services operated by US providers: email accounts frozen, cloud files unreachable, communications cut off. In December 2025, the pattern widened to the managing directors of German and British NGOs and to a former member of the European Commission.
How do these sanctions work? Under a decree issued by Donald Trump, any form of business with the sanctioned individuals is prohibited. This includes the supply of goods or services, for example, payment services or digital services such as email and collaboration tools by US hyperscalers like Microsoft and Google, which are subject to US jurisdiction.
Ways to overcome digital vulnerability
Currently, US hyperscalers dominate the digital services sector – and thus the nervous system of modern life and modern organisations. European democratic institutions depend on this digital infrastructure that can be weaponised by a foreign power. Against the backdrop of the developments described: How do we make sure our democracy cannot simply be switched off?
First, we need a clear Open Source strategy with measurable and binding targets and priority in public procurement. Replacing existing, highly integrated and familiar infrastructures is no easy task. To do so, we need to adopt pragmatic migration strategies.
Secondly, we need solutions for operational resilience: To ensure that our democracy continues to function, we must be able to keep our digital infrastructure running even under attack. This requires contingency solutions – digital parachutes, so to speak – that proactively safeguard organisations in the event of an emergency and ensure business continuity.
Open Source and “Public Money — Public Code”
To prepare your organisation for sanctions or a similar situation, four things matter: a sovereign, European-hosted communication channel that works immediately; verifiable copies of important data on controlled infrastructure in open formats under European jurisdiction; an Open Source software stack; and governance that tests all this on a schedule.
Digital sovereignty without Open Source is, in practical terms, not sovereignty. Proprietary code cannot be audited and creates vendor lock-in. If a European provider of Closed Source software is acquired by a US company, the code cannot be forked. But code under a free licence can be forked, audited and continued. Yet Open Source does not maintain itself. Public bodies serious about autonomy must treat these as public infrastructure – and invest accordingly.
“Public Money — Public Code” must become an operating principle — a binding minimum share of open source in public IT procurement, a properly resourced Open Source EuroStack. Procurement must address geopolitical risk the way it addresses security risk. Every public body should exercise a documented digital-continuity plan, based on sovereign infrastructure. NIS-2 already points this way.
Calls for digital sovereignty are growing louder at EU level, but the gap between ambition and implementation needs to be closed immediately. European Open Source businesses, organisations and initiatives, such as the German Centre for Digital Sovereignty (ZenDiS) or the EuroStack initiative, demonstrate that suitable Open Source solutions already exist, are in use and are being continuously developed and refined. What’s missing is a proper Open Source strategy with measurable targets on the national and EU level – encouraging the markets to provide Open Source solutions that fit the needs.
The market is already moving. Since the start of the second Trump administration in January 2025, demand for Open Source digital solutions has been growing among private users, public authorities and businesses. France’s strategy is encouraging: The French government has set out a proper roadmap for digital sovereignty and is taking concrete steps to move away from US hyperscalers.
It is also worth taking a look at the German state of Schleswig-Holstein: Their Open Source strategy aims not only to reduce its dependence on individual software providers, but also recognises Open Source’s inherent potential for faster innovation. As one of many concrete steps, the state has rolled out OpenTalk, Heinlein Group’s Open Source video conferencing solution, across the board.
Packing the parachute
The clearest embodiment of the mentioned parachute for operational resilience in our own portfolio is EVAC, launched by mailbox in January 2026. EVAC is a ready-to-use secondary communication infrastructure that sits in standby alongside an organisation’s primary environment and activates when a crisis makes that environment unusable — a ransomware attack, a hyperscaler outage, a natural disaster, or the withdrawal of access by a foreign jurisdiction.
Pre-configured mailboxes activate, staff receive automatic credential-reset instructions, and
communication and collaboration resumes through a web interface covering email, calendar,
contacts, video conferencing, cloud storage, online office and task management. This leads to a measurable reduction in Recovery Time Objective (RTO). A live, exercised, legally bounded secondary capability under European jurisdiction is exactly what every public institution ought to have.
A European choice, not a European fate
A free society relies on institutions that continue to function even when geopolitical conditions change. Europe has wasted decades moving democracy onto infrastructure it doesn’t control. Some argue that there is no escape from digital dependency. But I don’t believe in a narrative where there is no way out. The digital parachute for democracy is overdue — and readily available.
About the Author
Jutta Horstmann is a computer scientist, entrepreneur, and Open Source expert. Since September 2025, she has been serving as Co-CEO of Heinlein Gruppe, enabling companies and public institutions to achieve digital sovereignty, security, and sustainability. With more than 25 years of experience in IT and leadership, she is a strong advocate for digital resilience and Open Source technologies.