Across Europe, the question of who controls our technology has become more urgent than ever. Digital sovereignty is no longer a theoretical concept discussed in policy papers, it defines how we protect our values, our economies, and our democracies in a connected world.
Europe’s ability to act independently depends on something fundamental yet often overlooked: code. Who writes it, who owns it, who controls it, and who can access the data behind it?
Today, most of Europe's digital infrastructure is still based on technologies that are governed by US law. Software that we rely on every day, in government, education, healthcare and business, can, under certain circumstances, be used to violate our own principles of privacy, transparency and accountability.
This is not a theoretical risk. Even when data is stored in a secure data centre in the heart of Europe, it may still fall within the jurisdiction of U.S. authorities.
The invisible influence of U.S. law
Imagine storing confidential data in a European data center: GDPR-compliant, ISO-certified, physically protected. And yet, through U.S. legislation such as the CLOUD Act, Patriot Act, and Foreign Intelligence Surveillance Act (FISA), that same data can be requested and accessed by American agencies.
These laws apply not only to U.S. companies but also to their European subsidiaries and partners.A single corporate link across the Atlantic is enough to trigger legal obligations, often without the knowledge or consent of the affected organisation.
The result is a subtle restriction of sovereignty: European organisations that rely on U.S. cloud providers effectively relinquish control over their own data.In hearings before the French Senate, Microsoft confirmed that it cannot guarantee that European public sector data will remain beyond the reach of U.S. authorities. Similar concerns have been raised in the Netherlands and Denmark, where government audits found that contractual safeguards alone cannot prevent potential data access under foreign law.
Why this matters
Confidentiality, compliance and legal certainty are essential for public authorities, critical infrastructures and regulated industries.
If access to sensitive data can be enforced under foreign law, digital sovereignty and thus democratic autonomy is at risk.This dependency is not only a legal problem, but also a strategic vulnerability.
As other countries consolidate their technological spheres of influence, Europe must ensure that its own infrastructure remains trustworthy, controllable and resilient.Digital sovereignty is therefore both a question of security and competitiveness.The EU has already recognised these challenges.
Initiatives such as NIS2 and the Cyber Resilience Act define clear requirements for secure and resilient digital infrastructures.National strategies like Germany’s “Deutschland-Stack” or the proposed EuroStack aim to translate these principles into practice – yet between policy vision and operational reality, a gap remains.
Sovereignty is not a question of symbolism. It is the practical ability to design, operate, and develop Europe’s technological foundations in accordance with European law and in line with European values.
The proven European alternative
For decades, Europe’s open source community has been building exactly what is needed: transparent, interoperable, and verifiable alternatives to proprietary technologies.From operating systems and cloud infrastructure to collaboration and communication tools, open source provides the technical foundation for genuine independence.
Equally important, it represents a governance model aligned with Europe’s principles – openness, accountability, cross-border collaboration, and respect for privacy.It allows institutions to retain full control over their architecture, data, and direction – without hidden dependencies or vendor lock-ins.
Across the continent, open source foundations,research projects,and companies contribute daily to secure,interoperable digital infrastructure.Together, they show that technological sovereignty is achievable through cooperation, not isolation.
From strategy to implementation
The transition from political ambitions to concrete results is already visible in some European regions.
In Schleswig-Holstein, the state government has introduced the open source video conferencing platform OpenTalk, which is operated entirely locally in a BSI-certified data centre and is used jointly by all ministries and authorities. After a six-month pilot phase, more than 2,000 public sector employees now use a data protection-compliant and sovereign alternative for their daily communication.
In Thuringia, the administration took a similar approach during the pandemic. By involving state ministries early on in the development of new features and applying the principle of ‘public money, public code’, the project created reusable results that other administrations can adopt.
Berlin also recently took an important step towards open source. In December 2025, the Berlin Senate officially adopted an open source strategy that defines open source not only as a technological decision, but as a strategic lever for strengthening the digital sovereignty of public administration.
Comparable approaches can be found beyond Germany. In 2025, Lyon announced a shift away from proprietary U.S. software in order to reduce dependencies and strengthen digital sovereignty. Lyon is replacing Microsoft with open source solutions, operated in regional data centres and awarded primarily to French and regional companies.
These examples show that sovereignty is not achieved through theory alone, but through collaboration, common standards and long-term commitment.
What needs to change
Real sovereignty comes only through transparency, verifiability, and shared ownership – principles that define open source. Europe now needs political alignment and clear procurement criteria that make the open source model the default for public infrastructure.
Germany’s “Deutschland-Stack” initiative reflects an important ambition: to rebuild the state’s digital foundation on open standards, interoperability, and transparency.The direction is right, but execution still lacks focus and consequence.
Europe now needs clear priorities and the courage to act: use existing open source solutions instead of reinventing them, keep Big Tech lobbyists out of public infrastructure, and accelerate implementation.The geopolitical situation does not wait for perfect concepts, it demands readiness.
The Heinlein Group demonstrates how this vision can already be implemented in practice.With mailbox, OpenTalk, and OpenCloud, the company delivers open source-based platforms that are designed to strengthen digital sovereignty in Europe.
The broader vision
Digital sovereignty begins with conscious decisions: identifying which systems are mission-critical, assessing dependencies, and building partnerships with providers who share European values.It is not achieved through isolation but through collaboration. Collaboration across borders, sectors,and communities.Open source enables exactly that: transparency where trust is essential, cooperation where resources are limited, and resilience where dependence would otherwise prevail.
Europe’s open source ecosystem already provides a strong foundation – mature technologies, capable providers, and a collaborative community.What is needed now is confidence and coordination to build upon it – and a clear, binding open source strategy – in Germany and across Europe.
About the Author
Jutta Horstmann is a computer scientist, entrepreneur, and open source expert. Since September 2025, she has been Co-CEO of the Heinlein Group, which enables companies and public institutions to achieve digital sovereignty, security, and sustainability.With more than 25 years of experience in IT and leadership, she is committed to digital resilience and open source technologies.