.png)
If you want chips manufactured, you go to Taiwan. Want to use Windows? It’s a U.S. product. Need a new monitor? Probably made in South Korea. Globalization has led to different countries becoming exceptionally good at building and operating specific products and technologies. And, if governments keep their heads and maintain good relations, everything ticks along nicely.
Until it doesn’t.
International relations are under strain, and while politics typically don’t interest the average software developer or IT manager, the impact of laws and regulations is forcing change upon them. For example, your cloud compute may be assigned to a European region, and you may consider your data and software, or that of your customers, to be protected from prying eyes thanks to European laws. But are they?
Digital sovereignty under threat
Love or loathe GDPR, it’s supposed to provide data protection here in Europe. That protection is, however, threatened by the U.S. CLOUD Act. Enacted in 2018, it allows their law enforcement agencies to gather consumer data from U.S. companies (AWS, Azure, and GCP), even if that data is located abroad[1]. This places European digital sovereignty under threat.
The knee-jerk response is to pull everything onto a local cloud hypervisor, but this only applies a sticking plaster to a larger issue. Your data and applications may now be sovereign, but what about the software stack they run on? The hypervisor is merely a component, not a strategy to solve digital autonomy.
Digital sovereignty can be examined through the “data <-> infrastructure/cloud <-> regulation” triangle. Data and infrastructure/cloud covers the physical and logical components, regardless of on-premises or cloud, ranging from hardware, such as servers and storage, to operating systems, virtualization, and network infrastructure. Of course, you won’t be sourcing EU-manufactured CPUs, GPUs, and storage soon, but initiatives such as the EU Chips Act[2] aim to bring the required advanced silicon process nodes needed to manufacture such products to Europe.
Then there is the software. Rather than rely on foreign entities and proprietary solutions, businesses need access to technologies created, maintained, and supported locally. Open source projects are essential to this, fostering innovation and collaboration. With this in place, these pieces can be deployed in a manner that also fulfills local regulations.
Have we minimized the risks?
Striving for digital sovereignty is one thing, but it can’t be to the detriment of service and performance, and it needs to be affordable. European businesses have this challenge on their radar, with many already plugged into, or planning to use, a sovereign cloud solution. However, this change is costly and time-consuming, demanding that organizations redesign some of their internal processes as they decide what data and workloads demand a sovereign solution.
Initiatives such as the launch of NeoNephos by the Linux Foundation Europe[3] can help advance digital autonomy in Europe, with its focus on open cloud infrastructure and next-generation technologies. Serving as a vendor-neutral hub and fostering collaboration, it should unite organizations around open source solution development that meets Europe’s data protection requirements and regulations.
The merger of the Linux Foundation and the Open Infrastructure Foundation (OpenInfra) should also deliver more trusted open-source solutions that help accelerate data center modernisation[4].
While such news can be seen as a silver lining during times of global turmoil, they must deliver results. Gaia-X[5] was formed to standardize infrastructure ecosystems and provide a model defining trust, governance, and interoperability for sovereign data exchange. However, with its complexity and many stakeholders, it already feels outdated and unnecessarily over-engineered. Hopefully, the OSB Alliance’s (Open Source Business) Sovereign Cloud Stack (SCS) project[6] can turn it into a free, federated cloud and container infrastructure, as they propose.
Will challenging times force Europe’s digital sovereignty?
Microsoft has announced a new “European digital commitment” that includes efforts to protect European data privacy, which is guaranteed in their contracts with European national governments and the European Commission. There will even be a digital oversight board to challenge government requests for customer data[7]. This should be seen as a positive development, and no doubt EU lawmakers can be satisfied that their laws are forcing change on non-EU businesses.
Here at ape factory, we’re focused on using the best technology for the task at hand, an approach we have in common with most of our industry colleagues. And, like others, we have little time for politics, but politics is being forced upon us. If we can’t guarantee the safety and security of our clients’ data using cloud services, infrastructure, and software from specific providers, we will move to a regulations-compliant alternative.
Currently, this is harder than it needs to be, as here in Europe, we’re not as sufficiently prepared in cloud and edge infrastructure or AI as North America. Thankfully, Europe has recognized what’s missing in implementing digital sovereignty. We need, however, to be sure that the billions of proposed investments deliver solutions and an upskilled workforce and aren’t sunk solely into talking shops devoid of decisions that actually deliver software that contributes to our community and digital autonomy.
-------
[1] https://www.rocket.chat/blog/cloud-act
[2] https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-chips-act_en
[3] https://neonephos.org/press/2025/the-linux-foundation-announces-the-launch-of-neonephos-to-advance-digital-autonomy-in-europe/
[4] https://www.zdnet.com/article/the-linux-foundations-latest-partnership-could-shake-up-open-source-ecosystems-heres-why/
[5] https://gaia-x.eu/
[6] https://osb-alliance.de/sovereign-cloud-stack-scs
[7] https://blogs.microsoft.com/on-the-issues/2025/04/30/european-digital-commitments/
