As European Governments Combat ‘Digital Sabotage,’ Open Source Startups Stand to Benefit
Digital sovereignty means ditching Big Tech

Across Europe, governments are waking up to an uncomfortable truth: the software running their courts, hospitals, and parliaments is often controlled by a handful of foreign companies. This dependence on closed, proprietary platforms leaves critical institutions exposed to the whims of their creators and the jurisdictions governing them.
In an era where access to digital tools can be granted or revoked by way of a single keystroke from Redmond or Silicon Valley, the concept of digital sovereignty has moved from an abstract policy goal to a matter of national resilience. And increasingly, public bodies are embracing open source technology to reclaim control.
The matter fell sharply into focus back in February, when President Donald J. Trump issued an executive order imposing sanctions on the International Criminal Court (ICC) and its staff. The reason? The ICC had issued an arrest warrant for Israel's Prime Minister Benjamin Netanyahu, and former defence minister Yoav Gallant, over alleged war crimes in Gaza.
The ICC had also previously targeted key US personnel for alleged war crimes related to Afghanistan, though that investigation was later narrowed down to focus on the Taliban and Islamic State specifically.
This history with the ICC — combined with the new probe into a strong US ally in Israel — spurred President Trump to retaliate, all guns blazin’.
The executive order noted:
The ICC has, without a legitimate basis, asserted jurisdiction over and opened preliminary investigations concerning personnel of the United States and certain of its allies, including Israel, and has further abused its power by issuing baseless arrest warrants targeting Israeli Prime Minister Benjamin Netanyahu and Former Minister of Defense Yoav Gallant.
The ICC has no jurisdiction over the United States or Israel, as neither country is party to the Rome Statute or a member of the ICC.
The first target of Trump’s sanctions was Karim Khan, a British lawyer and the ICC’s chief prosecutor, who reportedly lost access not only to his UK bank account, but his email account, with Microsoft forced to cut off access.
A New York Times report from June noted that some ICC staffers are now using ProtonMail, an encrypted email service from Swiss company Proton. Microsoft said at the time that it had since enacted “policy changes” to protect customers embroiled in similar geopolitical conflicts; however, this was the clearest sign yet that Trump was prepared to weaponize US tech dominance against perceived adversaries — even those operating from allied nations like the Netherlands, where the ICC is based.
One Member of the European Parliament (MEP), Alex Agius Saliba, raised several questions with the European Commission (EC) in the aftermath, urging the EC to consider diplomatic and legal responses to what he called “digital sabotage.”
“Trump’s executive order threatens any person, institution or company with fines and prison time if they provide Khan with ‘financial, material, or technological support’,” Saliba said. “That is why we want to raise several questions in relation to the digital sabotage targeted at an international organisation based in the EU.”
With many of these questions unresolved, several European technology companies are already positioning themselves to meet the demand for sovereign, locally controlled digital infrastructure, turning open source into both a strategic and a commercial advantage.
Enter the matrix
Back in July, Germany’s healthcare system, Gematik, went live with TI-Messenger, a long-gestating project with the goal of providing secure, standardised messaging across the country’s myriad healthcare entities, including hospitals, clinics, and insurers.
Unlike a single proprietary platform run by one company, TI-Messenger is an open, federated standard that lets multiple certified providers interoperate, avoiding lock-in and keeping data under local control.
TI-Messenger is built atop Matrix, an open source, open standards protocol for decentralised communication. The protocol’s main commercial backer is London-based Element, a company founded by Matrix’s creators, which develops the core software and offers enterprise-grade hosting and support for organisations that need guaranteed performance, security, and regulatory compliance.
Matthew Hodgson, CEO of Element and technical co-founder of Matrix, told Resilience Media that some 95% of its revenue comes from the public sector, with customers including segments of the US Department of Defense, the UK and French Governments, NATO, United Nations, and the German Armed Forces.
“Governments, public sector organisations and NGOs have the most interest in digital sovereignty,” Hodgson told Resilience Media. “It’s absolutely incumbent that governments ensure they have complete ownership and control of their technology, particularly in the sharpened geopolitical climate.”
Hodgson added that the ICC email shutdown is just “one of many real-life proof points” that underscore why digital sovereignty is so important. He also pointed to the case of US satellite mapping company Maxar Technologies, which was compelled to suspend Ukrainian access to US government–commissioned satellite imagery, under a broader Trump administration directive against intelligence sharing with Ukraine.
Access was restored days later after renewed agreements between Washington and Kyiv; however, these cases together illustrate how critical infrastructure controlled by foreign vendors leaves governments around the world dangerously exposed.
Just this week, Canadian video platform Rumble — host to President Trump’s Truth Social — signaled plans to acquire German AI cloud provider Northern Data, which would represent a shift of key European infrastructure into foreign hands.
“The world has generally been in a beautifully benign state for the last couple of decades, which coincided with a general move towards vendor-controlled cloud systems,” Hodgson continued. “What we’re now seeing are governments realising that has left them hugely vulnerable, especially with the likes of NATO urging countries to get themselves onto a war footing; protecting submarine cables becomes a moot point if another government can simply demand a vendor halts its cloud service.”
‘We’re done with Teams!’
Europe has made no secret of its desire for a sovereign tech stack, with plans for its own large language models (LLMs) and even a constellation of satellites to rival Elon Musk’s Starlink.
In the more immediate term, however, governments across the bloc are in the midst of removing omnipresent Microsoft software from official workplaces, making way for open source alternatives.
“We’re done with [Microsoft] Teams!” Dirk Schroedter, digitalisation minister for the German state of Schleswig-Holstein, told the AFP back in June.
Schleswig-Holstein has been looking to phase out Microsoft software for a while, replacing Word and Excel with the likes of LibreOffice, supplanting Outlook’s email and calendars with Open-Xchange, and ditching SharePoint for Nextcloud.
And now, the state is replacing Microsoft Teams with open source alternatives such as Jitsi.
The long and short of all this is that next to no civil servant, police officer or judge in Schleswig-Holstein will be using Microsoft programmes at work, representing roughly half of the state’s public servants. Some 30,000 teachers are set to follow suit in the coming years, a transition that will reportedly lead to the state dropping Windows entirely for Linux.
Schleswig-Holstein isn’t alone, either. The City of Lyon in France recently revealed that it’s replacing Microsoft Office with OnlyOffice; Windows with Linux; and Microsoft SQL Server with PostgreSQL. And it’s a similar story across Denmark, where several cities are reducing their dependency on Microsoft.
In actual fact, this switch was already firmly on the European agenda long before President Trump’s ICC vendetta. The European Commission (EC) has been pursuing Microsoft on antitrust grounds over the way it bundles Teams with its other business software, while new regulations such as the Interoperable Europe Act mandate that public sector bodies across the bloc must ensure their vast array of national IT systems play ball with each other — an endeavour that’s easier to achieve with open source software.
However, recent political movements have accelerated matters, according to Schroedter, who said that there are clear parallels between Europe’s energy reliance on Russia, and its digital reliance on foreign tech giants.
“The geopolitical developments of the past few months have strengthened interest in the path that we’ve taken,” Schroedter told the AFP. “The war in Ukraine revealed our energy dependencies, and now we see there are also digital dependencies.”
Sovereign tech’s commercial opportunity
This movement could prove a boon for open source-aligned startups, such as Germany’s Nextcloud, which offers an array of open source, self-hostable tools across the productivity and collaboration spectrum.
Nextcloud founder and CEO Frank Karlitschek told Resilience Media that around 25 percent of its customers hail from the public sector, though demand (i.e. in-bound inquiries) has tripled in the first half of 2025 across all sectors.
“We are seeing the greatest demand from European countries, but also a significant increase in global inquiries, for example from Canada, Latin America, India and the US,” Karlitschek said in an interview. “Many organizations we talk to are specifically asking for a migration from Microsoft or Google.”
Karlitschek reckons the shift is being driven by a mix of factors, ranging from steep price hikes from the incumbent software giants, to growing concerns over data privacy.
“Organizations want to avoid vendor lock-in, which makes them dependent on single companies that can then increase their prices while making migration difficult,” Karlitschek continued. “Another reason is data privacy. With the ongoing digital transformation in the public sector, the challenge of privacy and security becomes ever bigger. Public sector organisations can’t be seen to leak citizens’ data, or be subject to pressures of big tech companies or foreign governments.”
The ability to maintain full control over data by self-hosting is one of the reasons why any organization — public sector or otherwise — might want to use an open source product. Still, not every entity has the resources and technical nous to do this, which is why commercial open source companies such as Element and Nextcloud also sell hosted services on top of their core open source products.
“Smaller public sector organizations, more often, opt for hosted offerings from a local, trusted provider,” Karlitschek said. “Larger, federal agencies tend to prefer to keep data in their own data centers. For example, we see a fair bit of interest in the US for deploying Nextcloud in air-gapped [i.e. isolated offline network] environments. Those are, by their nature, self-hosted.”
This emphasis on self-hosting is something echoed by Emily Omier, open source startup consultant and co-creator of the Open Source Founders Summit. She notes that while some governments do have mandates to use open source where possible, the stronger driver behind such shifts is the desire to control where and how systems are hosted, rather than the specific license attached to the software.
“To be completely fair, I think this is often not just about open source, but about on-prem — often open source companies offer the only option in their ecosystem to self-host,” Omier said in an interview with Resilience Media. “Many open source companies have dedicated sales organizations for the public sector.”
Of course, open source software comes with many additional perceived benefits beyond the ability to self-host, such as transparency, interoperability, cost savings, and — many argue — security. However, Omier insists that the core benefit sought by public sector entities is control — over both their infrastructure and their data. Whether it makes them more secure, she cautions, depends entirely on their ability to maintain and protect the systems themselves; without the right skills and resources, open source can expose as many risks as it helps mitigate.
“Whether or not open source is more secure is debatable — if you have the skills to secure it, it can be, but open source can also be more vulnerable,” Omier said. “However, it is undeniably the best choice for control over your environment and for control over your data. Whether or not this makes governments more resilient depends on a lot — you can be more vulnerable with open source if you do not have the skills to maintain it and run it securely. However, it undeniably makes governments more independent, because they no longer are at the mercy of private companies.”
Visibility and influence
Passbolt, an open source password management provider based in Luxembourg, also counts a number of public sector customers, including France’s Ministère de l’Intérieur. Remy Bertot, Passbolt’s co-founder and CTO, said that while most of the company’s conversations with the public sector tend to be with people who are already open source advocates within their respective institutions, there has been a marked shift in terms of their influence around procurement decisions.
“What has changed over the past couple of years is that these open source champions seem to have gained more visibility and influence internally,” Bertot told Resilience Media. “Their voices are maybe more credible and their arguments better received, as they often come to us with clearer mandates.”
But selling into the public sector is notoriously slow, with Bertot noting that procurement cycles and trust-building mean that deals can take time to close.
“Breaking into this space takes time and persistence,” he said. “Passbolt being a credential manager, and consequently handling very sensitive data, [means that] building trust can be a slow process. Frequent changes in contact points and lengthy procurement cycles can make it challenging to move quickly.
“In some cases, we’ve been in conversation with institutions for over a year before they commit. Some discussions are still ongoing after two years. So yes, the uptick is happening — but in true public sector fashion, it’s happening in slow motion.”
Regulation time: locking in local control
Recent attempts to weaponise US technology against global institutions and foreign allies have added weight to a broader conversation in Europe about digital sovereignty, not just concerning who operates critical services, but the open source infrastructure itself (e.g. operating systems, frameworks, databases), much of which is maintained by small, often overstretched teams.
In a blog post published this week, Dries Buytaert, founder and project lead of open source content management system (CMS) Drupal, argued that open source is now public infrastructure, and thus it should be funded as such.
“It [open source software] runs government services, supports national security, and powers everything from public health systems to elections,” Buytaert wrote on LinkedIn. “Yet most of it is maintained by a small group of contributors, which makes the software we all rely on more fragile than most people realize.”
This argument resonates strongly in Europe, where the digital sovereignty debate is already influencing procurement policy and public funding. With governments increasingly concerned about keeping control of the software that underpins their critical services, calls to treat open source as essential infrastructure are gaining traction.
“Recent geopolitical tensions and policy unpredictability have made governments more aware of the risks of relying on foreign-controlled, proprietary software,” Buytaert writes. “Around the world, there is growing recognition that they cannot afford to lose control over their digital infrastructure.”
A few weeks ago, GitHub called for a dedicated EU‑Sovereign Tech Fund to shore up Europe’s open source ecosystem.
The Microsoft subsidiary commissioned a feasibility study, conducted by OpenForum Europe, Fraunhofer ISI, and the European University Institute, that builds a compelling case: open source is vital digital infrastructure, yet remains critically underfunded compared to physical infrastructure.
“Open source software is open digital infrastructure that our economies and societies rely on,” wrote Felix Reda, GitHub’s director of developer policy. “Nevertheless, open source maintenance continues to be underfunded, especially when compared to physical infrastructure like roads or bridges.”
Debates over who maintains Europe’s digital foundations inevitably intersect with questions about who ultimately controls them.
Back in June, Anton Carniaux, director of public and legal affairs for Microsoft France, testified under oath before the French Senate that Microsoft could not guarantee European data sovereignty because of the reach of the US Cloud Act, a federal law that allows American authorities to demand access to data held by U.S.-based providers, even if that data is stored outside the United States.
While Carniaux added that Microsoft challenges requests it deems unlawful, and uses contractual and technical safeguards to protect customer data, this admission served as a stark reminder to European policymakers that true data sovereignty is impossible if the infrastructure is ultimately controlled by a foreign jurisdiction.
If this underscores the risks of foreign control, the EU’s own growing body of regulation shows how Europe is trying to address them.
The long-established General Data Protection Regulation (GDPR), and newer legislation such as the European Data Governance Act (DGA), not only push to keep sensitive data within EU borders and under EU authority, but also create a competitive opening for open source startups, whose self-hostable, locally deployable tools are often better suited to meeting these requirements than SaaS-centric alternatives controlled by Big Tech.
“Every time there’s a regulation that requires companies to control where data is stored, or keep data within national borders, this is an opportunity for open source companies,” Omier said. “It makes it harder for pure SaaS companies to compete.”