The push for ‘Buy European’ software mandates, while well-intentioned, fails to address the fundamental nature of digital dependency. True European digital sovereignty will not be achieved by simply favoring locally headquartered vendors; it requires a sophisticated strategy that focuses on the complex, global supply chains, software licensing, and infrastructure dependencies that underpin the modern technology stack.
Recent discussions on digital sovereignty at KubeCon 2026 EU underscored how geopolitical instability exposes the risks of outsourced infrastructure. Concurrently, new European Union legislative proposals, such as the forthcoming Cloud and AI Development Act (CAIDA), are poised to reshape the regulatory environment. As business leaders reportedly begin to claw back control over their data and infrastructure, the decisions made now will determine Europe's technological autonomy for the next decade.
Understanding the Limits of 'Buy European' Software Mandates
‘Buy European’ policies, championed by member states like France, aim to bolster the domestic tech industry, reduce reliance on foreign powers, and shift investment toward local companies while ensuring compliance with EU regulations. The launch of initiatives like Euro-Office, positioned as a “true sovereign office suite” to compete with American giants, exemplifies this strategy to create homegrown champions that can displace dominant foreign players.
However, this focus on a product’s national label often obscures a more complicated reality. In practical terms, a software product’s country of origin is a poor proxy for its actual sovereignty. As an analysis from euobserver.com points out, the real story of Europe's digital sovereignty is found in licensing agreements, component dependencies, and supply chain integrity. A piece of software developed in Berlin may run on cloud infrastructure hosted by an American company, utilize open-source libraries maintained in another country, and depend on hardware manufactured in Asia. Each of these layers represents a potential point of external leverage or failure.
European digital assets often do not remain European, as shown by Skype, a European innovation acquired and shut down by its American owner, and Oracle’s acquisition of Sun Microsystems, which transferred control of critical technologies like Java and MySQL. These examples show how fluid corporate ownership is: a ‘Buy European’ label offers no guarantee against future acquisition, nor does it insulate an asset from its globalized components. Unless policy addresses the complexities of licensing and supply chain security, it risks creating a false sense of security.
The Counterargument: Addressing Geopolitical Risk and Market Imbalance
The push for these mandates stems from significant risks in the current technology landscape, particularly the profound market imbalance in cloud computing. U.S. hyperscalers like Amazon Web Services, Microsoft Azure, and Google Cloud command an estimated 70% of the European cloud market, according to thenextweb.com. This concentration of critical infrastructure in a few foreign entities creates a powerful strategic dependency.
This dependency is not merely economic; it is geopolitical. Thierry Carrez, General Manager of the OpenInfra Foundation, recently highlighted the potential for governments to compel their national tech companies to deploy ‘kill switches’ on critical infrastructure used by other nations, as reported by The Register. Carrez argues that sovereignty is about building resilience against such threats, whether they manifest or not. The mere potential for a foreign government to disrupt essential services is a risk that European policymakers are right to address. From this perspective, favoring domestic providers is a rational step toward mitigating that specific vulnerability.
These policies are intended to cultivate a stronger domestic tech ecosystem by directing public and private sector procurement toward European firms, fostering innovation, creating high-skilled jobs, and retaining economic value within the EU. The argument is that without a protected home market, European tech firms struggle against the network effects and massive capital advantages of their U.S. counterparts. While valid, these points address a symptom, market dominance, without fully diagnosing the underlying disease of systemic, multi-layered dependency.
The Real Challenge: A Global Web of Interconnected Dependencies
In my analysis, the fundamental flaw in the ‘Buy European’ approach is its failure to grapple with the nature of modern software. A piece of software is not a discrete, monolithic product like a car or a piece of furniture. It is an assembly of countless globally sourced components, running on infrastructure that is itself a complex supply chain. True sovereignty, therefore, is not about isolation but about resilience within this interconnected system.
The software supply chain extends deep into physical infrastructure; Europe's cloud economy fundamentally depends on energy stability and foreign-designed hardware. Data centers are massive energy consumers, with global energy use projected to double by 2030, largely driven by AI. This ties Europe’s digital ambitions directly to volatile global energy markets and supply chains for processors and servers, which are dominated by non-European companies. Relying on external cloud providers means Europe effectively imports the geopolitical risks embedded in their energy and hardware dependencies.
Rather than pursuing full "AI sovereignty," which some analysts suggest is an illusion for most nations, a more pragmatic path forward is "AI resilience." This strategy focuses on minimizing strategic dependencies where it matters most, identifying critical chokepoints in the tech stack, and ensuring Europe has alternatives or direct control over them, while still participating in the global ecosystem. It represents a targeted, risk-based approach, not a blanket national preference.
A European software company running services on AWS remains subject to U.S. law, U.S. infrastructure vulnerabilities, and U.S. foreign policy, making its headquarters location a secondary detail. A more sovereign solution involves a European company using open-source software on hardware located in a European data center, under a transparent licensing agreement that guarantees control. This requires a far more complex assessment than simply checking a vendor’s address.
What This Means Going Forward
The path to meaningful digital sovereignty requires a strategic shift away from simplistic procurement labels toward a comprehensive, risk-based assessment of the entire technology supply chain. The era of unquestioning reliance on a few cloud vendors is ending, but it must be replaced by a more sophisticated strategy than mere technological nationalism.
Going forward, policymakers and enterprise leaders should focus on three key areas:
- Supply Chain Transparency: Policy should incentivize and eventually mandate a deep understanding of the tech stack. This means scrutinizing not just the primary software vendor, but also their cloud provider, critical open-source dependencies, hardware origins, and data routing. Regulations like the EU Commission’s Cloud Sovereignty Framework are a start, but they must evolve to reflect this multi-layered reality.
- Promotion of Open Standards and Licensing Control: The most effective way to combat vendor lock-in is to champion open standards and open-source software. This ensures interoperability and gives organizations the freedom to switch providers without being trapped by proprietary technology. Furthermore, procurement should prioritize licensing agreements that grant European entities irrevocable rights to use, modify, and maintain critical software.
- Strategic Investment in Infrastructure: While building a complete, parallel tech stack is impractical, targeted investment is essential. This includes supporting European data center innovation focused on energy efficiency, fostering a competitive European cloud infrastructure market, and contributing to the security and maintenance of critical open-source projects that underpin the global digital economy.
Ultimately, regulation will be the deciding factor. As one industry expert noted, companies will stick with established, dominant vendors unless the cost and complexity of switching are addressed through clear policy. The upcoming Cloud and AI Development Act presents a crucial opportunity to implement a smarter framework. A resilient Europe is not one that builds a digital wall around itself, but one that understands its dependencies, mitigates its most critical risks, and strategically asserts control over its technological future.










