Cloud, AI, open source: Europe is accelerating its sovereignty strategy. There remains a key issue: transforming Open Source First into a real technological arbitration mechanism.
On June 3, 2026, the European Commission took a new step in its digital sovereignty strategy by unveiling its Package for European technological sovereignty. This system brings together several major texts – the Cloud and AI Development Act (CADA), the Chips Act 2.0, the European Open Source Strategy and a roadmap dedicated to AI and energy – with the same ambition: to reduce the Union’s technological dependencies and strengthen its control of critical infrastructures.
A dependence now assumed
Despite European ambitions in terms of digital sovereignty, the cloud market remains largely captured by American hyperscalers, who occupy a dominant position in both the public and private sectors. This pre-eminence not only creates technological dependence; it also exposes Europe to legal and geopolitical constraints that escape its control. The Cloud Act is the most emblematic illustration of this: this legislation allows American authorities to request access to data held by companies under their jurisdiction, including when this data is stored outside the United States. Under these conditions, the localization of data on European territory no longer constitutes, in itself, a sufficient guarantee of sovereignty.
Open Source First: a strong signal, but a mechanism still incomplete
Open source has now become a major political issue. Transparency, auditability, technological mastery: these three qualities are essential today in a context marked by structural digital dependencies.
However, this development does not start from scratch. In 2016, France led the way with the law for a digital Republic, which established a framework encouraging the use of free software in the public sector. What was then an incentive policy is now part of a much more ambitious approach to structuring on a European scale.
It is in this context that the European legislative package introduces the Open Source First principle. The political message is unambiguous but its impact will depend entirely on its implementation. However, in its current wording, the Cloud and AI Development Act remains based on an incentive logic. Open source is placed at the same level as other decision criteria, such as cost, performance or security. However, it is precisely when decisions are made that the real impact of this policy comes into play. In the absence of an obligation to study and document an open source alternative before any major technological choice, open source remains one option among others, and not a step in the decision-making process. In fact, this approach perpetuates existing balances. Public organizations continue to move towards already dominant solutions, driven by the combined effects of inertia, standardization of tools and asymmetry of resources compared to large suppliers.
What is missing: an enforceable arbitration mechanism
A credible development would consist of imposing, for any large-scale technological project: a systematic evaluation of relevant open source alternatives; a formalized analysis of these different options and a documented, traceable and auditable justification when a choice creates or reinforces additional dependence. The objective is not to exclude non-European players but to make the strategic consequences of technological choices visible and measurable.
At a time when European administrations are already massively consuming non-European cloud services, the absence of procedural obligations largely neutralizes the effect sought by these new guidelines. Sovereignty then risks remaining a stated objective, without real translation into decision-making mechanisms.
A European ecosystem that is gaining maturity
The European ecosystem is no longer limited to a defensive logic centered on software. It is gradually starting to cover the entire technology chain, from the cloud to hardware. Companies like SUSE occupy a leadership position at the system layer level, with Linux and Kubernetes environments deployed in mission-critical hybrid cloud architectures. At the other end of the chain, initiatives like Openchip aim to reinternalize part of European sovereign computing capacities thanks to RISC-V architectures and the design of processors intended for artificial intelligence and high-performance computing (HPC) workloads. In between are infrastructure partners like FocusNet that expand deployment possibilities beyond traditional hyperscalers and enable distributed and multicloud strategies. These actors do not constitute a homogeneous whole, but they gradually draw up a coherent and usable architecture. SUSE intervenes on the system and orchestration layer, FocusNet on the cloud infrastructure layer and Openchip on the hardware layer. This stratification profoundly transforms the notion of sovereignty. This is no longer based on a single player or on the direct replacement of hyperscalers, but on the ability to recompose a complete, coherent and controlled technological stack.
Regulation, technology, enforcement: the still incomplete triangle
European digital sovereignty is now based on three pillars: regulation, technology and enforcement. The first two are progressing. Regulatory frameworks are strengthening and technological building blocks are gaining maturity, whether cloud infrastructures, open source software or new European hardware initiatives. The real weakness lies elsewhere: in the execution. The way in which decisions are actually made within administrations and large organizations remains the most fragile link. Purchasing policies, technical arbitrations and architectural choices continue to be largely dictated by habits, standardization and historical dependencies.
The European Technological Sovereignty Package undoubtedly marks a strategic turning point. But as long as open source remains a simple recommendation rather than an obligatory step integrated into public decision-making mechanisms, Europe will only adjust its dependencies, without really tackling their root causes.