The Architecture of Autonomy: Digital Sovereignty and the EuroStack#
Even though most of my hobby projects are meant for personal use, the current geopolitical climate made me wonder about what is done on a European level. Working at a local government made me realise that change on compliance subjects in the IT space is rarely met with enthusiasm. It is mostly seen as a burden and that is why it is important to have legislation in place. Subjects like privacy, security, continuity and now sovereignty are all part of a bigger compliance theme. Whereas privacy and security have had a lot of attention, continuity and sovereignty are new themes for me.
1. Defining Digital Sovereignty in 2026#
Digital sovereignty in the European context#
Digital Sovereignty is defined as the autonomous ability of a person or organization to govern its infrastructure, software, and data flows. In the current geopolitical landscape, digital sovereignty is no longer a vague policy aspiration, we are vulnerable to a foreign government flipping a kill switch and shutting down or threatening IT infrastructure. Primary examples are the Starlink incident in Ukraine in 2022, instigated by its owner Elon Musk. An example of a foreign government pressuring a company to interrupt a service is the incident in 2025 with the International Criminal Court, when it lost access to Microsoft services following US sanctions, prompting the organization to migrate to OpenDesk.
To achieve digital sovereignty in the European context, it relies on these 3 pillars:
- Data Sovereignty: The guarantee that information is subject only to the laws of the territory where it is collected (e.g., protection from the US CLOUD Act.).
- Infrastructure Sovereignty: Reducing reliance on foreign hardware and hyperscale cloud providers(For example Google, AWS or Microsoft).
- Technological Sovereignty: The ability to innovate and audit the “code layer,” often through open-source standards, to prevent “black box” dependencies.
Digital sovereignty in a private context#
For a private person, and especially for children, social media companies are constantly vying for our attention. Digital sovereignty is the only effective defense against what has been called “Surveillance Capitalism”. Relationships, health, and private thoughts are turned into data points for external profit. Our kids should have the right to grow and experiment in private, without a permanent digital ledger recording every thought, choice and mistake.
On a personal level it can be summarised by these pillars:
- Agency: a person should have control over how their data is used.
- Protection: Insulation from predictive algorithms designed to “nudge” behavior for profit.
- Privacy: The right to grow and experiment in private, without a permanent “digital ledger” being sold to future employers or insurers.
2. From Rules to Reality#
EU Regulations#
The EU has recently pivoted from a “regulatory” stance to an “architectural” one. In previous decades, the EU tried to influence companies worldwide to adhere to EU laws. Now it seems that foreign governments will always try to influence companies based in their countries. The most significant shift came with the Interoperable Europe Act, which, as of January 2025, mandates Interoperability Assessments for all trans-European public services. This law ensures that the “wires” of the European states remain open and interconnected, rather than being trapped in proprietary, foreign-owned “black boxes.”
Supporting this is the SEAL (Sovereignty Effectiveness Assurance Level) framework, which provides a 0-to-4 rating system. It allows IT managers and procurers to measure not just how reliable a service is, but how immune it is to foreign state interference.
Protecting the children#
For private citizens there has not been any sweeping EU regulations yet. Several European nations are considering action: France is debating bills for a ban on those under 15, while the UK government has launched a consultation on restricting access for those under 16. Following Australia’s lead, which banned social media for under-16s in December 2024, these measures would reduce data gathering and protect children from nudging algorithms. Children are especially susceptible to these algorithms.
3. Building the “EuroStack”#
The practical response to digital colonization is the EuroStack, a federated ecosystem of European technology. Rather than relying on a single “hyperscale” provider, organizations are now moving toward a “Lego-brick” architecture of interoperable, sovereign-native services.
Infrastructure providers like Hetzner, OVHcloud or IONOS combined with a workspace like OpenDesk or Nextcloud, an organisation can try to emulate what hyperscale providers like Microsoft or AWS offer, albeit less integrated.
Working with a federated eco-system requires IT departments and their suppliers to transition from licence purchasers to be able to handle interoperable IT architecture. It will be much more complicated to find the right tool for the job at hand and making sure all the parts can talk to each other.
There are some local European governments that have made the transition toward sovereignty, here are some examples:
- Schleswig-Holstein, Germany: This state is transitioning 30,000 government workstations to a full open-source environment featuring Linux, LibreOffice, and Nextcloud.
- The French National Government: Several ministries have deployed “La Suite,” a sovereign digital workplace based on Nextcloud and other open tools, to millions of public sector users.
- Munich, Germany: The city has launched a “Sovereign Workplace” initiative utilizing the OpenDesk suite and a dedicated five-point open-source plan to reduce vendor dependency.
- Dortmund, Germany: Operating under a “Public Money? Public Code!” mandate, the city utilizes shared open-source infrastructure like OpenProject and Nextcloud for its municipal services.
- The Spanish Government: Through its “Digital Spain 2026” agenda, the country is prioritizing the development of a sovereign public administration stack built on open standards and local cloud partnerships.
For private persons there aren’t any widespread movements or regulation yet. There are some movements to buy European alternatives for products, but it seems these movements remain relatively small.
4. Challenges to overcome#
Before an entire continent starts this massive transition a lot of questions will have to be answered. The move towards a sovereign infrastructure has value but also comes with great costs. It doesn’t have to be an all or nothing change either. The SEAL framework shows that you can rate vendors, you can decide in what parts of your organisation or personal IT infrastructure it is necessary to take measures. This can be achieved by applying risk management principles.
Financially there will be a big shift from large licensing fees to staff required to design the new infrastructure. The Schleswig-Holstein example actually showed a lowering in cost due to fewer licensing fees and the organisation finally felt in control of its IT budget again.
IT personnel is hard to recruit as is, will enough skilled personnel be available to get us through these changes. Will these open source offerings be able to keep up with US and eventually Chinese tech companies? Is this fractured IT landscape going to offer something to the rest of the world or are we just building this for ourselves? And are people going to spend the effort to consciously choose who they do business with?
5. Conclusion#
To conclude, I don’t have all the answers to these questions. Personally, I would welcome the shakeup as a challenge; building an interoperable sovereign ecosystem sounds much more interesting than configuring a hyperscale vendor’s interface. The transition won’t be easy, and the costs are real. But remaining not in control of our most vital infrastructure is not the way forward in these trying times. We will see what the future holds.
