Europe is at a turning point, and this time we cannot afford to miss it. Digital sovereignty has become a matter of strategic urgency, and the threats are no longer theoretical. U.S. extraterritorial laws like the CLOUD Act, rising geopolitical tensions, and abrupt service suspensions are raising serious concerns. They make the risks of digital dependency impossible to ignore.
For years, many of us in the European open-source ecosystem have warned about this. Europe can no longer look away. My previous article on digital sovereignty covers the foundations. Here, I want to focus on something more urgent: how to turn sovereignty into real data governance, and why open-source software must be part of that answer.
The Franco-German Summit on European Digital Sovereignty, held in Berlin on 18 November 2025, was a landmark response to this wake-up call. Co-hosted by Germany and France, it brought together heads of state, ministers from 23 EU countries, European Commissioners, open-source leaders, civil society representatives, and tech investors. Chancellor Friedrich Merz framed the stakes clearly:
Europe’s digital sovereignty is central to our common values… to the competitiveness of our economy, to our security, and to our defense.
The summit was widely described as a “starting signal for a more independent Europe.” For once, it felt like political leaders understood what is truly at stake.
The message was clear: Europe wants to reclaim its digital future. But declarations alone won’t rewrite procurement policies or fund long-term digital commons. The real test is whether institutions can turn this vision into infrastructure.
The lingering question remains:
If we keep buying from Big Tech, are we serious about digital sovereignty?
Political alignment, real momentum
For once, the ambition felt backed by political urgency. President Emmanuel Macron urged Europe to “consistently buy its own digital infrastructure,” warning that we “cannot afford to be the only region not doing so.” German Digital Minister Karsten Wildberger pointed to upcoming digital legislation as a “litmus test” for Europe’s sovereignty and competitiveness, though some proposals, like the Digital Omnibus, remain controversial and risk undermining citizen protections if not carefully framed. Still, the message from Berlin was clear:
Europe must not just regulate tech, it must build it.
There were around 1,000 people at the event, but what struck me most was how visible the open-source community finally became. One highlight for me was the interactive pavilion called The Magic of Open Source, hosted by APELL and the Open Source Business Alliance. It used close-up magic to spark conversations about responsibility and digital control.
Open source was presented as the "magical ingredient" of sovereign IT. Seeing providers like B1 Systems, Element, Univention, SUSE, XWiki, and ZenDiS on the same stand confirmed what many of us have been saying for years: Europe already has a strong, capable open-source industry.
Open source was clearly presented as a central pillar of Europe’s digital strategy. At the “Magic of Open Source” pavilion, I saw French Minister Roland Lescure speak with Schleswig-Holstein’s Digital Minister Dirk Schröder about their full commitment to open technologies.
They weren’t just being polite. They discussed their joint commitment to full open-source adoption, including the use of XWiki, as part of their broader sovereignty strategy. Their exchange was more than symbolic. That moment captured the shift I’ve long hoped to see: open source recognized not as an alternative, but as the strategic choice.
Concrete actions followed. France and Germany pledged to broaden the use of open-source tools within their administrations. Germany committed to deploying openDesk across ministries and agencies.
From my perspective, as someone who has spent more than 20 years advocating for and building open-source tools, the Summit marked a genuine milestone. But it didn't signal a finish line. It sparked a call to action, one that can be summarized in a few points:
Public institutions must change procurement habits.
European institutions must fund and protect digital commons with the same seriousness as physical infrastructure.
Industry must invest with long-term resilience in mind.
We, in the open-source ecosystem, must keep scaling and professionalizing without losing our values.
The Summit created momentum. What comes next will determine if that momentum becomes infrastructure, or just another declaration lost in a sea of good intentions.
The contradiction Europe must confront
A dangerous paradox persists. European leaders now speak passionately about autonomy, resilience, and digital sovereignty. Yet many of the very institutions tasked with defending that vision continue to rely on foreign, opaque platforms.
Often, contracts are renewed year after year with the same vendors under the claim that alternatives don’t exist. That is simply not true.
Open-source, European-built solutions exist today across every layer of the digital stack. But procurement processes remain biased toward established vendors. Tenders are still written for specific brand names rather than outcomes. IT leaders are pressured to avoid perceived “risk,” even when the real risk is dependency.
This quiet contradiction is what’s holding Europe back.
We say we want sovereignty, but we pour public money into tools we can’t audit or modify. We talk about innovation, but systematically overlook European providers in favor of Silicon Valley defaults. We legislate for independence, but rely on platforms governed by foreign laws.
This status quo does not happen by accident. It is the product of decades of marketing, lobbying, and procurement cultures shaped by fear of change. "Nobody got fired for buying Microsoft." is still the unspoken rule in many public IT departments, and it comes at the cost of Europe’s ability to act.
Sovereignty isn’t a press release. It’s the ability to switch vendors without breaking everything. It’s the legal assurance that data stays under European jurisdiction. It’s the freedom to adapt software to national needs. Until procurement rules reward those principles, sovereignty will remain a slogan, not a strategy.
Why open-source software enables real data governance
Data sovereignty creates legal pressure. Governance enforces it. To reclaim control of its digital future, Europe must rely on tools that are sovereign by design.
Open source is the only model that provides transparency, auditability, and long-term control. Not as a promise, but by design. It allows governments to adapt, self-host, and evolve their digital infrastructure without third-party gatekeepers. Combined with strong data governance, it builds trust. Citizens can be confident that their data stays within legal boundaries defined by European values.
We already see this in practice. It’s no accident that Chancellor Merz specifically cited ZenDiS’s openDesk as proof that European solutions are viable. The state-backed collaboration suite integrates multiple European open-source projects: Nextcloud for file sharing, XWiki for knowledge management, OpenProject for project management, and more.
Used by the Robert Koch Institute and several federal ministries, openDesk even supported a full ministerial conference across all 16 German states. It has proven that open-source systems can meet the needs of large, complex institutions.
Adriana Groh, head of Germany’s Sovereign Tech Fund, put it clearly:
Open source has proven itself to be a winning strategy — not recently, but for decades.
The question is no longer whether open source can deliver. It is whether institutions will act on it.
Still, talk is only the beginning. The Summit on European Digital Sovereignty rightly put open source in the spotlight, but many organizations remain tethered to U.S. platforms. Every year, billions of euros flow to Microsoft, Google, and Amazon. European governments alone spend about €20 billion on Microsoft 365 and another €30 billion on foreign cloud services. These figures show that political ambition has not yet translated into procurement decisions.
There are, however, signs of change. Perhaps most telling was the International Criminal Court's (ICC) decision: After facing a blockade by the U.S., the ICC announced it will replace Microsoft Office with openDesk. That story went viral because it showed a global institution choosing European, open solutions in the face of pressure.
In a world of rising political and legal uncertainty, that decision shows a shift from dependency to control. It marks a move from vulnerability to autonomy. It underlines a broader truth: Organizations entrusted with sensitive data now realize that only open, transparent platforms can guarantee long-term control.
Leaders are also starting to acknowledge the gap. Chancellor Merz has argued that the state must lead the way by choosing European technology. Europe cannot afford to remain the only major region that does not consistently buy its own digital infrastructure.
European signals from Berlin: progress, pitfalls, and potential
Whether the Summit becomes a footnote or the start of a new chapter depends on what happens next. I, for one, believe this is the dawn of a new era where European open-source solutions flourish and digital sovereignty becomes not just a slogan, but our daily reality. The work begins now, and we in the community are ready to do our part.
The progress is real
For the first time, the narrative around sovereignty was not theoretical. It was concrete, operational, and backed by commitments. Media narratives followed, reinforcing that digital sovereignty has entered the mainstream.
Yet the pitfalls are obvious
Much of what was promised hinges on future regulations. There are still no concrete mandates to replace dominant Big Tech vendors. Procurement frameworks remain slow and often prioritize convenience over sovereignty. Europe’s past digital ambitions have suffered from bureaucracy and inconsistent funding. Without legislative action and deadlines, the Summit risks becoming another symbolic moment.
The potential rests on execution
The foundation is in place. What Europe needs now is execution and accountability. One key debate will be the distinction between data residency and data sovereignty. Storing data on European soil is not enough if foreign entities still control or can access it. Real autonomy requires legal and operational independence.
How XWiki helps shape Europe’s open future
Knowledge is one of Europe’s most valuable assets. If it is stored in systems that institutions cannot control, migrate, or audit, sovereignty remains partial, at best.
At XWiki, we started building for digital sovereignty long before the term became common. Not because it was fashionable, but because it was the only responsible way to build software for public and private organizations. During the 2 decades building XWiki and CryptPad, I have seen that our users need more than just features. They need guarantees: control over their data, the ability to self-host, and the freedom to leave without losing their knowledge.
XWiki gives organizations a structured, extensible knowledge management solution they can truly own. It enables them to model their processes, integrate with their existing IT stack, and migrate away from proprietary tools like Confluence. Several public institutions have already begun this transition, including the European Parliament and the French region of Nouvelle-Aquitaine. Both chose XWiki to regain control over their data and ensure long-term sustainability with open formats and European-built technology.
With CryptPad, we pushed sovereignty even further. It protects not only institutions but also individuals. The end-to-end encrypted office suite uses a zero-knowledge architecture, which means no one, not even we, can access user data. Privacy is not just promised. It is built into the system. CryptPad gives citizens, journalists, teachers, and nonprofits a secure way to collaborate online. It supports personal freedom in a world where data is often exploited. This is what individual sovereignty looks like: real control, backed by technology.
Our mission is to reduce dependency on proprietary tools and help build an open European ecosystem where public money supports auditable solutions. We develop in the open and stay committed to our community over the long term. We believe open-source collaboration is the surest way to build systems that last and remain under your control.
The path forward for Europe’s digital sovereignty
Europe must now move from ambition to execution. The technology is mature. Political support is growing. The open-source ecosystem is ready.
What’s still missing is institutional resolve. It must take shape in real-world decisions:
#1 Procurement reform
Embed open-first criteria in public tenders across all levels of government. This means going beyond simply allowing open-source options. Procurement must reward transparency, interoperability, and European ownership. And when a solid European open-source alternative exists, it should come first.
#2 Funding priorities
Rebalance European and national innovation funds to back open, scalable, and collaborative tools. Especially those serving the public interest. This includes supporting foundational open-source infrastructure, community development, and technologies like AI, cloud, and secure communications.
#3 Skills and ecosystems
Support skilled teams to build sovereign technology. Europe should invest in training, support local integrators and service providers, and build regional open-source hubs to avoid centralizing adoption around a few large vendors.
#4 Standards and measurement
Mandate open formats and protocols across institutions. At the same time, introduce sovereignty indicators to track actual progress: how much European software is in use, how many public datasets rely on open standards, how much public funding stays within the local ecosystem. What gets measured, gets improved.
A personal moment that captures the future
I consider the Summit a good day for European digital sovereignty. It showed political alignment at a rare scale. It showed that open source is now at the center of the conversation. It showed that large public deployments like openDesk are becoming role models rather than experiments.
But it is not a destination. It is a checkpoint.
The real test starts now. It will show up in budget negotiations, in procurement rules, in the technical architectures chosen for the next decade, and in whether European institutions fund their digital commons as seriously as they fund roads or energy networks.
As an open-source entrepreneur, I will remain constructive. But I will also remain demanding. Europe does not lack talent or ideas. It has often lacked consistency and long-term commitment.
If anyone still doubts whether this matters to everyday people, let me leave you with a small story.
As I was leaving Berlin after the Summit, a security officer handed a laptop back to a traveler and joked, “You should run Linux, it’s faster.” We both smiled. I replied, “I agree, I do.”
That’s how open source grows. One person to another. One conversation at a time. The Summit showed that political alignment is finally here. Now it is up to institutions, industry, and our community to turn that alignment into action.
I only wish I’d had stickers to give him. He’s definitely a member of the Open-Source Club.