European officials seeking to assert digital sovereignty face a widening gap between high-level legislative ambitions and the pragmatic realities of public sector procurement. While the European Union has enacted landmark regulations such as the General Data Protection Regulation (GDPR) and the Data Act to curb reliance on non-European cloud providers, the actual shift in infrastructure spending remains slow, according to industry observers and policy analysts.
The core of the issue lies in the transition from policy frameworks to IT purchasing decisions. European institutions and national governments often find themselves locked into long-term contracts with major non-EU cloud service providers—primarily based in the United States—due to existing legacy systems, technical interoperability requirements, and the perceived stability of established vendors. This reliance persists even as the European Commission continues to push for “digital autonomy” to protect sensitive citizen data from extraterritorial surveillance, as outlined in the European Digital Strategy.
The Procurement Bottleneck
Digital sovereignty in Europe is increasingly defined by the ability to control data flow, storage, and processing. However, the procurement process often favors vendors that offer the most comprehensive suites of software-as-a-service (SaaS) tools, which are frequently dominated by firms headquartered outside the EU. According to the European Union Agency for Cybersecurity (ENISA), security and sovereignty concerns must be integrated into the earliest stages of procurement to ensure that public sector entities do not inadvertently bypass legal standards for data residency and control.

Technical experts note that the challenge is twofold: moving away from proprietary “walled gardens” and finding viable, scalable alternatives that meet the complex functional needs of public administration. While open-source solutions provide a path toward independence, they require significant investment in local deployment, maintenance, and training that many government departments are currently ill-equipped to handle.
Legislative Intent vs. Market Reality
The EU’s legislative efforts, including the Data Governance Act, are designed to facilitate data sharing while ensuring that sensitive information remains subject to European legal jurisdiction. Yet, the practical application of these rules is often hampered by the sheer scale of global cloud infrastructure. When a government agency needs to deploy a city-wide digital service, the immediate availability of a global vendor’s platform often outweighs the longer-term strategic goal of sovereignty, leading to what some officials describe as a “procurement trap.”

The tension is also evident in the discourse surrounding the EU’s 2030 Digital Decade targets, which aim to increase cloud adoption among European enterprises. Critics argue that without specific mandates requiring public bodies to prioritize sovereign cloud providers, the market will continue to favor incumbents, regardless of the political rhetoric surrounding digital independence.
The Role of Open-Source Alternatives
Advocates for digital sovereignty frequently point to open-source software as a primary tool for reclaiming control over digital infrastructure. By utilizing open-source platforms, governments can theoretically audit code, avoid vendor lock-in, and host data on infrastructure that they directly control. However, the maturation of these technologies depends on sustained investment and a cultural shift within IT procurement offices.
The European Commission’s Joinup platform serves as a repository for interoperable e-government solutions, highlighting the ongoing effort to standardize public sector software across member states. Despite these efforts, the fragmentation of procurement policies across 27 member states complicates the creation of a unified European market for sovereign digital services, often leaving individual agencies to navigate complex compliance requirements on their own.
What Happens Next
The debate surrounding digital sovereignty is expected to intensify as the EU reviews the implementation of the Cybersecurity Act and considers further measures to regulate cloud service providers. Future procurement guidelines are likely to emphasize the importance of “sovereign cloud” certifications, which aim to provide public buyers with clear criteria for evaluating the jurisdictional and security risks associated with different vendors.

Stakeholders are currently awaiting updates from the Directorate-General for Communications Networks, Content and Technology (DG CONNECT) regarding the next phase of the EU’s cloud strategy. Public sector entities are encouraged to monitor upcoming calls for tenders that include specific requirements for sovereign infrastructure as a benchmark for future digital transformation projects. Readers interested in the evolution of these policies can track official updates through the European Commission’s digital strategy portal.
What are your thoughts on the balance between functionality and sovereignty in public IT spending? Share your perspective in the comments below.