Glossary: Sovereignty & Open Source
Glossary
Key terms explained in plain language. Terms marked with a dotted underline throughout the site show a tooltip on hover and link here.
CLOUD Act
The Clarifying Lawful Overseas Use of Data Act is a US federal law signed on 23 March 2018 as part of the Consolidated Appropriations Act. It amends the Stored Communications Act (SCA) of 1986 and allows US law enforcement to compel US-based technology companies to produce data stored on their servers, regardless of whether the data is stored in the US or abroad.
The law also created a framework for bilateral agreements between the US and foreign governments. The UK–US bilateral data access agreement was the first such agreement, entering into force in October 2022. The EU has not concluded a similar agreement.
Providers can move to quash an order that conflicts with foreign law, but the statutory mechanism (18 U.S.C. § 2703(h)) is available only where the customer is not a US person and the conflicting law is that of a “qualifying foreign government”, i.e. one that has concluded a CLOUD Act executive agreement. Because the EU has not, a provider under US jurisdiction that faces a conflict with GDPR can rely only on general comity arguments, and the burden of demonstrating the conflict lies with the provider. For European organisations this creates a fundamental tension with GDPR requirements, as complying with a US order may violate EU data protection law. Note that jurisdiction attaches to the company, not to the location of the data centre: an EU region operated by a US provider is still within reach of a CLOUD Act order. This is one of the core arguments for hosting data with European providers that are not subject to US jurisdiction.
Full text: H.R.4943 — CLOUD Act
See also: GDPR, EU-US Data Privacy Framework, Digital sovereignty
Vendor lock-in
A situation where switching to a different provider or technology becomes difficult and expensive — due to proprietary data formats, APIs, contracts, or accumulated know-how tied to a specific system. Lock-in can be technical (data cannot be exported), contractual (long-term commitments with penalties), or practical (staff trained only on one system).
In cloud computing, lock-in often occurs through proprietary services that have no equivalent elsewhere (e.g., AWS Lambda, Google BigQuery). The Data Act (EU 2023/2854), which applies from 12 September 2025, obliges cloud providers to facilitate switching (including exporting data and supporting migration within a defined transition period), prohibits certain contractual barriers, and abolishes switching charges from 12 January 2027.
Open Source software and open standards are the primary mitigation strategies. Initiatives like Gaia-X and SCS aim to define interoperability standards that reduce lock-in at the infrastructure level.
See also: Open Source, API, Gaia-X
Open Source
Software whose source code is publicly available and can be used, modified, and redistributed under a license that meets the Open Source Definition maintained by the Open Source Initiative (OSI). The definition includes 10 criteria, including free redistribution, access to source code, and permission for derived works.
Common licenses include the MIT License, Apache 2.0, GNU GPL, and AGPL. The choice of license significantly affects how the software can be used commercially. Copyleft licenses (GPL, AGPL) require derivative works to be released under the same license; permissive licenses (MIT, Apache) do not.
Not to be confused with open-weight models (AI models where weights are published but training data may not be), or “source-available” software (code is visible but the license restricts use, modification, or redistribution). The distinction matters because source-available software does not provide the same freedoms and protections against vendor lock-in.
See also: Open-weight models, Vendor lock-in, Fork
Open-weight models
AI models where the trained model weights are publicly released, allowing others to run, fine-tune, and deploy them. Unlike full open source, the training data, training code, and data processing pipelines are typically not published.
Notable examples include Meta’s LLaMA family, Mistral’s models, and Alibaba’s Qwen. Licensing varies significantly: Meta’s LLaMA license permits commercial use but restricts it for applications with more than 700 million monthly active users. Mistral publishes some models under Apache 2.0, while others have custom licenses.
The EU AI Act treats open-weight foundation models differently from proprietary ones in some respects, recognising that openness supports research and competition. However, providers of open-weight models classified as “general-purpose AI with systemic risk” still face compliance obligations. The debate about whether open-weight truly qualifies as “open source” led the OSI to publish the Open Source AI Definition in October 2024.
See also: Open Source, LLM, Foundation model, EU AI Act
Groupware
Software for collaborative work within organisations — typically includes shared calendars, contacts, email, task management, and sometimes document collaboration and project management. The term was coined in 1978 by Peter and Trudy Johnson-Lenz and gained mainstream recognition with Lotus Notes (1989). It remains relevant as organisations evaluate alternatives to dominant cloud suites.
The main proprietary groupware platforms are Microsoft 365 (Exchange, Outlook, Teams) and Google Workspace (Gmail, Calendar, Drive). European open-source alternatives include EGroupware, Nextcloud (with Groupware add-ons), Open-Xchange, and Zimbra (note: Zimbra has changed ownership four times — Yahoo, VMware, Telligent Systems, Synacor — raising questions about long-term governance stability; since Zimbra 9, no official open-source binaries have been provided).
Choosing groupware is one of the highest-impact decisions for digital sovereignty, as it determines where email, calendar, and contact data are stored and processed. Integration with Single Sign-On and an Identity Provider is an important consideration for larger organisations.
See also: SSO, Identity Provider, Digital sovereignty, Vendor lock-in
Single Sign-On (SSO)
An authentication method that allows users to log in once and then access multiple applications without re-entering credentials. SSO reduces password fatigue, lowers helpdesk costs, and centralises access control — making it easier to enforce security policies and revoke access when needed.
The most common protocols are SAML 2.0 (2005, XML-based, widely used in enterprises), OpenID Connect (2014, built on OAuth 2.0, JSON-based, dominant in modern web applications), and OAuth 2.0 (strictly an authorisation framework, but often used in combination with OIDC for authentication).
SSO requires an Identity Provider (IdP) as the central authentication authority. The security benefit is significant: instead of N passwords for N applications, users have one strong authentication, ideally combined with FIDO2 hardware keys or passkeys. The flip side is that the IdP becomes the single point of compromise: whoever holds its signing key or an administrator account can mint sessions for every connected application, so the IdP itself needs phishing-resistant MFA for administrators, careful handling of signing keys, and close monitoring of its logs.
See also: Identity Provider, FIDO2
Identity Provider (IdP)
A service that authenticates users and issues security tokens or assertions that other applications (called “relying parties” or “service providers”) trust. The IdP is the single source of truth for user identity within an organisation or ecosystem.
Examples: Keycloak (open source, CNCF incubating project), Authentik (open source), Microsoft Entra ID (formerly Azure AD), Okta, and Google Identity. When you use “Sign in with Google,” Google acts as your IdP.
For digital sovereignty, the choice of IdP is critical — it controls who can access what. Self-hosted solutions like Keycloak provide full control over authentication data and policies. Keycloak supports SAML 2.0, OpenID Connect, OAuth 2.0, and LDAP/Active Directory integration, making it a common choice for organisations migrating away from cloud-based identity services.
See also: SSO, FIDO2, eIDAS, CNCF
eIDAS
The Electronic Identification, Authentication and Trust Services regulation (EU 910/2014) established a framework for cross-border electronic identification and trust services (digital signatures, seals, timestamps) across the EU. It entered into force on 17 September 2014.
eIDAS 2.0 (EU 2024/1183), adopted on 11 April 2024, significantly expands the original regulation. Its centrepiece is the European Digital Identity Wallet (EUDIW), which every EU member state must offer to its citizens by 2026. The wallet allows citizens to store and present identity credentials, driving licences, diplomas, and other verifiable attributes digitally — both online and offline.
The regulation mandates that very large online platforms (as defined by the Digital Services Act) must accept the EUDIW for user authentication. This creates an interoperable, government-backed alternative to private identity providers like “Sign in with Google/Apple/Facebook.” The technical architecture is based on the Architecture and Reference Framework (ARF) developed by the European Commission.
See also: Identity Provider, FIDO2, Digital sovereignty
FIDO2 / WebAuthn
An open authentication standard developed by the FIDO Alliance and the W3C that replaces passwords with public-key cryptography. FIDO2 consists of two components: WebAuthn (the browser/server API, a W3C standard) and CTAP2 (the FIDO protocol between the client platform, i.e. the browser or operating system, and the authenticator).
Authentication is tied to an authenticator: either a hardware security key (e.g., YubiKey, SoloKeys) or a platform authenticator (fingerprint sensor, Face ID, Windows Hello). On a hardware-bound authenticator the private key is generated on the device and never exported. Each credential is also bound to the relying party ID (the site's domain): the browser will not present a credential registered for example.org to a look-alike domain, and the server verifies that the assertion was made for its own origin. This origin binding, rather than any secret a user could be tricked into typing, is what makes FIDO2 phishing-resistant. All major browsers and operating systems have supported FIDO2 since 2019.
Passkeys (introduced 2022–2023 by Apple, Google, and Microsoft) are a user-friendly deployment of FIDO2 credentials that syncs them across devices via the vendor's cloud account. Synced passkeys keep the origin binding and remain phishing-resistant; what changes is that the private key now leaves the device, end-to-end encrypted, into the vendor's sync fabric, so key custody depends on a (usually US) cloud account and its recovery process. They may therefore not meet the same sovereignty requirements as hardware-bound keys. A relying party can tell the two apart: the authenticator data carries a “backup eligible” (BE) and a “backup state” (BS) flag, and device-bound keys can additionally be identified through attestation at registration. For high-security use cases, hardware keys remain the recommended approach.
See also: SSO, Identity Provider, eIDAS
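The origin binding and the passkey flags described above, as an added example that is not part of the original page or of any WebAuthn library: parsing the authenticator data a relying party receives and applying the policy checks that make FIDO2 phishing-resistant, in Python with the standard library only. The authenticator data, RP IDs and origins are constructed; verifying the signature over the authenticator data and the client data hash, which needs the credential's public key, is deliberately left out, so this is the policy layer, not a complete assertion verifier.

```python
import hashlib
import struct
from urllib.parse import urlsplit

# Bits of the WebAuthn authenticator-data flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced (passkey)
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticator data (rpIdHash | flags | signCount), no attested
    credential data and no extensions. Only used to produce test input offline."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix every authenticator data value starts with."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """The RP ID must equal the origin's host or be a registrable suffix of it,
    and the origin must be a secure context."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme != "https" and host != "localhost":
        return False
    return host == rp_id or host.endswith("." + rp_id)


def check_assertion(auth_data: bytes, client_origin: str, expected_rp_id: str,
                    last_sign_count: int, require_uv: bool = True, allow_synced: bool = True):
    """Policy checks a relying party applies to an assertion. Returns (ok, reason)."""
    parsed = parse_auth_data(auth_data)
    # Origin from clientDataJSON must belong to this RP (phishing sites fail here).
    if not rp_id_matches_origin(expected_rp_id, client_origin):
        return False, "origin does not belong to RP ID"
    # The authenticator hashed the RP ID it was invoked for; it must be ours.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to a different site)"
    if not parsed["user_present"]:
        return False, "user presence not asserted"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification required but not performed"
    # Sovereignty/assurance policy: optionally refuse cloud-synced passkeys.
    if not allow_synced and parsed["backup_eligible"]:
        return False, "synced (backup-eligible) passkey rejected by policy"
    # Counter check per spec: only meaningful if either side reports a non-zero value
    # (synced passkeys typically report 0).
    if (parsed["sign_count"] != 0 or last_sign_count != 0) and parsed["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


if __name__ == "__main__":
    hw_key = build_auth_data("example.org", FLAG_UP | FLAG_UV, 42)
    print(check_assertion(hw_key, "https://login.example.org", "example.org", 41))
    print(check_assertion(hw_key, "https://examp1e.org", "example.org", 41))
    passkey = build_auth_data("example.org", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(check_assertion(passkey, "https://example.org", "example.org", 0, allow_synced=False))
```

Two things worth noting: the look-alike domain is rejected twice over, once because the origin is not under the RP ID and once because the authenticator hashes the RP ID it was actually invoked for, so neither the user nor the phishing page gets to decide which site a credential belongs to. The BE/BS flags are what a relying party with a "hardware-bound only" policy would read; they are set by the authenticator and cannot be changed by the browser.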
GDPR
The General Data Protection Regulation (EU 2016/679) governs how personal data of people in the EU/EEA must be collected, stored, and processed. It was adopted on 27 April 2016 and became enforceable on 25 May 2018. It applies to organisations established in the EU/EEA and, under Article 3(2), to organisations anywhere else that offer goods or services to people in the EU or monitor their behaviour, regardless of where the organisation is based.
Key principles include data minimisation, purpose limitation, storage limitation, and accountability. Data subjects have rights including access, rectification, erasure (“right to be forgotten”), data portability, and the right to object to processing. International data transfers require specific legal mechanisms (adequacy decisions, standard contractual clauses, or binding corporate rules).
Enforcement is handled by national Data Protection Authorities (DPAs). Notable fines include Meta (€1.2 billion, 2023, for US data transfers), Amazon (€746 million, 2021), and WhatsApp (€225 million, 2021). The GDPR is known as DSGVO in German and RGPD in French. It has inspired similar legislation worldwide, including Brazil’s LGPD, California’s CCPA/CPRA, and India’s DPDP Act.
The tension between GDPR requirements and US surveillance law (including the CLOUD Act) is a central driver of the European digital sovereignty movement.
See also: CLOUD Act, EU-US Data Privacy Framework, Digital sovereignty
API
An Application Programming Interface is a defined way for software systems to communicate with each other. APIs define what data can be requested, what operations can be performed, and in what format the exchange happens. In the context of web services, this typically means REST APIs (using HTTP/JSON) or GraphQL.
Open, well-documented APIs enable interoperability — the ability for different systems to work together. Proprietary or undocumented APIs create vendor lock-in, as switching providers requires rewriting all integrations. The EU’s Data Act (2023) and the eIDAS 2.0 regulation both mandate open APIs for certain use cases.
Standards bodies like the OpenAPI Initiative (part of the Linux Foundation) provide specifications for describing REST APIs in a machine-readable format, enabling automated documentation, code generation, and testing.
See also: Vendor lock-in, Open Source
Sovereign Cloud Stack (SCS)
An open-source cloud infrastructure stack that defines standards for compute, storage, networking, and identity management. The project was initiated in 2021 and received funding from the German Federal Ministry for Economic Affairs and Climate Action (BMWK) through the Gaia-X funding programme until the end of 2024.
SCS is built on established open-source components: OpenStack for IaaS (Infrastructure as a Service), Kubernetes for container orchestration, and Keycloak for identity and access management. The project defines interoperability standards and certification criteria, so that workloads can be moved between SCS-compliant clouds without modification.
Cloud providers using SCS include plusserver, REGIO.cloud, Wavecon, and others listed on the SCS website. After the end of federal funding, the project transitioned to community governance under the Open Source Business Alliance (OSBA).
See also: Gaia-X, Digital sovereignty, Hyperscaler, Open Source
Gaia-X
A European initiative launched in 2019 by France and Germany to define standards and rules for a federated, transparent data infrastructure. Gaia-X is not a cloud provider itself, but a framework for interoperability, portability, and sovereignty requirements that cloud services can certify against.
The Gaia-X Association AISBL (based in Brussels) develops the Gaia-X Trust Framework — a set of rules and technical specifications that describe what makes a service “Gaia-X compliant.” This includes requirements for data protection, transparency, and the ability to switch providers.
The initiative has faced criticism for slow progress and the involvement of hyperscalers (AWS, Microsoft, Google became members), leading to concerns about whether Gaia-X can genuinely reduce dependency on these providers. Supporters argue that setting common standards benefits the ecosystem regardless of who participates. The Sovereign Cloud Stack is one of the concrete technical implementations aligned with Gaia-X principles.
See also: Sovereign Cloud Stack, Digital sovereignty, Hyperscaler
Hyperscaler
Cloud providers operating at massive global scale with data centers across many regions. The term typically refers to the three dominant providers: AWS (Amazon Web Services, launched 2006), Azure (Microsoft, launched 2010), and GCP (Google Cloud Platform, launched 2008). Together, they hold approximately 65–70 % of the global cloud infrastructure market.
Their scale enables low prices, a vast catalogue of managed services, and a global presence that smaller providers cannot easily match. However, this dominance raises concerns about vendor lock-in, data sovereignty (all three are US companies subject to the CLOUD Act), and market concentration.
European alternatives include OVHcloud (France), Hetzner (Germany), IONOS (Germany), Scaleway (France), and providers certified under the Sovereign Cloud Stack. The trade-off is typically fewer managed services and smaller global reach in exchange for European jurisdiction and greater data sovereignty.
See also: CLOUD Act, Vendor lock-in, Sovereign Cloud Stack, Bare metal
Bare metal
A dedicated physical server that is not shared with other customers, unlike virtual machines or containers in the cloud. The term “bare metal” means the customer has direct access to the hardware without a hypervisor layer.
Bare-metal servers offer full hardware control, predictable performance (no “noisy neighbour” problem), and the ability to run any operating system or hypervisor. They are commonly used for database servers, high-performance computing, CI/CD build infrastructure, and workloads with strict compliance requirements.
European providers like Hetzner (Germany) and OVHcloud (France) offer bare-metal servers at competitive prices — often significantly cheaper than equivalent hyperscaler instances. For organisations pursuing digital sovereignty, bare-metal servers in European data centres provide the maximum level of infrastructure control. Full control also means full responsibility: firmware and BMC updates, full-disk encryption, and sanitising disks before a server is returned are the tenant's job, and the provider's out-of-band management interface (IPMI/BMC) remains a trust boundary the tenant does not control.
See also: Hyperscaler, Digital sovereignty
End-to-end encryption (E2EE)
A communication method where messages are encrypted on the sender’s device and can only be decrypted on the recipient’s device. No intermediary — not the service provider, not the network operator, not a government — can read the content, even if the server is compelled by law or compromised by an attacker. Two limits apply: E2EE protects content, not metadata (who communicates with whom, and when), and it protects nothing once an endpoint itself is compromised.
E2EE combines public-key cryptography (to agree keys between devices) with symmetric encryption of the messages themselves. Common protocols include the Signal Protocol (used by Signal, WhatsApp, and Google Messages), Matrix’s Olm and Megolm protocols (used by Element; vodozemac is the Rust implementation), and the MLS (Messaging Layer Security) standard (IETF RFC 9420, published 2023), which is designed for large-group messaging. Key verification (comparing safety numbers, or cross-signing devices in Matrix) is what turns “encrypted” into “encrypted to the right person”: a server that can substitute public keys could otherwise insert itself into a conversation.
E2EE is a key technology for digital sovereignty because it ensures data confidentiality independently of where it is stored or who operates the server. However, E2EE is subject to ongoing political debate. Some governments argue it hinders law enforcement; the EU’s proposed “chat control” regulation has been controversial in this regard. Under GDPR, encryption is explicitly named in Article 32 as an appropriate technical measure, and E2EE is generally regarded as a strong safeguard for personal data.
See also: Digital sovereignty, GDPR
Fork
When a software project’s source code is copied and developed independently from the original. Forking is a fundamental right granted by open-source licenses — it ensures that no single entity can hold a community hostage by changing direction or licensing terms.
Notable forks include: LibreOffice from OpenOffice.org (2010, after Oracle’s acquisition of Sun Microsystems), Nextcloud from ownCloud (2016, over disagreements about open-source commitment), MariaDB from MySQL (2009, during Oracle’s pending acquisition of Sun Microsystems), and Valkey from Redis (2024, after Redis Labs changed the license to non-open-source).
Forks often occur when the original project changes its license to a more restrictive one, or when the community loses trust in the project’s governance. The ability to fork is considered a crucial safeguard against vendor lock-in in open-source ecosystems — even if a fork never happens, its possibility constrains the original maintainer’s behaviour.
See also: Open Source, Vendor lock-in
CNCF
The Cloud Native Computing Foundation (cncf.io) is a vendor-neutral foundation, part of the Linux Foundation, that hosts open-source projects for cloud-native computing. Founded in 2015 alongside the donation of Kubernetes by Google.
CNCF projects go through three maturity stages: Sandbox (early stage), Incubating (growing adoption), and Graduated (proven production use). Graduated projects include Kubernetes, Prometheus, Envoy, Helm, and Argo. Keycloak (relevant for identity management) is a CNCF incubating project.
The CNCF Landscape provides an overview of the cloud-native ecosystem with over 1,000 projects and products. For organisations building sovereign infrastructure, CNCF projects form the core of the Sovereign Cloud Stack and many European cloud offerings.
See also: Sovereign Cloud Stack, Open Source, Identity Provider
EU AI Act
The Artificial Intelligence Act (EU 2024/1689) is the world’s first comprehensive AI regulation. Proposed by the European Commission in April 2021, it was adopted on 13 June 2024 and entered into force on 1 August 2024. Implementation is phased: prohibited practices apply from 2 February 2025, obligations for general-purpose AI from 2 August 2025, most remaining provisions (including the high-risk systems listed in Annex III) from 2 August 2026, and the high-risk obligations for AI embedded in products already covered by EU product safety legislation (Annex I) from 2 August 2027.
The Act classifies AI systems into four risk categories: unacceptable risk (banned — e.g., social scoring, real-time biometric identification in public spaces with exceptions), high risk (regulated — e.g., AI in hiring, credit scoring, law enforcement), limited risk (transparency obligations — e.g., chatbots must disclose they are AI), and minimal risk (no requirements).
For foundation models and general-purpose AI (GPAI), the Act introduces a tiered approach. All GPAI providers must provide technical documentation and comply with copyright law. GPAI models with “systemic risk” (presumed where the cumulative training compute exceeds 10²⁵ FLOPs) face additional requirements including adversarial testing and incident reporting. Open-weight models receive some exemptions, though not for systemic-risk models.
See also: Foundation model, Open-weight models, LLM
Digital sovereignty
The ability of an organisation, government, or individual to maintain control over their own digital infrastructure, data, and processes — without undue dependency on any single external provider, jurisdiction, or technology stack.
The concept gained political traction in Europe after the Snowden revelations (2013), the invalidation of the EU-US Safe Harbor agreement by the Court of Justice of the EU (Schrems I, 2015), and the subsequent invalidation of Privacy Shield (Schrems II, 2020). It has since become a central theme in EU digital policy, reflected in legislation like the GDPR, the Data Act, the EU AI Act, and initiatives like Gaia-X.
Digital sovereignty does not mean autarky or rejecting all foreign technology. Rather, it means ensuring meaningful alternatives exist, data can be migrated, and dependencies are conscious choices rather than unavoidable constraints. Key building blocks include open source software, open standards, European hosting providers, and self-hosted identity management.
See also: GDPR, CLOUD Act, Gaia-X, Sovereign Cloud Stack, Vendor lock-in
LLM (Large Language Model)
A type of AI model trained on large amounts of text data that can generate, summarise, translate, and reason about text. LLMs are a subset of foundation models — specifically those focused on language. They are based on the Transformer architecture, introduced in the paper “Attention Is All You Need” (Google, 2017).
Major LLMs include: GPT-4 (OpenAI, closed-source, cloud-only), Claude (Anthropic, closed-source, cloud-only), Gemini (Google, closed-source), Mistral and Mixtral (Mistral AI, some models open-weight), LLaMA (Meta, open-weight), Qwen (Alibaba, open-weight), and DeepSeek (DeepSeek, open-weight, MIT licence since R1/January 2025; earlier models used a custom permissive licence).
For digital sovereignty, the key question is whether LLMs can be self-hosted. Open-weight models like LLaMA and Mistral can run on private infrastructure, keeping data within the organisation. Cloud-only models require sending all input data to the provider’s servers, which may conflict with GDPR requirements or confidentiality needs. The compute requirements for running larger models locally are significant but decreasing, with quantised models running on consumer-grade GPUs. Self-hosting brings its own supply-chain concern: model files distributed in Python pickle format can execute arbitrary code when loaded, so weights should be obtained in the safetensors format from a verified source and their checksums recorded.
See also: Foundation model, Open-weight models, EU AI Act, Digital sovereignty
EU-US Data Privacy Framework
An adequacy decision adopted by the European Commission on 10 July 2023, providing a legal basis for transferring personal data from the EU to US companies that have self-certified under the framework. It is administered by the International Trade Administration (ITA) within the US Department of Commerce. The list of certified companies is available at dataprivacyframework.gov.
The Framework is the third attempt to provide a legal basis for EU-US data transfers, after Safe Harbor (2000–2015, invalidated in Schrems I) and Privacy Shield (2016–2020, invalidated in Schrems II). Both predecessors were struck down by the Court of Justice of the EU because US surveillance law did not provide adequate protection for EU citizens’ data.
The current Framework relies on Executive Order 14086, signed by President Biden in October 2022, which introduced proportionality requirements for US signals intelligence and a Data Protection Review Court (DPRC) for EU citizens to challenge surveillance. Critics, including privacy advocate Max Schrems (noyb), have long warned that an executive order can be revoked by a future president and that the DPRC lacks true judicial independence. While EO 14086 itself was not revoked when the Trump administration rescinded many other Biden-era executive orders in January 2025, the administration terminated the Democratic members of the PCLOB (Privacy and Civil Liberties Oversight Board), leaving it without a quorum and unable to perform its statutory oversight of EO 14086 safeguards. European DPAs have advised businesses to prepare alternative transfer mechanisms. A legal challenge (Schrems III) is widely expected. The long-term stability of this framework remains in serious doubt.
See also: GDPR, CLOUD Act, Digital sovereignty
Foundation model
A large AI model trained on broad data that can be adapted for many downstream tasks through fine-tuning or prompting. The term was coined by the Stanford Institute for Human-Centered Artificial Intelligence (HAI) in a 2021 paper. It encompasses large language models (LLMs) but also image generators (Stable Diffusion, DALL-E), audio models (Whisper), video models (Sora), and multimodal models (GPT-4o, Gemini).
Training a foundation model from scratch requires enormous compute resources — estimates for GPT-4-class models range from $50–100 million in compute costs alone. This creates a concentration of capability among a few well-funded organisations: OpenAI, Google DeepMind, Anthropic, Meta, and Mistral AI in Europe. The open-weight movement (Meta’s LLaMA, Mistral’s models) partially counteracts this concentration by allowing others to use and adapt models without repeating the training cost.
The EU AI Act regulates foundation models under the “general-purpose AI” category, with additional requirements for models deemed to pose “systemic risk.” The Act’s impact on European AI development and the availability of open-weight models is an active area of policy debate.
See also: LLM, Open-weight models, EU AI Act
openDesk
A sovereign workplace initiative funded by the German government through the Zentrum für Digitale Souveränität (ZenDiS — Centre for Digital Sovereignty), a subsidiary of the German Federal Ministry of the Interior. openDesk integrates multiple independent open-source projects — including Nextcloud (file sync), Open-Xchange (email/calendar), Collabora Online (document editing), Jitsi (video conferencing), Element (Matrix-based messaging), and others — into a unified digital workplace for the German public sector.
openDesk 1.0 was released in 2024. The ambition is to provide a Microsoft 365-equivalent workplace suite under full European control. The approach raises real questions: integrating independently developed projects into a coherent user experience is technically demanding, and support responsibilities across multiple upstream projects can be complex. At the same time, the initiative represents one of the largest government commitments to open-source workplace infrastructure in Europe.
See also: Open Source, Digital sovereignty, LibreOffice, Collabora Online, Open-Xchange
Open-Xchange (OX)
A German open-source software company founded in 2005, headquartered in Nuremberg. Open-Xchange develops an email, calendar, contacts, and cloud storage platform (OX App Suite) that is widely used by European internet service providers and hosting companies — including 1&1, Rackspace, and Comcast. OX powers the backend for tens of millions of mailboxes worldwide, though most end users never see the Open-Xchange brand.
Within the European sovereign workplace landscape, Open-Xchange provides the email and calendar component for openDesk. Schleswig-Holstein completed its migration to Open-Xchange for all 30,000 government workstations in October 2025.
Open-Xchange competes with other open-source groupware solutions like EGroupware and Nextcloud’s groupware add-ons, as well as proprietary platforms like Microsoft Exchange and Google Workspace.
See also: Groupware, openDesk, Self-hosting, Digital sovereignty
Self-hosting
Running software on your own servers (on-premises or in a rented data centre) rather than using a cloud-hosted service managed by a third party. Self-hosting gives an organisation full control over its data, configuration, and update schedule — but requires in-house expertise for installation, maintenance, security updates, backups, and monitoring.
Common self-hosted alternatives to cloud services include: Nextcloud (file sync, replacing Dropbox/OneDrive), Matrix/Element (messaging, replacing Slack/Teams), Mattermost (messaging — note: with v11 in October 2025, Mattermost replaced the MIT-licensed Team Edition as default free tier with a proprietary “Mattermost Entry” tier under a commercial licence, with usage caps and feature restrictions; the AGPLv3 source code remains available for self-compilation), Keycloak (identity, replacing “Sign in with Google”), and mail servers (replacing Gmail/Outlook). The operational cost of self-hosting is often underestimated — see Total Cost of Ownership.
Self-hosting is a spectrum: from running software on a server in your own office, to using dedicated (bare metal) servers in a European data centre, to deploying containers on a managed Kubernetes cluster. Each level offers different trade-offs between control and operational effort.
See also: Total Cost of Ownership, Digital sovereignty, Bare metal
Deliverability
In email, deliverability refers to whether an email sent from your server actually reaches the recipient’s inbox — as opposed to being silently dropped, bounced, or sorted into spam. It is one of the most challenging aspects of self-hosting an email server.
Deliverability depends on several technical factors: SPF (Sender Policy Framework: a DNS TXT record listing which servers are authorised to send for your domain), DKIM (DomainKeys Identified Mail: a signature over selected headers and the body, made with a private key whose public half is published in DNS under a selector, proving that the domain authorised the message and that the signed parts were not altered in transit), DMARC (Domain-based Message Authentication, Reporting & Conformance: a policy that ties SPF and DKIM results to the visible From: domain, tells receivers whether to quarantine or reject failures, and requests aggregate reports), and IP reputation (whether the sending IP address has a history of spam).
Large providers like Google and Microsoft apply aggressive filtering. A new or low-volume mail server will often have poor IP reputation by default, causing legitimate emails to be flagged as spam. Building and maintaining reputation requires consistent sending patterns, correct authentication records, monitoring of DNS blocklists (RBLs), and basics such as a matching forward and reverse DNS entry (PTR) for the sending host and TLS on outbound connections. This is why many organisations choose managed European email providers (e.g., Mailbox.org, Posteo, Proton Mail) rather than running their own mail servers.
See also: Self-hosting
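The authentication records above, as an added example that is not code from this page or from any mail provider: a small Python linter (standard library only) that parses SPF, DKIM and DMARC TXT records and flags the weaknesses a practitioner looks for first. The record table is constructed for two fictional domains, one configured well and one with the usual mistakes; a real check would fetch the records from DNS and additionally resolve `include:` chains to count lookups.

```python
import re

# Constructed sample DNS TXT records for two fictional domains (not real data).
SAMPLE_RECORDS = {
    "example.org": "v=spf1 ip4:203.0.113.10 include:_spf.mail-provider.example -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s",
    "s1._domainkey.example.org": "v=DKIM1; k=rsa; p=MIIBIjANBgkq...",
    "weak.example": "v=spf1 a mx include:_spf.google.com ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "s1._domainkey.weak.example": "v=DKIM1; k=rsa; t=y; p=",
}

# Mechanisms/modifiers that cost a DNS lookup; SPF allows at most 10 (RFC 7208 4.6.4).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def parse_spf(record: str):
    """Return (terms, findings) for an SPF record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [], ["not an SPF record"]
    mechanisms = terms[1:]
    all_terms = [t for t in mechanisms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host to send")
        elif qualifier == "~":
            findings.append("'~all' (softfail) lets forged mail through at many receivers")
        elif qualifier == "?":
            findings.append("'?all' (neutral) provides no protection")
    lookups = [t for t in mechanisms if _LOOKUP_TERM.match(t)]
    if len(lookups) > 10:
        findings.append(f"{len(lookups)} DNS-lookup terms exceeds the limit of 10 (permerror)")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in mechanisms):
        findings.append("'ptr' mechanism is deprecated")
    return mechanisms, findings


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' tag list as used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_dmarc(record: str):
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return tags, ["not a DMARC record"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return tags, findings


def parse_dkim(record: str):
    if not record.strip():
        return {}, ["no DKIM record at this selector"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # 'v' is optional but must be DKIM1 if present
        return tags, ["not a DKIM record"]
    if not tags.get("p"):
        findings.append("empty 'p': key revoked, signatures with this selector will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing mode: receivers may ignore verification results")
    return tags, findings


def audit_domain(domain: str, records: dict = SAMPLE_RECORDS, selector: str = "s1") -> dict:
    """Run all three parsers for a domain over a record table keyed by DNS name."""
    return {
        "spf": parse_spf(records.get(domain, ""))[1],
        "dmarc": parse_dmarc(records.get(f"_dmarc.{domain}", ""))[1],
        "dkim": parse_dkim(records.get(f"{selector}._domainkey.{domain}", ""))[1],
    }


if __name__ == "__main__":
    for name in ("example.org", "weak.example"):
        print(name, audit_domain(name))
```

The linter treats `~all` and `p=none` as findings on purpose: both are fine while a domain is still collecting DMARC reports, but a server left in that state indefinitely is the single most common reason spoofed mail from a self-hosted domain is accepted elsewhere.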
Decentralized
A system architecture where no single entity controls the entire network. Instead of all communication flowing through one provider’s servers (centralised model — e.g., Slack, Teams, WhatsApp), a decentralised system allows multiple independent servers to communicate with each other using an open protocol.
Email is the oldest decentralised system in wide use: anyone can run a mail server, and servers from different providers exchange messages via SMTP. The Matrix protocol applies this principle to instant messaging: organisations can run their own Matrix server and still communicate with users on other Matrix servers (called “federation”). Mastodon (social media) and XMPP (messaging) follow the same principle.
The advantage is resilience and autonomy: no single provider can shut down the network, change terms of service for everyone, or be compelled to hand over all data. The trade-off is complexity: ensuring consistent user experience, end-to-end encryption across servers, and spam prevention is harder in a decentralised system.
See also: Matrix, Self-hosting, Digital sovereignty
Open standards
Technical specifications that are publicly documented, freely implementable without licensing fees, and maintained through a transparent, collaborative process — typically by standards organisations such as the IETF (Internet standards), W3C (web standards), OASIS (business standards), or ISO.
Examples: HTML/CSS (web pages), SMTP/IMAP (email), CalDAV/CardDAV (calendar/contacts sync), OpenDocument Format (ODF) (documents — used by LibreOffice), OAuth 2.0 / OpenID Connect (authorisation and authentication), and WebDAV (file access). Open standards enable interoperability — the ability to switch between implementations without losing data or functionality.
Open standards are the foundation of data portability and the strongest safeguard against vendor lock-in. The EU actively promotes open standards through the European Interoperability Framework and procurement guidelines that increasingly require standard-based solutions. The contrast: proprietary formats (e.g., Microsoft’s .docx, which is nominally standardised as OOXML but in practice contains undocumented extensions) create dependencies that open standards avoid.
See also: Interoperability, Data portability, Vendor lock-in, Open Source
Total Cost of Ownership (TCO)
The full cost of a technology over its entire lifecycle — not just the purchase price or licence fee, but also implementation, migration, training, maintenance, support, and eventual decommissioning. TCO analysis is essential for honest comparisons between proprietary and open-source solutions.
Open-source software has no licence fees, but is not “free” in the total-cost sense. Costs include: staff time for installation and configuration, ongoing maintenance and security updates, training (especially when migrating from familiar tools), integration with existing systems, and potentially commercial support contracts. Proprietary solutions bundle many of these costs into the subscription price, making them appear simpler — but also hide vendor lock-in costs that become visible only when switching.
A realistic TCO comparison should include: direct costs (licences, subscriptions, hosting, support contracts), indirect costs (staff time, training, productivity impact during migration), risk costs (lock-in, regulatory compliance, provider stability), and opportunity costs (what could be done with freed budget). Many “Open Source is free” claims and many “Microsoft is more expensive” claims fail because they ignore parts of this equation.
See also: Vendor lock-in, Self-hosting, Open Source
LibreOffice
A free and open-source office suite developed by The Document Foundation (TDF). It was forked from OpenOffice.org in 2010 after Oracle’s acquisition of Sun Microsystems raised concerns about the project’s future. LibreOffice includes Writer (word processing), Calc (spreadsheets), Impress (presentations), Draw (vector graphics), Base (databases), and Math (formula editing).
LibreOffice uses the OpenDocument Format (ODF) (ISO/IEC 26300) as its native file format — an open standard that ensures long-term accessibility of documents. It can also read and write Microsoft formats (.docx, .xlsx, .pptx), though complex formatting may not always convert perfectly.
LibreOffice is the most widely deployed open-source office suite in European public administration. Notable deployments include the German state of Schleswig-Holstein (30,000 PCs), the Italian military (150,000 workstations), and numerous EU institutions. For browser-based collaborative editing, Collabora Online provides a LibreOffice-based alternative to Google Docs.
See also: Collabora Online, Open standards, Fork, OnlyOffice
Collabora Online
A browser-based document editing suite built on LibreOffice technology, developed by Collabora Productivity (a UK-based company). It provides real-time collaborative editing of documents, spreadsheets, and presentations directly in the web browser — similar to Google Docs or Microsoft Office Online.
Collabora Online can be self-hosted and integrates with file platforms like Nextcloud, ownCloud, and openDesk. This makes it possible to offer browser-based document editing entirely within European infrastructure, without sending data to US cloud providers. It is one of the core components of the openDesk sovereign workplace initiative.
The trade-off compared to Google Docs or Microsoft Office Online: Collabora Online has improved significantly but may still lag in real-time collaboration performance and the breadth of integrated features (e.g., no native equivalent to Google Sheets’ AI features). For organisations prioritising data sovereignty, it is currently the most mature open-source option for browser-based document editing.
See also: LibreOffice, openDesk, Self-hosting, OnlyOffice
OnlyOffice
An open-source office suite developed by Ascensio System SIA (Latvia). Unlike LibreOffice, OnlyOffice was designed from the start for browser-based collaborative editing, with a focus on high compatibility with Microsoft Office formats (.docx, .xlsx, .pptx).
OnlyOffice Docs (the document editing component) can be self-hosted and integrates with platforms like Nextcloud, Seafile, and others. The desktop application is available for Windows, macOS, and Linux. The core editor is open source (AGPL v3), while the enterprise-focused OnlyOffice Workspace (with CRM, mail, project management) uses a proprietary licence for some features.
For organisations choosing between document editing solutions, the practical comparison is: OnlyOffice offers better Microsoft format compatibility; Collabora Online offers better ODF support and the backing of the LibreOffice ecosystem. Both can be self-hosted. Neither fully matches the collaborative editing experience of Google Docs or Microsoft 365 — though the gap is narrowing.
See also: LibreOffice, Collabora Online, Open Source, Self-hosting
Matrix (protocol)
An open, decentralised communication protocol for real-time messaging, voice, and video — developed by the Matrix.org Foundation (a UK non-profit). The protocol is an open standard, and anyone can run a Matrix server (called a “homeserver”) that federates with other Matrix servers, similar to how email works.
The most widely used Matrix client is Element (formerly Riot.im), developed by Element (the company, formerly New Vector Ltd). Matrix enables end-to-end encryption by default for direct messages; it can also be enabled for group chats.
Matrix has seen significant adoption in European public administration: the French government uses it as the basis for Tchap (messaging for all government employees), the German Bundeswehr uses it for BwMessenger, and the German healthcare system (gematik) has adopted it for the TI-Messenger. These deployments demonstrate that Matrix can scale to hundreds of thousands of users in high-security environments. The protocol specification is maintained at spec.matrix.org.
See also: Decentralized, End-to-end encryption, Self-hosting, Open standards
Workflow automation
Software that connects different applications and automates sequences of tasks — reducing manual work and enabling processes to run across multiple systems without human intervention at each step. In the context of digital independence, workflow automation tools can help decouple business logic from specific applications, making it easier to replace individual components without rebuilding entire processes.
Notable workflow automation tools include: n8n (visual workflow builder, source-available under the Sustainable Use License — marketed as “fair code” but not open source by the OSI definition, self-hostable), Node-RED (flow-based programming, originally by IBM, now a Linux Foundation project, Apache 2.0 licence), and Apache Airflow (data pipeline orchestration, widely used in data engineering). Camunda is a process automation platform focused on BPMN (Business Process Model and Notation) workflows — more structured than n8n/Node-RED and aimed at enterprise process orchestration. Note: Camunda 8 switched to a proprietary licence (Camunda License 1.0) starting with version 8.6 (October 2024); the core engine including Zeebe is now non-production only without a paid licence, though client libraries and SDKs remain Apache 2.0. Camunda 7 community edition reached end of life in October 2025; community forks (CIB seven, Operaton) have emerged.
The trade-off: while workflow automation can reduce dependency on any single application, the automation platform itself becomes a dependency. Migrating complex workflows between automation tools is non-trivial. Choosing an open-source, self-hosted tool with open standards support (e.g., BPMN for Camunda) mitigates but does not eliminate this risk.
See also: Vendor lock-in, Open standards, Self-hosting, Interoperability
Data portability
The ability to move data from one system or provider to another in a usable format, without losing information or functionality. Data portability is a prerequisite for avoiding vendor lock-in and a fundamental principle of digital sovereignty.
The GDPR (Article 20) grants EU citizens a “right to data portability” for their personal data — the right to receive data in a “structured, commonly used and machine-readable format.” The Data Act (EU 2023/2854, applicable from September 2025) extends portability requirements to cloud services, requiring providers to support data export and prohibiting contractual barriers to switching.
In practice, data portability depends on open standards: if your email is stored in standard IMAP mailboxes, migration is straightforward. If your project management data is in a proprietary format with no export function, migration may require extensive manual effort. Key standards for portability include: IMAP (email), CalDAV/CardDAV (calendar/contacts), ODF (documents), CSV/JSON (structured data), and SQL dumps (databases). When evaluating any tool, the practical test is: “Can I export all my data and import it into a different system within a reasonable timeframe?”
See also: Open standards, Vendor lock-in, GDPR, Interoperability
Interoperability
The ability of different software systems, developed by different vendors, to exchange data and work together without special effort. Interoperability is the practical result of open standards — and the absence of it is a primary mechanism of vendor lock-in.
Levels of interoperability: Syntactic (systems can exchange data — e.g., both speak JSON over HTTPS), Semantic (systems interpret the data the same way — e.g., both understand what a “calendar event” means), and Organisational (different organisations agree on processes and governance for data exchange). The European Interoperability Framework (EIF) defines these levels and provides guidance for public administration.
In the digital independence context, interoperability means: your calendar in Nextcloud can sync with any CalDAV-compatible client, your documents in LibreOffice can be opened in any ODF-compatible editor, and your identity system (Keycloak) can authenticate users for any SAML/OIDC-compatible application. When interoperability is strong, switching individual components becomes feasible. When it’s weak, you’re locked into the entire stack.
See also: Open standards, Data portability, Vendor lock-in, API
Munich Security Conference (MSC)
The world’s largest annual conference on international security policy, held in Munich since 1963. Organised by the MSC Foundation under the chairmanship of Christoph Heusgen (since 2022). Attendees include heads of state, defence ministers, senior military officials, and security experts.
The MSC does not make binding decisions, but sets topics on the international security policy agenda. In February 2025, Chancellor Friedrich Merz used his opening speech to classify Europe’s technological dependency as a strategic failure on a major security policy stage for the first time.
See also: Digital sovereignty
ESTIA
The European Sovereign Tech Industry Alliance was founded in November 2025 at the Berlin summit on European digital sovereignty. Founding members include Airbus, Dassault Systèmes, Deutsche Telekom, Orange, OVHcloud, and Sopra Steria.
The alliance aims to build sovereign cloud services and European digital infrastructure. Its official launch is planned for 2026. ESTIA will be judged by whether it delivers concrete products where Gaia-X largely remained at the level of standards and position papers.
See also: Gaia-X, Digital sovereignty, Hyperscaler
LaSuite
The sovereign digital workplace of the French government, developed by DINUM. LaSuite consists of open-source modules for messaging, video conferencing, document editing, and collaboration — built as custom forks with a consistent UI.
Crucially, LaSuite can federate with openDesk. A French civil servant can collaborate with a German colleague on a document without the data passing through US cloud services. The Netherlands is developing MijnBureau, a third platform combining components from both systems.
See also: openDesk, DINUM, MijnBureau, Fork
MijnBureau
The sovereign digital workplace of the Dutch government, combining components from openDesk and LaSuite into an independent platform. MijnBureau is being developed as part of the European collaboration for sovereign government workplaces and can federate with the German and French platforms.
See also: openDesk, LaSuite, Digital sovereignty
Public Money, Public Code
A campaign by the FSFE with a clear core demand: software developed with public money should be released under free licences as open source. The initiative is supported by over 200 organisations and administrations.
The European Parliament adopted the principle in January 2026 with its “Open Source first” resolution in the report on technological sovereignty — by 471 votes to 68.
See also: FSFE, Open Source, Digital sovereignty
Eurostack
A strategic vision for an end-to-end European digital infrastructure — from semiconductors to cloud to software and AI. The term was used in the European Parliament’s report on technological sovereignty (January 2026) to describe the goal of developing European alternatives at every layer of the digital value chain, built on open standards.
Eurostack is not a single project but a reference framework: Europe should not be entirely dependent on non-European providers at any layer of digital infrastructure. Concrete building blocks include the Sovereign Cloud Stack, openDesk, LaSuite, and the ESTIA alliance.
See also: Digital sovereignty, Sovereign Cloud Stack, ESTIA, Value chain
Digital Commons-EDIC
A European Digital Infrastructure Consortium (EDIC) for digital commons, initiated by Germany, France, the Netherlands, and Italy at the Berlin summit on digital sovereignty in November 2025.
EDICs are an instrument of the EU’s Digital Decade Policy Programme (Decision 2022/2481), enabling groups of at least three member states to jointly invest in digital infrastructure. The Digital Commons-EDIC aims to promote the development and maintenance of open-source software and open standards as digital commons — infrastructure available to all and controlled by no single provider.
See also: Digital sovereignty, Open Source, Open standards
FSFE
The Free Software Foundation Europe is a non-profit organisation that has championed free software rights in Europe since 2001 — through policy work, legal support, and public awareness. It is independent from the American FSF.
The FSFE’s best-known campaign is “Public Money, Public Code”. It also supports initiatives for open standards in public administration, provides legal advice on licensing issues, and contributes to EU legislative processes with position papers on digital sovereignty.
See also: PMPC, Open Source, Digital sovereignty
DINUM
The Direction interministérielle du numérique (Interministerial Directorate for Digital Affairs) is the French government agency responsible for the digital transformation of public administration. It reports to the Prime Minister and coordinates IT strategy across all ministries.
DINUM develops LaSuite, the sovereign digital workplace of the French government, and runs the “communs numériques” (digital commons) programme. It is the French counterpart to Germany’s ZenDiS (Centre for Digital Sovereignty), which develops openDesk.
See also: LaSuite, openDesk, Digital sovereignty
Data Act
The Data Act (EU 2023/2854) regulates access to and sharing of data in the EU. It was adopted on 13 December 2023 and applies from 12 September 2025.
Key elements: users gain a right to access data generated by their connected devices (IoT). Cloud providers must actively support switching and may not charge prohibitive switching fees. Certain abusive contractual clauses on data sharing are prohibited. Requirements for interoperability of data spaces are defined.
For digital sovereignty, the Data Act is significant because it addresses vendor lock-in at the cloud level through regulation — a provider may no longer contractually or technically block a customer’s departure.
See also: Vendor lock-in, Data portability, GDPR, Digital sovereignty
Snowden revelations
In June 2013, former NSA contractor Edward Snowden began providing journalists with classified documents that revealed the scale of global surveillance programmes operated by the US NSA and the British GCHQ.
The revelations exposed programmes including: PRISM (direct access to data held by Google, Apple, Microsoft, Facebook, and other US companies), XKeyscore (real-time searching of global internet communications), and the systematic surveillance of European government communications — including the mobile phone of Chancellor Angela Merkel.
The revelations were a turning point for European awareness of digital sovereignty. They triggered the Schrems I case, which in 2015 brought down the Safe Harbor agreement, and accelerated the adoption of the GDPR.
See also: Digital sovereignty, GDPR, CLOUD Act, EU-US Data Privacy Framework
Value chain
The sequence of stages through which a product or service is created — from basic research through development and production to distribution and support. The concept was introduced in 1985 by Michael E. Porter.
In the digital context, the value chain encompasses: semiconductors (chip design and manufacturing), hardware (servers, networking, end devices), operating systems, cloud infrastructure, platforms and middleware, application software, and services. Europe is heavily dependent on non-European providers at several of these layers — particularly in semiconductors (TSMC, Samsung), cloud (hyperscalers), and application software (Microsoft, Google).
Chancellor Merz defined digital sovereignty at the Berlin summit in 2025 as “the ability to shape technology across the entire value chain in line with European interests and needs.” The Eurostack approach aims to create European alternatives at every layer.
See also: Digital sovereignty, Eurostack, Hyperscaler
Brain drain
The emigration of highly skilled professionals — developers, AI researchers, founders — from Europe to countries with better conditions, particularly the US. The European technology sector thereby loses not only human capital but also the innovation potential needed for digital sovereignty.
Evidence: according to a study by the European Investment Fund (EIF), European tech founders emigrate disproportionately to the US, attracted by higher salaries (median software developer pay in the US roughly 50% above Western Europe), easier access to venture capital, and a culture that rewards entrepreneurial risk rather than regulating it.
The European Innovation Council (EIC) aims to counter this with funding programmes. However, structural disadvantages like the regulatory burden and fragmented European capital markets cannot be offset by subsidies alone.
See also: Digital sovereignty, Regulatory burden
Regulatory burden
The cumulative burden on companies and organisations from the totality of EU regulation — not any single regulation, but their sum. In the digital sector, this includes the EU AI Act, the Data Act, the GDPR, the Digital Services Act (DSA), the Digital Markets Act (DMA), and the NIS2 Directive.
Each individual regulation has its merits. In aggregate, they create an environment where compliance costs — legal advice, data protection officers, documentation requirements, certifications — consume significant resources. A European Court of Auditors study found that regulatory fragmentation puts European companies at a disadvantage compared to US and Chinese competitors.
That the Berlin summit on digital sovereignty itself called for a 12-month postponement of the AI Act’s high-risk provisions is a quiet admission of this contradiction: Europe regulates technology faster than it develops it.
See also: EU AI Act, Data Act, GDPR, Digital sovereignty
UI (User Interface)
The user interface is the layer through which people interact with software — screen layouts, menus, buttons, forms, and visual design. In the context of digital sovereignty, UI is relevant because user acceptance often determines whether a switch from proprietary to open-source software succeeds.
A consistent UI was a central design goal of LaSuite: the various open-source components (messaging, video conferencing, document editor) were developed as custom forks with a consistent look and feel, so that users experience a coherent working environment. openDesk takes a different approach, integrating upstream projects with their respective interfaces.
See also: LaSuite, Fork, openDesk
EUCS (EU Cloud Certification Scheme)
The European Union Cloud Certification Scheme is a cybersecurity certification framework for cloud services, developed by ENISA (EU Agency for Cybersecurity) under the EU Cybersecurity Act (EU 2019/881).
EUCS defines three assurance levels (Basic, Substantial, High) against which cloud providers can be certified. The High level is intended for sensitive data and critical infrastructure, and includes requirements related to operational sovereignty (e.g., legal jurisdiction, access controls, immunity from non-EU law). The question of how to handle the CLOUD Act exposure of US-owned providers has been the central political controversy in EUCS development — earlier drafts included explicit immunity-from-foreign-law requirements that were subsequently softened under industry and US government pressure.
EUCS is distinct from national schemes like France’s SecNumCloud, which has stricter sovereignty requirements, including mandatory EU legal entity control.
See also: SecNumCloud, CLOUD Act, Digital sovereignty, Sovereign Cloud Stack
SecNumCloud
A French national cloud security qualification scheme administered by ANSSI (Agence nationale de la sécurité des systèmes d’information). SecNumCloud is one of the most demanding cloud security frameworks in Europe, with strict requirements for operational security, data residency, and — crucially — legal sovereignty: the cloud provider must be an EU-controlled legal entity not subject to non-EU laws (such as the US CLOUD Act).
This last requirement effectively excludes subsidiaries of US hyperscalers from SecNumCloud qualification, even if they operate European data centres. French public administrations handling sensitive data are increasingly required to use SecNumCloud-qualified providers. Qualified providers include OVHcloud and other European-headquartered operators.
The scheme has influenced the debate around EUCS — France advocates for SecNumCloud-equivalent sovereignty requirements at the EU level, which has met resistance from providers and some member states.
See also: EUCS, CLOUD Act, Digital sovereignty
FranceConnect
The national digital identity federation of the French government, operated by DINUM. FranceConnect allows French citizens to authenticate to public administration services using their existing credentials from trusted identity providers (tax authority, social security, La Poste, etc.) — instead of maintaining separate accounts for each government service.
FranceConnect+ is a higher-assurance variant that uses identity proofing with physical document verification, meeting the requirements of eIDAS Level of Assurance High (LoA High). Together with LaSuite, FranceConnect is part of the French sovereign digital identity stack. It demonstrates the viability of government-backed identity federation as an alternative to “Sign in with Google/Apple/Facebook” at national scale.
See also: eIDAS, Identity Provider, DINUM, Digital sovereignty
DigiD
The Dutch national digital identity system, operated by Logius (part of the Ministry of the Interior). DigiD (short for Digitale Identiteit — Digital Identity) is used by over 14 million Dutch citizens to authenticate to more than 900 government services, including tax filing, healthcare, and social security.
DigiD uses a stepped assurance model aligned with eIDAS levels. The DigiD app (introduced 2019) provides Level of Assurance High via facial recognition matched against the passport register. The Netherlands is developing DigiD Wallet to align with the upcoming European Digital Identity Wallet (EUDIW) mandate under eIDAS 2.0.
DigiD is widely cited as a reference implementation for national digital identity at scale — alongside FranceConnect in France and the EUDIW initiative.
See also: eIDAS, FranceConnect, Identity Provider, Digital sovereignty
Active Directory (AD)
Microsoft’s proprietary directory service for managing users, groups, computers, and access policies in Windows-based networks. First released with Windows 2000, Active Directory has become the de facto standard for identity and access management in enterprises worldwide — particularly in organisations running Microsoft 365 and Windows desktops.
AD provides centralised authentication (Kerberos, NTLM), Group Policy management (GPO), and LDAP-based directory services. Its deep integration with Windows and Microsoft 365 is both its strength and a significant source of vendor lock-in: migrating away from AD requires replacing not just the directory, but the authentication protocols, group policies, and application integrations built on top of it.
Open-source alternatives include FreeIPA (Red Hat, based on 389 Directory Server + Kerberos + SSSD) and Samba AD (which implements the AD protocol directly, allowing Linux servers to act as AD domain controllers). Both have matured substantially but do not cover all AD-specific features — particularly complex Group Policy scenarios.
See also: LDAP, Vendor lock-in, SSO
LDAP (Lightweight Directory Access Protocol)
An open, vendor-neutral protocol for accessing and managing directory information — user accounts, groups, organisational structures, permissions. LDAP is the underlying protocol used by Active Directory, OpenLDAP, 389 Directory Server, and FreeIPA.
Originally defined in RFC 4511 (2006, based on X.500 from 1993), LDAP is one of the oldest and most widely deployed protocols in enterprise IT. It provides a hierarchical data structure (Distinguished Names, Organisational Units) that maps naturally to corporate structures.
For identity sovereignty, LDAP matters because it is an open standard: any LDAP-compliant directory can be replaced with another. This is in contrast to proprietary extensions built on top of LDAP (such as AD’s Group Policy), which create lock-in. Keycloak and Authentik both support LDAP federation, allowing organisations to migrate from AD incrementally.
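As an added illustration of the hierarchical naming described above (example code written for this glossary entry, not taken from OpenLDAP, 389 Directory Server, FreeIPA or any other product), the Python script below parses RFC 4514 Distinguished Names, including escaped characters, hex escapes and multi-valued RDNs, lists the ancestor chain of an entry from the naming context down, and checks whether a DN lies inside a given subtree. That subtree test is what LDAP-based access rules such as “only users under ou=Berlin” rely on, and it is also the check to get right when an identity broker like Keycloak federates several directories. The sample DNs are constructed for the example.

```python
"""RFC 4514 Distinguished Name parsing (added example with constructed sample DNs).

A DN reads leaf-first: the left-most RDN names the entry, every RDN to its right
names an ancestor up to the naming context (dc=example,dc=eu). Subtree checks of
the kind "is this user below ou=Berlin?" are how LDAP-based access rules work.
"""
from __future__ import annotations

import string

SPECIAL = set(',+"\\<>;')  # must be escaped inside a value (RFC 4514 section 2.4)

# Constructed sample: escaped comma in the common name, two OU levels.
SAMPLE_DN = "cn=Doe\\, Jane,ou=Engineering,ou=Berlin,dc=example,dc=eu"


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, keeping a backslash-escaped sep as part of the value."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):  # copy the escape pair untouched
            buf.extend(s[i : i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts

def _trim(s: str) -> str:
    """Drop optional whitespace around separators but keep an escaped trailing space."""
    s = s.lstrip(" ")
    while s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1]
    return s

def _unescape(value: str) -> str:
    """Resolve '\\,' style escapes and '\\2C' hex pairs (hex pairs are UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1 : i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode()
                i += 2
            continue
        out += value[i].encode()
        i += 1
    return out.decode()

def _escape(value: str) -> str:
    """Inverse of _unescape for the characters RFC 4514 requires to be escaped."""
    last = len(value) - 1
    return "".join(
        "\\" + c if c in SPECIAL or (i == 0 and c in " #") or (i == last and c == " ") else c
        for i, c in enumerate(value)
    )

def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """RDNs leaf-first; each RDN is a list of (type, value) pairs because an RDN may
    be multi-valued ('cn=Jane+sn=Doe'). Types are lower-cased, values unescaped."""
    if dn.strip() == "":
        return []  # the empty DN is the root DSE
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, raw = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip().lower(), _unescape(_trim(raw))))
        rdns.append(pairs)
    return rdns

def to_string(rdns: list[list[tuple[str, str]]]) -> str:
    """Serialise RDNs back into RFC 4514 string form."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in rdns)

def ancestors(dn: str) -> list[str]:
    """Every DN on the path from the naming context down to dn, root first."""
    rdns = parse_dn(dn)
    return [to_string(rdns[i:]) for i in range(len(rdns) - 1, -1, -1)]

def _key(rdns):
    # Case-insensitive values mirror the caseIgnoreMatch rule of cn, ou and dc;
    # a real directory server applies the matching rule of each attribute's syntax.
    return [sorted((t, v.casefold()) for t, v in rdn) for rdn in rdns]

def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere in the subtree below base."""
    d, b = _key(parse_dn(dn)), _key(parse_dn(base))
    return len(b) <= len(d) and d[len(d) - len(b):] == b
```

Calling `ancestors(SAMPLE_DN)` yields the chain `dc=eu`, `dc=example,dc=eu`, `ou=Berlin,dc=example,dc=eu`, and so on down to the entry, which is exactly the tree a directory browser shows. The comparison in `is_under` works on parsed RDNs rather than on raw strings on purpose: a plain string suffix match would be fooled by an escaped comma in a value, by a multi-valued RDN written in a different order, or by differences in case and spacing, any of which could make an access rule accept or reject the wrong entries.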
See also: Active Directory, Open standards, SSO
OpenStack
An open-source cloud computing platform for building and managing public and private clouds. Originally launched in 2010 by NASA and Rackspace, OpenStack is now governed by the OpenInfra Foundation and deployed by hundreds of organisations worldwide.
OpenStack provides the infrastructure layer — compute (Nova), networking (Neutron), storage (Cinder/Swift), identity (Keystone) — that hyperscalers like AWS build as proprietary services. It is the foundation of the Sovereign Cloud Stack (SCS) and is deployed by European cloud providers including OVHcloud, IONOS, and Open Telekom Cloud (Deutsche Telekom).
The significance for digital sovereignty: OpenStack enables organisations and providers to build cloud infrastructure with the same capabilities as hyperscalers, without dependency on proprietary platforms. The trade-off is operational complexity — running OpenStack requires substantial expertise, which is why managed OpenStack offerings and the SCS reference implementation exist.
See also: Sovereign Cloud Stack, Kubernetes, Open Source
Kubernetes (K8s)
An open-source container orchestration platform for automating the deployment, scaling, and management of containerised applications. Originally developed by Google (based on its internal system Borg), Kubernetes was donated to the CNCF in 2014 and graduated in 2018. It has become the de facto standard for running applications in cloud environments.
Kubernetes abstracts away the underlying infrastructure: the same application deployment works on AWS, on a European cloud provider, on bare-metal servers, or on-premises. This infrastructure portability makes Kubernetes a key enabler for cloud sovereignty — workloads deployed on Kubernetes can be moved between providers without rewriting the application, directly addressing vendor lock-in.
The Sovereign Cloud Stack (SCS) uses Kubernetes as its container orchestration layer, alongside OpenStack for infrastructure. Most European cloud providers (Scaleway, IONOS, OVHcloud) offer managed Kubernetes services.
See also: CNCF, OpenStack, Sovereign Cloud Stack, Vendor lock-in
Bletchley Declaration
The Bletchley Declaration was signed on 1–2 November 2023 at the first global AI Safety Summit at Bletchley Park, United Kingdom, by 29 countries — including the US, China, EU member states, the UK, Japan, India, and Brazil. It was the first time the US and China jointly signed a document on AI risks.
The declaration acknowledges that advanced AI poses “significant risks, including serious, even catastrophic, harm” and calls for international cooperation to address these risks. It led to the creation of the UK AI Safety Institute and inspired similar initiatives in the US, Japan, and Singapore. Follow-up summits took place in Seoul (May 2024) and Paris (February 2025).
The political significance of the Bletchley Declaration lies in the fact that it documented an international consensus that has since been partially abandoned: the US revoked its binding AI safety measures at the federal level in January 2025, pivoting to economic competitiveness over the risk mitigation agreed at Bletchley.
See also: AI Safety Institute, EU AI Act, Digital sovereignty
AI Safety Institute (AISI)
The AI Safety Institute is a UK government body established in November 2023 as a direct outcome of the Bletchley Summit. It is the world’s first state institution dedicated exclusively to evaluating and mitigating risks from advanced AI models.
The institute employs over 100 technical staff and has an annual budget of £66 million. It has agreements with leading AI companies — including Anthropic, OpenAI, Google DeepMind, and Meta — for pre-deployment access to new models before their public release to conduct independent safety evaluations.
AISI’s work includes: evaluating AI models for dangerous capabilities (e.g. assistance with biological or chemical weapons, autonomous cyberattacks), developing evaluation methodologies, and publishing research findings. The US established its own US AI Safety Institute under NIST in November 2023, but its mandate was significantly curtailed when Executive Order 14110 was revoked in January 2025.
See also: Bletchley Declaration, EU AI Act
Executive Order (US Presidential Directive)
An Executive Order (EO) is a directive from the US President to the federal bureaucracy, issued without Congressional approval. Executive Orders carry the force of law for the executive branch but can be revoked or modified by any subsequent president at any time — unlike statutes, which can only be repealed by Congress.
This fragility is central in the AI and data protection context: President Biden’s EO 14110 on AI safety (October 2023, 36 pages) was replaced on his successor’s first day in office by EO 14179 (2 pages, zero safety requirements). Similarly, the EU-US Data Privacy Framework rests on EO 14086, which could theoretically be revoked at any time.
For European businesses, this means: any US assurance based on an Executive Order rather than a statute is contingent on the current administration. The instrument is fragile by design — fundamentally distinguishing it from the binding legislation of the EU AI Act.
See also: EU AI Act, EU-US Data Privacy Framework, Digital sovereignty