A mid-sized German manufacturer receives a routine audit request from a state agency. The request arrives as a .odf file. The manufacturer’s IT department cannot open it properly — their Microsoft Office installation renders the tables incorrectly. They send back a .xlsx. The agency returns it: wrong format, please resubmit.

This is not a story about file formats. It is a story about a shift that has already begun — one that is turning digital sovereignty from a policy debate into an IT planning factor for organisations of all sizes.

Three forces are driving the change. All three are accelerating. And all three affect private companies as much as government agencies.

The CLOUD Act grants US authorities the power to demand data from US-headquartered providers — regardless of where that data is physically stored. For any European organisation subject to GDPR, this creates a structural conflict: your data protection obligations may be legally incompatible with your provider’s obligations under US law.

This is not new. But the enforcement landscape has changed. Transatlantic data transfer frameworks remain fragile. Sector-specific regulators — especially in healthcare, finance, and the public sector — are asking harder questions about where data actually lives and who can access it.

The Digital Services Act adds another layer: obligations around transparency and systemic risk that apply to platforms operating in the EU. Organisations relying on US-based platforms need to understand how their providers respond to these requirements — and what happens if they do not.

Compliance is no longer a checkbox. Organisations need to document — credibly — that their IT infrastructure does not expose them to jurisdictional conflicts. For regulated industries, this is already a board-level conversation.

Cost dependency is a financial risk

Vendor lock-in is usually discussed in technical terms — proprietary formats, closed APIs, data gravity. But the financial impact is often more acute: unpredictable licence cost increases, forced migration to subscription models, and support contracts that are difficult to exit without disrupting operations.

When a single vendor controls your office suite, identity layer, cloud platform, and collaboration tools, every contract renewal becomes asymmetric. The vendor knows your switching costs. You absorb whatever terms they set.

Beyond direct licence fees, there is the cost of adapting to someone else’s product decisions. Feature removals, forced version upgrades, changes to API terms — these are not bugs. They are the normal operating model of proprietary platforms. Each one generates unplanned work inside your organisation.

Schleswig-Holstein, after migrating roughly 80 % of its 30,000 government workstations to LibreOffice, reported estimated savings of €15 million per year in Microsoft licence costs alone. That number does not include reduced exposure to future price increases or improved negotiating leverage with remaining vendors.

The savings will differ for every organisation. But the calculation method is the same: map your current costs, model the exit costs, and compare against open alternatives.

Procurement mandates are changing the rules

In March 2026, Germany’s IT-Planungsrat made the Open Document Format (ODF) mandatory for all public administration — federal, state, and municipal — with ODF compliance targeted by 2027 and full Deutschland-Stack infrastructure by 2028. Microsoft Office formats are being phased out. This is binding regulation, not a recommendation.

The supply-chain effect is immediate. Organisations that exchange documents with German government agencies will need to produce and accept ODF. The same applies to tenders, official correspondence, and reporting. This is not limited to the public sector — it ripples through every supply chain that touches government.

Similar mandates are emerging across the EU. France has mandated ODF in public administration since 2009. The UK followed in 2014. Once one major economy mandates a standard, others tend to follow within 18 to 24 months.

The Public Money, Public Code principle — that publicly funded software should be publicly available — is gaining traction in procurement policies across Europe. This shifts the default from proprietary to open, creating structural demand for open-source solutions at every level of government IT.

What this means beyond government

Even if you are not in the public sector, these shifts affect you:

Document exchange. If your clients or partners are in government, ODF compliance is becoming a requirement, not a choice.

Procurement eligibility. Tenders increasingly require open-standards support or sovereign hosting as evaluation criteria.

Regulatory alignment. Sector-specific regulations are tightening around data residency, provider independence, and audit transparency.

Negotiating position. Every viable alternative to your current vendor stack improves your leverage in contract negotiations — even if you never switch.

Assessing your own exposure

Strip away the politics and the ideology, and digital sovereignty comes down to a simple question: how exposed is your organisation if a key vendor changes the rules?

Six questions can start the conversation:

1. Jurisdiction mapping. Which of your critical systems are operated by US-headquartered providers? Where is data stored? Who has legal access?

2. Licence cost trajectory. How have your licence costs evolved over the past three years? What are the projected increases?

3. Exit cost analysis. For each major vendor, what would it cost — in time, money, and disruption — to switch? Which data can you export?

4. Format dependency. How many of your documents, templates, and workflows depend on proprietary formats?

5. Regulatory exposure. Are you subject to GDPR, sector-specific regulations, or public procurement rules that reference data sovereignty or open standards?

6. Supply chain requirements. Do any of your clients or partners require or prefer ODF, sovereign hosting, or open-source components?

This is not a migration decision. It is a risk assessment. And it is the necessary first step before any strategic conversation about alternatives.

Sources

Topic overview: Digital Sovereignty in Europe Related articles: Germany Mandates Open Formats, Digital Risk Audit