The trigger was a sentence in the French Senate, on Tuesday, 10 June 2025. Senator Dany Wattebled, rapporteur of the Commission d’enquête on public procurement costs, had Microsoft France’s Anton Carniaux in front of him. Carniaux was Microsoft France’s Director of Public and Legal Affairs. Beside him sat Pierre Lagarde, the company’s Director of Technical Services for the Public Sector. Lagarde had just explained that since January, European customer data contractually no longer left the EU.

Wattebled asked Carniaux whether he could guarantee that French citizens’ data would not be transmitted to US authorities following a US government order. Carniaux did not equivocate. “Non, je ne peux pas le garantir, mais, encore une fois, cela ne s’est encore jamais produit” — no, I cannot guarantee it, but again, this has never yet happened.

The sentence circulated for ten months. On Wednesday, 8 April 2026, the Direction interministérielle du numérique and three partner agencies — the Direction générale des entreprises, the cybersecurity agency ANSSI, and the State Procurement Directorate DAE — published a joint press release. Every ministry, every operator of the state, every affiliated body would be required to file a written plan to reduce its extra-European digital dependencies. The deadline was autumn. The plans would cover seven categories: workstations, collaborative tools, antivirus, artificial intelligence, databases, virtualisation, and network equipment. DINUM itself would pilot the Windows-to-Linux migration first.

Anne Le Hénanff, the Delegate Minister for Artificial Intelligence and Digital, summarised the position in a single line: “La souveraineté numérique n’est pas une option.” Digital sovereignty is not an option. David Amiel, the Minister of Public Action and Accounts, signed off on the plan.

What the press release actually requires

Each ministry must produce a roadmap. The seven categories are non-negotiable; the timelines within each are. The aggregate ambition is a substantial migration of state IT infrastructure by 2030.

The Caisse nationale d’Assurance maladie — France’s national health insurance fund — is already the largest visible commitment. 80,000 of its employees are moving onto Tchap, Visio, and FranceTransfert. La Suite, the French sovereign productivity platform, had reached about 40,000 regular users before the directive made it the default. The first concrete inter-state milestone after the press release is a set of “Rencontres industrielles du numérique” scheduled for June 2026, at which DINUM intends to formalise public-private coalitions for the transition.

Why this is not Munich

The Munich LiMux project, abandoned by the city in 2017 after a decade, is the canonical European reference for “this is harder than it looks”. Munich’s failure had several technical causes; its political cause was that successive municipal administrations could walk away from previous commitments because there was no enforceable timeline at central level. The French directive is designed against that pattern.

The mandatory written plans raise the political cost of rolling back. A change of administration cannot walk away from a documented roadmap without explicit reversal — and that reversal becomes a press story. The seven-category scope is also deliberate. Previous European migrations addressed workstations and ignored AI tooling, databases, and virtualisation. Within five years, those gaps re-anchored vendor dependency at deeper layers. France is naming most of the stack at the outset.

The empirical reference case behind the methodology is the Gendarmerie nationale, a military police force which has run roughly 100,000 machines on Linux for two decades, with reported cumulative licence-cost avoidance of around €500 million. The Gendarmerie’s migration is the only widely-citable European public-sector Linux migration that is unambiguously a success. DINUM is replicating its methodology, not improvising on the basis of theory.

Carniaux’s June 2025 sentence is the political mortar. Without an admission from Microsoft itself, on the record, in a national legislature, the operational layer of French government would not have produced an interministerial directive of this scope this quickly. The Senate moment converted an architectural argument into a political fact.

What the directive does not fix

Even on the most optimistic reading, the directive addresses one layer of the dependency. Several deeper layers remain unaddressed.

Linux on 2.5 million government desktops would close a large exposure. It would not close the upstream supply chain — the kernel, the toolchains, the package repositories — most of which are hosted on US infrastructure, primarily GitHub. It would not close the cryptographic trust chain: certificate authorities and DNS root servers remain US-dominated. It would not close the hardware layer. The CPUs are Intel or AMD silicon with US export-control exposure, on firmware that is largely closed.

The directive’s seven-category list includes network and telecoms infrastructure, which is more than previous European efforts addressed. The upstream open-source supply chain on which everything else depends is not in scope. The directive is necessary, not sufficient, for the sovereignty it is claimed to deliver.

There is also an industrial-policy reading that public coverage has under-weighted. If France succeeds at this migration, two clusters of vendors win materially: Dassault Systèmes through Outscale, which hosts Visio, and a smaller constellation of French open-source service companies. The directive is, in commercial terms, a domestic procurement programme worth low single-digit billions over five years. That is not necessarily a problem — but it is industrial policy as well as sovereignty policy, and the two are not identical.

What this article is not

It is not a claim that France has solved the problem. The directive begins a six-year programme, and the autumn 2026 ministry plans are the first measurable test.

It is not a claim that this is replicable in other member states. France is institutionally distinctive — the Gendarmerie’s twenty years of Linux experience does not exist anywhere else in the EU.

It is not a claim that Linux is the answer to sovereignty. Linux on the workstation is one layer. The upstream supply chain on which Linux itself depends is another, and DINUM has not announced a plan for that layer.

What the autumn plans will say

The base rate for European public-sector Linux migrations of this scope is failure. The base rate for migrations designed this way — written plans with deadlines, seven-category scope, working replacement tools, an empirical reference case in the Gendarmerie, and an on-the-record Microsoft admission as political mortar — is not known. No European administration has tried this combination at this scale.

What is known is that France’s 2027 presidential election will arrive before the autumn 2026 ministry plans have been fully delivered against. A different political constellation could deprioritise the directive without legally reversing it. The directive is administrative, not parliamentary.

The first measurable signal is the autumn ministry roadmaps. If they arrive concrete — naming vendors, timelines, budget lines, transition staff — France has done methodologically what Munich failed at, and the question becomes whether the political environment will let the methodology run its course. If they arrive vague, the directive joins the long list of European sovereignty announcements whose half-life was the news cycle that produced them.

Until then, the line that opened the file is the line that opened it: no, I cannot guarantee it.

Sources

Topic overview: Digital Sovereignty in Europe Related articles: Linux in the Public Sector, Limits of Digital Independence