Who Controls Your Login?
Every time an employee clicks “Sign in with Google” or “Sign in with Microsoft,” a small but significant thing happens: a US company learns when, where, and to which service that person authenticated. The identity provider — the system that confirms “yes, this person is who they claim to be” — sits at the centre of every digital interaction. It sees everything.
For organisations, the identity provider is the most strategically important piece of infrastructure most IT departments never think about. It controls who can access what. It determines whether an ex-employee’s access is revoked within minutes or lingers for weeks. It is the single point of control — and, potentially, the single point of failure.
And in Europe, identity infrastructure is overwhelmingly American. Okta — the largest dedicated identity provider — reported $2.61 billion in revenue for fiscal year 2025, serving 19,100 customers. Microsoft Entra ID (formerly Azure AD) is bundled with Microsoft 365 and is therefore the default identity provider for the hundreds of millions of organisations using Microsoft’s ecosystem. Google Identity serves a similar function for Google Workspace users.
The dependency is structural. When your identity provider is American, the authentication data — who logged in, when, from where, to what service — is subject to the CLOUD Act and US jurisdiction. This is not a theoretical concern, as the geopolitical weaponisation of software licences has already demonstrated. Identity metadata is among the most sensitive data an organisation produces — and among the most valuable for intelligence purposes.
The DigiD Controversy: Sovereignty in Practice
If you want to understand why identity sovereignty matters, look at the Netherlands.
DigiD is the Dutch government’s digital identity system — the equivalent of logging in to government services. With 16.5 million registered users and over 550 million logins in 2024, it is one of the most widely used national identity systems in Europe.
DigiD’s infrastructure was operated by Solvinity, a Dutch managed hosting company. In 2024, Kyndryl — the former IBM infrastructure services division, now an independent US-listed company — acquired Solvinity. Overnight, the company operating the Dutch government’s identity infrastructure was under US corporate control.
The Dutch Parliament reacted sharply. Multiple motions were adopted calling on the government to ensure that DigiD infrastructure would not be controlled by a non-European entity. The government committed to not renewing the Solvinity/Kyndryl contract beyond 2028 and to migrating DigiD to sovereign infrastructure.
The DigiD case illustrates a vulnerability that most countries have not yet confronted: identity infrastructure is often outsourced to private companies whose ownership can change through acquisition. A Dutch company today can be a US subsidiary tomorrow. If the infrastructure is already hosted there, the sovereignty ship has sailed before anyone noticed it leaving port.
eIDAS 2.0: Europe’s Answer
The EU’s response to identity fragmentation is eIDAS 2.0 (EU 2024/1183), adopted in April 2024. Its centrepiece is the European Digital Identity Wallet (EUDIW) — a government-issued digital wallet that every EU member state must offer to its citizens by 2026.
The concept is ambitious: a single wallet app, on the citizen’s phone, that can store and present:
- Government-issued identity credentials
- Driving licences
- Diplomas and professional qualifications
- Health insurance cards
- Any other verifiable attribute
The wallet works both online and offline. Very large online platforms (as defined by the Digital Services Act) are required to accept the EUDIW for user authentication. This creates, at least in theory, a European alternative to “Sign in with Google” — backed by government-verified identity rather than a corporate account.
The Promise
The potential impact of EUDIW is substantial. If implemented well, it would:
- Give citizens control over their identity data. Unlike “Sign in with Google,” where Google acts as intermediary and learns which services you use, the wallet is designed to present credentials directly — without the identity provider seeing the transaction.
- Create interoperability across the EU. A French citizen’s digital identity would work seamlessly for services in Germany, Italy, or any other member state. Cross-border identity verification — currently a nightmare of bureaucratic attestations — would become instant.
- Reduce dependency on US identity providers for authentication. Organisations could accept the EUDIW instead of requiring Google or Microsoft accounts.
The Reality Check
The EUDIW timeline is aggressive. Member states must offer the wallet by 2026, based on a technical architecture (the Architecture and Reference Framework, or ARF) that is still being refined. Implementation across 27 member states, each with different existing identity systems, different legal frameworks, and different levels of digital maturity, is a coordination challenge of enormous scale.
Privacy concerns exist. A government-issued digital identity wallet, if poorly implemented, could become a surveillance tool — tracking which services citizens access, when, and from where. The architecture is designed to prevent this (selective disclosure, no central logging), but implementation details matter enormously. Civil liberties organisations are watching closely.
And there’s the adoption question. Citizens need a reason to use the wallet. If government services don’t accept it, if private services don’t integrate it, if the user experience is clunky, the EUDIW could become another well-intentioned European digital project that exists on paper but not on phones.
FranceConnect: The Success Story
France has, characteristically, not waited for the EU. FranceConnect — France’s national identity federation — has been operational since 2016 and has over 43 million users as of mid-2024, connected to over 1,800 services.
FranceConnect works as a federation layer: citizens can use their existing government credentials (from the tax office, health insurance, or other government agencies) to authenticate to any connected service. It is, in effect, a government-operated identity federation — where the authenticating entity is accountable to the citizens it serves, rather than to a foreign corporation’s shareholders.
The system demonstrates that government-operated identity federation works at scale. Its success rests on two factors: mandatory integration for government services (if you’re a French government online service, you must accept FranceConnect) and genuine convenience (citizens can use credentials they already have, rather than creating yet another account).
FranceConnect is the proof of concept that eIDAS 2.0 aims to replicate across Europe. Whether other member states can achieve similar adoption depends on whether they follow France’s playbook: mandate integration, invest in usability, and accept that citizens won’t adopt something purely because it’s sovereign — it also has to work.
Keycloak and Authentik: Sovereign Identity for Organisations
For organisations — as opposed to citizens — the identity sovereignty question has a different answer. The question is not “which government ID system do we use?” but “who operates our Single Sign-On infrastructure?”
Two open-source identity providers have emerged as the main alternatives to Okta and Microsoft Entra ID:
Keycloak
Keycloak is the heavyweight. Originally developed by Red Hat (now IBM), Keycloak is a CNCF incubating project — the same foundation that hosts Kubernetes. Over 6,400 companies use Keycloak in production.
Keycloak supports everything a modern identity provider needs: SSO via SAML 2.0, OpenID Connect, and OAuth 2.0. LDAP and Active Directory integration. Multi-factor authentication. Fine-grained authorisation policies. User self-service. Federation with external identity providers.
The practical reality: Keycloak is powerful but not simple. Deployment and configuration require expertise. The documentation has improved significantly but the learning curve is real. For organisations with competent internal IT teams, Keycloak provides full sovereignty over authentication — no data leaves the organisation, no US company knows when your employees log in. For organisations that rely on managed services, the operational overhead may be a deterrent.
Authentik
Authentik is the newer alternative, backed by a public benefit company funded by Open Core Ventures. It takes a more modern, developer-friendly approach: easier initial setup, a cleaner UI, and a focus on usability that Keycloak has historically neglected.
Authentik follows an open-core model: the core identity provider is open source, while enterprise features (audit logging, outpost management, premium support) are paid. This is a pragmatic licensing model that balances community access with commercial sustainability.
For smaller organisations or those new to self-hosted identity management, Authentik is often the easier starting point. For large enterprises with complex federation requirements and existing Active Directory infrastructure, Keycloak remains the more proven choice.
The Replace-Okta Playbook
Organisations migrating from Okta or Microsoft Entra ID to Keycloak or Authentik typically follow this pattern:
- Deploy alongside, not instead of. Run the self-hosted IdP in parallel with the existing provider.
- Migrate applications incrementally. Start with internal applications that support standard protocols (SAML, OIDC). Leave externally facing services for later.
- Address Active Directory integration early. Most organisations have existing AD infrastructure. Keycloak’s LDAP federation handles this, but configuration is non-trivial.
- Plan for multi-factor authentication. FIDO2 hardware keys (YubiKey, SoloKeys) provide the highest security. Passkeys offer convenience. Both work with Keycloak and Authentik.
- Budget for expertise. The software is free. The deployment, integration, and ongoing maintenance are not.
FIDO2 and Passkeys: The Authentication Revolution
While the identity provider debate is about sovereignty, the authentication method debate is about security. And here, the landscape is shifting rapidly.
FIDO2/WebAuthn replaces passwords with public-key cryptography. Instead of a shared secret (a password that both you and the server know), FIDO2 uses a cryptographic key pair: the private key stays on your device (hardware key or phone), the public key is stored on the server. Phishing becomes practically impossible: there is no password to steal, and each signed login is bound to the site’s origin, so a credential registered with the real service cannot be exercised from a look-alike domain.
The numbers are moving fast. As of late 2025, 69 % of users have at least one passkey-capable device, and 48 % of the top 100 websites support passkey authentication. Microsoft made passkeys the default sign-in method in May 2025, reporting a 120 % increase in passkey adoption.
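To make the mechanism concrete, here is an added, self-contained model of a FIDO2/WebAuthn registration and login ceremony. It is example code written for this article, not code from the WebAuthn specification, Keycloak or Authentik; it uses Ed25519 in place of the ES256 default most authenticators ship with, skips CBOR encoding and attestation, and the relying-party ID, origins and challenge strings are constructed placeholders. It shows why the three checks the relying party performs (challenge, origin, signature counter) are what defeat phishing, replay and cloned keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter here.
// The browser, not the web page, fills in Origin, so a phishing page cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a hardware key or phone: the private key never leaves it.
type Authenticator struct {
	priv    ed25519.PrivateKey
	rpID    string // relying-party ID bound at registration (constructed example value)
	counter uint32 // signature counter, incremented on every assertion
}

// Credential is what the identity provider stores: only the public key, rpID and last counter.
type Credential struct {
	pub         ed25519.PublicKey
	rpID        string
	lastCounter uint32
}

// Assertion is the login response the browser hands back to the relying party.
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

// Register creates the key pair on the authenticator and gives the server the public half.
func Register(rpID string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, Credential{pub: pub, rpID: rpID}, nil
}

// authenticatorData follows the WebAuthn layout: sha256(rpID) || flags || 32-bit big-endian counter.
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	data := append(h[:], 0x01) // flags: user present
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	return append(data, ctr...)
}

// Sign simulates the browser on `origin` asking the authenticator to answer a server challenge.
// The signed message is authenticatorData || sha256(clientDataJSON), exactly as in WebAuthn.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	authData := authenticatorData(a.rpID, a.counter)
	cdHash := sha256.Sum256(cd)
	msg := append(append([]byte{}, authData...), cdHash[:]...)
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, msg)}, nil
}

// Verify is the relying-party side: challenge (anti-replay), origin (anti-phishing),
// rpID hash, signature, and a strictly increasing counter (cloned-authenticator detection).
func Verify(cred *Credential, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was produced on another site")
	}
	if len(as.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(cred.rpID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpID hash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := append(append([]byte{}, as.AuthData...), cdHash[:]...)
	if !ed25519.Verify(cred.pub, msg, as.Signature) {
		return errors.New("bad signature")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= cred.lastCounter {
		return errors.New("counter did not increase: possible cloned authenticator")
	}
	cred.lastCounter = counter
	return nil
}

func main() {
	auth, cred, _ := Register("idp.example.eu") // constructed relying-party ID
	ok, _ := auth.Sign("https://idp.example.eu", "challenge-1")
	fmt.Println("genuine login:", Verify(&cred, "https://idp.example.eu", "challenge-1", ok))
	fmt.Println("replayed assertion:", Verify(&cred, "https://idp.example.eu", "challenge-1", ok))
	phished, _ := auth.Sign("https://idp-example.eu", "challenge-2") // look-alike origin
	fmt.Println("phished assertion:", Verify(&cred, "https://idp.example.eu", "challenge-2", phished))
}
```

In a real browser the look-alike site would not even get that far: the browser refuses to use a credential whose rpID does not match the page’s own domain. The origin check modelled here is the relying party’s independent second line of defence, and the counter check is what turns a stolen or cloned hardware key into a detectable event rather than a silent one.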
The Sovereignty Angle
Passkeys — the consumer-friendly implementation of FIDO2 — sync credentials via cloud accounts (iCloud Keychain, Google Password Manager, Microsoft Account). This is convenient but creates a sovereignty concern: your authentication credentials are stored on Apple, Google, or Microsoft servers.
Hardware FIDO2 keys (YubiKey, SoloKeys, Nitrokey) don’t have this problem. The private key never leaves the physical device. No cloud sync, no US company holding your credentials. For high-security use cases — government, healthcare, finance — hardware keys remain the gold standard.
The European choice is therefore: passkeys for convenience (with US cloud dependency for key storage), hardware FIDO2 keys for sovereignty (with the inconvenience of physical devices), or a hybrid approach — passkeys for low-risk applications, hardware keys for sensitive ones.
Keycloak and Authentik both support FIDO2 and passkeys, making it possible to build a fully sovereign authentication stack: European-hosted identity provider + hardware security keys = zero US dependency for authentication.
The IDaaS Market: Why Sovereignty Costs Money
The identity-as-a-service (IDaaS) market is dominated by US providers. Okta alone holds roughly 27 % market share, with $2.61 billion in revenue (FY2025) and 19,100 customers. Microsoft Entra ID, bundled with Microsoft 365, is effectively free for existing Microsoft customers — making it the path of least resistance for most organisations.
Competing with “free” is hard. When identity management is bundled into a suite you’re already paying for, the marginal cost of using a different provider is perceived as a net addition — even when the total cost of ownership of the bundled solution (including lock-in costs, compliance risks, and sovereignty concerns) is higher.
Keycloak and Authentik are free as software. They are not free as deployed systems. An organisation running Keycloak needs infrastructure, expertise, monitoring, and a plan for security updates. Managed Keycloak offerings exist from European providers — but they’re niche compared to Okta’s fully managed service.
The numbers: for a 500-person organisation, a managed Keycloak deployment might cost €15,000–30,000 per year in hosting and support. Okta’s equivalent plan would cost $50,000–100,000 per year. The savings are real, but they require internal competence to realise.
What Follows
Identity is the silent infrastructure of digital life. It’s less visible than cloud servers or office suites, but more fundamental: without identity, nothing else works. You can’t access the cloud, the email, or the document editor without first proving who you are.
Europe is building alternatives at both the citizen level (eIDAS 2.0, EUDIW, FranceConnect) and the organisational level (Keycloak, Authentik). The alternatives are proven. FranceConnect’s 43 million users show that government identity federation scales. Keycloak’s 6,400+ production deployments prove that self-hosted identity management is viable. FIDO2 hardware keys prove that authentication can be sovereign.
The DigiD controversy in the Netherlands shows what happens when sovereignty is assumed rather than ensured: a single corporate acquisition can put a nation’s identity infrastructure under foreign control. The lesson is not that outsourcing is always wrong — it’s that the ownership and jurisdiction of identity infrastructure must be a conscious, monitored decision.
Where to begin depends on your current setup. The following recommendations are grouped by time horizon — start with what you can do immediately:
This month (low effort, high insight):
- Audit your identity supply chain. The DigiD case shows that a single corporate acquisition can put national identity infrastructure under foreign control. Map not just your software vendor, but the hosting provider, the support contractor, and their ownership structures. This is a one-week exercise that may reveal surprises.
- Know where your identity data lives. If the answer is “Okta’s US servers” or “Microsoft’s cloud,” that’s a sovereignty decision — make it consciously rather than by default.
This quarter (quick wins, immediate security benefit):
- Deploy FIDO2 for high-security users. Hardware keys eliminate the most common attack vector (phishing) and the most common sovereignty concern (cloud-synced credentials). Start with IT administrators and executives. A YubiKey costs €50; a credential breach costs orders of magnitude more.
This year (significant project, 3–6 month migration):
- Evaluate Keycloak or Authentik for internal applications. A typical migration for an organisation with 50 SAML-connected applications takes 3–6 months. The annual savings (€35,000–70,000 for a 500-person organisation compared to Okta) fund the migration effort within 12 months.
Before 2027 (regulatory deadline):
- Prepare for eIDAS 2.0. Every EU member state must offer the European Digital Identity Wallet by 2026. If you operate services that authenticate EU citizens, EUDIW integration requirements will affect you. Start your assessment no later than mid-2026 — the organisations that prepare early will shape their integration on their own terms; those that wait will be forced into last-minute compliance work with no room for architectural choices.
Sources
- Okta FY2025 revenue and market share (Okta investor relations)
- DigiD usage statistics (Logius, Dutch government)
- Dutch Parliament motions on DigiD sovereignty (Tweede Kamer, 2024)
- Kyndryl acquires Solvinity (Kyndryl, 2024)
- FranceConnect statistics (DINUM)
- eIDAS 2.0 regulation (EUR-Lex)
- EUDIW Architecture and Reference Framework (GitHub)
- Keycloak joins CNCF (CNCF blog, 2023)
- Passkey adoption statistics (FIDO Alliance, 2025)
- Microsoft passkeys default (Microsoft, May 2025)
- CLOUD Act full text (Congress.gov)