When It Comes to Tech’s Software Dependency, What Does ‘Buy European’ Even Mean?

Europe’s push for digital sovereignty has centered on where data lives and which companies own the cloud services, yet the real threat lies in the software’s licensing and its underlying supply chain. When a proprietary product scores high today, a future acquisition can instantly nullify that score, leaving public agencies dependent on a new owner’s policies. Open‑source licensing, by contrast, embeds a legal right to fork and continue development, ensuring that critical code remains under the control of its users regardless of corporate changes.

Recent incidents illustrate the fragility of current approaches. The Oracle‑Sun merger threatened MySQL’s future, but the GPL license allowed Monty Widenius to fork it into MariaDB, preserving a sovereign alternative. Conversely, the 2024 WordPress.org‑WP Engine dispute and GitHub’s sanctions‑related restrictions exposed how single‑point delivery infrastructures—often controlled by U.S. firms—can abruptly disrupt global software ecosystems. When the delivery pipeline is monopolized, even open‑source code can become effectively hostage, highlighting the need for diversified, European‑based registries and mirrors.

To translate these insights into policy, the forthcoming Cloud and AI Development Act should make open‑source licensing a mandatory eligibility criterion for mission‑critical procurements and mandate rigorous supply‑chain resilience assessments. By requiring federated or mirrored European alternatives for irreplaceable dependencies, the EU can build a cloud ecosystem that survives ownership changes and geopolitical shocks. Such measures would not only protect public services but also stimulate a vibrant European open‑source industry, turning sovereignty from a checklist into a durable strategic asset.