In May 2025, the Chief Prosecutor of the International Criminal Court lost access to his Microsoft 365 account. The cause was a sanctions order, not a cyber-attack, not a breach, not a failure of any system to work as designed. The infrastructure did exactly what it was built to do, it complied with its legal obligations. The court is now migrating 1,800 workstations away from Microsoft entirely.

Nobody acted with malice toward the court’s IT infrastructure and no decision was made with the intention of disrupting a legal institution. A compliance mechanism, operating automatically, encompassed email accounts along with everything else it was required to reach.

That is not a theoretical risk. That is a Tuesday.

Microsoft has not ignored European concerns. Since January 2024, commercial and public sector customers can store and process their data entirely within EU and EFTA regions. The EU Data Boundary project was real and valuable and it deserves acknowledgement. However, it does not solve the problem.

Data residency and sovereignty are not the same thing. Storing your data in Frankfurt does not change who controls the infrastructure or who decides what the terms look like next year. And it does nothing about the CLOUD Act, US legislation that allows American authorities to compel US companies to produce data stored anywhere in the world, including inside those Frankfurt data centres. The residency commitment and the CLOUD Act sit in the same infrastructure simultaneously. The ICC’s data was presumably compliant with every applicable regulation, but the prosecutor still lost his email. Residency tells you where your data sits. It says nothing about who holds the keys.

Germany’s openDesk project is worth understanding, because it illustrates both the right instinct and the scale of what is missing. OpenDesk is a suite of open source collaboration tools, document editing, file storage, video conferencing, project management. All assembled and maintained by Germany’s Center for Digital Sovereignty and backed by the Federal Ministry of the Interior. Launched in October 2024, it is designed as a public sector alternative to Microsoft 365. The Bundeswehr, Germany’s armed forces, has signed a seven-year framework agreement to adopt it. Over 1,500 public bodies have made enquiries. The intent is exactly right but the investment is not equal to the problem.

Germany has put approximately €45 million into openDesk over several years. Microsoft’s annual R&D budget is $30 billion. Those numbers belong in the same sentence, not to dismiss openDesk, but because the distance between them is the distance between European and British ambition and what it would actually take to get there.

Valve, the games company behind the Steam platform, understood this distinction when they built Proton. Linux, the open source operating system used by most of the world’s servers had always struggled on the desktop, particularly for gaming. The problem was not that gaming couldn’t work on Linux. Wine, an open source compatibility layer, had existed for decades. The problem was that Wine was underfunded, inconsistent, and nobody had taken responsibility for the whole experience. Valve did not solve this by packaging Wine and shipping it. They hired engineers, they funded deep technical work, contributed across the entire software stack, and took ownership of the outcome rather than the components. The result went from aspirational to genuinely competitive. openDesk, as currently funded, is Wine. Europe and the UK need someone willing to build Proton.

The standard responses do not work. They have been tried.

Individual national migrations fragment rather than consolidate. Munich spent thirteen years migrating to Linux and open source, then reversed course. There is no single European or British public sector employer large enough to justify the investment required to build something world-class, and twenty-seven separate sovereign stacks are twenty-seven times the problem.

Europe and the UK have spent fifteen years trying to regulate their way to digital sovereignty, through GDPR, the Digital Markets Act, and the AI Act, and equivalent domestic frameworks in the UK. The result is a Microsoft presence in EU public sector procurement that sits somewhere between 72 and 91 percent. Regulation matters but on its own it is not sufficient.

Commercial challengers will not emerge organically either. No private investor has a twenty-year horizon and a public mission obligation. The moment a European or British open source productivity platform starts generating real commercial revenue, it becomes an acquisition target. Red Hat, an American open source software company, built a billion-dollar business on exactly the open-core model that would power a sovereign European and British stack. IBM bought it for $34 billion. You cannot solve a dependency problem by building something that gets purchased by the dependency the moment it gets interesting. Structural protection from acquisition is not a design preference, it is the entire point.

What Europe and the UK need has been built before. Not in software, but in aerospace.

In 1967, France, Germany, and the United Kingdom founded Airbus. The goal was explicit: prevent European commercial aviation becoming entirely dependent on American manufacturers. It required treaty-based commitment, GDP-scaled contributions from member governments, and the discipline to fund an organisation across a horizon that outlasted individual governments. No single country could have done it alone.

Airbus now has a revenue in excess of €70bn and competes globally with Boeing as a true European competitor. The initial public investment was the prerequisite for everything that followed.

The governance model that works is a European and British Public Service Trust: treaty-backed, binding multi-year contributions scaled to GDP, engineering leadership hired at market rates, insulated from political interference by charter in the same way central bank independence is written into law. CERN, the intergovernmental research organisation behind the Large Hadron Collider, has operated on this model since 1954, annual budget around 1.4 billion Swiss francs, contributions protected by treaty through seven decades of recessions and changing governments, member states with no authority to direct its scientific decisions. It also produced the World Wide Web as a byproduct, which tends to settle the return-on-investment argument.

This institution must own its AI capability entirely. Not license it. Not route its intelligence through someone else’s infrastructure and call it sovereign. A productivity platform that calls a frontier lab API for its AI layer has reproduced the dependency problem at a higher level of abstraction. It does not need to compete with the frontier AI labs to avoid this. DeepSeek demonstrated that focused engineering on a specific problem can produce open-weight models, models whose underlying code is publicly available and auditable, that are competitive with systems built on far greater compute. A European and British trust needs to build productivity intelligence that runs on European and British infrastructure, trained on European and British data, in European languages, under European and British legal jurisdiction. That is a solvable engineering problem. It has not been done because no one has been funded to do it properly.

A trust structured this way cannot be acquired. There are no shareholders. The assets sit with member states under treaty. Commercial revenue from organisations that need sovereignty guarantees the hyperscalers structurally cannot offer flows back into the platform. Not to an acquirer. Back into what Europe and the UK built.

This would cost billions. It would take a generation. It is competing against organisations that spend more on R&D annually than most European and British nations spend on defence.

That is precisely why nothing less ambitious will work.

But the ambition is not only defensive. Europe and the UK have world-class engineering talent. They have the capital. What they have not had is the institutional vehicle to deploy that talent at the right scale, on the right problem, with the right time horizon. A trust of this kind does not just reduce dependency, it anchors that talent here. It creates a platform on which European and British companies can build. The engineers who currently leave for Seattle stay. The startups that currently have no choice but to build in America have an alternative. The public bodies paying compounding licence fees to a foreign vendor start building equity in something they collectively own.

The half-measures have produced the Munich example. They have produced fifteen years of regulation aimed at an industry that grew around it. They have produced a market share figure that tells you everything about how the current approach is working.

There is a version of this argument about geopolitics, Washington and Brussels, trade, strategic competition. That version is real, but it is not the most important one.

The most important version is simpler. Democratic societies should not run their critical public infrastructure, the courts, the hospitals, the government departments, the services citizens depend on, on systems controlled by private shareholders in another jurisdiction, accountable to different laws, subject to political decisions made with entirely different interests in mind. This is not a complaint about any particular country. It would be true no matter the country, and the current political moment has made this impossible to ignore.

Public infrastructure should be accountable to the public it serves. Not because markets are bad. Because some things are too important to be someone else’s commercial decision.

The ICC’s Chief Prosecutor got his email back. The next institution may not be so fortunate. And the one after that will face the same question every democratic society is quietly asking: who actually controls the systems we depend on, and what happens when their interests and ours stop being the same?

Building the answer is the work. It will be expensive and slow. It will also be the most important technology investment Europe and the UK could make.

I write about AI, cybersecurity, and technology every Friday. Subscribe to get it in your inbox.

This is the first in a series on European and British digital sovereignty. Future pieces will explore the governance model, the phased build, and what serious investment in sovereign AI actually looks like in practice.

Share

Sources & Further Reading

Compass Lexecon for the Open Cloud Coalition. (2025, July 24). Quantifying EU Public Sector Dependence on Productivity Software. Open Cloud Coalition. https://opencloudcoalition.com/wp-content/uploads/2025/07/OCCEU-methodology-and-results-report.pdf

IBM. (2019, July 9). IBM closes landmark acquisition of Red Hat for $34 billion. https://www.redhat.com/en/about/press-releases/ibm-closes-landmark-acquisition-red-hat-34-billion-defines-open-hybrid-cloud-future

Microsoft. (2025, April 30). New European digital commitments. Microsoft On the Issues. https://blogs.microsoft.com/on-the-issues/2025/04/30/european-digital-commitments/

Open Cloud Coalition. (2025, July 24). Microsoft dominates 80% of public sector productivity software market in EU. https://opencloudcoalition.com/microsoft-dominates-80-of-public-sector-productivity-software-market-in-eu-raising-competition-concerns-according-to-new-report/

openDesk / ZenDiS. (2024). The office and collaboration suite for public administration. https://www.opendesk.eu/en

The Register. (2025). ICC ditches Microsoft after US sanctions, chooses open source instead.

https://www.theregister.com/software/2025/10/31/international-criminal-court-dumps-microsoft-office/680564

United States Congress. (2018). Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Pub. L. 115-141.

Airbus SE. (2025, February 20). Full-Year 2024 results. https://www.airbus.com/en/newsroom/press-releases/2025-02-airbus-reports-full-year-fy-2024-results

CERN. (n.d.). Our governance. https://home.cern/about/who-we-are/our-governance