The story that should have ended this debate
On 25 April 2026, Follow the Money published Woo documents showing the Dutch Ministry of Justice and Security bought Palantir software in 2014, used by the Royal Marechaussee to screen passenger data on non-Schengen flights. The data model is fully redacted on grounds of state security. Justice Minister David van Weel told parliament last year his ministry had not used Palantir. He had.
This is the current state. A foreign-owned platform with CIA origins, aligned with American actors hostile to European institutions, processing data on every Dutch border crossing, contractually gagging the Dutch state.
Identity is next
Solvinity, operator of the Netherlands’ DigiD identity platform (17 million users), is being acquired by US firm Kyndryl. Logius’s own chief privacy officer Pieter van Oordt warned via Volkskrant that under the US Cloud Act the takeover would expose all DigiD users’ data to US authorities and let Washington shut down access. The Tweede Kamer voted against contract renewal on 21 April. State Secretary Eric van der Burg announced a two-year extension on 24 April; the decision was actually taken on 27 March, before parliament voted. Van Oordt was fired the same week, filing a criminal complaint against the Logius director for misinforming the cabinet. Same pattern as Marechaussee, same week.
France is doing something real
The French Linux migration looks symbolic. It is not. Every M365 install authenticates against Microsoft licensing; keys can be revoked, accounts suspended remotely. Microsoft has done it: the ICC’s Karim Khan case is the proof. Linux and LibreOffice remove the lever. France is doing one right thing. The others are below.
The €264 billion problem
Per the Asterès study for Cigref (flagged by Niels Claeys), EU spending on US cloud and software runs €264 billion per year, equivalent to the EU’s annual energy bill. Eighty per cent of that value is created in the United States. Reclaiming 15% by 2035 puts 463,000 jobs and €100 billion back in Europe. The largest recoverable economic value the EU has yet to seriously contest.
The paper dragon
Europe has the right tool, neutered. The Commission’s Cloud Sovereignty Framework (October 2025) defines five Sovereignty Effectiveness Assurance Levels (SEAL), 0 (no sovereignty) to 4 (full EU supply chain, chips to software), scored across eight legal, technical, and operational objectives. SEAL 3 means immune to non-EU disruption. SEAL 2 means EU law applies but material non-EU dependencies remain. The Commission set its €180 million tender bar at SEAL 2. A Proximus/S3NS bid on Google Cloud cleared it. The framework is not a paper dragon by design. It becomes one at this threshold.
Priority 1: Mandate disclosure
You cannot score what is not declared. Every government contract should declare every non-EU vendor in the stack, refreshed annually, accessible to parliament without an FOI fight. Gag clauses against the state’s own legislature should be unenforceable for any tier 1 system.
Priority 2: Kill switch infrastructure
Systems where loss of access stops the state. Electronic identity (DigiD, itsme, France Connect, eIDAS roots). Border and migration data (SIS II, API/PNR, Entry Exit, ETIAS). Military command and control, intelligence, defence cloud. Payment rails (TARGET2, SEPA). Encrypted government and judicial communications. Energy grid control. SEAL 3 minimum across all eight objectives, SEAL 4 target, with hard exit clauses on every contract. SEAL covers cloud only; analytics SaaS like Palantir sits outside scope, a gap that needs closing.
Priority 3: Cross cutting enablers
EU jurisdiction trust roots, PKI, code signing. Update and patch distribution (the CrowdStrike lesson). Open source supply chain integrity (SLSA, Sigstore, attestation). I wrote an article on that. Encryption key custody held only by entities under EU law.
Priority 4: Second order systems
Healthcare records, prescription systems, tax and benefits, court case management, civil registries. Severe disruption but recoverable. SEAL 2 minimum, SEAL 3 preferred.
Priority 5: Desktop and ecosystem
Public money to non-EU vendors that does not return to the local economy. Ecosystem lock-in around proprietary stacks. And the licensing kill switch France just removed.
The objections, taken seriously
Feature lag. The functionality most public sector workloads need has existed for over a decade. A five-year functional gap on systems that authenticate citizens and route forms is a marketing argument.
Cost premium. Sovereign cloud sits 15 to 20% above hyperscaler pricing. Small against €264 billion leaving every year. 15% more on a fraction of that to keep value compounding inside Europe is a redirection.
Capability gap. Bilawal Sidhu, a former Google Maps PM, built WorldView in a weekend: a geospatial command centre fusing flight tracking, satellite orbits, and CCTV feeds onto Google’s 3D tiles, coordinated through multiple AI agents. The Palantir co-founder responded within a week. Systems intelligence contractors charge governments tens of millions to build are now in range of one motivated builder over a weekend. The capability is here. What is missing is willingness and contractual discipline.
The point
Europe has a framework for digital sovereignty. Now we need brave politicians and conscientious implementations, otherwise what's left is another paper dragon.