
The Path to European Digital Resilience

Open source software, data sovereignty, cloud repatriation, and interoperability

Increasing geopolitical uncertainties are driving the European Union’s (EU) efforts to reduce dependencies on non-European vendors and achieve European digital resilience. For nations and organizations that operate within the EU, overall success depends on establishing three strategic pillars: data sovereignty, cloud repatriation, and interoperability. Open source software provides the foundation for all three pillars, making its widespread adoption across Europe critical to achieving the digital resilience the region is working toward.

This push for resilience is not recent. Starting with the General Data Protection Regulation (GDPR) in 2018, which governs how personal data of European residents can be processed, protected, and transferred, the EU has consistently introduced legislation that reinforces its commitment to independence and to protecting European nations and citizens from the laws and regulations of non-European governments. Subsequent regulations include the Interoperable Europe Act, the EU Data Act, and most recently, the EU AI Act. Many of these directly or indirectly promote open source technologies, signalling how central they are to the EU's resilience agenda.

The European Commission and individual member state governments have also made significant financial commitments to build the infrastructure that organizations need to achieve these three pillars. These include the €3bn investment in Gaia-X and data space projects; the 10-year, €300bn EuroStack initiative; and the €200bn EU AI Continent Action Plan.

The three strategic pillars of European digital resilience

Data sovereignty

One of the biggest barriers to achieving digital resilience is data sovereignty: where data is stored, who can access it, and which legal jurisdiction it falls under. The EU cannot claim true data sovereignty if European data is stored in a foreign country, or if a foreign country can access or has legal jurisdiction over this data.

The primary challenge is that approximately 70% of the European cloud market today is controlled by the three US hyperscalers: Amazon (AWS), Microsoft (Azure), and Google (GCP). These organizations are governed by US laws such as the US CLOUD Act and FISA 702, which grant US authorities access to European data held by US cloud providers even if the data is stored on infrastructure that is physically located in the EU. This creates a significant risk of European data being exposed to the US government.

While regulations such as GDPR and the EU Data Act aim to provide protective mechanisms around who can access European citizen data, and under what circumstances, the reach of foreign surveillance laws such as the US CLOUD Act and FISA 702 creates a legal deadlock: these regulations cannot guarantee complete data sovereignty while the data holder is subject to foreign laws.

Increasing AI usage complicates this further, as transferring data to GenAI models (e.g., LLMs) hosted outside the EU or on foreign-owned clouds within the EU can violate GDPR if the data is personal data or is considered a “high-risk” use of AI under the EU AI Act.

Cloud repatriation

Cloud repatriation refers to moving sensitive data workloads from cloud environments subject to foreign jurisdiction to on-premises infrastructure or sovereign clouds that fall exclusively under EU law. Data sovereignty and cloud repatriation are closely linked: in many cases, true data sovereignty is not achievable without cloud repatriation.

Another key benefit of cloud repatriation, not only in Europe but also globally, is that it enables enterprises to implement better controls over their infrastructure costs. While hyperscalers offer usage-based pricing models, these are generally complex to calculate and estimate, and can lead to high and unpredictable cost increases that become prohibitive over time. This is becoming increasingly apparent in the AI era, where large amounts of computing power are required to run AI workloads, “with hyperscalers costing about three times to six times as much as specialized competitors”. Repatriating workloads to on-premises data centers or smaller regional cloud providers therefore allows enterprises to have more control and predictability over their infrastructure costs, and gives them more value from their investments.

The EU has launched several initiatives to build the sovereign infrastructure that makes cloud repatriation possible: 

  1. Gaia-X: A transparent ecosystem of cloud service providers and users that makes data shareable and available across the ecosystem, while giving users complete control over their data.
  2. EuroStack: A strategic initiative to build a complete, European-made digital infrastructure ranging from sovereign clouds, to open source AI models, to digital public infrastructure.
  3. The Sovereign Cloud Stack: An open, transparent and vendor-neutral cloud ecosystem running exclusively in Europe, guaranteeing data sovereignty.
  4. Cloud and AI Development Act: Associated with the AI Continent Action Plan, the Cloud and AI Development Act aims to “at least triple the EU’s data centre capacity within the next 5 to 7 years and fully meet the needs of EU businesses and public administrations by 2035”.
  5. Apply AI Strategy: A strategy to increase AI adoption and AI-based innovation across Europe, and strengthen the EU’s technological sovereignty.

Europe’s push for data sovereignty and the risk it poses to their European business have led AWS, Azure, and GCP to rethink their business strategy in the region. Each hyperscaler has established its own European sovereign clouds in recent years that are owned and operated by entities established under EU laws, or by European partners. This strategy helps these hyperscalers circumvent US jurisdiction, and provide cloud solutions that are only subject to EU jurisdiction. However, these clouds are still priced under hyperscaler pricing models and aren’t ideal options for enterprises exploring cloud repatriation to implement better cost controls.

Interoperability

Interoperability is the ability for organizations to seamlessly exchange data with one another regardless of the underlying technology or software they use. The objective is to align on specific technical and non-technical standards across the EU, allowing organizations to easily share data with one another, and also protect themselves from vendor lock-in. Interoperability enables digital resilience, as it allows European organizations to easily move from software that risks being subject to foreign jurisdiction to software under EU jurisdiction.

The Interoperable Europe Act, while focused on public sector organizations, has introduced the European Interoperability Framework (EIF) that can be a blueprint for any European organization to follow. The EIF outlines four areas that public sector organizations need to standardize in order to enable interoperability: legal, organizational, semantic, and technical.

Technical interoperability is especially important for digital resilience as it covers the open technical standards that software must support in order to enable seamless data exchange and communication between software, regardless of the vendor that built the software. Requirements for technical interoperability include support for general open standards like REST and SOAP APIs, authentication protocols like OAuth 2.0 and OpenID Connect (OIDC), and industry-specific open standards like HL7 FHIR for exchanging health data. The act also promotes the use of open source software over proprietary software, as open source software is auditable and portable by nature, guaranteeing technical interoperability.

Technical interoperability is also covered in the EU Data Act, which mandates that cloud providers must allow “consumers to easily transfer data and switch between cloud providers”. Interoperability, therefore, ties into cloud repatriation as well, as it enables organizations to easily switch from cloud offerings subject to foreign jurisdiction to clouds under EU jurisdiction.

Open source software: the foundation for all three pillars

Data sovereignty, cloud repatriation, and interoperability define what European digital resilience requires. Open source software is what makes achieving all three practical. 

With proprietary software, you have no visibility into the source code. You can't verify how your data is being processed, or whether it's leaving your jurisdiction, which restricts digital resilience and creates regulatory compliance risks. Proprietary software is also a barrier to cloud repatriation and interoperability, as it generally restricts the deployment options and open standards it supports because this helps drive vendor lock-in.

Open source software is designed to be flexible and customizable. Its guiding principles of openness and fairness inherently support data sovereignty, cloud repatriation, and interoperability, protect organizations from vendor lock-in, and drive true digital resilience.

How open source software drives digital resilience

  • Data sovereignty: The ability to deploy software on any infrastructure (public cloud, sovereign cloud, on-premises, or hybrid) enables European organizations to deploy in environments that are subject to EU jurisdiction only, and achieve data sovereignty.
  • Cloud repatriation: Support for any deployment option also enables organizations to easily move their data workloads from cloud offerings subject to foreign jurisdiction to on-premises data centers, or sovereign clouds under EU jurisdiction. Repatriating workloads from hyperscalers also enables enterprises to implement better cost control.
  • Interoperability: Support for open standards (such as REST, SOAP, OAuth 2.0, OIDC, and HL7 FHIR) enables seamless interoperability between software and protection from vendor lock-in. Additionally, the underlying open source project on top of which open source software is built is community-governed, and compliance with open standards is both enforced by the community, and verifiable by auditing the source code.
  • Regulatory compliance: Full visibility into the source code enables organizations to understand how the software is designed to use and process their data, audit it to ensure it adheres to compliance requirements, and modify the code if needed to meet compliance requirements without vendor approval or involvement.
  • No vendor lock-in: An organization’s code always belongs to them, and not to the software vendor. Organizations are free to take their code and run it anywhere they want with or without a subscription from the vendor, protecting the organization from vendor lock-in, and ensuring business continuity.

Simply put, open source software is essential to achieving true digital resilience, and it is clear the EU agrees. This is evidenced through regulations such as the Interoperable Europe Act, the Data Act, the EU AI Act, and the Cyber Resilience Act, which either directly or indirectly mandate the use of open source software. Initiatives such as Gaia-X and the Sovereign Cloud Stack also either promote open standards or are built on open source technology. There is also an increasing push to build more European open source AI models, enabling European organizations to innovate using sovereign and open AI.

Where WSO2 fits 

WSO2 is one of the few independent software vendors with a single portfolio offering open source software across API management (APIM), integration, and identity and access management (IAM), three areas of enterprise software that any modern organization requires.

WSO2’s open source model provides organizations with complete deployment flexibility, enabling them to run software and data workloads on public cloud, sovereign cloud, on-premises, or hybrid infrastructure, and achieve complete data sovereignty and regulatory compliance, while avoiding vendor lock-in and reducing costs. This deployment flexibility also enables cloud repatriation by allowing organizations to easily move their sensitive data workloads onto sovereign cloud or on-premises infrastructure if needed. WSO2 is also a strong promoter of open standards, offering full support for REST, SOAP, HL7 FHIR, GraphQL, OAuth 2.0, OIDC, XML, JSON, and more to enable seamless interoperability.

WSO2 is soon releasing WSO2 Agent Manager, and recently released the WSO2 Engineering Platform, which together with WSO2’s API, integration, and IAM products give organizations a unified, open platform to build, manage, and run APIs, integrations, AI agents, and GenAI apps safely in production, all with built-in governance, security, and observability. These capabilities also allow organizations to use open source and/or sovereign AI models, and run AI agents and GenAI apps on sovereign infrastructure.

Additionally, WSO2 has strong European roots through its ownership by EQT, a leading Swedish private equity firm. The company also has a large presence across Europe with offices in Germany, Spain, and the UK, and over 300 customers ranging from national and local government agencies to those in highly regulated industries such as finance and healthcare.

Conclusion

With geopolitical tensions increasing, organizations that are not yet aligned with achieving digital resilience through data sovereignty, cloud repatriation, and interoperability need to do so now. Failure to do so risks continued dependence on non-EU vendors, exposure to foreign laws and regulations, and prohibitive cloud infrastructure costs.

There are also compliance deadlines approaching in late 2026 and 2027 for EU regulations including the EU Data Act, the EU AI Act, and the EU Cyber Resilience Act, and non-compliance carries the real threat of significant fines (regulators have issued over €7.1bn in fines since 2018 for GDPR alone).

Open source software is not a workaround or a compromise; it is the foundation the EU itself has identified as essential to digital resilience. Organizations that build on open source now are better positioned to meet compliance requirements, reduce infrastructure risk, and retain control over their data and their technology choices.

Contact us to discuss how WSO2’s open source software can help your organization achieve digital resilience.
