A New Default for Public-Sector Tech
On June 3, 2026, the European Commission unveiled its Tech Sovereignty Package, four linked initiatives covering semiconductors, cloud and AI infrastructure, open source software, and energy-sector digitalisation (European Commission, 3 June 2026). The two pieces that matter most for developers and cloud customers are the EU Open Source Strategy and the proposed Cloud and AI Development Act (CADA). Together they do something the EU has never done before: write a preference for open-source software directly into the legal text governing public-sector procurement, rather than leaving it as guidance.
CADA is still a Commission proposal, not adopted law. It now needs a committee assignment, a rapporteur, and agreement between Parliament and Council under the ordinary legislative procedure — a process the European Parliament's own legislative tracker lists as still pending committee allocation (European Parliament Legislative Train). That matters: headlines describing an EU mandate are describing a proposal that could still change materially before it binds anyone.
The Steelman: A Real Dependency, Not Just Protectionism
The Commission's own framing deserves a fair hearing before it gets a rebuttal. The EU spends roughly €264 billion a year on IT products and services, overwhelmingly on non-EU proprietary software and cloud infrastructure, and US hyperscalers control more than 70% of the EU cloud market by the Commission's own accounting (Tech Policy Press). That concentration is a legitimate policy concern independent of anti-American sentiment: single-vendor dependency at the scale of a continent's public administration creates real exposure to pricing power, extraterritorial legal demands, and service discontinuity risk that has nothing to do with product quality. Open source, where code is auditable and portable across providers, is a genuinely defensible answer to vendor lock-in — the same logic that leads security-conscious enterprises, not just governments, to avoid single-vendor stacks. The Free Software Foundation Europe, no reflexive fan of Brussels bureaucracy, called the Commission's explicit embrace of the "Public Money? Public Code!" principle a potential "major step forward" (FSFE).
Where the Design Gets Risky
CADA's mechanism is a four-level cloud sovereignty assurance framework. Level 1 requires EU data residency; Level 2 adds EU-based personnel and source-code audits for foreign components; Level 3 requires EU ownership with narrow carve-outs for countries holding GDPR adequacy decisions; Level 4 requires full EU ownership with no third-country entity holding "effective control over design or development" of the software at all (Inside Global Tech). Public bodies must also weight "Union added value" — EU supply-chain contribution, EU hardware use — as a non-price procurement criterion.
The proportionate tiering is a genuine strength: Level 1 is achievable by any competent provider, and only the most sensitive public workloads would face Level 3 or 4. But Level 4's language cuts both ways. Read literally, "no third-country entity exercising effective control over design or development" would sweep in much of the open-source infrastructure the strategy is meant to promote — the Linux kernel, Kubernetes, and PyTorch are all open source, and all are substantially stewarded by non-EU-controlled foundations and companies. A rule meant to open public procurement to more code could, at its strictest tier, end up excluding the open-source projects Europe actually relies on today, unless the Commission clarifies that a governance body's location doesn't equal "control" for a genuinely open-license project. That distinction isn't yet settled in the proposal text.
The Money Doesn't Match the Ambition
The Open Source Strategy commits roughly €2 billion over seven years to open-source accelerators, a maintenance instrument, and the "Open Internet Stack" (EU Open Source Strategy). Set against a €264 billion annual dependency, that is a rounding error, and critics on both the policy-advocacy and law-firm side of this debate agree on little else. Tech Policy Press's analysis estimates the maintenance instrument alone needs roughly €350 million to function credibly, meaning the rest of the envelope is stretched thin across accelerators, skills programs, and infrastructure simultaneously. FSFE goes further, warning the strategy "still falls short on concrete goals, milestones, and secure funding" and that its "Free Software first" principle currently applies only to public cloud and AI contracts, not procurement broadly — leaving room for the kind of loopholes both organizations flag as a real implementation risk.
A Better Sequencing
The honest reading is that Brussels has gotten the sovereignty diagnosis right and the treatment badly underdosed. Writing an "open source first" principle into procurement law is a legitimate response to genuine concentration risk, not merely protectionism in a friendlier costume. But a legal preference unsupported by funding or a mature maintenance ecosystem risks becoming a compliance burden for cloud vendors without producing viable European alternatives for administrations to actually choose. If the Commission wants CADA's tiering to work as intended, it should clarify the Level 4 control test before it becomes law, and it should treat the Open Source Strategy's funding gap as a sequencing problem to fix in the next multiannual budget cycle — not a detail to paper over while the procurement mandate moves ahead of it.