We circulated a blog with our preliminary reactions based on the leaked version of the EC’s European Tech Sovereignty Package on 29 May (see The Commission’s Tech Sovereignty Package). Now the final version is out (see https://ec.europa.eu/commission/presscorner/detail/en/ip_26_1187).
We do not re-examine the whole document (hundreds of pages of sprawling Euro-speak). Our main focus is on what has changed, tellingly, even relative to the leaked version of 27 May; and then some big picture considerations on lessons so far, and where many of us in EuroStack see the effort going.
1. EC has been “walking things back” under pressure
It is apparent the Commission has “walked back” a number of items even just from the position stated a week prior. Bluntly, this reflects the reality of an institution subjected to massive pressure in the final days by the hyperscalers’ lobby, but also reportedly from Member States with disparate positions who wanted “room for manoeuvre”. This is bad news in itself. While legislative proposals are always the product of a compromise in the EC setting, it was clear that the EC team were subject to unprecedented levels of pushback from hyperscalers and US government representatives, weaponizing all sorts of propaganda to scare the bureaucracy into submission – from waving the threat of WTO repercussions to tariff reprisals. Member States which are not uniform in their support for tech sovereignty (to say the least) were actively weaponised in the same way. No wonder the EC team caved, but as a result the positive political signalling value of this document is much reduced (see Section 2).
The main areas of retreat are in CADA and in the Open Source Strategy. For both, it is highly regrettable that while the sprawling set of documents which form the “Package” acknowledges at some point the benefit of “anchor customers”, there is NO “European Preference” anywhere to be seen. Notable also that the expression “sovereignty washing”, previously explicitly mentioned as part of the sovereignty risk assessment, has been scrubbed from the document as well.
Steering even just a portion of European public sector demand for tech services to European suppliers was not likely to make a massive difference in volume/value terms, but was going to send an important signal (even to the private sector) that one way or another, the EC was behind the need to use “demand” also as an industrial policy tool to power up the European tech industry. We ended up with nothing of the sort.
Not only that: we only have the weakest level of “maybe, with the wind behind”. In cloud procurement, we had welcomed the approach of DG DIGIT which at least set out its own Cloud Sovereignty Framework based on 4 levels of achievable “sovereignty”, and then assigned contracts for its own procurement based on those levels. Not exactly “Buy European”, but a way to operationalise a similar sentiment we could stand behind. Because DIGIT decided this is what it was going to DO, no ifs and buts.
What CADA does for public procurement across the Continent is MUCH weaker. It sets out similar criteria for Member States to adopt, BUT it is all left to their ultimate discretion: sellers need to self-certify compliance and provide their own auditors, Member States need to identify an appropriate body to implement whatever level of sovereignty they wish to pursue, for whatever use cases they may want to consider. And this even before this whole thing goes through further mangling in the European Parliament and Council. In short, the weakest possible tea, in which implementation is deferred by years and there will be endless opportunities for delay and circumvention. A nothing-burger.
Open Source is the other area where the most troubling “walkback” from the 27 May version has taken place. While the leaked version contained a major welcome focus on Open Source being elevated to key instrument of tech sovereignty in Europe (at least in principle), two key principles have been significantly softened in the brief space of a week.
First, in Article 41 of CADA Section V the principle of “Open Source first” has been reduced to an obligation to “encourage”, with broad derogations. The title of the article preserves its ambitious framing (“Promoting Open Source solutions and Open Source first”), but in the body of the text Member States are only required to “take the necessary measures to encourage” public sector bodies to use and facilitate the reuse of Open Source components, “when building their cloud and AI ecosystem or stack”, “taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria”. (Note that this formulation reproduces, word for word, Article 16 of the French Loi pour une République numérique (2016) which has delivered nothing much operationally over ten years). In more detail:
The verb is “encourage”, not “require”. The obligation borne is to “take the necessary measures to encourage” — the most classical soft law formulation. The scope is restricted to the “cloud and AI ecosystem or stack”, so the “encouragement” does not apply to all software acquired or used by European public administrations, but only to the components of the cloud and AI. The derogations are very broad: the text allows derogation from the “encouragement” on the basis of “functionalities, including security, total cost, and other relevant, duly justified objective criteria”. This last open–ended clause allows a contracting authority to justify ex post almost any of its decisions.
Second, in Article 42 public money, public code is reduced to a conditional cataloguing obligation. The draft circulated in late May presented the public money, public code principle as an obligation imposed on public administrations to make the software they purchase or develop available for reuse. The adopted CADA text imposes on no entity an obligation to make available under an Open Source licence a software financed with public money; it only defines the cataloguing modality when such a decision is taken, where applicable pursuant to other pre-existing European instruments (Interoperable Europe Act, internal doctrines, etc.). And the scope is limited to software for which the entity itself holds the intellectual property rights. Software developed on public funds by contractors that retain the rights — a frequent case in European public procurement — remains outside the scope of the obligation.
These are troubling developments because the upshot is no enforceable obligation either to purchase Open Source software or to publish under an Open Source licence the software developed with public funds. For more details, read this.
2. The big picture
The issuing of this Tech Sovereignty Package is in principle a big deal for anyone paying any attention to the Brussels bubble, and related developments in the Member States. The avalanche of comments on social media is a clear witness to this. That said, the EuroStack Industry Initiative has emphasised from the start that while public policy can be potentially useful – sending signals and creating frameworks – bureaucracies and public institutions are not going to build us a European tech industry.
Private capital and enterprises are what’s needed to truly accomplish change. The drivers for market making are demand, supply and capital allocation. The public sector can contribute to the demand-side by directing a portion of taxpayer money to European suppliers, and this can be useful also as a signal to the private sector. But they do not drive private demand: that depends on incentives and business cases. For investments which require large pools of patient capital, the public sector can also fulfil the role of anchor investor. But the key point is that money is available in Europe, in vast pools which are activating and beginning to pay attention to European tech. We do not need the European Commission to build investment funds and place multiple restrictions on private capital. Capital allocators are already moving and gauging opportunities.
The position of many in EuroStack remains that while public sector has its role to play, INDUSTRY and PRIVATE CAPITAL will make or break the rebuilding of at least part of Europe’s tech industry. Europe’s learned helplessness, “let’s wait for the Commission (or the government) to do this”, is a drag on the aggressive, existential effort we must make as a continent. Not to the exclusion of others, as we always say, but as a major surge of effort and capital, building on our substantive assets, for Europe’s growth.
Predictably, with the Package the Commission has delivered a sprawling text with a strong regulatory mindset. We anticipate private capital will look past all this and decide whether anyone is worth investing in, given our new geopolitical reality. Does powering up Europe make good business sense? This is the spirit, let’s move.
EuroStack is pursuing multiple initiatives on the supply side, the demand side (activating demand) and the funding side (promoting capital allocators to support European tech). What the public sector can do is welcome, but we believe – as an Industry Initiative – that there can be no building of Europe’s tech industry without the private sector playing the major driving role. Reliance on this package (weak, it will take years) is alas greatly exaggerated.
