Technological sovereignty does not play out at the software level alone. It also plays out at the level of hosting, capital and the distribution chain — three legal and financial dimensions which thesis 7 of the manifesto names as the “right of oversight and shutdown” that a foreign jurisdiction can exercise over what one believes one owns.
Three commitments address these dimensions.
European hosting by default (see commitment pub-008). For a provider — SaaS publisher, hosting provider, integrator — European hosting as the default position means that customer data transits through and resides in a jurisdiction that effectively protects it. This covers the physical location of datacentres, the effective jurisdiction of the operator (a French operator may be a subsidiary of an American entity, which potentially places it under the CLOUD Act), and the underlying managed services (a European PaaS that resells Google Kubernetes Engine does not offer the same guarantee as a PaaS built on a sovereign stack).
Statutory clauses protecting against non-EU acquisition (see commitment pub-012). Without a statutory lock, a French publisher can change its reference jurisdiction overnight: Aleph Alpha bought by Cohere in April 2026, Silo AI by AMD in August 2024, MariaDB taken over by K1 Investment in September 2024 — all transitions which should not have surprised customers, but which did, for lack of contractual or statutory protection. Several mechanisms provide that lock: a shareholders’ agreement limiting transfers to non-EU entities; pre-emption rights for European funds; a public golden share for providers of strategic interest; a specific share with blocking rights. These mechanisms complement state-level arrangements (IEF in France, AWG in Germany, Golden Power in Italy) without substituting for them.
Public documentation of the supply chain’s jurisdiction on the buyer side (see commitment user-005). User organisations can — and should — make legible the effective jurisdiction of their forges, package registries, container registries, CI/CD services, and third-party infrastructure services. This documentation is not an audit: it is an inventory that lets the organisation identify its own jurisdictional single points of failure, and that contributes, at aggregate scale, to the device’s mapping of gaps.
These three commitments do not share the same target — provider, provider, user — but they address the same exposure surface: what a third-party actor’s jurisdiction can legally impose on your technical setup, outside any commercial negotiation.
For documented cases where jurisdiction shifted without useful notice, see the annex Family 2 — Foundations and jurisdiction.