This FAQ accompanies the manifesto “Sovereignty is not a license — A manifesto for a real European technological autonomy”. It is written to address both those who are discovering the topic and those who wish to debate the theses. The answers refer to the documentary annexes when the question calls for precise factual elements.
I. Understanding the project
What is this manifesto about?
The manifesto rests on a simple diagnosis: you can be fully open source and fully dependent. The technological sovereignty of an organisation cannot be reduced to the license of the code it uses. It also depends on who hosts that code, who controls its distribution chain, who funds its maintenance, which jurisdiction governs its coordination, and who can change its rules. The manifesto documents this confusion between legal freedom of the code and real autonomy, and proposes a positive programme along four axes: invest in the maintenance of open foundations, build the European infrastructure of the chain, measure real sovereignty, guarantee continuity through transparency. See Assumed limits to understand which of these axes the device actually operationalises today.
Why now?
Several recent facts converge and create a moment when the topic can no longer be evaded. The license flips by major publishers (HashiCorp, Redis, Elastic, MongoDB) reminded us that permissive free licenses are revocable for future versions. The Linux Foundation’s removal of Russian maintainers in October 2024 showed that an American foundation applies American foreign policy, even when the strict legal obligation is contested. The fragility of the open source supply chain has been made visible by the XZ Utils, IngressNightmare, Heartbleed, and Log4Shell cases. And the arrival of artificial intelligence agents capable of auditing code at scale changes the historical equation between defenders and attackers. Together, these facts give the manifesto an empirical substance it would not have had five years ago.
Who is it addressed to?
To three complementary audiences: European CIOs and CISOs who must assess their real technological dependency; European publishers and service providers who want to position their offering on the sovereignty axis without flying blind; public decision-makers and legislators who must arbitrate between support to national industry, European standardisation, and investment in the digital commons. Beyond them, the manifesto addresses anyone interested in the concrete conditions of a real European technological autonomy.
What is your relationship with open source?
We are practitioners of open source, not adversaries. Several of the signatories have used, contributed to, and maintained free projects for years. The manifesto is not anti-open source: it is anti-confusion. The confusion between free license and sovereignty serves the dominant players — who can claim the “open source” label while concentrating governance, intellectual property, and control of the distribution chain. Lifting that confusion serves the free movement rather than harming it.
What is technological sovereignty really for? Is it not an experts’ debate?
No. Technological sovereignty is not an end in itself, and it is not a technical debate reserved to experts. It is the instrument of a fundamental right: the guarantee for any organisation — a business, an administration, an individual — to be able to continue operating its data and conducting its operations, whatever happens.
Consider what can interrupt the use of an information system today: the commercial failure of a key provider, a geopolitical conflict that triggers sanctions, a unilateral license flip, the acquisition of a trusted partner by a foreign power, an extraterritorial requisition that compels a provider to cooperate with a non-European court, a simple service outage. In each of these cases, what is at stake is not a debate about open source or licenses. It is the concrete capacity of an organisation to access its data — which is, for most of them, their only real strategic value.
GDPR established in law that personal data belongs to those who produce it. The Data Act extended this principle to industrial data. Technological sovereignty is what allows this right to be turned into operational reality. Without it, formal ownership of data is not enough to guarantee its effective use when circumstances change.
That is why the manifesto addresses more than experts alone. It addresses any organisation that depends on software and services to exist — that is, today, practically all of them.
II. Answers to objections
You attack open source, when it is our best ally?
On the contrary. Our thesis is that open source is necessary but not sufficient. A free license is a condition for sovereignty; it is not a guarantee. An open source project can be controlled by a single player who changes its license overnight for future versions (HashiCorp case). It can be hosted in an infrastructure governed by a foreign jurisdiction that decides who may contribute (Linux Foundation case 2024). It can depend on a monopolistic American distribution chain (npm, GitHub, PyPI cases). Recognising these limits is not criticising open source — it is doing it a service by distinguishing legal freedom of the code from strategic mastery of its ecosystem.
Are you advocating European protectionism?
No. We advocate strategic autonomy, which is not the same thing. Protectionism consists in closing markets. Strategic autonomy consists in giving oneself the means to make independent choices, including the choice to use non-European technologies when that is relevant. The manifesto does not call for the exclusion of American or Chinese solutions; it calls for an end to mistaking the open source license for an autonomy it does not provide, and for building the missing European capabilities. An autonomous player can choose dependency; a dependent player cannot choose autonomy.
Without the Americans, Europe has nothing. You ignore that fact?
We state it explicitly. Family 5 of the annexes (“positive counter-examples”) honestly acknowledges the asymmetry of scale: the German Sovereign Tech Fund distributes 17 million euros per year, against the tens of billions invested in the American ecosystem. Codeberg hosts about 117,000 projects, against more than 100 million on GitHub. Our thesis is not that complete autonomy already exists; it is that it is technically, legally, and economically possible, and that we must decide to build it. The positive programme of the manifesto takes note of the current asymmetry and proposes the levers to correct it.
IRN (Indice de Résilience Numérique) already exists. What use is yet another manifesto?
IRN, launched in January 2026 by the French Ministry of Finance with the aDRI association, is an evaluation framework operating through labelling. It plays a useful role in the French ecosystem. Our manifesto does not compete with it: it pursues a different objective. IRN evaluates products or services individually; the manifesto offers a political and structural analysis of open source sovereignty at the European scale. IRN is an instrument; the manifesto is a thesis. The two can coexist and complement each other — the manifesto provides the intellectual framework, IRN one possible evaluation tool among others.
Are you not over-reading the Linux Foundation’s removal of Russian maintainers in 2024?
The maintainer Felipe Contreras and the Software Freedom Conservancy publicly contested the strict legal necessity of that decision: approving a patch is not obviously a “transaction” in the sense of American sanctions, and the exact reach of OFAC over unpaid contributions remains legally open. We carry that nuance in our annexes. But the objection misses the heart of our argument. Whether the decision was legally compelled or merely defensive, its practical effect is the same: an American foundation excluded foreign contributors on the basis of arbitrations stemming from Washington’s foreign policy. For technological sovereignty, the legal posture of caution of an American entity produces the same consequences as a formal obligation. It is precisely this structural character — which exceeds the question of strict obligation — that justifies the manifesto.
License flips do not revoke versions already published. Are you exaggerating the risk?
You are right on the legal point: versions published under a free license remain free forever. Nobody can retroactively revoke the GPL or BSD on already distributed code. We make that explicit in our annexes. But this technical precision is no practical comfort: a user frozen on an obsolete free version progressively loses security fixes, new features, and compatibility patches. Legal freedom over past code becomes useless when one must use present code. This is what we call the “revocable for future versions” character of the free license — not a retroactive revocation, but a de facto revocation for anyone who wants to stay current.
You present Project Mythos as a structuring event. Is this not yielding to an Anthropic communications stunt?
It is a legitimate critique, and we integrate it explicitly in our annexes. Part of the security community — notably the analysis published by Tom’s Hardware — considers that Anthropic’s claims are largely a commercial argument, and that the announced capabilities rely on 198 manual reviews whose full independence has not yet been validated. We reproduce these objections. Above all, we make clear that even if Mythos were overrated, thesis 9 of the manifesto remains valid for reasons predating that event: the documented fragility of the open source supply chain (XZ, Heartbleed, Log4Shell, IngressNightmare) is enough to establish the defensive asymmetry between attackers and defenders. Our argument does not depend on a single recent event.
Why target HashiCorp, Redis, Elastic and not other examples?
Because these cases are the most documented, the most recent, the most pedagogical for illustrating the mechanisms we describe. We could have included others (Cockroach Labs, Sentry, Akka). The choice aims at clarity, not exhaustiveness. The documentary annexes amount to about thirty cases and cover seven different families of mechanisms. Anyone who wishes to add or contest a case can contact us — the manifesto is a starting point, not a closed text.
What is more sovereign: an open source brick under foreign governance, or a French proprietary brick?
This is probably the most important question the manifesto raises, and it deserves a precise answer rather than a slogan. The honest answer is: it depends on which property of sovereignty one privileges.
Sovereignty is not a simple property. It is a bundle of properties that may reinforce or oppose each other: jurisdictional independence (not being subject to a foreign policy), auditability (knowing what the code actually does), reversibility (being able to change provider without rewriting one’s applications), continuity (being able to use the software in ten years), economic mastery (not being subjected to the prices of a dominant player), contribution to a commons (enriching a shared heritage), alignment with European standards (natively integrating GDPR, NIS2, DORA, AI Act).
On some of these properties, the French proprietary brick is more sovereign: jurisdictional independence (subject to French and European law, not to the CLOUD Act or to OFAC), native alignment with European standards (the publisher being itself European, it integrates them by construction). On others, the open source brick is more sovereign: auditability (the code is readable), reversibility (the code is forkable in law), contribution to a commons. On still others, the result is mixed: economic mastery depends as much on active policies as on the open source or proprietary nature of the software; a French publisher can be predatory on prices, a managed open source service can lock in its users as effectively as a proprietary product.
But above all, the question opposes two options where there are four:
1. Proprietary under foreign governance (the great majority of the global B2B market)
2. Proprietary under European governance (Cegid, Sage, BlueMind, Dassault Systèmes, certain German industrial bricks)
3. Open source under foreign governance (the majority of the CNCF ecosystem, Apache Software Foundation, Linux Foundation)
4. Open source under European governance (PostgreSQL, Odoo, Forgejo/Codeberg, Eclipse Foundation since 2021, projects supported by NLnet and the Sovereign Tech Fund)
The real sovereignty hierarchy is: 4 > 2 and 3 depending on which properties take priority > 1. The European strategic trap is to think only in terms of the open source / proprietary opposition, which obscures the real discriminating variable: governance, funding, control.
This is exactly the thesis of the manifesto. The license is not enough. What matters is who controls, who funds, who decides. This question arises as much for proprietary solutions as for open source ones. A French proprietary brick whose governance remains French and whose funding is European can be a fully legitimate sovereignty choice, sometimes superior to an open source project whose foundation is American. Our positive programme calls for simultaneous investment in European digital commons, in European legal structures, and in the differentiated measurement of sovereignty dimensions — without prejudging the open source or proprietary nature of the solutions, which is secondary to effective mastery.
How can a provider — publisher, hosting provider, or distributor — reassure clients on the sovereignty dimensions?
This is the complementary question to the previous one, and it commands axis 4 of the positive programme (“Guarantee”). Sovereignty is not played out only at the level of the software publisher: it plays out across the entire chain, from code to hosting and distribution. A French proprietary publisher whose product is hosted on AWS, or a so-called “sovereign cloud” provider that in fact resells American infrastructure under a white label, cannot claim sovereignty regardless of its marketing discourse. Symmetrically, a publisher that publicly assumes its dependencies and offers precise contractual guarantees becomes a credible player in technological autonomy.
Rather than proposing a heavy regulation that would only enrich audit firms and exclude small European players, we propose a simple instrument: the Sovereignty Profile. The provider publishes, on its own site, at a standardised location (/sovereignty.json), a file that answers a limited number of concrete questions — strategic third-party components, contingency plans, supply chain dependencies, data hosting, continuity, governance and capital, commitments and assumed limits. This declaration is freely verifiable, publicly contestable with evidence, and updated yearly.
The format draws on the Nutri-Score (public calculation, voluntary display, the opacity of those who do not publish becomes suspicious) and on the SBOM (Software Bill of Materials, now standard in the United States for federal suppliers). No label, no certifier, no membership cost. The rigour holds in the structured publication and in the possibility for anyone to contest with evidence.
To make producing a Profile easier, the site provides a web generator at the page /en/profile/ which runs entirely in the browser. No data entered transits to a server. The provider downloads its sovereignty.json file locally and publishes it itself on its own site. The generator’s code is under a free license, auditable and forkable.
The page /en/profile/about details this device and explains the seven domains it covers. Providers who adopt the approach are visibly distinguished from the others, without going through a costly procedure — which is precisely the point, especially for European small and mid-sized publishers.
How do individual profiles serve a collective interest?
This is an essential dimension of the device that is often misunderstood. Sovereignty profiles are not only useful to the buyer who consults the profile of its provider — aggregated, they are also an instrument of collective observation of European technological dependency.
When fifty publishers declare depending on the same American brick without a tested alternative, this is no longer an individual risk — it is a major strategic signal. An identifiable, measurable gap, justifying a public investment or a private consortium to develop a European alternative. When an entire type of service (for instance managed analytical databases, or CI/CD tools) has no credible European alternative, the aggregation of declarations makes it visible.
The manifesto commits to publishing and maintaining a gaps observatory, fed by the aggregation of indexed declarations and by qualitative analysis of available public sources. This observatory does not judge providers individually; it makes visible the concentrations of dependency, the bricks without alternative, the under-invested strategic layers. It is designed as a risk-prevention tool for CIOs and a decision-aid tool for public authorities and investors.
The public index at /en/profile/index shows the current state of indexed declarations, in reverse-chronological order of update, without score or ranking.
How does this tool concretely help prevent risks?
Together, the Sovereignty Profile and the gaps observatory serve prevention at several levels.
For a CIO or CISO, it allows the upstream evaluation of an organisation’s real exposure to disruptive events. Rather than waiting for a provider to change its terms or disappear, one can consult its profile, identify the critical dependencies, and anticipate the necessary migration plans. It is a concrete and readable risk-analysis tool, complementing without replacing the traditional IS mapping.
For a public or private buyer, it allows the objective comparison of several providers on the sovereignty dimension, and avoids choosing a solution that looks “French” on the brand but, on examination, rests entirely on a chain of foreign dependencies. Transparency about the full chain prevents the false comfort of seemingly sovereign purchases.
For a provider itself, the exercise of producing the profile is a salutary internal audit. Many publishers discover on this occasion critical dependencies they had not measured, or contractual fragilities they can correct before they become crises.
For an investor or a public decision-maker, the aggregated observatory allows the identification of the zones where investment would have the greatest impact — those where the absence of a European alternative creates a documented collective risk.
The objective is simple: turn technological sovereignty into a measurable and anticipatable dimension, rather than a topic only addressed once a crisis has occurred.
You criticise the concentration of contributions to Linux and Chromium, but are these not the natural consequences of who does the work?
This objection is valid descriptively and we mention it in our annexes. A liberal economist may legitimately reply: “Google contributes to 94% of Chromium because nobody else does, this is not capture but a market effect”. Our reply is not to contest that observation. It is to draw a political conclusion from it: if Europeans want to influence global technological standards, they must devote to it the contributory mass that does not exist today. Concentration is not a conspiracy, it is a state of affairs. The manifesto does not accuse anyone; it invites that state to be transformed.
The manifesto is too long, too technical, too French.
The manifesto is about 1,500 words, which is short for a text that tries to avoid political simplification. The documentary annexes are long because we want each claim to be verifiable. On the French dimension: the text is written in French but its frame of reference is explicitly European, and an English version is in preparation. On the technicality: we wagered that a serious manifesto on technological sovereignty cannot do without a certain technicality, on pain of falling into incantation. Those who judge the text too technical are precisely those whom dominant players can continue to instrumentalise through the confusion between free license and sovereignty.
III. Methodology and rigour
How did you verify the facts cited?
Each case documented in the annexes was checked against first-hand sources: official statements of the entities concerned, technical reports (CVE, security audits), academic publications, and coverage by reference technical media. Sources are systematically linked at the end of each sheet. When a fact could not be confirmed directly, we signal it with a careful formulation rather than a categorical assertion. The dossier counts more than a hundred first-hand sources.
What about the cases where your argument may seem weak?
We signal them. Several prefaces in the annexes honestly document the limits of our demonstration: the asymmetry of scale between the European counter-examples and the American ecosystems they claim to substitute (family 5), the recent character of events such as Project Mythos whose structural reach will only be known with several months of hindsight (family 7), legal nuances on the reach of American sanctions applicable to open source foundations (family 2). A manifesto that acknowledges its own argumentative limits is more solid than a manifesto that masks them.
See Assumed limits of the device for the consolidated list of recognised argumentative limits, of the device’s assumptions, and of the gap between the manifesto and the tool.
Will you update the manifesto if new facts emerge?
Yes. The manifesto is publicly versioned. Each substantive modification is documented. If facts that emerge after publication invalidate a thesis or an analysis, we note it and correct the text. If a documented alternative analysis changes our reading of a case, we integrate it. The manifesto is a starting point for a debate, not a sacred text. Our commitment is not to the current conclusions but to the rigour of the process.
Do you accept public criticism?
Fully. Anyone who wishes to contest a fact, an analysis, or a thesis can contact us — by email, by public publication, by contribution to the open discussion tools we will set up. Argued criticisms will be cited and, when justified, integrated into later versions. Criticisms that fall under bad faith or personal attack will not receive a public response.
IV. Practice
Who carries this manifesto?
At this stage, the manifesto is carried individually by Nicolas Martinez, through NIM-HQ (a French SAS) — see the legal notice for the effective contact details. This stewardship is explicitly transitional: a collective structuring (association, AISBL, foundation, or editorial collective) will be arbitrated when the dynamic of declarants justifies it. The posture is assumed — a single steward before extending, rather than claiming a collective legitimacy that does not yet exist. See also Assumed limits.
How can I publish my declaration?
The central gesture proposed by the manifesto is to publish one’s declaration rather than sign a text. You write your declaration through the public generator at /en/profile/, which runs entirely in your browser — no data entered transits through a server. You obtain a sovereignty.json file that you host yourself on your own domain, at a stable URL. You then notify the manifesto from the same page. A moderation team checks that the URL responds, that the JSON conforms, and that the declarant is the holder of the domain (DNS, HTTP, or git challenge), then enters the declaration into the public index at /en/profile/index.
What is a Sovereignty Profile?
It is the communicational designation used for technology providers (publishers, hosting providers, distributors) who fill in all seven domains of the declaration: strategic third-party components, contingency plans, supply chain dependencies, hosting and data, continuity on failure, governance and capital, commitments and assumed limits. The underlying technical format is sovereignty.json. A Sovereignty Profile allows a buyer — CIO, CISO, head of procurement — to assess a provider’s posture quickly without going through a heavy audit.
What is a commitments declaration?
It is the communicational designation used for declarants who fill in only domain 7 — commitments and assumed limits — without documenting the entire technical chain. Typical cases: a user organisation that publicly assumes the principles of the manifesto without being a provider itself; an individual who makes their professional commitments public; an administration that formalises its policy. The technical format is exactly the same as for the Sovereignty Profile: a single sovereignty.json file. Only the coverage of the domains differs.
How is my declaration verified?
On notification, the manifesto runs three checks: the canonical URL responds, the JSON validates against the sovereignty-v1 schema, and the declarant proves it controls the domain through a challenge mechanism of its choice: a DNS TXT record, an HTTP file at a standardised URL, or a signed git tag on a public repository. Once these checks pass, the moderation team examines the submission against public criteria (no duplication, no impersonation, no off-topic or unlawful content) then validates or refuses. A daily automatic check then verifies that the canonical URL still responds and that its content remains compliant; a declaration that becomes inaccessible is marked as such for thirty days, then withdrawn if it has not been restored.
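The checks described above, sketched as an added example (not the manifesto's own code): domain coverage of a sovereignty.json, a domain-control challenge for the DNS TXT or HTTP route, and the thirty-day rule of the daily re-check. The domain key names, the HMAC-based token format, the status names and all function names are assumptions, since the page does not reproduce the sovereignty-v1 schema or the challenge format; network fetches are left to the caller and the signed git tag route is not covered.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical keys for the seven domains named on this page; the real
# sovereignty-v1 schema may name them differently.
DOMAINS = ("strategic_components", "contingency_plans", "supply_chain",
           "hosting_and_data", "continuity", "governance_and_capital",
           "commitments_and_limits")
GRACE = timedelta(days=30)  # inaccessible for thirty days, then withdrawn


def classify(raw: str) -> str:
    """Coverage of a sovereignty.json body: profile, commitments, partial, invalid."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(doc, dict):
        return "invalid"
    filled = {k for k in DOMAINS if doc.get(k)}
    if filled == set(DOMAINS):
        return "profile"        # all seven domains filled in
    if filled == {"commitments_and_limits"}:
        return "commitments"    # domain 7 only
    return "partial" if filled else "invalid"


def challenge_token(secret: bytes, domain: str, nonce: str) -> str:
    """Assumed challenge format: HMAC binding the token to one domain and one submission."""
    msg = f"{domain.lower()}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def proves_control(secret: bytes, domain: str, nonce: str, published: List[str]) -> bool:
    """published: TXT values or HTTP file lines already fetched from the declarant's domain."""
    expected = challenge_token(secret, domain, nonce).encode()
    # Constant-time comparison, so response timing does not leak token prefixes.
    return any(hmac.compare_digest(expected, v.strip().encode()) for v in published)


def daily_status(ok_today: bool, first_failure: Optional[date],
                 today: date) -> Tuple[str, Optional[date]]:
    """One daily re-check: returns (status, date of the first consecutive failure)."""
    if ok_today:
        return "listed", None
    first_failure = first_failure or today
    # Interpretation: withdrawn once thirty full days have passed since the first failure.
    if today - first_failure >= GRACE:
        return "withdrawn", first_failure
    return "inaccessible", first_failure


# Constructed sample data, not a real declaration.
SECRET = b"constructed-moderation-secret"
FULL = json.dumps({k: {"summary": "constructed"} for k in DOMAINS})
DOMAIN7_ONLY = json.dumps({"commitments_and_limits": {"summary": "constructed"}})

if __name__ == "__main__":
    token = challenge_token(SECRET, "provider.example", "n-001")
    print(classify(FULL), classify(DOMAIN7_ONLY))
    print(proves_control(SECRET, "provider.example", "n-001", ["v=spf1 -all", token]))
    print(daily_status(False, date(2026, 1, 1), date(2026, 1, 31)))
```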
What happens to my email?
You provide a moderation email solely to allow the team to contact you in case of a correction request. This email is deleted immediately upon validation, in a non-circumventable way. The deletion date is traced by an emailDeletedAt timestamp. No email is retained after validation. No mailing is sent. No tracking cookie, no third-party analytics, no transfer outside the EU. The privacy page details the full policy.
How can I contribute beyond the declaration?
Several routes are possible. You can relay the manifesto in your professional and academic network. You can signal documented cases we may have missed or factual errors. You can propose a translation in your language. You can contribute to the operational instantiation of thesis 10 of the manifesto — measuring sovereignty is precisely what the Profile and the public index are building. For all these contributions, contact us through the About page.
How can I support the project financially?
No donation channel is open at this stage, by choice. The manifesto prefers to structure a collective frame (cf. the previous question on stewardship) before opening a financial channel — opening a fundraising pot without a structure to receive it would be incoherent with the device’s grammar of transparency. The most useful support today is to publish your sovereignty declaration, to relay the manifesto in your network, and to signal documented cases we may have missed.