This is the English translation of the original French manifesto. It aims to faithfully render the original voice and argumentation. The French version remains the canonical reference for any disputed reading.
To be able to continue to operate one’s data and conduct one’s operations, whatever happens. That is technological sovereignty. Everything else—licenses, contracts, certifications—is only a means to serve that end.
Preamble#
You can be fully open source and fully dependent.
This sentence, which ought to be a commonplace, still needs saying. For twenty years, Europe has built its relationship with the digital on a lazy equation: that adopting free software would suffice to reclaim our technological independence. The equation is comfortable. It allows one to tick a box, to sign a press release, to promise a sovereignty that commits to nothing. It is also false.
Free software remains, in the great majority of cases, the best choice for those who care about transparency, auditability and long-term independence. To give up open source in favour of captive SaaS would be a sovereign suicide. But to use free software is not to be sovereign—no more than buying proprietary software from a European publisher is enough to be sovereign. The license, open or closed, is not a guarantee: it is a legal attribute of the software. Sovereignty, by contrast, is an attribute of the entire chain that produces, maintains, and distributes it. Free software makes one eligible for sovereignty—provided that one invests in everything that makes it genuinely free. The European proprietary publisher makes one eligible in the same way—provided that one audits the chain (capital, jurisdiction, hosting, continuity) with the same rigour.
Yet this investment, we do not make. We use free projects whose code is versioned on American forges, whose binaries are distributed by American registries, whose foundations are legally anchored in the United States, whose principal maintainers are salaried by American corporations, and whose roadmap is arbitrated by the sponsors who fund them. We call this sovereignty. It is disguised dependency.
This chain runs through the code we write, the tools that compile it, the registries that distribute it, the foundations that govern it, the companies that pay the maintainers, and the human skills that keep all of it alive. No single link is enough to guarantee it. Each one can be enough to break it.
This manifesto calls for an exit from the illusion. Not to denounce free software—without it, there is not even a debate to be had. But to demand that sovereignty be thought, measured and funded at the level of what it truly requires. We call upon the organisations, the communities, the public authorities and the businesses that share this diagnosis to recognise the theses that follow, to incorporate their requirements into their own frameworks, to publish their commitments for technological sovereignty, and to take part in building the open instruments that flow from them.
So long as we conflate the use of free software with the conquest of independence, we will offer purchase to a strategy that no longer hides itself: the one that consists in turning free software into an instrument of normative domination. This nuance is not a rhetorical detail. It is the difference between a state that believes itself to be sovereign and a state that is sovereign.
The thirteen theses#
Diagnosis#
1. Digital sovereignty has become a watchword without a grammar: everyone invokes it, no one agrees on what it requires.
2. European digital dependency is not reducible to the choice of a provider; it runs through the code we write, the tools that compile it, the registries that distribute it and the foundations that govern it.
Critique of the dominant responses#
3. Adopting free software does not make us sovereign, and buying proprietary software from a European publisher does not make us any more sovereign. The license, open or closed, is a legal attribute of the software—not a guarantee of sovereignty. Each of the two paths makes one eligible for sovereignty provided that one invests in what makes it real: for free software, in what makes it effectively free (maintainers, foundations, distribution infrastructures); for proprietary software, in what makes the chain auditable and continuable (capital, jurisdiction, hosting, escrow).
4. A foreign foundation is not a European infrastructure, even when it governs projects used across the whole of Europe.
5. An open source project whose contributions, artefacts or roadmap depend on a single sponsor is a revocable free project.
Deeper analysis#
6. The technological sovereignty of a piece of software is measured on its entire chain: production, maintenance, distribution, governance, funding, skills. None of these links is sufficient; each can be enough to break it.
7. To distribute free software through registries and networks subject to a foreign jurisdiction is to grant that jurisdiction a right of oversight and of severance over what we believe ourselves to own.
8. Technological autonomy rests less on licenses than on people: without a critical mass of maintainers paid to keep the critical bricks alive, free software becomes a technical debt funded by parties other than ourselves.
Turning point#
9. When artificial-intelligence agents can audit at scale the code that we publish, the transparency of free software ceases in itself to be a defensive asset: to remain so, it requires means of audit and response commensurate with the new offensive capabilities.
Requirement#
10. Measuring sovereignty requires evaluating separately the code, the governance, the funding, the distribution and the skills—and refusing any score that aggregates these dimensions to the point of obscuring their weaknesses.
11. A serious European digital sovereignty policy is recognisable by its investment in the foundations, the maintainers and the distribution infrastructures—not by its declarations on the percentage of free software deployed.
12. So long as European providers position themselves as distributors of bricks under foreign governance, they deprive sovereign alternatives of the customers, the capital and the critical mass that would allow them to exist.
13. Technological sovereignty is not an end in itself. It is the condition under which an organisation—a business, an administration, an individual—can continue to operate its data and conduct its operations, whatever happens: provider failure, geopolitical conflict, sanctions, hostile takeover, unilateral flip by a publisher. It is a right, not a comfort.
Positive programme#
The thirteen theses set out above sketch a diagnosis. That diagnosis calls for concrete commitments, at several levels and for several audiences. We propose four axes of action, each of which presupposes the mobilisation of public decision-makers, of user organisations, and of open source communities. None of these axes is sufficient on its own; none can be delegated.
Axis 1 — Investing in the foundations of autonomy#
Sovereignty is not declared, it is funded. Without structural and lasting investment, everything else remains rhetoric.
For European and national public decision-makers. Create a lasting European fund dedicated to direct funding of the maintainers of open source bricks critical to the continent’s infrastructure, on the broadened model of the pioneering national programmes in this area. Recognise the maintenance of software infrastructure as a mission of general interest, eligible for the same support mechanisms as fundamental research or physical infrastructures. Equip the defenders of critical bricks with means of audit and response commensurate with the new offensive capabilities, in particular those made possible by artificial-intelligence agents. Make conditional on sovereignty criteria the public procurement of software—criteria that include the production and distribution chain, and not the apparent license alone.
For user organisations. Set aside a documented fraction of their software budgets for the funding of the projects on which they depend, through direct sponsoring, salaried contributions from their teams, or payments to the European foundations that host them. Publish, in time, the mapping of their critical dependencies and the support commitments that follow from it.
Axis 2 — Building the European infrastructure of the chain#
So long as the distribution chain is captive to a foreign jurisdiction, the free code that passes through it is captive too. We must build the rails we do not have.
For public-sector players and industrial consortia. Build European registries for packages, containers and artefacts—as mirrors of the dominant registries when that is enough, as autonomous alternatives when it is no longer enough. Develop a European forge of significant scale for source code, capable of hosting the continent’s strategic projects outside extraterritorial jurisdiction. Support the existing European open source foundations through stable funding mechanisms, and facilitate the migration of strategic projects to those foundations.
For European open source communities. Favour European hosting for new strategic projects. Document publicly the effective jurisdiction of the infrastructures used, so that users may evaluate, in full knowledge, the sovereignty commitments presented to them.
For European providers of digital services. Invest a share of their technical capacity in the production, maintenance or co-funding of software bricks whose governance they control, rather than in the mere distribution of external standards. Favour, at functional equivalence, bricks under European governance in the offerings presented to European customers, and make this preference readable in their catalogues.
Axis 3 — Measuring in order to steer#
Without an instrument of measurement, autonomy remains a slogan. Without an open methodology, the measurement becomes a captive market. We need both.
For the field as a whole. Adopt a multi-dimensional evaluation methodology that distinguishes the code, the governance, the funding, the distribution and the skills, and refuse any score that aggregates these dimensions to the point of obscuring their weaknesses. Treat the evaluation of sovereignty as a methodological commons, freely consultable, modifiable and auditable, under licences genuinely open in the sense of the recognised open source standards. Complete the existing market methodologies by integrating into them, explicitly, the dimension of the production and distribution chain, and the propagation of dependencies between providers.
For organisations. Conduct annually a public evaluation of their sovereign exposure, distinct from their regulatory compliance and more demanding than it. Make visible the gap between the apparent sovereignty and the real sovereignty of their systems—a gap that constitutes, in itself, an indicator of progress.
Axis 4 — Guaranteeing continuity through transparency#
Not all sovereignty runs through open source. A substantial share of European software solutions is and will remain proprietary, and that is legitimate—a publisher can serve the technological autonomy of its customers without publishing its code. But sovereignty is not played out at the publisher level alone: it is played out across the entire chain, from the software to the hosting and the distribution. To heavy regulatory devices that enrich only the audit firms and exclude the smaller players, we prefer a simple instrument, free, public and verifiable by all: the Sovereignty Profile. The Profile does not distinguish open source from proprietary: it distinguishes providers who make their chain readable from those who obscure it.
For European providers—proprietary publishers, open source publishers, hosting providers, cloud providers, distributors and integrators. Adopt a public self-declaration format that makes readable, at a standardised location, the strategic third-party components, their governance jurisdictions, the contingency plans in case of failure, the supply-chain services whose discontinuation would block the product, the hosting of the data, the conditions of continuity in case of provider failure, and the capital structure of control. Update this declaration annually. Publicly assume blind spots rather than mask them—transparency on weaknesses is in itself a signal of reliability.
For proprietary publishers in particular. Where open source structurally guarantees continuity of use—public code, possibility of fork, independence from the survival of the publisher—proprietary software must guarantee it contractually. The Profile—and more precisely its domains 5 (continuity) and 6 (governance)—is the place where these guarantees are declared: software escrow with a trusted European third party or a public release commitment to release the code under a free license under named triggering circumstances (bankruptcy, liquidation, non-EU acquisition); a standard reversibility clause written into the contract (open formats, export scripts, deadlines); a minimum notice period before end of support or unilateral flip; a continuity arrangement (organised transfer, sector guarantee fund, mutual takeover agreement); statutory clauses of protection against a hostile takeover (shareholders’ agreement, European pre-emption rights). Without these conditions explicitly declared, the proprietary publisher cannot lay claim to the same sovereignty guarantee as an open source publisher—not because its model would be illegitimate, but because the guarantee calls for mechanisms that remain to be formulated.
For public and private buyers. Require this self-declaration as a prerequisite for being listed in procurement, and give a preference to providers who publish it over those who do not. Demand the profiles of the entire chain: publisher, hosting provider, integrator—a single non-transparent link is enough to compromise the sovereignty of the whole. Make the absence of declaration a negative signal as explicit as its presence is a positive one.
For the field. Maintain an open reference schema, a public and auditable web generator, a neutral index of the providers who have published their profile, with no certification, no labelling, no membership cost. Allow the public, argued contestation of declarations that prove misleading, and publish those contestations. Let the format evolve collectively as new risks emerge.
For European public authorities and investors. Draw on the aggregation of the profiles to map publicly the concentrations of dependencies—the strategic bricks used massively without a tested alternative, the layers of the digital infrastructure where Europe is in a situation of collective risk, the foreign providers whose failure would simultaneously affect hundreds of European organisations. This mapping is not a ranking but an inventory: it makes the gaps visible so that they may be filled by public investment, by private consortia, by the European open source community. Make this observatory of gaps a European methodological commons, fed by voluntary declarations and complemented by qualitative analysis of public sources.
In conclusion#
Initiatives are beginning to measure European digital dependency and to propose common languages. They are necessary, and we salute those that have committed to this path. This manifesto is not meant to replace them but to complete them where they stop: at the precise point where open source is counted as a line in a grid, when it ought to be analysed as an entire chain.
Beyond technical considerations, this manifesto has a purpose that exceeds sovereignty itself. The mastery of the software chain is not a matter for experts. It is the condition under which a European organisation—a business, an administration, an individual—can continue to operate its own data and conduct its own operations, whatever happens. When a provider fails, when a geopolitical conflict triggers sanctions, when a publisher unilaterally changes its terms, when a hostile takeover turns a trusted partner into a subsidiary of a foreign power: what must remain accessible is the data and the capacity to use it. Everything else—licenses, contracts, certifications—is only a means to serve that end.
We call upon the organisations, the communities and the public authorities that share this diagnosis to publish their commitments for technological sovereignty, to incorporate its requirements into their own frameworks, and to take part in building the open instruments that flow from them. European technological sovereignty is not decreed in press releases. It is built, line after line, foundation after foundation, maintainer after maintainer—or it remains a word whose meaning we will eventually have forgotten.
Version 4—open to commitments and to revision.