Open Source Licensing Emerges as Key Fault Line in EU Cloud Sovereignty Debate
European cloud policy has become the focus of a new Open Source sovereignty argument after Dries Buytaert, founder of Drupal, called for software licensing to be treated as a baseline requirement rather than a minor scoring factor in the European Commission’s procurement framework. In a blog post published on 1 April 2026, Buytaert argued that the Commission’s current model gives Open Source too little weight to function as a credible measure of long-term software control.
That argument matters because the Commission’s existing Cloud Sovereignty Framework could influence the proposed Cloud and AI Development Act, which is expected to extend similar policy logic beyond EU institutional procurement and into the wider European cloud market. Buytaert’s intervention therefore goes beyond a procurement technicality. It raises a larger policy question about whether sovereignty should be judged by where software comes from, where it is hosted, or whether users retain the right to keep using, modifying, and maintaining it over time.
In the post, Buytaert says Open Source is effectively undervalued in the current framework. Technology sovereignty accounts for 15% of the total sovereignty score, and open licensing is only one of four factors inside that category. By his calculation, that leaves Open Source contributing roughly 4% to the final score, which he argues is too low for a characteristic that determines whether software remains usable and forkable even after ownership changes or vendor decisions.
Buytaert proposes that licensing should be moved out of the weighted scoring system and into the framework’s Sovereign Effectiveness Assurance Levels, or SEAL levels, where minimum thresholds already operate as pass-fail gates. Under that approach, higher-assurance deployments such as SEAL-3 and above would require Open Source licensing, especially for mission-critical systems with high switching costs. Lower-risk procurement could still allow proprietary software where replacement remains practical.
He also argues that regional ownership and hosting location do not provide the same durability as licensing. To make that case, the post contrasts proprietary software on a European cloud with Open Source software on a non-European provider with European data centres. Buytaert’s conclusion is that infrastructure dependencies can be changed more easily than a proprietary licence model, and that the strongest sovereignty position remains Open Source software deployed on a sovereign European cloud.


