Entrusting your corporate data to a closed system is like renting an apartment. You can use the space and certainly have some rights, but you don’t have control. The landlord can raise the rent, impose new rules, decide not to make improvements, or, in the worst-case scenario, evict you. In a corporate context, data sovereignty represents exactly this concept: the vital need to maintain absolute control over your information, deciding independently what to do with it, where it resides, and who can access it.
Data sovereignty is not just for industry insiders, and it is not merely a technical issue. It is a strategic choice that affects business survival. Today, the only real guarantee of independence for companies and for Europe as a whole lies in the adoption of open source software. Only when code is accessible, transparent, and not tied to a single vendor can an organization truly be considered the master of its own digital destiny.
According to the official definition by the Open Source Initiative, open source software must guarantee access to the source code and the freedom of redistribution without discrimination. Without these pillars, your company risks getting trapped in rigid ecosystems, losing the ability to innovate and adequately protect your customers’ data.
This article is designed to guide business decision-makers, managers, and non-technical professionals on a path toward awareness. The goal is to provide practical tools to navigate between true open solutions and the false commercial promises that crowd the market. We will discover together why choosing open source is not just about saving on license costs, but represents life insurance for your company’s information assets.
What does it really mean to own your data?
Owning your data means having exclusive and permanent control over where information is stored, who can access it, and how it is processed, without depending on a single technology vendor. This operational independence ensures that the company can move its systems freely, protecting the business from sudden price hikes, license changes, or external interference.

Europe, the United States, and the race for sovereign cloud
The management of digital information has become a central theme in global geopolitical dynamics. Historically, the technology market has been dominated by United States vendors, whose internal regulations often conflict with strict European privacy laws. In fact, the U.S. government is actively opposing European data sovereignty initiatives, fearing the loss of strategic and commercial control over global information flows. This tension has pushed the European Union to seek greater independence, sparking a real race toward autonomous digital infrastructures.
Major technology players have quickly understood this market demand. Beyond the announcement of the AWS European Sovereign Cloud, we are seeing the birth of similar initiatives like Google S3NS and Project Bleu (a joint venture between Capgemini and Orange based on Microsoft Azure technology), demonstrating how proprietary cloud giants must adapt to the demand for physically and legally separate infrastructures for Europe.
However, there is an important distinction worth making, which allows us to view these announcements through the right lens. These offerings may reduce legal risks related to information residency, but they do not provide true technological sovereignty.
A cloud operated by a non-European hyperscaler remains, by its very architecture, controlled and strategically aligned outside of Europe.
In light of these limitations, what exactly is a company looking for when evaluating a truly sovereign cloud? There are three fundamental requirements:
- Data residency: information must remain physically within European borders, protected by local regulations and inaccessible to foreign governments.
- Access control: only the owning company and authorized European personnel must be able to view or manage the stored data.
- Operational independence: the infrastructure must be able to function in total autonomy, ensuring business continuity even in the event of disconnection from the main vendor’s global systems.
The role of regulations and the impact of the Cyber Resilience Act (CRA)
European regulations define precise rules for technological independence. The Cyber Resilience Act (CRA) is the new European law created to ensure the security of digital products connected to the network. This regulation establishes rigorous requirements for software and hardware manufacturers, obligating them to provide continuous security updates and to promptly declare any vulnerabilities.
The impact on companies will be tangible and cross-sectoral. For example, a company that produces connected medical devices will no longer be able to ignore security flaws in integrated software. The same applies to industrial IoT sensors used in factories and to consumer devices such as smart TVs, routers, and smartphones.
All these companies will have to integrate security from the initial design phases, the so-called security-by-design approach. They will also have to ensure that the software receives timely security updates throughout the product’s useful life.
The legislative landscape is increasingly and officially recognizing open code as a fundamental pillar for collective security. When source code is visible and verifiable by thousands of experts and developers around the world, defects are identified and corrected much faster than in closed and secret systems.
Transparent cybersecurity is the first, indispensable step to avoid being held hostage by third-party vendors. If you cannot inspect the software that manages your data, you must blindly trust the vendor’s promises. Conversely, the open approach allows for independent audits and verification that there are no hidden backdoors.
In this way, compliance with regulations like the CRA becomes a collaborative and transparent process, strengthening the true digital sovereignty of organizations.
To check the impact of this regulation on your business, we have prepared a practical guide to understand if your product falls under the CRA.
Why is open source the engine of European digital sovereignty?
Open source is the engine of digital sovereignty because it eliminates dependence on a single vendor, allowing companies to inspect, modify, and move their software freely. This technological transparency ensures total control over data, reducing migration costs and fostering secure, collaborative, and constraint-free innovation.
Beyond code: independence and reducing vendor lock-in
Have you ever wondered how much it would cost your company to migrate its entire management system if your current vendor decided to double their rates overnight? To understand the risk of relying on closed systems, imagine buying a high-quality camera, only to discover that its lenses work exclusively with that brand. If you wanted to change camera bodies one day, you would have to rebuy the entire set of lenses from scratch. In the software world, this expensive trap is called vendor lock-in.
Adopting open source solutions allows companies to change cloud providers or technology partners without having to rebuild the entire infrastructure. This freedom applies at all corporate levels. For example, developing solid open source intranet applications ensures that internal processes are not paralyzed if a vendor decides to change contractual terms.
Furthermore, using open source auditing software ensures absolute transparency in verification processes, an essential requirement for true independence. This freedom to innovate also extends to cutting-edge technologies. To understand how this philosophy is transforming complex sectors, we recommend reading our deep dive on AI for developers: the open source software revolution.
Open innovation is the only way to adopt new technologies while keeping the helm firmly in your own hands, giving managers true decision-making power.
The difference between proprietary SaaS and open solutions
The proprietary software as a service model has simplified access to many digital tools, but it has a hidden price: the loss of control. In a closed SaaS, your data resides on another company’s servers, which unilaterally dictates the rules for export and usage. Conversely, open alternatives allow you to host the software on your own servers or on a cloud of your choice.
Today, companies are looking for flexibility in every sector. In e-commerce, for example, evaluating open e-commerce platforms (such as those based on Drupal) compared to rigid SaaS ecosystems allows for customizing the shopping experience without artificial limits. This need for control covers every daily business requirement, from document drafting to accounting.
Think of historic office suites like Apache OpenOffice or LibreOffice, which have shown how it is possible to manage complex documents without paying recurring licenses. Even at a more strategic level, adopting open source ERP and CRM systems (like Odoo or Dolibarr) allows companies to manage accounting, inventory, and customers while maintaining absolute ownership of their corporate history. Let’s also consider Drupal, the leading open source CMS for enterprise and institutional contexts.
Choosing these tools means investing in a technological asset that grows with the company, rather than paying perpetual rent to third-party vendors.
Furthermore, it is important to highlight how the validity of open source alternatives is confirmed by the growing adoption of such solutions by governments and public institutions (for example, the French government’s transition from Microsoft 365, Teams, and Zoom to LaSuite).
Not all open source is the same: the scale of sovereignty
Not all open source software offers the same level of independence; there are different nuances. True sovereignty depends on the project’s governance and the degree of freedom afforded to the user. Solutions managed by neutral foundations guarantee total control, while projects led by a single company expose organizations to the risk of sudden license changes or usage restrictions.
The different levels of software openness
It is fundamental to understand that the concept of openness is not a simple on/off switch, but a spectrum with different nuances. To navigate this landscape, it is extremely useful to refer to the recent article in which Dries Buytaert, the creator of Drupal, formalized this concept by proposing the so-called “Software Sovereignty Scale”.
This scale helps decision-makers evaluate the real level of independence offered by a technology. The crucial difference lies in who holds the decision-making power: a project led by a single company, which holds the registered trademark, can change its license at any time for profit motives. Conversely, a project governed by a neutral foundation protects users from these commercial drifts, ensuring stability.
We can summarize the main levels of the scale as follows:
- Total community control: The software is governed by a non-profit foundation. Decisions are made democratically, and no single actor can privatize the code. This is the maximum level of sovereignty.
- Corporate control with open license: The code is accessible, but a single company decides the fate of the project and holds the trademarks. The risk of commercial shifts is always present.
- Proprietary software: The code is closed, secret, and totally controlled by the vendor. The user’s sovereignty over their tools is non-existent.

Drupal as a prime example of an open ecosystem
When we talk about the maximum level of sovereignty, Drupal represents the perfect example. Often reduced to the simple label of a content management system, Drupal is actually an extremely powerful and flexible framework and ecosystem, used by the world’s largest organizations.
What makes Drupal unique is its distributed governance. There is no single corporate owner that can decide to shut down the project or make it paid overnight. Its evolution is guided by the Drupal Association, a non-profit foundation, and supported by a global workforce of thousands of developers and partner agencies.
This organizational structure guarantees organizations that adopt it true long-term independence. If the agency that developed your site closes or no longer meets your needs, you can easily find another vendor. The code is open and belongs to the community: no transfer is blocked.
This solid and secure architecture is ideal for building complex digital platforms, government portals, and critical business systems without ever ceding control of your data. Choosing a platform with this level of openness means investing in a technology that puts user interests above the profits of a single vendor.
At SparkFabrik, we don’t just use this technology; we actively participate in the forums where the future of the ecosystem is defined. At the most recent events, sovereignty and open source have come to the fore: these themes concern public administrations, as discussed at Drupal4GovEU, as well as the strategic evaluations of CTOs in private entities, as explored in our article on Drupal, AI, and platform engineering.
Thanks to this direct involvement in the ecosystem, and our vertical expertise in Cloud Native, AI, and supply chain security, we design and develop modern Drupal platforms optimized for performance, scalability, and security. With over a decade of experience, we are the reference technology partner in Italy. Discover our Drupal development and consulting services.
How to recognize (and defend against) the phenomenon of openwashing?
Openwashing is a deceptive marketing practice where proprietary companies promote their products as open source to attract customers, while maintaining exclusive control over the code. To defend themselves, companies must verify who holds the rights to the project and prioritize software governed by independent and neutral foundations.
What is openwashing and how to recognize it
The open software label sells well because it is synonymous with trust, security, and innovation. Unfortunately, this has generated the dangerous phenomenon of openwashing. It is a deceptive marketing practice where fundamentally proprietary companies use the open label to attract customers, while maintaining closed control over the core code, advanced features, or user data.
For non-technical managers, the risk of falling into this trap is very high. You believe you are buying independence, investing time and resources in adopting a platform, only to find yourself trapped in monopoly dynamics. Recently, we have witnessed numerous cases of large companies suddenly revoking open licenses for their products, switching to restrictive commercial models, and leaving customers with no viable alternatives other than paying increased fees.
How can you defend your company from these commercial traps? Here are two practical tips:
- Verify trademark ownership: try to understand if the software is managed by an independent foundation, such as the Apache Software Foundation, or if the rights belong to a single for-profit company.
- Check for locked features: if essential functions for security or enterprise integration are only available for a fee and their code is closed, you are facing a clear case of openwashing.

True commitment: SparkFabrik’s approach to the ecosystem
True digital sovereignty is not achieved simply by consuming free code downloaded from the internet. It is built by actively participating in communities, contributing to the continuous improvement of tools, and supporting, both financially and operationally, the foundations that guarantee their neutrality.
This is the principle that guides our daily choices. From our direct experience in developing complex enterprise portals, we have seen how adopting open standards drastically reduces time-to-market and ensures real scalability.
Our company’s concrete commitment translates into direct participation in the ecosystems that shape the future of technology. We are proud to belong to prominent international organizations such as LF Europe, the European division of the Linux Foundation, and the OpenSSF, the foundation dedicated to open software security.
But the commitment does not stop at memberships. We actively contribute to the code of the open source ecosystems we use, invest in spreading technical culture through articles and social content, and organize webinars and events like the Cloud Native Days Italy and the DrupalCamp Italy, which bring the global cloud native and Drupal communities to Italy. (Discover all our events!)
To learn more about our vision, we invite you to discover our manifesto and our commitment to the global community, an approach that is also reflected in our recent contributions to Drupal and AI in 2025.
This level of involvement is not just a badge to wear, but translates into a direct and tangible advantage for our clients. Working with a partner that sits at the tables where technological standards are defined ensures the adoption of high and constantly updated security protocols. Above all, it ensures that the proposed architectural solutions are truly free from hidden commercial constraints, putting the protection and sovereignty of corporate data first.
What are the next steps to ensure data sovereignty?
Data sovereignty is not just a technical problem, but a fundamental strategic decision that falls to management. Entrusting your information assets to open standards governed by neutral foundations is the only true antidote to vendor lock-in, ensuring freedom of innovation and long-term security.
At this point, one concept should be clear: entrusting your information assets to closed systems is equivalent to handing over control of the company’s future to third parties. The long-term economic and operational risks are concrete and difficult to reverse.
Adopting open standards, strictly governed by neutral foundations and supported by large global communities, represents the only true antidote to vendor lock-in today. This choice guarantees the freedom to innovate, compliance with strict European security regulations, and the certainty of being able to change technological course without suffering commercial blackmail. From the cloud to business applications, to content management systems, free and secure alternatives exist and are ready for enterprise-level challenges.
This path toward independence does not mean demonizing Big Tech. Without the enormous investments of players like Google, Microsoft, Amazon, or Red Hat, the current open source ecosystem simply would not exist.
The problem is not who built the tools, but who governs them.
Today, Europe contributes significantly to the development of open code, but invests very little in its ecosystem. The real challenge for our companies is to become leading actors in this technology, not just passive users.
Critically evaluating the state of your infrastructure is the first step toward building true independence. Is your data truly yours? Are you free to move it tomorrow morning without blocking business processes? To answer these questions and plan a secure transition toward true digital independence, it is essential to rely on expert technology partners like SparkFabrik.
Talk to our experts and discover how we can help you protect the value of your business by putting transparency, security, and freedom first.





