On 3 June 2026 the European Commission unveiled its technological sovereignty package — a set of policies meant to reduce Europe's dependence on proprietary technology from outside the EU. For IT managers in public administration and in the private sector, this is more than a Brussels declaration: it gradually reshapes the criteria by which software is assessed and procured.
What the package contains
The package has four main parts:
- Chips Act 2.0 — strengthening semiconductor capacity for AI needs.
- Cloud and AI Development Act — developing EU cloud and AI infrastructure, including a single framework to assess cloud and AI sovereignty.
- Open Source Strategy — scaling up open-source alternatives in priority areas and supporting their wider use in public administrations.
- A strategic roadmap for digitalisation and AI in the energy sector.
The notable shift is the standing of open source. For the first time the Commission frames it at a strategic level as an instrument of digital independence, not merely a cheaper alternative. Under the strategy, the public sector is meant to act as an anchor consumer of open solutions.
Why open source is a sovereignty question
Sovereignty is not only about where servers physically sit. It is control over who can access the data, who decides on changes, and whether you can keep the system running without a single vendor.
- Your data stays with you — in a self-hosted deployment it lives in your database, not in a third-party cloud outside your jurisdiction.
- No vendor lock-in — open code and open formats mean that migrating or switching partners is not a hostage of the licensing model.
- Auditability — the code can be reviewed, which is a real advantage for sensitive infrastructure and for the NIS2 requirement on supply-chain management.
What it means for an IT manager
The signal from Brussels points toward open, EU-operable solutions being favoured in public procurement, with a single sovereignty-assessment framework giving the process clearer boundaries. That is reason enough to look at your own software portfolio soberly:
Three questions to start with
- Where does our data actually reside, and who holds administrator access to it?
- Which systems could we keep running if a vendor changed licensing terms or discontinued the product?
- Do we have a real exit strategy for our key tools, or just a migration promise in the contract?
ITSM as a practical first step
Sovereignty is not introduced through one large project but in layers. Service management is a good place to start — the whole organisation's operations run on it, yet it is bounded enough to be replaced without upheaval.
An open-source platform such as GLPI is one example: it can be hosted on your own infrastructure, the data stays in your database, and it covers asset inventory, incidents and changes. That same inventory is also the basis for asset and supplier management under NIS2. Instead of another dependency, you get a tool you can control and audit.
The June 2026 package does not change the rules overnight, but it sets a direction. Organisations that map their dependencies now will be in a stronger position — both in compliance and in day-to-day operations.