.png){kind=logo}
Apr 2026
This article was originally published in Decoding, our monthly briefing on the latest trends in government technology. Sign up here to receive future editions directly in your inbox.
.png){kind=logo}
When we launched Decoding one year ago, digital sovereignty was a niche concept; considered alarmist by some, seen as isolationist by others and not considered a priority by too many. In January this year, the European Parliament adopted a resolution on European technological sovereignty with 471 votes in favour. This month, the European Commission awarded its first sovereign cloud tender: €180 million to four European providers. Something has shifted, and digital sovereignty is now part of national security strategies across the EU.
This edition of Decoding will focus on trust in Digital Public Infrastructure (DPI) and why the definition of what counts as DPI is fundamental for the discussion on digital sovereignty.
Digital infrastructure must be seen as physical infrastructure in terms of control, maintenance and resilience. Trust in digital public infrastructure is no longer only about citizens trusting digital governance. It is also about governments increasingly needing infrastructure they themselves can trust, amid geopolitical pressure, shifting alliances, and a world order less predictable than before.
In this edition, you’ll read about:
How a government defines Digital Public Infrastructure (DPI) determines what is protected, what gets procured carefully and what is determined by the market. The choices governments make about DPI are not just a technical question but also a political one.
The most commonly cited definition describes DPI as the foundational digital systems that enable societies to function, such as identity, payments, and data exchange. In practice, the boundaries are more contested than the definition suggests, shaping everything from procurement rules to sovereignty frameworks.
The DPI Map is one of the most systematic attempts to map what actually counts as DPI across countries, and what the evidence shows about how it is being built and governed. The project surfaces a recurring challenge: the same infrastructure can look entirely different depending on who owns it, who operates it, and under whose legal jurisdiction it sits.
DPI is not just infrastructure that happens to be digital. It is infrastructure that exists to serve a public purpose, and that distinction has consequences for how it should be governed, funded and held accountable. A research paper by the Institute for Innovation and Public Purpose at UCL argues that no infrastructure is neutral and that DPI is shaped by the values embedded in its design, funding, and governance. Those values are not always made explicit, and in the context of digital sovereignty, that matters. When the principles embedded in DPI design go unstated, they tend to reflect the logic of whoever built or funded the system. Making those values visible allows governments and citizens to hold digital infrastructure accountable and ensure DPI serves the public, rather than the interests of those who built it.
On 17 April, the European Commission awarded its first sovereign cloud tender – € 180 million over six years – open to all EU institutions, bodies and agencies. Four European providers were selected: Post Telecom (with CleverCloud and OVHcloud), StackIT, Scaleway, and Proximus (partnering with S3NS, Clarence, and Mistral). The selection was based on the Commission's Cloud Sovereignty Framework, which assesses sovereignty across eight dimensions: strategic, legal, operational, and environmental considerations, as well as supply chain transparency, technological openness, security, and compliance with EU law. Central to the framework is a five-level assurance scale:
To be eligible, providers were required to achieve a minimum SEAL-2 score. Of the four awarded consortia, three reached SEAL-3, and one reached SEAL-2.
One detail deserves attention: The Proximus consortium includes S3NS, a joint venture between the French defence company Thales and Google Cloud. The Commission acknowledged that non-European technologies, when operated within a strict framework, can meet the minimum sovereignty threshold. This position could be seen as a pragmatic and necessary one, given the current state of European cloud capacity, but it also illustrates how the values embedded in what counts as sovereign infrastructure have consequences on the procurement choices being made. If the Commission's framework allows a US hyperscaler to qualify as sovereign through a joint-venture structure, the question of who ultimately controls the infrastructure and under whose legal jurisdiction it falls remains open.
Notably, the Commission acknowledges that before this framework was developed, it was not possible to measure digital sovereignty, which made it difficult to introduce it as a procurement requirement. The framework represents a shift from abstract principles to concrete metrics and is now available for other public-sector organisations to adopt.
The Commission is applying the developed sovereignty criteria to assess and enhance sovereignty across the digital services that it provides to its departments and other Union entities. The Commission will also publish an updated version of the Sovereign Cloud Framework based on lessons learned from this tender.
🇪🇺 EU: Euro-Office launches as sovereign alternative to Microsoft Office
In March, a coalition of European technology companies, including Nextcloud, Proton, and Ionos, launched Euro-Office, an open-source office suite for public-sector organisations seeking alternatives to Microsoft Office. Analysts note growing interest but caution that full migrations remain limited. The launch was complicated by a dispute with OnlyOffice, the underlying open project, which accused Euro-Office of licensing violations and suspended its partnership with Nextcloud. The 1.0 release is expected this summer.
🇫🇷 France: Digital sovereignty in policy, Microsoft in practice
While France's DINUM announced a government-wide Linux migration mandate this month, the Ministry of National Education renewed its Microsoft framework contract until 2029, covering nearly one million workstations and servers across ministries, universities, and research centres. The contract sits in direct tension with the French state's own "cloud au centre" doctrine, which requires sensitive data to be stored on SecNumCloud-certified infrastructure – a standard Microsoft cannot meet as a US company subject to the Cloud Act. The Ministry itself had reminded school rectors of this requirement just days before the renewal was signed. A parliamentary deputy leading an inquiry into digital dependencies summarised the problem plainly: vendor lock-in creates a cycle where every contract renewal makes switching harder.
🇸🇪 Sweden: First EU country to sign Pax Silica
In March, Sweden became the first EU member state to sign the Pax Silica Declaration, a US-led initiative launched in December 2025 to secure supply chains for emerging technologies, including semiconductors, AI infrastructure, and 5G. The decision has drawn criticism as Sweden signed before the European Commission had established a common EU position. The Swedish opposition has called for a parliamentary account of what the agreement entails. Finland is expected to sign the declaration shortly, despite similar concerns being raised by Finnish MEP Aura Salla, who has argued that the EU Commission's forthcoming Tech Sovereignty package should come first.
🇩🇪 Germany: Digital identity integrated into healthcare infrastructure
Germany is expanding its electronic patient record system to require digital identity verification, with a phased approach set out in a draft from the Federal Ministry of Health. From January 2027, patients will be able to authenticate via the EU Digital Identity Wallet, with full integration into the healthcare system planned for December 2028. The system will enable a centralised digital entry into care, covering initial assessments and appointment booking. Data use is governed by strict protections, with commercial exploitation explicitly excluded, though health insurers will have more scope for data-driven applications under a new experimental clause. The national agency for healthcare digitalisation, Gematik, is set to take on a broader steering role as the backbone provider for digital healthcare components.
🇧🇷 Brazil: One of the world's most comprehensive online safety laws is now in effect
Brazil's Digital ECA, the Digital Statute for Children and Adolescents, came into force in 2025 following more than 100 consultations with industry, civil society, and government. The law requires app stores and operating systems to conduct age verification at account creation, and places additional obligations on higher-risk platforms, including social media and adult content sites. Content is classified as inappropriate, prohibited or illegal, with protection proportional to risk. Key principles include data minimisation, user privacy, and auditability. Enforcement begins in January 2027.
🇹🇭 Thailand: Data portability as the third layer of DPI
Thailand has a functioning national digital ID and a real-time payments system with 92 million registered accounts. The missing layer is data portability, a consent-based framework that allows individuals and businesses to share their own financial data across institutions. Without it, users remain financially invisible despite being part of the digital system. The Bank of Thailand is developing national standards for data sharing and a digital loan system using verified transaction histories as credentials. For governments building DPI, the case illustrates that identity and payments alone are not enough — data governance is the layer that determines whether infrastructure delivers inclusion.
While much of the sovereignty debate happens at the policy level, Denmark has a working example of what trusted digital infrastructure looks like in practice.
Computerome, the national supercomputer operated by the Technical University of Denmark (DTU), was established in 2014 to provide clinicians and researchers with a specialised platform for sensitive health data. It has since expanded to serve public institutions, government agencies, and private companies, to use its computing capacity for AI models and data processing, with one defining characteristic: users retain complete control over their data, which stays on Danish soil.
The model is built around four principles of digital sovereignty:
This matters because the alternative is the dominant model: platforms whose business models are built on harvesting and utilising user data, often without full transparency or consent.
A report on the role of big tech as digital infrastructure by the Danish government’s expert group on big tech found that the decoupling of digital infrastructure from democratic control, oversight, and common rules is a fundamental problem — one with economic, democratic, and security consequences.
For public sector leaders navigating procurement decisions, Computerome illustrates what sovereign infrastructure means in practice: nationally located, transparently governed, and structured so that the institution, not the vendor, remains in control. Compared to the EU Commission's Cloud Sovereignty Framework, Computerome's model – own hardware, own staff, own jurisdiction, full data portability – aligns with the highest-level principles of full digital sovereignty. The centre is NIS2 compliant, making it one of the first infrastructures in Denmark to meet the combined requirements of digital sovereignty, GDPR, and NIS2. That combination is increasingly relevant as compliance obligations tighten across the public sector. 42 Danish municipalities and three regions have chosen Computerome to host open source AI solutions for the public sector. This is a signal that sovereign infrastructure is not only feasible at scale but is also being actively chosen.
The Danish government's expert group on tech giants reinforces an argument made in previous issues of Decoding: we do not accept the disconnection of water supply or road networks from democratic control and accountability, yet we have accepted exactly that when it comes to our digital infrastructure. As we explored in June and October last year, digital public infrastructure is too foundational to democracy to be left to market logic alone.
Computerome does not solve the whole problem, but it shows that a sovereign alternative exists and is worth building on.
→ Read more about Computerome here.
For questions, comments, or suggestions regarding this article, please contact Emilia Lindén Guíñez.
Enjoyed this edition of Decoding? Subscribe here to receive future insights on digital public services directly in your inbox.
.png){kind=logo}
