599 views
 owned this note
# European Sovereignty Criteria for software and digital systems **Status:** draft. **Versions:** - current - 0.3-alpha (12 sep. 2024) - 0.2-alpha (11 sep. 2024) - 0.1-alpha (30 sep. 2023) **Author:** [Stefane Fermigier](https://fermigier.com/) **Contributors:** (Add your name here if you make a contribution and want to be credited). - André Rebentisch, Berlin --- ## Goals List a set of criteria according to which digital systems / platforms can be considered "sovereign" from the European standpoint. ## Related works - [Digital sovereignty in the context of platform-based ecosystems - The Digital Sovereignty Focus Group of the Innovative Digitisation of the Economy Platform for the 2019 Digital Summit](https://www.de.digital/DIGITAL/Redaktion/DE/Digital-Gipfel/Download/2020/p2-digitale-souveraenitaet-plattformbasierter-oekosysteme-englische-version.pdf?__blob=publicationFile&v=1) - [Etude 2021 sur la filière open source en France](https://cnll.fr/media/etude-cnll-2021.pdf) - Specially "Axe 3 – Souveraineté numérique & logiciels libres" - [The future of European competitiveness: Report by Mario Draghi](https://commission.europa.eu/topics/strengthening-european-competitiveness/eu-competitiveness-looking-ahead_en) (2024) - Denis Lafont-Trevisan's presentation at OSXP in 2022 ## Contributions Contributions to this text are welcome. However, if you do not acknowledge the concept of "digital sovereignty" or wish to replace it with alternative terms such as "autonomy," this is not be the appropriate forum for your input. The focus of this text is centered on the idea of digital sovereignty, and discussions or suggestions that diverge from this core concept are not productive or relevant. --- # Draft ## Introduction As software and digital services now shape societies, economies, and geopolitics, "digital sovereignty" has become a central concern, particularly within the European Union (EU). This concept extends beyond mere control over data and technology, encompassing the alignment of digital assets and infrastructures with European legal frameworks, ethical principles, and strategic interests. Given the complex nature of software—spanning legal, technological, operational, and economic dimensions—it is essential to establish a robust set of criteria that defines what it means for software or a digital service to be considered "sovereign" within the European context. The framework outlined below is designed to serve as a comprehensive guide for policymakers, developers, businesses, and other stakeholders. It addresses four critical pillars of sovereignty: Legal Sovereignty, Technological Sovereignty, Operational Sovereignty, and Economic Sovereignty. Each pillar is further divided into specific criteria that highlight the fundamental challenges and goals associated with achieving true digital sovereignty in Europe. This framework is not intended to serve as a simple compliance checklist, but rather to promote deeper understanding and dialogue among stakeholders. As the digital landscape evolves, these criteria may need to be updated to remain effective and relevant. Nevertheless, they provide a strong foundation for fostering a digital environment in which Europe can maintain control, protect privacy, encourage innovation, and safeguard its values. By adhering to these principles, European software and digital services can strengthen the EU’s digital autonomy, competitiveness, and leadership on the global stage. ## Definition (proposal) **Digital sovereignty** is the ability of individuals, organizations, and governments to independently control, manage, and use their digital infrastructure, data, and technologies, free from undue external influence. It involves the empowerment of stakeholders to deploy and operate digital systems in a self-determined manner, ensuring long-term protection, security, and compliance with local regulations. Digital sovereignty encompasses not only the governance of critical infrastructure but also the capacity to make autonomous decisions about the use and management of applications and technologies, safeguarding privacy, data integrity, and digital independence at all levels. ## Sovereignty Pillars For the Digital Sovereignty of Europe we consider the following LOTEC pillars: - Legal Sovereignty - Operational Sovereignty - Technological Sovereignty - Economic Sovereignty - Cultural Sovereignty Here are detailed criteria: ### **Legal Sovereignty** 1. **Jurisdictional Control**: - **Primary Data Residency**: The digital system should prioritize data residency in European legal jurisdictions. If not exclusively European, a significant majority of data should be stored and processed within the EU. - **Jurisdiction Selection**: The digital system should implement a mechanism allowing users to select the jurisdiction under which their data will be stored and processed, with European jurisdictions as default options. - *Comment*: Balancing user preferences with European legal requirements strengthens the digital system’s alignment with European regulations and builds trust by offering transparency and control to users. It also ensures compliance with legal frameworks designed to protect European data privacy and security. 2. **Compliance and Legal Isolation**: - **European Data Protection Compliance**: The digital system should be fully compliant by default with European data protection and privacy laws, such as GDPR. - **Legal Resilience**: The digital system should be able to withstand legal challenges and penalties from non-European jurisdictions by implementing robust data governance and transfer mechanisms (e.g., Standard Contractual Clauses, Binding Corporate Rules). - *Comment*: Proactive legal resilience mitigates the risks posed by extra-territorial legal claims (such as the U.S. CLOUD (Clarifying Lawful Overseas Use of Data) or FISA (Foreign Intelligence Surveillance) acts) and ensures that the digital system remains secure and compliant with European law, even in the face of international pressures. 3. **Intellectual Property (IP) Management**: - **European Jurisdiction IP**: The intellectual property of the digital system should be managed under European jurisdiction or a legal framework aligned with European laws and values. - **Open Licensing**: The digital system should encourage open-source licensing for components where possible, ensuring European IP remains protected while fostering innovation and collaboration. - *Comment*: Encouraging open-source development under European legal frameworks helps protect intellectual property while promoting collaborative innovation. It ensures that Europe remains competitive and that European values are upheld in the creation and distribution of the digital system. ### **Technological Sovereignty** 1. **Openness and Transparency**: - **Open Standards**: The digital system should support and implement only open, interoperable standards to facilitate integration and collaboration. - **Auditable Code**: The digital system’s code should be auditable, with publicly available binaries guaranteed to derive from the published source code. The system should implement a code review process to maintain quality and security. - **Open-Source Licensing**: The digital system should encourage open-source licensing whenever possible, while protecting European IP and ensuring compliance with European laws and values. - *Comment*: The use of open standards and open-source licensing ensures greater transparency, enabling both users and governments to audit and trust the digital system. This transparency fosters a collaborative environment that benefits the broader European tech ecosystem by preventing vendor lock-in and promoting innovation. 2. **Auditability and Inspection**: - **Real-Time Logging**: The digital system should implement real-time monitoring and immutable logging features to audit the behavior of its components, ensuring data integrity, and detecting anomalies. - **Transparency Reports**: The digital system should publish regular transparency reports outlining data access, usage, and sharing activities, as well as any security incidents or breaches. - **Third-Party Audits**: The digital system should facilitate and encourage independent third-party audits to verify its security, privacy, and compliance with European standards. - *Comment*: By promoting independent auditing and reporting, European organizations can maintain accountability and demonstrate adherence to data privacy and security regulations. This practice also builds public confidence in the digital system, as users can trust that its operation is continuously and transparently monitored. 3. **Skill and Resource Availability**: - **European Skills Ecosystem**: The digital system’s creators should contribute to a skills ecosystem that spans across Europe, is cost-competitive, and easily accessible. This can be achieved through education, training programs, and collaboration with European academic institutions. - **Talent Attraction and Retention**: The digital system’s owners should implement policies and benefits that attract and retain European talent, fostering a strong and diverse European tech workforce. - *Comment*: Ensuring a deep pool of European talent reduces dependency on non-European skills and bolsters Europe’s technological self-sufficiency. Building a competitive skills ecosystem enables faster growth, localized expertise, and the alignment of the digital system's development with European strategic goals. ### **Operational Sovereignty** 1. **European Operational Oversight**: - **Operational Control**: The digital system should ensure that critical operational decisions, such as updates, security patches, or system governance, are overseen by European-based entities, ensuring alignment with European regulatory and security frameworks. - *Comment*: European oversight of operational processes ensures the system remains resilient to external influences and can comply with evolving European regulatory requirements, supporting the integrity and independence of the system. 2. **Community and Ecosystem**: - **Active User Community**: The digital system’s creators should maintain a vibrant, active community of users, developers, and third-party consultants to drive innovation, identify issues, and provide feedback. - **European Co-operatives/Consortia**: The digital system’s creators should encourage the formation of European co-operatives or consortia around its development and operation to foster collaboration, share resources, and promote European interests. - *Comment*: A thriving community strengthens the digital system’s relevance and adaptability to European-specific needs. Involving European co-operatives or consortia ensures that the system's development and maintenance are aligned with national and European priorities, driving innovation and sustainability. 3. **Reversibility and Portability**: - **Documentation**: The digital system’s creators should ensure its architecture, business logic, rules, and dependencies are well-documented to facilitate understanding, maintenance, and migration. - **Data Portability**: The digital system should implement easy export and import methods to enable users to switch between services or platforms seamlessly. - **Version Control**: The digital system should provide detailed version histories and changelogs to track updates, changes, and improvements. - *Comment*: The ability to reverse changes or switch platforms enhances user autonomy and prevents vendor lock-in. Documentation and portability ensure that users and organizations can maintain control over their data and processes, even as the digital system evolves or vendors change. 4. **Security**: - **Robust Encryption**: The digital system should implement robust mechanisms for data encryption and user authentication to protect data at rest and in transit. - **Security Procedures**: The digital system should document and enforce security procedures, including incident response plans, to ensure quick detection and resolution of security incidents. - **Tiered Approach**: The digital system should offer a tiered approach for critical infrastructure, aligning with the EU’s NIS (Network and Information Security) directives, to provide enhanced security and resilience for sensitive data and systems. - *Comment*: Strong security mechanisms are essential for protecting data integrity and confidentiality, ensuring compliance with European laws, and mitigating threats. A proactive approach to security fosters trust in European digital services, particularly when handling sensitive or critical infrastructure. ### **Economic Sovereignty** 1. **European Ownership and Licensing**: - **Ownership Structure**: The digital system should have its core components, intellectual property, and critical infrastructure under the control of European entities. This can be demonstrated through ownership of the source code, operational infrastructure, or key decision-making processes by European companies, institutions, or individuals. - **Licensing Framework**: The digital system should utilize a licensing framework that ensures any extensions, modifications, or forks of the software remain within European legal and operational jurisdictions. This includes ensuring that open-source components comply with European licensing standards. - *Comment*: Ensuring the core components of the digital system are owned or controlled by European entities supports alignment with European values, reduces the risk of external influence, and enhances long-term technological independence. A licensing framework that encourages European-controlled development fosters innovation while ensuring European legal interests are represented. 2. **Collaboration**: - **European Partnerships**: The digital system’s creators should promote collaboration with other European companies that provide complementary products or services to create a strong European tech ecosystem. - **Academic Partnerships**: The digital system’s creators should foster partnerships with European academic and research institutions for continual improvement, alignment with European priorities, and talent development. - *Comment*: Collaboration within Europe strengthens the EU’s digital sovereignty by building an interconnected ecosystem of complementary technologies and shared goals. Academic partnerships ensure that cutting-edge research and innovation are tightly integrated into the digital system. 3. **Supply Chain Control**: - **Minimal Non-Sovereign Dependencies**: The digital system should rely minimally on non-sovereign components or services to reduce risks and ensure alignment with European interests. - **Regular Audits**: The digital system’s creators or operators should conduct regular audits to ensure that its dependencies are secure, aligned with European interests, and compliant with European laws and values. - *Comment*: By maintaining control over the supply chain, the digital system can mitigate risks associated with foreign dependencies and align with European security standards. Regular audits ensure the continuous alignment of the digital system with European values and reduce vulnerabilities to external disruptions. ### **Cultural Sovereignty** 1. **Multilingualism and Language Support**: - **Comprehensive Language Support**: The digital system should support all relevant European languages, including both official and regional minority languages. For broader accessibility, this includes the provision of both user interface and documentation in multiple languages. - **Localized NLP**: If the digital system incorporates AI-driven systems, natural language processing should be tailored to support European languages with proper understanding of dialects, idioms, and cultural contexts, ensuring culturally appropriate and accurate responses. - *Comment*: A key component of digital sovereignty is the ability for all European citizens to engage with the digital system in their native language, fostering inclusivity and supporting the continent’s diverse cultural heritage. 2. **Metric System and European Time Zones**: - **Metric System Compliance**: The digital system should support the metric system by default, ensuring that measurements, distances, and weights are presented in a format familiar to European users. - **European Time Zones**: The digital system should automatically adjust to European time zones and account for regional variations in Daylight Saving Time, ensuring accurate timekeeping across the continent. - *Comment*: Using culturally familiar units and time zones contributes to better user experiences and reduces potential confusion. 3. **Cultural Representation and Sensitivity**: - **European Cultural Norms in UX Design**: The digital system should provide interfaces and user experiences that respect and reflect European cultural norms, ensuring that social, ethical, and aesthetic values of European users are integrated into the design. - **Ethical AI and Automated Decision-Making**: If applicable, the digital system’s AI and machine learning models should be trained with European data and designed to align with the ethical principles and legal frameworks governing fairness, transparency, and inclusivity in Europe. - *Comment*: Aligning the digital system with European ethical values is essential to avoid biases and ensure that technology serves all citizens fairly. 4. **European Content Promotion and Autonomy in Media Platforms**: - **European Content Regulation**: If the digital system is a media platform, it should comply with European content regulations, such as quotas for European-produced media and alignment with cultural promotion policies (e.g., the Audiovisual Media Services Directive). - **Content Moderation**: The digital system should enable European governments and user communities to influence content moderation policies to ensure they align with European legal frameworks and cultural values on issues like misinformation and hate speech. - *Comment*: Promoting and protecting European content on digital platforms reinforces cultural identity and ensures a level playing field for European creators and media producers. --- ## Next steps As emphasized by Mario Draghi in his recent report to the European Commission, **digital sovereignty** is vital for Europe to secure its digital future, safeguard its values, and maintain competitiveness. The proposed framework, which now encompasses **Legal, Technological, Operational, Economic, and Cultural Sovereignty**, offers a comprehensive foundation for operationalizing digital sovereignty across key domains. Building upon Draghi’s recommendations, the path forward should be **pragmatic**, **lightweight**, and **incremental**, fostering innovation across Europe, particularly for small and medium-sized enterprises (SMEs), without imposing excessive regulatory burdens. To achieve this, the focus should be on: 1. **Voluntary Guidelines**: Develop non-binding guidelines that encourage stakeholders to adopt sovereignty principles without creating unnecessary complexity or regulatory burdens. These guidelines should serve as a flexible tool to help organizations, policymakers, and developers progressively align their systems with European sovereignty principles while maintaining agility. 2. **Open-Source Collaboration**: Promote open-source initiatives, which are essential for fostering technological transparency, interoperability, and community-driven innovation. Open-source development aligns with Europe's goals for digital sovereignty by enabling European companies and developers to build upon and contribute to sovereign technologies. A strong focus on open-source solutions will ensure that Europe can maintain control over critical digital infrastructure while reducing dependency on non-European vendors. 3. **Incremental and Practical Steps**: Implement a roadmap that provides clear, tangible steps that stakeholders can take progressively. By breaking the path to digital sovereignty into manageable actions, Europe can ensure that the framework remains relevant and accessible. These steps should focus on enhancing collaboration, adopting open standards, and gradually integrating sovereign technologies within public and private sectors, with a special emphasis on SMEs, academic institutions, and startups. --- ### Core Actions to Promote Digital Sovereignty: 1. **Identification of Key Lock-ins and Dependencies**: Conduct comprehensive audits of existing digital systems to identify key areas where European users are locked into non-sovereign solutions or where technical debt is hindering transition. Special attention should be paid to proprietary software dependencies, third-country legal vulnerabilities, and non-European-controlled infrastructure that poses risks to European digital sovereignty. 2. **Promotion of Platform Independence**: Support the adoption of platform-independent technologies, encouraging the use of **bridge technologies** and **platform-agnostic building blocks** to reduce vendor lock-in and enhance interoperability. Europe should aim to invest in technologies that ensure its digital infrastructure can operate and evolve without dependence on non-European platforms. 3. **Best Practice Development**: Foster best practices across the European tech ecosystem, particularly in areas such as: - **Development in the Open (DITO)**: Encourage projects to develop their software openly (open repositories, open discussions) to foster trust, transparency, and collaboration. - **CI/CD Pipelines and Version Control**: Emphasize modern development methodologies like continuous integration/continuous deployment (CI/CD) and strict version control to ensure that European systems are robust, secure, and adaptable. - **Open Source Licensing**: Promote the adoption of open-source licenses that align with European legal frameworks, ensuring collaboration and innovation while protecting intellectual property. - **Test-Driven Development and Issue Tracking**: Encourage test-driven development practices and the use of open issue trackers to maintain accountability and foster continuous improvement of sovereign technologies. 4. **Technical and Organizational Impossibility of Disclosure to Third Countries**: Ensure that systems developed under this framework are designed with the technical and organizational safeguards necessary to make it impossible to comply with non-European third-country legal demands for data access or encryption keys. Even when faced with subpoenas or legal threats from non-EU jurisdictions, manufacturers and operators should demonstrate the impossibility of disclosure to protect the sovereignty and privacy of European data.