Software Stack
Five layers. American Megatrends, VMware, ICANN, Let's Encrypt, GitHub. European candidates exist at most layers.
US tech leads many parts of the software stack today. American Megatrends dominates firmware. VMware dominates hypervisors. ICANN holds the DNS root zone authority. Let’s Encrypt anchors the loss-leader certificate tier. GitHub holds most of the software supply chain.
European candidates exist at most layers. Some are production-ready today. Volume is missing at others. At one layer, the infrastructure does not yet exist.
The mandate that follows applies only to in-scope regulated workloads: DORA-regulated entities, NIS2 essential and important entities, and public-sector procurement above threshold. Consumer commerce and general European business are not bound.
Paper 2: The Sovereignty Stack carries the case in full.
Layer 1: Firmware
Every server boots with firmware. The firmware establishes the trust chain that everything above it depends on.
A compromised firmware layer can execute arbitrary code with complete control over the hardware. Firmware rootkits survive operating system reinstalls.
The NSA’s Tailored Access Operations group, documented in the Snowden releases, used firmware as a primary vector for maintaining persistence on high-value targets.
Foreign incumbents. Three American vendors hold the European enterprise UEFI firmware market. American Megatrends supplies roughly half of motherboards globally. Insyde Software supplies roughly forty per cent. Phoenix Technologies supplies most of the remainder. All three are subject to the CLOUD Act.
European capability. Exists, fragmented. OVHcloud uses Open Compute Project hardware with firmware audited or developed in-house. The coreboot project receives substantial European contributions. The German Sovereign Tech Agency funds firmware-adjacent open-source projects. Bundesdruckerei operates secure-boot key infrastructure under European jurisdictional control.
The gap. Volume to consolidate the fragmented capability at production scale. The volume comes from public procurement and from regulated cloud services. Both already exist. Both currently buy American firmware by default.
Prescription. Mandate auditable firmware at this layer, open-source where possible, with a transparent supply chain from silicon to operating system, operated under European jurisdiction.
Layer 2: Hypervisors
The hypervisor abstracts hardware so multiple operating systems share the same physical machine. This layer is dominated in European enterprise by VMware, owned by Broadcom.
In November 2023, Broadcom completed its $61 billion acquisition of VMware. Within months, customers reported licensing cost increases of 800 to 1,500 per cent.
The sovereignty of every European cloud provider running VMware was determined by a single board meeting in Palo Alto.
Foreign incumbents. VMware (Broadcom), Hyper-V (Microsoft).
European capability. Production-grade. Proxmox VE, developed by Vienna-based Proxmox Server Solutions GmbH, runs institutional workloads at scale. XCP-ng, developed by French company Vates, provides a Xen-based alternative used in production. Both are European-jurisdictional, open-source, and operationally mature for many workload classes.
The gap. Feature deltas at the most demanding workload classes. The Stack Compliance Body should publish the deltas European candidates must close to clear the higher workload classes. Investors see the deltas. The prize is the mandated customer base for whoever certifies first.
Prescription. Mandate a hypervisor under European governance, with European control over development priorities, security disclosure, and licensing. Accept what works now. Sequence the harder workloads as the deltas close.
Layer 3: Domain Name System
DNS translates domain names into IP addresses. Every network connection a European institution makes depends on it.
The thirteen root server identities are mirrors of identical root zone data. They serve the same content, distributed globally via anycast across approximately 1,500 servers.
Foreign incumbent. ICANN, a US non-profit subject to US jurisdiction, produces the root zone data under contract. The realistic threat is compelled compliance: ICANN could be required by US court order or executive directive to instruct the European root operators to do something that compromises European sovereignty.
Compelled compliance is harder to detect than malicious code, and more important to defend against.
European capability. Europe already operates two of the thirteen root server identities: I-root (Netnod, Sweden) and K-root (RIPE NCC, Netherlands). DENIC and AFNIC operate additional infrastructure. The server layer is largely solved. The unsolved layer is authority.
The gap. Authority over the root zone data and a default-routing pattern that makes Europe’s resolvers prefer European-operated infrastructure.
Prescription. Three pieces, in parallel.
Continuity. A European alternative root zone authority pre-authorised across Netnod, RIPE NCC, DENIC, and AFNIC, ready to activate if ICANN or IANA is disrupted. The operational capability already exists. The political and legal framework is missing.
Default routing. NIS2, DORA, and public procurement should require European institutions to configure resolvers to prefer K-root and I-root. Same data served, same user experience, with European institutions as guaranteed customer base. DNS4EU, launched in June 2025, is a default-routing instrument at the recursive resolver layer.
Independent assurance. ENISA should review ICANN directives to the European-operated root servers before implementation. The review should be advisory, not binding. It catches quiet capture before it propagates.
Each piece addresses a different threat: disruption, default exposure, quiet capture.
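The default-routing piece above is a resolver configuration task, so here is a worked example of what it looks like in practice. This is an added example, not code from the paper or from any of the operators it names. It assumes an Unbound-style recursive resolver that takes a root hints file in zone master-file format through its `root-hints:` option; the K-root and I-root addresses embedded below are the published ones, but a deployment should regenerate the file from an authoritative copy of the full root hints rather than trust a listing in a policy paper. The identities, allowlist and sample lines are constructed for the example.

```python
"""Derive and validate a root hints file restricted to European-operated root identities.

Added example for the DNS default-routing prescription; not the paper's own tooling.
Assumes an Unbound-style resolver whose `root-hints:` option consumes a file in
zone master-file format ("owner ttl type rdata", one record per line).
"""
import ipaddress

# Constructed excerpt of a root hints file listing only K-root (RIPE NCC) and
# I-root (Netnod). Regenerate from an authoritative root hints copy before use.
EUROPEAN_ROOT_HINTS = """\
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
"""

# Allowlist of identities the resolver may prime against (constructed for the example).
EUROPEAN_IDENTITIES = frozenset({"I.ROOT-SERVERS.NET.", "K.ROOT-SERVERS.NET."})


def parse_hints(text):
    """Parse a hints file into (ns_targets, glue).

    ns_targets is the set of root NS names; glue maps each name to the list of
    ipaddress objects declared for it. ';' comments and blank lines are skipped;
    anything other than NS/A/AAAA at the root is rejected as a malformed hints file.
    """
    ns_targets, glue = set(), {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 'owner ttl type rdata'")
        owner, _ttl, rtype, rdata = fields
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"line {lineno}: NS record not owned by the root")
            ns_targets.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if addr.version != (4 if rtype == "A" else 6):
                raise ValueError(f"line {lineno}: {rtype} record carries an IPv{addr.version} address")
            glue.setdefault(owner.upper(), []).append(addr)
        else:
            raise ValueError(f"line {lineno}: unexpected record type {rtype}")
    return ns_targets, glue


def validate_hints(text, allowed):
    """Return a list of problems; an empty list means the file is usable for priming.

    Checks that every identity is allowed, that every NS target has glue (without an
    address the resolver cannot send its priming query), and that no glue is orphaned.
    """
    try:
        ns_targets, glue = parse_hints(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not ns_targets:
        problems.append("no NS records: resolver cannot prime")
    for name in sorted(ns_targets):
        if name not in allowed:
            problems.append(f"{name} is not an allowed identity")
        if name not in glue:
            problems.append(f"{name} has no A/AAAA glue")
    for name in sorted(glue):
        if name not in ns_targets:
            problems.append(f"glue for {name} without a matching NS record")
    return problems


def filter_hints(text, allowed):
    """Keep only the records of allowed identities from a full hints file, verbatim.

    Use this on an authoritative copy of the complete root hints to derive the
    restricted file, so TTLs and addresses come from the source, not from this script.
    """
    kept = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) != 4:
            continue
        owner, _ttl, rtype, rdata = fields
        identity = rdata.upper() if rtype == "NS" else owner.upper()
        if identity in allowed:
            kept.append(raw)
    return "\n".join(kept) + "\n"


def unbound_fragment(hints_path):
    """Unbound server-section fragment pointing the resolver at the restricted hints."""
    return f'server:\n    root-hints: "{hints_path}"\n'


if __name__ == "__main__":
    print("problems:", validate_hints(EUROPEAN_ROOT_HINTS, EUROPEAN_IDENTITIES))
    print(unbound_fragment("/etc/unbound/european-root.hints"), end="")
```

One caveat a resolver operator will want: root hints steer only the priming query. A resolver that primes per RFC 8109 learns the full NS set for the root from whichever server answers, so restricting the hints file fixes the first contact, not the ongoing server selection; the sustained preference the prescription asks for belongs at the recursive resolver layer itself, which is where the text places DNS4EU.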
Layer 4: Certificate Authorities
Certificate Authorities issue the digital certificates that secure encrypted web traffic. The CA’s public key is the trust anchor.
The European paid-tier CA infrastructure already exists. D-Trust (Bundesdruckerei subsidiary), Telesec (Deutsche Telekom), and national qualified trust service providers across member states issue paid certificates under eIDAS.
The paid tiers are commercially profitable. The market handles them.
The gap is at the loss-leader Domain Validation tier: the basic certificate that anchors HTTPS-by-default across the open web.
Foreign incumbent. Let’s Encrypt, operated by ISRG, a US 501(c)(3). It works well. It is donation-funded public infrastructure. It is also subject to US legal compulsion.
European capability. Paid-tier QTSPs across member states. No equivalent at the DV tier.
The gap. An alternative DV CA already operating when an OFAC designation or executive directive arrives. Building it under pressure is the failure mode.
Prescription. Three pieces, in parallel.
Parallel public infrastructure. A European DV CA built as parallel public infrastructure. ACME-protocol-based, free at point of use, funded as European public infrastructure, with open-source operational software. Member states should retain the treaty-protected right to operate parallel infrastructure using the published architecture. The right to fork is the constitutional protection against capture.
Mandated paid-tier volume. The mandate should require European-issued certificates for in-scope workloads. The existing eIDAS QTSPs already operate; the mandate gives them guaranteed paid-tier volume.
European browser inclusion. Vivaldi, Mullvad Browser, GNOME Web, and downstream European Chromium and Firefox builds should ship with the European CA in their trust stores from day one. Major-browser inclusion (Mozilla, Chrome, Apple, Microsoft) follows through standard processes once volume justifies it.
Layer 5: Software Supply Chain
Most build tooling, package registries, code-hosting, and signing infrastructure runs on American-jurisdictional platforms today: GitHub (Microsoft), npm (Microsoft), PyPI (US PSF), Maven Central (US Sonatype).
Foreign incumbents. GitHub, npm, PyPI, Maven Central.
European capability. GitLab (European-headquartered but with US subsidiaries), Codeberg (German non-profit), Sourcehut (US-based but minimal). Maintainer-funding capacity through the German Sovereign Tech Agency and equivalents.
The gap. The platform layer at scale. Maintainer-funding capacity at European scale. The four-tier procurement architecture for sovereign code-hosting and packaging that uses the regulated mandated demand as anchor customer.
Prescription. Paper 24: The Open Source Sovereignty Gap carries the deep prescription: four-tier procurement architecture, a European platform foundation, and a distributed-national Sovereign Tech Agency model. Mandate European maintainers paid by European institutions, with commit access on the libraries Europe runs on.
The stack composes to the weakest layer
A stack is only as sovereign as its weakest layer. One layer at Position 4 puts the whole stack at Position 4 regardless of how strong the other layers are. This is the Stack Sovereignty principle applied to software.
Treating sovereignty as binary, and each stack as a composition of layers, shows exactly what must be built to reach fully sovereign infrastructure.
US tech leads most of the layers above, and we pay them to increase their lead.
We prescribe a phased approach to fix the funding gap between Europe and the US: mandate public procurement and regulated entities to use the European stack where it is suitable. Where it is not yet suitable, the gap becomes a roadmap. The roadmap becomes investable. The mandated customer base across the three regulated verticals incentivises the free market to fund European companies.
A stack is only as sovereign as its weakest layer. We need to start incentivising a sovereign stack to be built.
Related
- Paper 2: The Sovereignty Stack. The full case for the software stack, layer by layer.
- Paper 24: The Open Source Sovereignty Gap. Layer 5 deep prescription.
- Law 1: Define Sovereignty. The compellability test applied at every layer.
- Law 2: Mandate Compliance. The mandate that converts the gap to investable customer demand.
- Stack Sovereignty principle. Stack composes to the weakest layer.
- Anchor Demand pattern. The mechanism that makes the European candidates investable.