For decades, many believed the information technology (IT) sector was neutral. In the 1990s, code was often seen as existing beyond borders or politics. Earlier HiPEAC conferences focused almost exclusively on technical issues, but a keynote by Nextcloud CEO Frank Karlitschek at HiPEAC 2026 shifted attention to the political and existential dimensions of technology.
“In the ’90s, IT was not political,” Karlitschek told the assembly of European engineers and researchers. At the time, he said, most politicians viewed it as something that “comes out of the wall socket, similar to electricity or water.” Today, however, that utility has been weaponized.
His presentation, called “Digital Sovereignty, or How We Can Take Back Control Over Our Digital Lives,” described how software now acts as an instrument of power. He argued that Europe’s reliance on American tech giants has become a serious risk.
www.eic.net.cn
Eurostat/Synergy Research Group industry estimates
Geography of the new oil
Karlitschek used the common saying “data is the new oil,” but emphasized its capacity to generate conflict rather than its promise of economic opportunity. He compared today’s battles over digital infrastructure to the 20th century’s fights over oil.
This imbalance is now a genuine concern for European CIOs. A recent Gartner survey found that 61% of IT leaders in Western Europe plan to move workloads to local or regional providers to reduce geopolitical risk.
This concern was apparent at the last Gartner IT Symposium/Xpo in Barcelona, Spain. Former EU Commissioner Margrethe Vestager attended as people discussed the European Commission’s review of U.S. cloud contracts.
Triad of vulnerability
In his HiPEAC keynote, Karlitschek broke down the risks of this dependency into three main areas: availability, cost, and security. The most significant risk is availability, which is threatened by unstable legal rules governing data transfers across continents.
Karlitschek explained that both the Safe Harbor agreement and the Privacy Shield failed. He predicted the current Data Privacy Framework (DPF) would also fail.
A key rule in the DPF is that the U.S. Privacy and Civil Liberties Oversight Board checks how things are run. But on Jan. 27, most board members were dismissed, leaving only one with a small legal team. A judge said firing two of the board members was unlawful.
“You can just declare that something is legal, which is obviously not legal,” Karlitschek said, referring to the attempts to paper over the conflict between U.S. surveillance and EU privacy rights. “We can really wait for the day when giving data to U.S. cloud services becomes illegal again.”
Alongside legal risks, monopoly power is another problem. Many European organizations rely on Microsoft and Google, a dependency that has caused substantial price increases. Karlitschek noted that Microsoft increased prices by as much as 40% in early 2025, followed by an additional 33% rise later the same year.
“I don’t know a lot of businesses that can just raise their prices by 40%, and nothing happens,” Karlitschek said. “Obviously, Microsoft can do this because it has a monopoly, so people cannot easily migrate away.”
The third risk, security, has moved from mere concern about spying to real industrial threats. As generative AI integrates into cloud platforms, foreign companies could gain access to sensitive information stored in Europe, Karlitschek said. “You can totally assume that Boeing is interested in knowing what Airbus is doing, or that Tesla is interested in knowing what BMW is doing.”
Mechanisms of lock-in
The presentation described the technical and business barriers that big tech companies use to stop European organizations from switching to local options. Karlitschek talked about “interoperability roadblocks” and “vendor lock-in” tactics that keep the market closed.
He gave the example of Microsoft bundling Teams with Office 365. By offering Teams for free, Microsoft hurt the market for other standalone products before regulators could act. Even when regulators get involved, technical barriers still exist.
Karlitschek cited the difficulty of exporting chat histories from Teams and the lack of documentation for key APIs as deliberate strategies to hold customer data hostage. “We are happy to use them and give them all our information, but if you want to move away to some other solution, you cannot really get the data out anymore,” he said.
These barriers also affect mobile platforms. Karlitschek shared a story about Google and the Nextcloud Android app. Google revoked the app’s “All Files Access” permission, which is required for syncing, citing security. However, Google gave the same permission to its own Google Drive and Dropbox. Nextcloud only got the permission back after going to the press. “If you were like a two-person home developer … you cannot do what Google doesn’t like,” Karlitschek said.
Architecture of sovereignty
In response to these challenges, Karlitschek presented Nextcloud as more than just a product. He described it as a solution to the problems of centralized cloud systems. The company recently announced a €250 million investment in the “Sovereignty 2030” initiative and focus on giving users complete local control.
Nextcloud’s main advantage is that it separates the software from the service provider. Unlike SaaS models, where the vendor keeps the data, Nextcloud runs on the customer’s own systems, whether on-site, in a local data center, or completely offline.
Attendants at the last Nextcloud conference (Source: Nextcloud)
“We at Nextcloud build the software,” Karlitschek said. “We don’t have any data.” Because the software is 100% open-source under the AGPLv3 license, the code belongs to thousands of contributors rather than a single corporation. This structure ensures that the license cannot change to a proprietary model in the future, providing long-term certainty for government and enterprise clients. “No one can change the license away from open source,” he said.
To solve the problem of isolated self-hosted servers, Nextcloud uses a “federated” setup. This works like email, letting users on different servers communicate easily without a central authority.
“There is no central email server in the world … and this is exactly what we are doing here at Nextcloud,” Karlitschek said. This federation allows a university in Berlin to share sensitive research data directly with a facility in Paris, peer to peer, without the data ever transiting through a third-party hub in the U.S.
Technical evolution and AI
To address past performance complaints, Karlitschek shared details about the upcoming “Nextcloud Hub 26 Winter” release. The update has a new files backend-built in Rust and Go. The Accelerated Direct Access system lets users download files straight from storage, avoiding server slowdowns and allowing the platform to support millions of users.
The company is also responding to Microsoft Copilot by launching its own Nextcloud Assistant. To support digital sovereignty, the Assistant processes data locally on the user’s server. Its Context Chat uses Retrieval-Augmented Generation to answer questions using the user’s private documents, emails, and chats, without sending data to an outside AI model.
“This is a feature that might be a little bit scary if this comes from Google or Microsoft because they’re reading all your data,” Karlitschek said. “But again, this happens completely locally on your machine.”
Reclaiming the future
With new regulations, higher costs, and better technology, Europe faces a key moment for digital sovereignty. As previously reported by EE Times, moving away from big tech providers is difficult, and Gartner analysts say it could take 10 years. Still, staying dependent on foreign infrastructure, with its risks of tariffs and political shutdowns, is becoming less acceptable.
Karlitschek believes the way forward requires two things: vigorous enforcement of EU rules, such as the Digital Markets Act, to break up monopolies, and a new focus on open-source development to create real alternatives.
“We can just give up and say … we don’t do IT anymore in Europe,” Karlitschek said. “Or we actually do something to go against these business practices … to build good alternatives … so this is the only way forward.”
Geopolitics forces large European organizations to abandon U.S. hyperscale cloud reliance.
www.eic.net.cn
EU Bolsters Cybersecurity with NIS2 Directive
The EU enacted the Network and Information Systems 2.0 Directive, known as NIS2, in 2022, a sweeping overhaul of its cybersecurity regulations. The full implementation across member states started this year.
Pablo is a seasoned engineer with 30+ years of experience. For over 10 years, he's been a contributing editor for EE Times (where he edits the Supply Chain section). He also wrote for EPSNews, InformationWeek, EBN, LightReading, Network Computing, and IEEE Xplore. His coverage spans Supply Chain, Semiconductors, Networks, IoT, Security, and Smart Cities. He holds an MEng, Electrical and Electronics Engineering from The Ohio State University.Follow Pablo on LinkedIn
Leave a Reply
You must Register or Login to post a comment.