Europe's Digital Awakening: Reclaiming Identity Control Amidst Geopolitical Tensions

## I. The Harsh Reality of Digital Dependence Throughout 2025 and the initial months of 2026, the intensifying geopolitical landscape has dismantled the perception of cloud services as inherently 'neutral utilities.' The European Commission's 2025 State of the Digital Decade report unequivocally confirmed a concerning truth: Europe's pervasive reliance on non-European providers across its entire digital ecosystem. The sheer magnitude of this dependence is alarming. Cristina Caffarra, founder of the Eurostack Foundation, estimates that a staggering 90% of Europe's digital infrastructure, encompassing cloud services, computing power, and software, is controlled by foreign entities. The Australian Strategic Policy Institute's comprehensive analysis of 64 critical technologies further underscores this reality, revealing that Europe leads in none, with China dominating 57 and other nations holding sway over the rest. This paints a stark picture of a continent that has largely ceded technological leadership. As Mario Draghi cautioned in his pivotal September 2024 report on European Competitiveness, this systemic reliance not only jeopardizes productivity but also threatens Europe's fundamental operational autonomy. Without decisive action to regain technological capabilities, Draghi warned of a "slow agony" leading to eroded sovereignty. ### The Identity Bottleneck This vulnerability is most pronounced in the realm of Identity and Access Management (IAM). Unlike passive data storage, authentication forms the bedrock of control within any digital system. When the authority to authenticate users resides within infrastructure subject to foreign legal jurisdictions, an organisation's operational continuity becomes vulnerable to decisions made in distant capitals. Identity, therefore, transcends mere security; it represents a critical single point of failure where jurisdictional risk converges with technical fragility. ### From Regulation to Operational Imperative Europe's response has been decisive. With the full implementation of the NIS2 Directive and the application of DORA, identity management has been formally designated as critical infrastructure. These regulations now mandate that Operators of Essential Services (OES) demonstrate "Offline Functional Continuity." For vital sectors such as energy grids, hospitals, and financial institutions, relying on authentication flows susceptible to foreign legal reach is no longer merely a risk – it constitutes a compliance failure. The pressing question is no longer *why* sovereignty is necessary, but *how* these regulatory mandates can be translated into tangible operational reality. ## II. Regulatory Imperatives Drive European Initiatives ### The Regulatory Imperative The enforcement of the NIS2 Directive and the Digital Operational Resilience Act (DORA) has transformed digital sovereignty from an abstract political aspiration into a concrete legal obligation. These legislative frameworks compel Operators of Essential Services and financial institutions to ensure operational continuity, independent of third-party dependencies, crucially including the ability to maintain authentication capabilities even during external service disruptions. This regulatory push is catalysing practical action across Europe. According to The Register's December 2025 investigation into European infrastructure migrations, public authorities are actively transitioning from mere compliance assessments to significant architectural transformations. ### European Initiatives Gain Momentum As highlighted by The Register's December 2025 report on Europe's infrastructure shifts, a wave of tangible projects is underway. From Austria to Germany, and from France to international organisations, public entities are executing targeted migrations away from foreign-controlled infrastructure, with a particular focus on identity and authentication systems. #### Austria: A Ministerial Precedent Austria's Federal Ministry for Economy, Energy and Tourism successfully migrated 1,200 employees to Nextcloud, a European open-source collaboration platform, within a mere four months. This decision was driven not by cost savings but by compliance requirements. As Florian Zinnagl, the ministry's CISO, explained to The Register, "It was never about saving money. It was about maintaining control over our own data and our own systems." Several other Austrian ministries have since initiated Nextcloud implementations. #### Germany: State-Level Digital Transformation In Schleswig-Holstein, Germany is undertaking an even more ambitious endeavour. The state is in the process of migrating 30,000 civil servants from proprietary systems to European open-source alternatives, including LibreOffice, Nextcloud, Open Xchange, and Thunderbird. By late 2025, over 24,000 employees had already completed this transition. The success of this project has fostered broader European cooperation. In July 2025, Germany, France, Italy, and the Netherlands established the European Digital Infrastructure Consortium for Digital Commons, aimed at jointly developing and scaling sovereign digital tools such as OpenDesk, an open-source office and collaboration suite delivered by the German Centre for Digital Sovereignty (ZenDiS). #### International Institutions Take Action Even international bodies are acknowledging the vulnerability inherent in relying on foreign infrastructure. The International Criminal Court in The Hague announced in late 2025 its migration to OpenDesk. This decision followed an incident where the court's chief prosecutor temporarily lost access to critical communication systems – an intolerable operational vulnerability for an institution operating in such a politically sensitive environment. #### France: Strategic Infrastructure for Sensitive Data France's Ministry of Economics and Finance completed NUBO, an OpenStack-based private cloud initiative specifically designed for handling sensitive data and services. Unlike general-purpose cloud migrations, NUBO represents a focused strategy: retaining control over the most critical assets while potentially leveraging external providers for less sensitive workloads. #### A Growing Grassroots Movement These examples demonstrate that while a complete departure from foreign hyperscalers may not be immediately feasible, targeted migrations for specific, high-risk applications, especially identity and authentication infrastructure, are not only viable but are actively being pursued across Europe. The pattern is clear: organisations are moving beyond rhetoric to execution, from mere compliance exercises to genuine architectural transformation. What began as isolated initiatives is now evolving into a continent-wide trend, driven not by political ideology but by the practical realities of operational risk, regulatory obligations, and the fundamental recognition that authentication infrastructure cannot be treated as a mere commodity service. ## III. RCDevs: Enabling Sovereignty Through Infrastructure **European • On-premise • AD-native** With over 15 years of specialisation in identity and access management, Luxembourg-based RCDevs delivers on-premise solutions meticulously designed for European digital sovereignty. Their flagship products, WebADM and OpenOTP, seamlessly integrate with existing identity infrastructure, including native Active Directory support, while ensuring that authentication authority remains under the organisation's direct control. ### European Technology, Architectural Commitment RCDevs has engineered its identity and access management solutions specifically for on-premises deployment. This is more than a technical preference; it represents a core architectural commitment to fostering sovereignty. When RCDevs' Identity hub, WebADM, is deployed within an organisation: ### European Jurisdiction, Complete Control * Authentication infrastructure operates on the organisation's servers, within its data centres, and under European law. * There is no foreign cloud provider involved in the critical authentication path. * No exposure to extraterritorial legislation such as the Cloud Act or FISA. * Cryptographic secrets (including passwords, MFA tokens, and biometric data) remain within the organisation's infrastructure, under its direct physical and legal control. ### Operational Independence from Foreign Cloud Dependencies * Authentication decisions are made locally, without routing through foreign-controlled services. * Should cloud IAMs hosted in foreign jurisdictions become unavailable, critical systems can continue to authenticate using local credentials. * VPN access, infrastructure logins, and sensitive applications operate independently of external connectivity. ### NIS2 and DORA Compliance by Design * Demonstrates jurisdictional independence for Operators of Essential Services. * Provides the "offline functional continuity" mandated by resilience frameworks. * Maintains a local "root of trust" as required for critical infrastructure. ### Hybrid Architecture Without Dependency WebADM does not necessitate an immediate abandonment of cloud IAMs. It facilitates federation with Microsoft Entra ID, Okta, Google Workspace, and other cloud providers, yet crucially places the ultimate authentication authority within the organisation's own perimeter. Users can continue to reside in Entra ID for Microsoft 365 and SaaS applications. However, when they authenticate to the organisation's VPN, factory systems, financial infrastructure, or other critical applications, that authentication flow is handled by the local WebADM deployment. The cloud IAMs thus become federated sources rather than controlling authorities. Organisations can leverage their services where convenient, but without operational dependence on their availability or their adherence to foreign legal orders. ### Prepared for Connectivity Disruptions This architecture is specifically designed for a scenario that European decision-makers must now anticipate: what happens if connectivity to foreign cloud services is disrupted, whether due to cyberattack, infrastructure failure, or political decree? With WebADM deployed on-premise: * Factories maintain operations. * Banks continue to function. * Hospitals retain access to critical systems. * Government services remain functional. This is because authentication occurs locally, entirely independent of external dependencies. Security thereby transforms into a resilient European asset rather than a vulnerable foreign dependency. ## IV. Operational Advantages Beyond Sovereignty Beyond mitigating jurisdictional risks, establishing on-premise European identity infrastructure offers tangible operational benefits. ### Enhanced Resilience During Cloud Provider Outages When cloud IAM providers, particularly those hosted in foreign jurisdictions, experience outages – which they do, regularly – organisations reliant on these services for authentication can find themselves locked out. WebADM's architecture ensures continuity even when cloud IAM providers become unavailable. Through local password synchronisation and federated identity management, organisations maintain authentication capabilities during transatlantic connectivity failures or cloud service outages. VPN access, network authentication, and critical systems continue to operate using locally-maintained credentials and MFA flows, independent of external cloud IAM availability. This "fail-safe" design means that essential services like factories, banks, and public services are not held hostage by the operational status of foreign cloud providers. Security becomes an independent asset rather than a vulnerable dependency. ### Migration Efficiency Through Token Portability One of the often-overlooked costs in IAM consolidation projects is the extensive process of MFA re-enrollment. When migrating users between identity providers, whether from on-premises AD to Entra ID, or from Okta to another platform, organisations typically face significant support burdens as thousands of users must re-register their authentication tokens. WebADM addresses this challenge through token portability. Because MFA tokens are stored and managed within WebADM's meta-directory rather than individual IAMs, users can retain their existing TOTP or FIDO tokens throughout migrations. A user can seamlessly transition from AD to Entra ID, or from Okta to Google Workspace, without needing to re-enroll, significantly reducing user impact and helpdesk strain during large-scale IAM transformations. ### European Ecosystem Interoperability RCDevs has engineered WebADM around open standards such as RADIUS, LDAP, SAML, and OpenID Connect. This design ensures compatibility with other European technologies that uphold sovereignty principles, whether it's Nextcloud for collaboration, European cloud providers, or other solutions developed within Europe. This approach avoids vendor lock-in to monolithic foreign stacks. Instead, it enables the construction of a modular European technology foundation where components can be interchanged without causing systemic disruption. ## V. Conclusion: Safeguarding the Enterprise's Foundation In 2026, the critical question for European decision-makers is straightforward: if connectivity to foreign cloud providers were to be severed tomorrow, would your organisation still possess the capability to authenticate its users and maintain its systems? RCDevs provides the architectural bedrock to confidently answer "Yes." By deploying authentication infrastructure on European soil, organisations can retain operational control even while leveraging global cloud services. The authority to authenticate, and thereby to grant or deny access, remains firmly within the organisation's direct command. True resilience lies in the ability to preserve operational autonomy when external conditions shift.