Discussion
David Chisnall (*Now with 50% more sarcasm!*)
@david_chisnall@infosec.exchange  ·  activity timestamp 7 hours ago

If you're talking to EU politicians about tech sovereignty, there are a couple of things I hope you'll ask them to consider:

One of the problems with the US tech giants is that they are too big to regulate. They have grown so big that they are more powerful than most countries. Only China and the EU are big enough to even consider trying to regulate them (this is one of the many reasons Brexit was a disaster). You don't want to replace a nominally American company that you can't regulate with a nominally French (or German, or whatever) company that is too big to regulate. It is far better to have a thousand billion-Euro companies than one trillion-Euro company:

  • The smaller companies can exert less political pressure on governments.
  • A thousand companies will spread out their hiring far more than one company, bringing jobs to more regions.
  • A billion-Euro company failing is bad for the economy, but a trillion-Euro company failing is a disaster.
  • A thriving competitive environment with a dozen companies providing similar products and services gives better consumer outcomes than a single monopoly (or a duopoly like iOS and Android).

Pivoting from big US tech to big EU tech would retain most of the same problems.

And this leads nicely into the second point. Open source was popular in companies because second sources were a well-understood concept. If your business depends on X, you want to be able to buy X from two or more competing suppliers. With open source, in theory, it's easy for a new supplier to provide exactly the same thing. But big open source projects have the same problem as big corporations: they become too big to fork.

As a concrete example, the Chromium team refuses to take patches to support any OS that Google doesn't ship Chrome on. This has knock-on effects such as Electron (and therefore apps that use Electron) officially supporting only platforms that have enough market share for Google ads to care about them (or that Google uses in products or internally).

Open source, in theory, means that anyone can come along and be a second source for Chromium. But Chromium averages about one security vulnerability per day or two. If you are a week behind in upstream merges, you are pretty much guaranteed to have exploitable vulnerabilities. This makes maintaining a fork impossible. Other big projects do take patches but have codebases that undergo rapid continuous refactoring that makes it hard for third parties to build the expertise in the system. Or they have poor onboarding documentation and code comments and so the only way to learn the codebase is to work for the company that sells products around it.

Pivoting from big US tech to big open source projects also retains a lot of the same problems with respect to lock in. Governments should consider the number (and size) of companies that are willing and able to support a codebase when considering whether it meets procurement requirements. If only Google or Oracle (for example) can provide support (new features that the customer wants, merged upstream or maintained for 10 years in a fork) then it should not be considered. If a smaller consultancy such as Igalia can do the same (especially if they can and it's not a project that they have supported for another customer) then it's far more likely to be something that will remain a useful shape as requirements evolve.

Many small companies, supporting many small projects, should be the goal. As soon as a project becomes an essential part of an ecosystem, that should be a signal to fund alternatives.

Wolfgang Maehr
@njyo@mastodon.social replied  ·  activity timestamp 16 minutes ago

In essence it goes back to #OpenStandards and #Interoperability.

@david_chisnall

Moreno Colaiacovo 🧬🇮🇹
@emmecola@mastodon.uno replied  ·  activity timestamp 2 hours ago

@david_chisnall I agree. The important thing that authorities should promote is not company size but common standards, so that many different services offered by many companies remain interoperable

Human after all
@humanhorseshoes@mastodon.world replied  ·  activity timestamp 2 hours ago

@david_chisnall These US tech companies are regulated by the weakest of the weak Irish regulators in Ireland. The pressure needs to be put on Ireland and not screamed into the void

uis
@uis@pone.social replied  ·  activity timestamp 3 hours ago

@david_chisnall there is another part to it, that current laws ban attempts at enforcing regulation or even common sense by individuals. Take Article 6 of Copyright Directive in EU or DMCA 1201 in USSA, that demands government to send you in prison for sensible things like refilling ink cartridge or playing with your friends game, that publisher (remember, publishers are not developers) decided to not be playable.

CM Thiede
@cmthiede@social.vivaldi.net replied  ·  activity timestamp 6 hours ago

@david_chisnall multiple great threads happening on this very topic, just sad it's taken so long for people to start thinking critically about it.

https://social.coop/@cwebber/115964484421440911

ananas
@ananas@scicomm.xyz replied  ·  activity timestamp 6 hours ago

@david_chisnall So much agreed. I would star and boost this multiple times if possible.

Unfortunately we live in a system where building sustainably like this is disincentivised, but still, here's to hoping.

David Chisnall (*Now with 50% more sarcasm!*)
@david_chisnall@infosec.exchange replied  ·  activity timestamp 6 hours ago

@ananas

Here is the one-sentence summary for politicians:

Do you want to create an environment where corporations are more powerful than parliaments?

Hopefully that's enough to get their self interest on side.
