Eleven days after the European Technological Sovereignty Package landed on 3 June, it has set off precisely the fight you would have predicted. Washington, which has spent the year threatening Section 301 trade retaliation over Europe’s digital rules, treats the package as one more of them; industry groups called it protectionist and discriminatory the same day; Brussels insists, in the words of its tech sovereignty chief, that sovereignty does not mean protectionism and that the tests are technology-neutral; the hyperscalers it targets are quietly building European joint ventures to qualify; and from the other flank, two dozen European cloud providers warn that the whole thing risks “sovereignty washing” — that it may not go far enough to dislodge the incumbents. Even sympathetic economists caution that Europe is mimicking its rivals’ protectionism rather than out-competing them.

It is a genuine argument, and it will run for a year. But step back from the volume and notice what every one of those positions has in common. The American complaint, the European-provider complaint, the Commission’s defence, the economists’ warning — all of them are arguing about the same axis: who owns the system, where it sits, and which flag it flies. That is one way to read the word sovereign. It is the shallowest way, and — as the draft criterion currently stands — it is most of what the test measures. The question that will decide whether the package delivers anything durable is the one nobody is fighting over: not whether sovereignty is assessed, but how deeply.

The centrepiece, the Cloud and AI Development Act, commits the Union to a single framework for assessing the sovereignty of cloud and AI services, with four sovereignty tiers and real consequences — services that fail the highest tier can be kept out of the most sensitive public contracts. As drafted, those tiers measure what you would expect at the surface: where the infrastructure sits, who owns and controls the provider, and whether a foreign law can reach it. That is a real criterion, and it is pitched almost entirely at the shallowest reading of the word. What the next year of trilogue between Parliament and Council will settle is whether it is deepened or left there — whether “sovereign” comes to mean something structural or stays at “European-owned.” The package did not forget to write the test. It began to — and, as the reaction shows, it is on course to stop one layer too early.

The instinct is correct

Begin with what the Commission got right, because it is most of the work. Executive Vice-President Henna Virkkunen framed the goal plainly: to ensure that no provider of Europe’s critical workloads holds a kill switch over them. Strip away the geopolitics and that is a precise engineering demand. Europe wants the ability not to be shut off, not to be silently altered, and not to be locked in by a party whose decisions it cannot see and cannot overturn. It wants to inspect the infrastructure it runs on, to leave a provider that fails it, and to reproduce what it depends on rather than rent it on terms set elsewhere. Those are the properties of a system that stays correctable by the people who depend on it — and they are the right properties to demand.

The package builds real instruments toward them. The Cloud and AI Development Act turns “trustworthy” into a graded, enforceable classification rather than a slogan, and Virkkunen was candid that providers under foreign legal compulsion will find the top tier hard to reach — the honest version of the argument. The Open Source Strategy is the part that matters most, and the part the open-source community has spent two decades working toward: for the first time, open source sits at the centre of European digital policy, named not as a procurement saving but as a structural lever of sovereignty — the thing that lets a public administration read, modify, and keep running the systems it depends on without a vendor’s permission. The Free Software Foundation Europe, which has campaigned on exactly this, reads the package as a possible adoption of its long-standing “Public Money? Public Code!” principle, and notes that the Development Act carries a “Free Software first” rule for public cloud and AI procurement. The diagnosis underneath all of it is not in dispute: Europe depends on non-European providers for more than eighty percent of its key digital products, services, and infrastructure; it makes under a tenth of the world’s chips; and American hyperscalers hold the majority of its cloud market.

So the package earns its confidence. The argument here is not that it goes too far, and not that it goes too little far. It is that the criterion at its heart can be finished — and that the current fight, for all its heat, is being conducted almost entirely at the depth where finishing it badly is easiest.

What a sovereignty test should measure

A sovereignty assessment can be drawn at three depths, and the difference between them is the whole game.

The shallowest test asks where the infrastructure sits and who owns the company. It is the easiest to administer and the easiest to satisfy without changing anything that matters: a European-owned, European-hosted service can still be a black box to the administration that runs it and to the citizen it makes decisions about. A test pitched here certifies a change of landlord.

A deeper test asks whether the system can be inspected and reproduced — whether its code, and for AI its models and the data and procedures that shaped them, are open enough that the administration can audit what it deploys and continue to run it if the supplier walks away. This is where the Open Source Strategy already points, and it is the right second layer. Openness here is not all-or-nothing; it is layered, and a workable assessment can grade it. The components that shape a deployed AI system’s behaviour — its logic and inference code, its weights, the data and training procedures behind them, and the operative categorical schema it actually uses to classify the world — can each be disclosed and assessed in turn. For an AI system the inspection question reaches one level inward: not only whether the model is open, but whether the categories it uses to classify a citizen are themselves disclosed and contestable, or proprietary and fixed. That is the deepest form of the inspection question — and it is already the hinge to the next one.

Because inspection, however deep, is not the end of the test, and this is the distinction the whole debate elides. Openness solves a problem of visibility, not of authority. A system can be fully inspectable and reproducible and still leave the people subject to its decisions no practical route to challenge them. Open source can tell you what the machine is doing; it does not, by itself, determine who can stop it, correct it, or reverse it. Openness is a precondition for sovereignty, not sovereignty itself. The question it leaves unanswered is whether authority remains contestable after inspection — whether the people a system decides about retain the capacity to induce correction when it is wrong.

That is the third and deepest layer, and it deserves a name. Europe is already fluent in the shallower vocabulary — a decade of data sovereignty, and now, with this package, infrastructure sovereignty — but both name the same instinct: control over where the data and the machines sit, and who owns them. What the continent has no word for is the layer past ownership entirely. Call it decision sovereignty: not a right to appeal granted on paper, which a system can render unenforceable in practice, but whether the authority to challenge, reverse, and correct a decision is a structural property of the infrastructure that makes it. It is the same property Europe is demanding at the level of the state — that no party hold an uncorrectable power over it — owed to the citizen one level down. A kill switch no foreign party can reach removes an uncorrectable power held from outside; this third layer removes the one held from within. And it carries a condition the openness layers do not: correction is only real if it can reach a decision before that decision becomes irreversible, which means the system’s capacity to act unilaterally must itself be bounded enough for correction to catch up.

A system you can inspect but cannot contest is an open loop, not a sovereign one.

A test that stops at ownership and openness certifies that Europe controls the machine; a test that reaches contestable, correctable decisions certifies that the control is worth having.

The reaction has already chosen its depth

Here is what makes the next year so precarious, and it is visible in the response to the package rather than in the package itself. Sort the eleven days of reaction by the depth at which each party is arguing, and the result is a near-perfect natural experiment in how far “sovereign” gets read when it is left to the people who own and build the systems.

The entire trade fight sits at the first depth. The American objection is that origin tests are discriminatory; the European-provider objection is that origin tests can be gamed; the Commission’s defence is that its origin tests are neutral. Every one of these is an argument about ownership and location. The most revealing of them is the European providers’ warning of sovereignty washing: the parties who most want maximal sovereignty are themselves saying that a test pitched at ownership can be passed without delivering it. That is the first depth confessing its own insufficiency, from the inside. When even the maximalists tell you the ownership criterion can be washed, they are making the case for writing it deeper — they simply locate “deeper” at reserved procurement shares rather than at anything structural.

The second depth has one organised constituency, and it is the open-source camp. OpenForum Europe, which co-authored the most considered response, calls the strategy a landmark that finally puts open source to the test — the test, in their framing, being implementation. A coalition of European open-source companies, from Nextcloud and Collabora to OpenNebula and Element, had already pressed Brussels for an Open Source First procurement rule under which every public purchase must first evaluate whether a qualified open alternative exists, and that evaluation must be documented and auditable. SUSE, articulating the camp’s sharpest version, insists the question has to be about architecture, not geography — that only open source makes the foundational layer genuinely portable and maintainable by anyone, not solely the original vendor. This is the genuinely deeper reading, and it deserves the credit it is owed: it is the one part of the response that moves past the flag on the building to whether anyone inside can open the walls.

The third depth has no constituency at all.

Stack the whole reaction — Washington, Brussels, the hyperscalers, the European providers, the economists, the open-source community — and not one of them asks whether the decisions a system makes about a person remain contestable by that person. The closest anyone comes is the open-source camp’s “can the administration inspect it,” which is a question the operator asks on the operator’s behalf. Nobody is asking the question the governed party would ask: can I be told a decision was made about me, can I contest it, can I have it reversed. It is empty in the reaction for the same reason it tends to be empty everywhere — because the people who own and build systems read “sovereign” as far as their own interests reach, and the people the systems decide about are not in the room.

The argument the open-source camp is already making for you

The open-source response is worth dwelling on, because it carries, one storey down, the exact principle the deepest layer needs. The camp’s central anxiety is not really about ownership; it is about verifiability. “Public Money? Public Code!”, “documented and auditable”, the alarm over open washing — these are all a single claim, that a disclosure which cannot be independently checked and enforced is worth nothing. An openness commitment the public body cannot verify is, in practice, indistinguishable from no commitment. That is correct, and it is the most important thing the community has contributed to the debate.

It also generalises one step further than the community has taken it. Ask auditable by whom, and the open-source answer is: by the procuring administration. That is real progress, and it is still an operator verifying on the operator’s behalf. The same logic, carried one party outward, is the third depth precisely: a system’s correctability must be documented and auditable by the governed — not asserted by the operator, not certified to a regulator, but checkable by the person the decision was about, who must retain the capacity to induce correction when it is wrong. An unverifiable constraint is structurally indistinguishable from absolute operator control, whether the constraint is an openness pledge or a promise that a decision can be contested. The open-source camp has already won this argument at the second depth. The third depth is the same argument, owed to the party one step further out than the administration that does the procuring.

The mechanism is already in the package

None of this requires a new instrument, which is what makes it tractable rather than aspirational. The Development Act’s “Free Software first” rule already obliges procurement to document and audit whether an open alternative was considered before a proprietary one is chosen. That is an auditable procurement criterion, sitting in the package, doing exactly the kind of work the third depth needs — it simply audits the second depth. The same criterion can be written to reach the third depth: to require, for a system that decides something consequential about a person — whether they are eligible for a benefit, flagged as a fraud risk, scored by a policing model, or cleared at a border — that the decision remain one the person can contest and have corrected. A tiered, declare-and-audit disclosure standard keyed to the consequence severity of a system is not hypothetical — it has been worked out in the literature on epistemic infrastructure, and the criterion can take its shape. The machinery for grading and enforcing a disclosure obligation has been built. The only open question is what it is made to measure.

The same gap, one storey down

It is worth seeing that this is not a peculiarly European gap, because that is what makes the opportunity general rather than parochial. The standards work building the agent and identity layer underneath all of this has spent the past year constructing a near-complete apparatus for an operator to govern its own systems — to authenticate them, bound them, observe them, and produce a record it can show a regulator — and has stopped, by its own account, at the point where the person a system acts on might reach back into a decision. The sovereignty package makes the identical move one storey up: it builds the assessment that serves the institution and leaves unwritten the part that would serve the governed. The pattern is consistent enough across the protocol layer, the regulatory layer, and the reaction to both that naming it is useful, not accusatory: inspection is a property the operator holds; contestability is a channel the governed must be able to enter; and systems keep being certified on the first while the second goes unspecified. Europe has the chance to be the first to write the second into a procurement instrument with teeth.

Three objections arrive on cue, and the argument already answers them. That European law grants a right to contest an automated decision is true and beside the point — the question is not whether the right exists but whether the sovereignty test measures it, and as written it does not. That citizen contestability belongs to constitutional law rather than to sovereignty certification mistakes the shape of the claim — this is the internal form of the same non-domination logic the package already asserts against an external party that could shut Europe off. And that reaching the third depth is mission creep beyond infrastructure misreads what infrastructure sovereignty already contains: legal control and operational control, to which the contestability of a system’s decisions is simply the next layer.

Finish the test

The Commission has shown it understands the demand exactly — it made the demand on its own behalf, and built real instruments to meet it. The Open Source Strategy gives it the inspectability layer, and a mobilised community ready to defend it. What remains is to finish the criterion so that “sovereign” measures not only who owns and hosts a system, and not only whether it can be opened and rebuilt, but whether its decisions remain contestable and correctable by the people they are made about. That is a definable standard, much of it already drafted in the open-source and standards communities, and the next year is exactly when it gets decided — by whether anyone fills the third depth, or whether the test is declared finished one or two storeys above the citizen.

A kill switch that no foreign party can reach is the right thing to want. A system whose decisions the governed can challenge and reverse is the same thing, owed to the same people one level down. Europe asked the right question on 3 June, and began to answer it. The whole world has spent eleven days answering a shallower one. Decision sovereignty is the layer the test hasn’t finished yet — and there is a community, and a standard, ready to help finish it.

Anivar Aravind is an Engineering Executive and System Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility, with preprints on SSRN: Corrigibility as a Structural Precondition for Digital Public Infrastructure and Epistemic Capture and the Action Boundary.

Share Layer 8 by Anivar