The Announcement
Digital sovereignty is rapidly emerging as a strategic enterprise architecture priority as organizations reassess technology resilience, workload portability, and long-term control of critical infrastructure. Recent discussions at SUSECON and across the broader industry have highlighted how sovereignty is evolving beyond data residency requirements into a broader conversation around technology independence, operational flexibility, and digital resilience.
The discussion comes as the European Commission released its new EU Cloud and AI Development Act, a regulatory package that includes a dedicated focus on open source technologies. At the same time, SUSE announced a partnership with CloudBase and its Coriolis migration platform to help organizations migrate VMware-managed virtual machines, transition Linux distributions, and relocate workloads to alternative hosting environments. Research discussed by SUSE, based on more than 300 interviews across Japan, India, the United States, France, and Germany, found that approximately 93% of organizations are either actively investing in or have already established a sovereignty transformation strategy. Digital sovereignty is no longer solely a European policy discussion—it is increasingly becoming a global enterprise IT priority.
The Bigger Picture
Sovereignty Is Becoming a Board-Level Risk Discussion
Digital sovereignty has crossed the threshold from regional compliance requirement to executive-level business risk. The shift is significant. A few years ago, sovereignty conversations happened at the director or VP level, typically in the context of data residency rules or sector-specific regulation. Today, C-suite leaders are driving them, because the calculus has changed. Failing to migrate off closed, proprietary platforms now creates compounding risks: regulatory non-compliance under incoming EU law, escalating vendor pricing, reduced auditability, and strategic dependency on infrastructure controlled by foreign jurisdictions.
SUSE’s research finding that nearly half of surveyed organizations are actively investing in sovereignty transformation strategies, with 43% already having a formal strategy in place, signals that this is an operational reality, not a future aspiration. The verticals moving fastest are the ones where failure carries the most consequence: public sector, mission-critical infrastructure (power grids, utilities, harbors), healthcare, defense, and banking and telecommunications. These are sectors where a sustained outage doesn’t just disrupt a business, it can stop a country.
What ITDMs Need to Understand About the EU Cloud and AI Development Act
The EU’s Cloud and AI Development Act, released in the days immediately preceding this conversation, is the most consequential development in European technology procurement in years. It is not yet a mandate with hard enforcement teeth, but its direction is clear. Open source is explicitly identified as the preferred foundation for public sector technology procurement. Dual-vendor strategies are recommended. Open Source Programme Offices (OSPOs) are positioned as key governance actors within organizations, analogous to enterprise architects but specifically chartered to evaluate open source alternatives.
For ITDMs in Europe and for any multinational operating across European jurisdictions, this creates a procurement planning requirement now, even before the regulation’s debates conclude and enforcement mechanisms are finalized. Organizations that have renewed VMware contracts for two more years and deferred modernization decisions are not buying time. They are accumulating technical debt against a regulatory deadline that is moving toward them.
The economics are straightforward. Vendor lock-in carries a pricing premium. It also now carries a compliance risk premium. Open source alternatives that are auditable, inspectable, and locally hosted reduce both. ECI Research has found that organizations with the highest FinOps maturity are distinguished not by the most advanced tools, but by the most integrated teams, and the same principle applies to sovereignty: the organizations that will navigate this transition most effectively are those aligning procurement, engineering, legal, and finance around a coherent strategy rather than treating it as a platform migration project.
What Developers Need to Understand About the Technical Transition
The CloudBase Coriolis partnership is worth unpacking for practitioners. What SUSE is offering is not simply a lift-and-shift path off VMware. It’s a three-axis migration: VM hypervisor (vSphere to SUSE Virtualization), Linux distribution (any distribution to SUSE-managed Linux), and destination (from centralized or hyperscaler hosting to local or sovereign hosting providers). All three transitions can execute simultaneously on a single workload.
For platform and infrastructure engineers, the important architectural point is that SUSE Virtualization allows VMs and containers to be managed within the same operational philosophy, side by side. That matters because most enterprises are not in a position to abandon virtual machines entirely. ECI Research analysis of the cloud market shows that the average enterprise now uses more than two public cloud platforms, with Kubernetes, Snowflake, and GenAI often coexisting across a patchwork of teams, workloads, and tools. Adding a sovereign hosting layer to that complexity without a unified management plane would be operationally untenable. SUSE’s approach attempts to reduce that friction by treating the VM-to-container continuum as a managed spectrum rather than a hard cutover event.
Portability is the other critical technical variable. SUSE’s research shows that organizations are not uniformly repatriating workloads from hyperscalers. Many are instead prioritizing the ability to move workloads when necessary, maintaining hyperscaler presence for global or commodity workloads while bringing mission-critical systems closer to jurisdictional control. This is the dual-vendor model that telecommunications companies have used for years, now being adopted by enterprises across regulated industries.
Competitive Positioning and the Open Source Ecosystem
SUSE’s position in this market is structurally differentiated from both the major hyperscalers and from proprietary virtualization vendors. As the largest European open source provider, it can credibly claim alignment with the regulatory direction the EU is setting. Its coalition of more than 100 European companies lobbying for auditable, inspectable open source mandates gives it policy influence that a US-headquartered vendor cannot replicate.
The risk for SUSE is execution speed. The market is early. Many organizations are still completing their final VMware contract cycles. The window for capturing customers who are actively planning their next infrastructure decision is relatively narrow, and it requires not just product capability but a partner ecosystem (migration services, regional hosting providers, managed service partners) that can deliver at scale across multiple geographies. The Focusnet partnership in Germany is an example of that motion; replicating it across additional markets will determine how much of this opportunity SUSE converts versus competitors who are watching the same regulatory signals.
What’s Next
Open Source Mandates Will Tighten, and the OSPO Will Matter
The EU Cloud and AI Development Act in its current form recommends rather than mandates open source. That will change. The legislative process will produce more prescriptive language, and the SUSE-led coalition of European companies is actively pushing for auditable, enforceable open source-first requirements. ITDMs at organizations operating in or selling into European markets should treat the current period as preparation time, not wait time.
The practical implication is that OSPOs, currently a niche organizational construct, will become a standard governance function within regulated enterprises over the next two to three years. Organizations that build OSPO capability now, with clear criteria for evaluating open source alternatives across their stack, will have a structural advantage when procurement requirements harden. Those that don’t will face the same scramble that caught many organizations flat-footed when GDPR enforcement began.
Workload Stratification Will Replace Single-Vendor Cloud Strategy
The trend toward stratified workload management, distinguishing between mission-critical, business-critical, and commodity workloads and applying different sovereignty and hosting requirements to each, will become the dominant enterprise cloud strategy model within three to five years. This is not a reversal of cloud adoption. It is a maturation of it.
ECI Research has found that enterprises that successfully operationalize FinOps achieve faster product delivery, improved cross-functional alignment, and more predictable financial outcomes without compromising innovation velocity. The same outcome profile applies to sovereignty strategy when it’s done well: organizations that develop clear workload classification frameworks and align their infrastructure decisions accordingly will spend less on unnecessary hyperscaler exposure, reduce regulatory risk, and retain the operational flexibility to respond to future geopolitical or market shifts. Those that treat sovereignty as a binary (fully repatriated or fully on hyperscaler) will find neither posture serves them well as the regulatory and competitive environment continues to evolve.
Stay Ahead of Application Development Trends
Get weekly analyst insights, research notes, event coverage, and AppDevANGLE updates delivered directly to your inbox.
Subscribe for Weekly Insights
Join technology leaders, practitioners, and GTM teams following the trends shaping modern software delivery.
Looking for deeper research access?
Explore ECI Research reports, survey insights, and market analysis through the ECI Research Portal.
