By NHI Mgmt Group Editorial TeamPublished 2026-06-05Domain: Governance & RiskSource: PassBolt

TL;DR: The European Commission’s Tech Sovereignty Package puts open source at the centre of Europe’s digital strategy, but Passbolt argues that declarations alone will not change procurement, dependency, or market power without binding mechanisms that enforce openness, interoperability, and portability. Policy matters only when it changes the control environment that software and identity programmes actually operate in.


At a glance

What this is: This is an analysis of the European Commission’s Tech Sovereignty Package and its claim that open source should be treated as strategic infrastructure.

Why it matters: It matters because identity, secrets, and access programmes increasingly depend on open standards, portability, and transparent tooling choices that shape both operational resilience and vendor concentration risk.

👉 Read Passbolt's analysis of the EU Tech Sovereignty Package and open source policy


Context

The core issue is not whether Europe says it values open source, open standards, or interoperability. The issue is whether policy can change procurement and market behaviour enough to make those principles real in day-to-day technology selection, including the identity and access layers that sit underneath modern software operations.

For IAM and security teams, this is less about ideology than dependency management. When platforms and workflows become opaque, organisations lose portability, visibility, and leverage. The article argues that Europe needs mechanisms, not slogans, if open source is to function as a durable part of its digital infrastructure.


Key questions

Q: How should organisations evaluate open-source platforms for identity and security use cases?

A: They should assess portability, standards support, and operational ownership first. If a platform cannot be exported, audited, or offboarded without major rework, it creates dependency risk even if it is open source. For identity and security use cases, governance matters as much as code transparency.

Q: Why does vendor lock-in matter to IAM and secrets management?

A: Because lock-in can trap access controls, secret storage, and audit trails inside one operating model. That makes migration harder, reduces oversight, and increases the cost of change. IAM teams need systems that preserve federation, exportability, and revocation paths outside a single supplier boundary.

Q: What should security teams look for in a sovereign technology strategy?

A: They should look for enforceable procurement rules, open standards, and practical exit options. A sovereign strategy is only meaningful if it changes what buyers can select and how easily they can leave. Otherwise it remains a policy statement with limited operational effect.

Q: How can identity teams reduce dependency on opaque platforms?

A: By preferring architectures that separate identity, secrets, and policy from proprietary application logic. That usually means federation, portable configuration, and clear offboarding procedures. The objective is not to reject vendors, but to avoid becoming unable to move when governance or risk changes.


Technical breakdown

Why policy without enforcement does not change platform dependency

A policy statement can recognise open source as strategically important without changing how buyers, operators, or vendors behave. In practice, procurement rules, interoperability requirements, and portability expectations are what determine whether organisations can move away from locked-in infrastructure. For identity programmes, that distinction matters because access, secrets, and workflow dependencies often harden around whatever platform was easiest to adopt first. Without enforceable constraints, technical openness remains aspirational rather than operational.

Practical implication: security and IAM leaders should treat sovereignty claims as control requirements, not strategic language.

Open standards and portability as control levers for identity security

Open standards reduce the cost of switching and the risk of becoming trapped inside one supplier’s identity model. Portability matters because access governance, secret storage, and auditability become harder when data and workflows cannot be moved cleanly. In identity security, this is especially relevant for workload identity, secrets management, and federation patterns, where proprietary assumptions can create hidden dependency. Standards do not remove risk, but they make governance more inspectable and exit paths more realistic.

Practical implication: teams should favour architectures that preserve exportability, federation, and policy portability across environments.

Open source as infrastructure only works when governance follows

Treating open source as critical infrastructure changes the accountability question. Infrastructure is not useful simply because it is open; it is useful when it is supported by transparent maintenance, secure update paths, procurement discipline, and operational ownership. That is the same logic identity teams already apply to privileged access, certificate handling, and secret lifecycles. The policy debate is really about whether Europe will build a market where those controls are rewarded instead of ignored.

Practical implication: organisations should align open-source adoption with lifecycle governance, supportability, and auditability requirements.


NHI Mgmt Group analysis

Open source only becomes strategic infrastructure when buyers are forced to act on the policy. Europe has made similar declarations about openness and interoperability before, but declarations do not change procurement behaviour on their own. The market effect depends on whether public-sector and enterprise buyers are required to prefer portable, standards-based options. For IAM and security teams, the lesson is that strategy only matters when it changes control selection.

Vendor lock-in is an identity governance problem, not just a procurement problem. When access, secrets, and workflow dependencies are trapped inside opaque platforms, organisations lose the ability to govern migration, audit boundaries, and recover from supplier failure. That makes sovereignty relevant to identity architecture, because the same hidden dependency patterns that weaken procurement also weaken access oversight. Practitioners should treat portability as a governance attribute, not a commercial preference.

Open standards create the conditions for accountable identity control planes. Standards such as federated identity, workload portability, and transparent interfaces make it easier to inspect how access is granted and revoked across environments. Without them, identity teams inherit black-box behaviour that is difficult to certify, migrate, or reverse. The practical conclusion is that sovereignty and identity resilience depend on the same discipline: controls that remain visible outside a single vendor boundary.

Open source policy should be judged by whether it changes exit power. The real test is not whether the Commission names open source as critical, but whether organisations can leave a platform without breaking access governance, operations, or compliance. That is the same question IAM leaders ask when evaluating federation, secrets portability, and lifecycle offboarding. If exit remains expensive, the policy has not shifted leverage in a meaningful way.

Portability debt: Europe’s challenge is not lack of interest in openness, but accumulated dependency that makes switching costly and politically inconvenient. That debt shows up when organisations cannot separate data, access, and workflow controls from one supplier’s stack. The implication is that sovereignty work must be measured by how much dependency it removes, not by how persuasive the policy language sounds.

From our research:

What this signals

Portability debt: open-source strategy will matter less as branding and more as control design. If identity, secrets, and audit data cannot move cleanly, organisations inherit dependency that outlives any policy statement and becomes expensive to unwind.

With 35.6% of organisations already citing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, the sovereignty discussion maps directly to operational reality. Identity teams should assume that open standards and exit paths will become more important, not less, as platform concentration continues.


For practitioners

  • Map platform dependency in identity-critical workflows Identify where access, secrets, audit logging, and federation depend on a single supplier’s proprietary interfaces. Prioritise systems where an exit would disrupt authentication, credential handling, or privileged access oversight.
  • Require portability in procurement criteria Make exportability, standards support, and reversible integration explicit evaluation criteria for identity, secrets, and collaboration tooling. Treat these as governance controls rather than optional architecture preferences.
  • Test the offboarding path before adoption Validate whether users, service accounts, and workload credentials can be moved or revoked without manual reconstruction. The goal is to prove that offboarding is operationally possible before the platform becomes embedded.
  • Align open-source use with lifecycle ownership Assign clear ownership for patching, update validation, and dependency review wherever open source supports identity or security functions. Sovereignty depends on supportability, not just licensing or code availability.

Key takeaways

  • Europe’s open-source push only changes security outcomes if it alters procurement, interoperability, and portability in practice.
  • For IAM teams, sovereignty is an architecture question because opaque dependencies make access, secrets, and offboarding harder to govern.
  • The real measure of success is whether organisations can leave a platform without breaking identity controls or compliance obligations.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Portability and access governance are central to the article's dependency argument.
NIST SP 800-53 Rev 5AC-6Least privilege and controllable access boundaries underpin portable identity architectures.
NIST Zero Trust (SP 800-207)Zero Trust reinforces explicit verification across portable, standards-based environments.
OWASP Non-Human Identity Top 10NHI-01NHI governance is relevant where platforms manage secrets, service accounts, and workload access.

Inventory non-human identities and ensure each can be governed independently of one supplier.


Key terms

  • Digital sovereignty: The ability of an organisation or region to control the technologies, standards, and dependencies that shape critical services. In security and identity terms, it means maintaining enough visibility, portability, and leverage to change systems without losing governance or operational continuity.
  • Portability debt: The accumulated cost of being unable to move data, identities, policies, or workflows out of one platform cleanly. It grows when technical integration is built around proprietary assumptions, making offboarding, migration, and control assurance harder over time.
  • Open standards: Publicly defined technical interfaces that let different systems interact without relying on one vendor’s private implementation. For identity security, open standards support federation, interoperability, and more reliable governance because they reduce hidden dependency on a single platform boundary.
  • Vendor lock-in: A condition where switching away from a technology supplier becomes costly or operationally risky because data, workflows, or control logic are deeply tied to that supplier’s stack. In identity programmes, lock-in weakens exit options and complicates assurance.

What's in the full article

Passbolt's full article covers the policy and market detail this post intentionally leaves at a higher level:

  • The open letter context and how European tech companies framed the sovereignty debate.
  • The specific reasoning behind the call for open source, open standards, and European digital capabilities.
  • The article's own argument about why mechanisms matter more than declarations.
  • The closing position on competition, portability, and fair access to public markets.

👉 Passbolt's full article expands on the competition, interoperability, and procurement angles behind the sovereignty debate.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org