TL;DR: The European Commission’s Tech Sovereignty Package puts open source at the centre of Europe’s digital strategy, but Passbolt argues that declarations alone will not change procurement, dependency, or market power without binding mechanisms that enforce openness, interoperability, and portability. Policy matters only when it changes the control environment that software and identity programmes actually operate in.
NHIMG editorial — based on content published by Passbolt: About the EU Tech Sovereignty Package
Questions worth separating out
Q: How should organisations evaluate open-source platforms for identity and security use cases?
A: They should assess portability, standards support, and operational ownership first.
Q: Why does vendor lock-in matter to IAM and secrets management?
A: Because lock-in can trap access controls, secret storage, and audit trails inside one operating model.
Q: What should security teams look for in a sovereign technology strategy?
A: They should look for enforceable procurement rules, open standards, and practical exit options.
Practitioner guidance
- Map platform dependency in identity-critical workflows Identify where access, secrets, audit logging, and federation depend on a single supplier’s proprietary interfaces.
- Require portability in procurement criteria Make exportability, standards support, and reversible integration explicit evaluation criteria for identity, secrets, and collaboration tooling.
- Test the offboarding path before adoption Validate whether users, service accounts, and workload credentials can be moved or revoked without manual reconstruction.
What's in the full article
Passbolt's full article covers the policy and market detail this post intentionally leaves at a higher level:
- The open letter context and how European tech companies framed the sovereignty debate.
- The specific reasoning behind the call for open source, open standards, and European digital capabilities.
- The article's own argument about why mechanisms matter more than declarations.
- The closing position on competition, portability, and fair access to public markets.
👉 Read Passbolt's analysis of the EU Tech Sovereignty Package and open source policy →
Open source as critical infrastructure: what changes for IAM teams?
Explore further
Open source only becomes strategic infrastructure when buyers are forced to act on the policy. Europe has made similar declarations about openness and interoperability before, but declarations do not change procurement behaviour on their own. The market effect depends on whether public-sector and enterprise buyers are required to prefer portable, standards-based options. For IAM and security teams, the lesson is that strategy only matters when it changes control selection.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to The 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: How can identity teams reduce dependency on opaque platforms?
A: By preferring architectures that separate identity, secrets, and policy from proprietary application logic. That usually means federation, portable configuration, and clear offboarding procedures. The objective is not to reject vendors, but to avoid becoming unable to move when governance or risk changes.
👉 Read our full editorial: EU Tech Sovereignty Package tests whether open source becomes policy