
For government, sovereignty isn't a feature — it's the requirement.

Public bodies are moving off Microsoft and VMware to keep data and infrastructure under EU control. We build and run that sovereign estate — an EU-operated open stack, data under EU jurisdiction, security mapped to NIS2 — for the data citizens never chose to entrust to a foreign platform.

Public-sector digital sovereignty means keeping public data and the infrastructure that holds it under EU jurisdiction and public control — not merely stored in the EU, but operated by an EU entity and free of exposure to foreign legal compulsion. Many public bodies have concluded that residency commitments from providers controlled outside the EU are not enough, and are moving off Microsoft and VMware onto sovereign, open alternatives, with the Danish government and the German state of Schleswig-Holstein among the visible examples. Argus Root builds and runs that sovereign estate: an EU-operated open stack, the security mapped to NIS2 where it applies, and the data kept under your control rather than a vendor's.

In short

  • Sovereignty is residency + control + jurisdiction — for public data all three matter, and a residency promise from a non-EU-controlled provider answers only the first.
  • Public administration is a NIS2 sector, though NIS2 excludes defence, national security, public security, law enforcement, the judiciary, parliaments and central banks.
  • Governments are moving off Microsoft for sovereignty — the Danish government and Schleswig-Holstein are visible examples.
  • The VMware/Broadcom licensing cliff makes the same moment a chance to leave a proprietary US stack for an open one (Proxmox/KVM) — sovereignty and cost point the same way.
  • An open-source, EU-operated stack usually costs the same or less in steady state, with sovereignty gained rather than paid for as a premium.

What does sovereignty actually mean for a public body?

Sovereignty is used loosely enough that it is worth being precise. It has three layers, and a public body needs all three. Residency is where the data physically sits; control is who operates the infrastructure and can make decisions about it; and jurisdiction is whose law governs it and who could compel access to it. A hyperscaler's commitment to store European data in European regions answers the residency question well, but if the operating entity is ultimately controlled outside the EU, the control and jurisdiction questions remain open — the data is in Europe, but not beyond the reach of foreign legal demands made on the parent company.

For a private company that distinction may be an acceptable risk. For a public body it usually is not, because the data it holds — citizens' records, public administration, services people are compelled to use — is precisely the data that ought to remain under public control and domestic law. That is the reasoning behind the visible moves away from non-EU platforms: not a rejection of the technology, but a judgement that residency alone does not deliver sovereignty, and that for public data the gap between the two matters. Closing it means changing not just where the data sits but who runs the infrastructure and under whose law.

Why are governments leaving Microsoft and VMware?

Two exits are happening at once, and they reinforce each other. The move off Microsoft is driven by sovereignty: bodies including the Danish government and the German state of Schleswig-Holstein have decided that public data should not depend on a platform controlled outside the EU, and are shifting toward sovereign and open alternatives. The move off VMware is driven by Broadcom's ending of perpetual licences and steep price rises, which hit budget-constrained public bodies hard — but leaving a proprietary, US-controlled virtualisation stack for an open one such as Proxmox or KVM serves the same sovereignty aim. For many public bodies the licensing cliff and the sovereignty case arrive together, which turns the renewal date into the natural moment to rebuild on foundations they control.

[Figure: LEAVE foreign-controlled platforms (Microsoft 365; VMware (Broadcom); renewal cliff · jurisdiction questions; data residency ≠ control) → SOVEREIGN EU STACK (data under EU jurisdiction & public control; sovereign EU mail & collaboration; open virtualisation (Proxmox / KVM); operated by an EU entity · open foundations · no resale layer). Sovereignty = residency + control + jurisdiction: for the public, all three are required.]
The public-sector move is a dual exit onto a single sovereign stack: off Microsoft for control of public data, off VMware for cost and an open foundation, both landing on infrastructure operated by an EU entity under EU law.

The reassuring part is that the destination is mature. Open-source virtualisation, sovereign collaboration platforms and the standard infrastructure layer are production-ready and already run workloads at national scale. The realistic path is a staged migration that proves each step before committing the next, with the small number of deeply embedded specialist applications given a transition plan rather than a forced overnight swap. We are candid about which workloads move easily and which need care, because a sovereignty programme that overpromises on day one is how public projects earn their reputation, and we would rather earn the opposite one.

Does NIS2 apply to public administration?

For much of the public sector, yes. NIS2 names public administration among its sectors, so many government bodies carry its cybersecurity risk-management and incident-reporting obligations alongside the sovereignty considerations. But the scope has deliberate edges that matter for government: NIS2 does not apply to activities in defence, national security, public security, law enforcement or the judiciary, and it excludes parliaments and central banks. Exactly how public administration is drawn into scope also varies between member states' national transpositions, so the precise obligation depends on which body it is and which country it sits in.

That nuance is worth getting right rather than asserting a blanket rule, and we treat the regulatory question and the sovereignty question as separate. NIS2 sets a security floor for the bodies it covers; sovereignty applies on its own merits, and often most strongly to the very bodies NIS2 leaves out, because data tied to national security or justice is exactly what should not rest under foreign control. The check below is the kind we run to establish a body's posture across both dimensions — where the data lives, who operates it, and whether it is exposed to foreign compulsion.

We run: EU-operated infrastructure · Off-Microsoft migration · Off-VMware (Proxmox/KVM) · NIS2-mapped security · Open foundations · Tested DR

What we run for the public sector.

We bring the sovereignty programme together as one estate rather than a set of disconnected projects. The foundation is EU-operated managed cloud and infrastructure where the control and the jurisdiction sit with you, not a foreign parent. The two exits run through our migration practices: off Microsoft through Microsoft 365 migration to sovereign mail and collaboration, and off VMware through virtualization and VMware exit onto an open Proxmox or KVM stack. The security is hardened and mapped to NIS2 where it applies through managed security, and operational continuity is engineered in through backup and disaster recovery.

Tying it together is the sovereignty argument itself, carried by our compliance and sovereignty practice, so the posture a public body can demonstrate to its oversight, its auditors and its citizens is a documented fact rather than a vendor's assurance. We work within procurement constraints and around the line-of-business and citizen-facing systems that must keep running, migrating in a staged sequence that proves each step. The result is a public estate built around one principle: the data the public is compelled to entrust to you stays under your control and EU law. Because the migration runs alongside live public services rather than in a lab, we sequence it so that citizen-facing systems never go dark for the sake of the move, and we keep the oversight bodies informed at each stage rather than presenting a finished fact.

Sovereign because the public cannot opt out.

The reason sovereignty is a harder requirement in the public sector than anywhere else is that the people whose data is at stake have no alternative. A customer unhappy with how a company handles their data can take their business elsewhere; a citizen cannot choose a different tax authority, health service or municipality. That removes the usual market check and replaces it with a duty: the body holding data people are compelled to provide owes them a higher standard of control over it, not a lower one. Sovereignty is how that duty is met in practice.

Meeting it means running the infrastructure as a fact rather than a label, which is what we do. We build on open foundations, operate the estate ourselves inside the EU with no resale layer and no default path to a foreign platform, and keep the data under EU jurisdiction and your control. It is the same principle behind everything Argus runs — a European operator that builds and runs the thing itself and tells you the truth about it — applied to the sector where the obligation to keep data sovereign is not a preference but a public trust. That is also why we would rather show a public body a staged plan with the hard parts named than a glossy promise that unravels at the first specialist application: in the public sector, the credibility of a sovereignty programme is itself part of the duty, and an honest migration that proves each step is worth more than a bold claim that cannot survive contact with a real estate.

Questions public-sector buyers ask.

What does digital sovereignty mean for a public body?
More than data residency. Residency is where data is stored; sovereignty also asks who controls it and under whose law a provider could be compelled to hand it over. For a public body, all three matter: the data should sit in the EU, be operated by an entity under EU jurisdiction, and be free of exposure to foreign legal demands. A residency commitment from a provider ultimately controlled outside the EU answers the first question but not the other two, which is why a growing number of governments treat it as insufficient on its own.
Does NIS2 apply to public administration?
Yes, public administration is one of the sectors NIS2 covers, so many government bodies carry its cybersecurity and incident-reporting obligations. There are important exclusions, though: NIS2 does not apply to activities in areas such as defence, national security, public security, law enforcement or the judiciary, and parliaments and central banks are also outside its scope. How public administration is brought into scope varies between member states' national transpositions, so the precise obligation depends on the body and the country.
Why are governments moving off Microsoft?
Sovereignty. A number of European public bodies have concluded that storing public data on a platform ultimately controlled outside the EU is a risk they no longer wish to carry, regardless of residency commitments. The Danish government and the German state of Schleswig-Holstein are among the most visible examples of bodies moving away from Microsoft toward sovereign and open alternatives. The driver is control and jurisdiction over public data, sharpened by wider debates about strategic dependence on non-EU technology providers.
Why move off VMware as well?
Two reasons that point the same way. Since Broadcom acquired VMware, the end of perpetual licences and steep price rises have made the platform far more expensive, which matters acutely for budget-constrained public bodies. And the move off a proprietary US-controlled virtualisation stack onto an open one such as Proxmox or KVM advances the same sovereignty goal as leaving Microsoft. For many public bodies the licensing cliff and the sovereignty case arrive together, which makes the renewal date a natural moment to rebuild on open foundations.
Can a sovereign open-source stack really replace what we have?
For the great majority of public-sector workloads, yes. Open-source virtualisation, mature collaboration platforms and the standard infrastructure layer are all production-ready and run national-scale workloads elsewhere. The honest caveat is that a few deeply embedded, specialised applications may need a transition plan rather than a like-for-like swap, and we say so rather than pretending everything moves overnight. The realistic path is a staged migration that proves each step before committing the next, not a single risky cutover.
How do you handle procurement and existing systems?
We work within public-procurement constraints and around the systems you already run rather than demanding a clean slate. The aim is to put a sovereign, EU-operated foundation under your estate and to migrate off the proprietary platforms in a planned sequence, integrating with the line-of-business and citizen-facing systems that have to keep working throughout. Sovereignty is achieved by changing where and how the infrastructure is run and controlled, which does not require discarding every application on day one.
Does sovereignty cost more?
Not necessarily, and often less over time. The move off VMware in particular tends to reduce licensing costs rather than raise them, and an open-source foundation removes the per-seat and per-core meters that inflate proprietary bills. There is a migration cost to plan for, but the steady-state running cost of an open, EU-operated stack is frequently lower than the proprietary subscriptions it replaces — with the sovereignty gained rather than paid for as a premium.
What about the systems NIS2 excludes, like defence or the judiciary?
Those bodies sit outside NIS2's scope, but the sovereignty and security case for them is usually stronger, not weaker — data tied to national security, justice or law enforcement is exactly the data that should not rest under foreign control. We treat the regulatory obligation and the sovereignty requirement as separate questions: NIS2 sets a floor for the bodies it covers, while the control and jurisdiction argument applies on its own merits, often most forcefully to the bodies the directive leaves out.
Why run public-sector IT with an EU operator like Argus Root?
Because for public data the chain of control is the whole point, and a European operator that runs the infrastructure itself keeps that chain inside the EU. We build on open foundations, operate the estate ourselves with no resale layer and no default path to a foreign platform, and keep the data under EU jurisdiction and your control. For a public body answering to citizens who cannot opt out of trusting it with their data, that is the difference between sovereignty as a claim and sovereignty as a fact.

Build a public estate that stays under public control.

Tell us what you run and where your sovereignty and NIS2 obligations sit, and we will map a staged path off the proprietary platforms onto an EU-operated open stack, show you what moves easily and what needs a plan, and set out the security and resilience around it. You get a clear, honest picture of the sovereignty programme, before any commitment.