France Linux Migration: EU Data Sovereignty Part 3

In Part 1 I laid out the real risks behind EU data sovereignty fears — the CLOUD Act, Schrems II, and the difference between fear and genuine compliance exposure. In Part 2 I worked through the practical options: self-hosting, EU cloud providers, Azure.local, and the hybrid approaches most organisations actually end up taking. Now we have a concrete case study. On April 8, 2026, the French government announced it's migrating 2.5 million civil servant workstations from Windows to Linux — and that's just the start of a much broader push to cut dependencies on American software. So let's ask the uncomfortable question: is this a wise decision?

What France Actually Announced

Let's start with the facts, because the headlines have been doing a lot of heavy lifting. On April 8, 2026, DINUM — the French government's Interministerial Digital Directorate — held a seminar with ministries, public operators, and private sector partners, then published an official press release committing to a set of concrete steps to reduce France's dependency on non-European digital solutions.

The desktop migration is real. DINUM announced it's switching its own systems away from Windows to Linux. More significantly, every ministry and public operator must submit a detailed migration plan by autumn 2026, covering seven technology categories: desktop operating systems, collaboration tools, antivirus software, AI platforms, databases, virtualisation, and network equipment. France's Minister of Public Action, David Amiel, put it plainly in the press release: "L'État ne peut plus se contenter de constater sa dépendance, il doit en sortir" — the state can no longer simply acknowledge its dependency; it must get out of it.

This builds on moves already in motion. In early 2026, France announced all 2.5 million civil servants would stop using Zoom, Microsoft Teams, Webex, and GoTo Meeting by 2027, replacing them with Visio — a government-developed platform built on the open-source Jitsi framework, hosted on Outscale (a subsidiary of French company Dassault Systèmes). The health data platform is also migrating to a "trusted solution" by the end of 2026. And Caisse nationale d'Assurance maladie just announced it's moving 80,000 agents to the interministerial suite: Tchap, Visio, and FranceTransfert.

The timeline for the full Linux desktop rollout runs to 2030 at the earliest. No distribution has been chosen yet — Ubuntu, Debian, and a custom French government build are all on the table. The actual cost of the transition hasn't been officially disclosed; analyst estimates range from €1.5 billion to €3 billion over five to seven years.

The Case for Doing This

I've been fairly blunt in Parts 1 and 2 about sovereignty theatre — the kind of posturing that doesn't actually reduce legal or technical risk. France's move is not that. There are real, defensible reasons for this decision.

The CLOUD Act problem is real. As I covered in Part 1, US companies operating under the CLOUD Act can be compelled to hand over data stored anywhere in the world to US authorities. When France's critical health data, judicial records, or military supply chains run on Microsoft infrastructure, that's a genuine legal exposure. Switching to locally hosted, auditable, open-source software on French government hardware eliminates a significant attack surface for foreign legal intervention. This isn't paranoia — it's the same logic behind why French military communications don't run on commercial American infrastructure.

That said: CLOUD Act requests target specific individuals or organisations based on specific, documented legal grounds — criminal investigations, intelligence leads, sanctions compliance. The civil servant processing school maintenance requests or filing quarterly budget reports isn't in the same exposure category as classified defence systems or judicial case files. The risk is real enough to justify structural changes at the sensitive end of the stack. Whether it justifies migrating 2.5 million desktop workstations is a harder argument to make.

Strategic dependency is a learned lesson. As I noted in Part 2, Europe already walked into this mistake with energy (Russian gas) and semiconductors (TSMC shortage). Cloud infrastructure is structurally similar. If US-EU relations deteriorate to the point where software licences become leverage — a scenario that sounds melodramatic until you remember 2022 — France doesn't want to find out that its civil service can't function because a foreign company flipped a switch. The political will to avoid that scenario is legitimate.

The CrowdStrike incident changed the conversation. In July 2024, a faulty update from CrowdStrike — a single American security vendor — crashed 8.5 million Windows devices simultaneously. Banks, airlines, hospitals, governments. France's national cybersecurity agency ANSSI cited this systemic risk explicitly in its security rationale. When a single proprietary vendor can accidentally take down critical national infrastructure, the "why are you using a single proprietary OS" question becomes a lot harder to dismiss.

The cost argument is real, just not as clean as the headlines suggest. France reportedly spends somewhere between €500 million and €800 million annually on Microsoft Windows and 365 licensing for 2.5 million users (industry estimates — the government hasn't published the actual figure). The Visio switch alone is projected to save €1 million per year per 100,000 users. That's €25 million annually from one application. Scaling that across the full migration, analysts estimate annual savings of €300–500 million once complete.

The Kill Switch Wasn't Hypothetical

In Part 1, I outlined the theoretical risk: a US company operating under the CLOUD Act could be compelled by US government action to cut off service for a foreign organisation or individual. I framed it as a genuine but bounded legal risk. Then, in May 2025, it stopped being theoretical.

In February 2025, Trump issued an Executive Order sanctioning the International Criminal Court, targeting chief prosecutor Karim Khan — who had issued arrest warrants including for Israeli Prime Minister Benjamin Netanyahu. As part of those sanctions, Microsoft disconnected Khan's email access. Associated Press reported that Microsoft "cancelled" the account. Brad Smith responded by saying Microsoft's actions "did not in any way involve the cessation of services to the ICC itself" — but the disconnection of Khan's account was not disputed. The ICC continued operating. Its chief prosecutor lost access to email on an American platform because a foreign government ordered it.

Worth being precise about what this was. Khan faced a targeted executive order sanctioning him personally — not France's government, not a European civil service. Microsoft acted under compulsion of US sanctions law applied to a specific named individual. Brad Smith's framing — that this "did not involve cessation of services to the ICC itself" — is technically accurate, even if it reads as lawyerly hair-splitting to everyone watching. The harder question is whether Microsoft would restrict service to an EU government under a broader trade sanctions or geopolitical confrontation scenario. That question remains unanswered, and it's more relevant to France's policy calculus than the ICC case directly.

According to German magazine WirtschaftsWoche, what followed was revealing about how Microsoft had redrawn its own position. The magazine reported that Microsoft's lawyers had adopted a new internal framing: Microsoft provides a "technical platform" and the customer determines employee access — and that Microsoft would not intervene in similar scenarios going forward. At the end of April 2025, Brad Smith separately offered European governments a contractual clause committing Microsoft to challenge in court any future suspension orders, and offered to store source code copies in a Swiss vault.

The contractual clause deserves more credit than it usually gets. A legally binding commitment to challenge US suspension orders in EU courts — with breach-of-contract remedies available to European government customers — is real accountability. Not the same as not being on the platform at all, but meaningfully different from hoping a vendor acts in good faith. The Swiss vault, by contrast, is closer to theatre: storing source code offsite doesn't help a civil servant whose account has been suspended.

The timing matters: Smith's contractual sovereignty pledges came after the ICC incident, not before. This is what Dutch software expert Bert Hubert captured sharply: "A few weeks ago, they issued all these grand statements... And now it happens anyway."

As for the Swiss vault offer: Ludo Baauw, director of Dutch cloud provider Intermax, was direct about its practical value — "What use is that to me as a customer? None."

The Dutch response matters because the Netherlands has historically been one of the most Atlanticist EU member states — traditionally sceptical of sovereignty arguments that looked like EU protectionism dressed up as security. That started shifting in May 2025. At least ten vital Dutch public sector organisations contacted Intermax and similar providers to explore reducing US cloud dependency. The Dutch parliament petitioned the government to source 30% of cloud services from Dutch or European providers by 2029. The Ministry of Interior announced it was reviewing French and German alternatives.

There's a structural problem that makes this harder than it sounds. The Dutch government's interministerial collaboration platform — Beter Samen Werken (roughly: Better Working Together) — adopted Microsoft Teams as its shared standard in 2023. Four ministries are now integrated around it. Migration from deeply embedded services takes six months to three years. Marietje Schaake, author of The Tech Coup, described it bluntly: Microsoft had spent years strategically positioning itself as a government partner, with a revolving door between Microsoft and government institutions. The Dutch public sector adopted Teams in 2023 and is now, two years later, reconsidering what that dependency actually means when geopolitics changes.

France is — reasonably — trying to avoid ending up where Dutch ministries are now: discovering the dependency only after it's deeply embedded. The window where migration is a planned process rather than an emergency scramble closes fast. The uncomfortable question is whether full platform replacement is the only credible response to that risk — or whether Microsoft's new contractual commitments, combined with targeted data residency for genuinely sensitive workloads, could close most of the same exposure at a fraction of the cost and organisational disruption.

Where I'm Skeptical

The direction is understandable. Whether the execution makes sense — and whether the people living with the consequences had any say in it — is a different question, and I have real doubts in several areas.

The Desktop Migration Is the Easy Part

Here's the thing that gets lost in all the Linux coverage: switching 2.5 million workstations from Windows to Linux is actually the least complicated piece of the sovereignty puzzle. It's photogenic. It generates headlines. And it's genuinely achievable in a way that, say, replacing Azure AI Services or Microsoft Entra ID is not.

But the CLOUD Act risk that France is supposedly addressing doesn't primarily come from what OS is running on a civil servant's laptop. It comes from where the data lives and who controls the systems processing it. A French civil servant running Linux on their desktop but signing into a Microsoft 365 account or an Azure-hosted application is not meaningfully more sovereign than before. The data still flows through American infrastructure. The legal exposure is unchanged.

France knows this — the DINUM directive does list databases, AI platforms, and cloud services in its scope. But those replacements are far harder than swapping an OS. There is no French or European equivalent to Microsoft Entra ID at government scale. There is no European sovereign AI stack that can replace Microsoft Azure AI Services for anything beyond basic compute. The desktop migration is happening because it can happen. The hard parts come later.

The Enterprise Feature Gap Is Not Just About Files

The framing in most coverage is: Windows vs. Linux as desktop environments. That's the easy version of the comparison. The harder version is about the supporting infrastructure that governments have built around Windows over two decades — and what the Linux equivalent is, where it exists at all.

Smart card authentication is the clearest example. French government workers use cartes agent — physical smart cards issued by ANSSI that handle login, document signing, and encrypted email. Windows integrates smart card authentication natively via its CAPI/CSP layer, including AD-backed Kerberos certificates. Linux has OpenSC and PKCS#11 modules, which work — but the enterprise management layer (automatic card detection, PIN caching, certificate renewals, GPO-driven policy) doesn't exist out of the box. Each distribution handles this differently, and getting 2.5 million smart card logins working consistently across ministries with varying hardware is a project in itself.

Group Policy and centralised management are the second structural problem. Windows Group Policy lets IT administrators push security baselines, software installs, drive mappings, and browser settings to millions of machines from a single console. ANSSI's hardening guides are written against GPO. On Linux, configuration management uses a different stack — Ansible, Puppet, FreeIPA, or a combination — that requires different skills, different processes, and a full migration of existing policy logic. It's doable. It's not a swap.

Line-of-business applications are where migrations typically discover unpleasant surprises. French government ministries run custom applications built on legacy .NET Framework, Delphi, or occasionally WinForms stacks — none of which run natively on Linux. The options are: rewrite them (expensive, multi-year), run them in a Windows virtual machine or Citrix session (which creates a hybrid dependency, not elimination), or retire them and replace with web-based alternatives. DINUM's roadmap acknowledges this but the scoping of how many ministry-specific legacy applications exist, and what replacing them costs, hasn't been published.

Here's a quick picture of where the gaps sit in practice:

| Capability | Windows (current) | Linux replacement | Gap assessment |
|---|---|---|---|
| Smart card / PKI auth | Native CAPI/CSP, AD Kerberos, GPO-managed | OpenSC + PKCS#11 + SSSD; works but no central management layer | Significant — enterprise policy management requires full rebuild |
| Centralised config management | Group Policy + SCCM/Intune; ANSSI hardening guides written for GPO | Ansible / Puppet / FreeIPA; functional but different skills required | Moderate — viable, but existing GPO logic must be fully rewritten |
| Legacy line-of-business apps | .NET Framework, WinForms, IE-dependent internal portals | Rewrite, Citrix/RDS wrapper, or Wine (limited applicability) | High — scope unknown; DINUM hasn't published an application inventory |
| Office format compatibility | Microsoft 365 / native .docx/.xlsx round-tripping | LibreOffice; good for simple files, documented issues with pivot tables, complex macros, watermarks | Moderate to high — depends on complexity of cross-agency document workflows |
| Endpoint security tooling | Defender for Endpoint, ANSSI-approved Windows AV products | Defender for Endpoint has a Linux agent; some ANSSI-certified French tools are Windows-only | Low to moderate — Linux agents exist for major platforms; niche certified tools may not |
| VPN clients | Cisco AnyConnect, GlobalProtect, ANSSI-certified solutions with Windows installers | OpenVPN, WireGuard; Cisco/Palo Alto Linux clients exist but lag behind Windows feature parity | Low to moderate — depends on which products French agencies currently use |
| Printing at scale | Windows Print Server, driver deployment via GPO | CUPS; widespread support but driver coverage for government multifunction printers varies | Moderate — older government fleet hardware most likely to have gaps |

The pattern in the table is consistent: there's a Linux path for almost everything, but the Windows path is integrated, policy-managed, and has 20 years of operational tooling built around it. The Linux equivalent usually requires different expertise, a different management layer, and often a rebuild of the existing policies. That's not an argument against migrating. It is an argument for being honest that the cost and timeline estimates need to include all of that infrastructure work — not just the OS swap.
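The smart-card and configuration-management gaps above come down to policy that Group Policy enforces centrally and that has to be rebuilt and verified on Linux. As an added illustration (not code from DINUM, ANSSI, or this article), the Python check below audits a workstation's SSSD and PAM settings against an assumed card-only login baseline and reports which hosts in a fleet have drifted. The baseline choices, host names, and sample configs are constructed for the example.

```python
import configparser

# Assumed fleet baseline for this example (not an ANSSI or DINUM specification):
#   1. SSSD certificate authentication is switched on   ([pam] pam_cert_auth)
#   2. certificate verification is not disabled         ([sssd] certificate_verification)
#   3. the PAM auth stack insists on a card             (pam_sss.so require_cert_auth)
WEAK_VERIFY_FLAGS = {"no_verification"}


def audit_sssd(conf_text):
    """Return findings for the SSSD side of smart-card login."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    findings = []
    try:
        cert_auth = cfg.getboolean("pam", "pam_cert_auth", fallback=False)
    except ValueError:  # value present but not a recognisable boolean
        cert_auth = False
    if not cert_auth:
        findings.append("sssd: pam_cert_auth is not enabled in [pam]")
    verify = cfg.get("sssd", "certificate_verification", fallback="")
    flags = {f.strip().split("=")[0] for f in verify.split(",") if f.strip()}
    for flag in sorted(flags & WEAK_VERIFY_FLAGS):
        findings.append(f"sssd: certificate_verification contains {flag}")
    return findings


def audit_pam(pam_text):
    """Return findings for the PAM auth stack (one service file)."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].split()
        if len(line) < 3 or line[0].lstrip("-") != "auth":
            continue
        i = 1  # index of the control field, which may be "[a=b c=d]"
        if line[i].startswith("["):
            while i < len(line) and not line[i].endswith("]"):
                i += 1
        module, args = line[i + 1:i + 2], line[i + 2:]
        if module == ["pam_sss.so"] and "require_cert_auth" in args:
            return []
    return ["pam: no pam_sss.so auth line carries require_cert_auth"]


def fleet_report(hosts):
    """Map host name -> findings, listing only hosts that drifted."""
    report = {}
    for name, (sssd_text, pam_text) in hosts.items():
        findings = audit_sssd(sssd_text) + audit_pam(pam_text)
        if findings:
            report[name] = findings
    return report


# Constructed sample configs (not taken from any real deployment).
GOOD_SSSD = """
[sssd]
services = nss, pam
domains = example.test

[pam]
pam_cert_auth = True

[domain/example.test]
id_provider = ldap
"""
GOOD_PAM = """
auth  required                       pam_env.so
auth  [success=done default=die]     pam_sss.so require_cert_auth
"""
DRIFT_SSSD = """
[sssd]
services = nss, pam
domains = example.test
certificate_verification = no_ocsp, no_verification

[pam]
offline_credentials_expiration = 2
"""
DRIFT_PAM = """
auth  required    pam_env.so
auth  sufficient  pam_sss.so forward_pass
"""

FLEET = {
    "ws-0001.example.test": (GOOD_SSSD, GOOD_PAM),
    "ws-0002.example.test": (DRIFT_SSSD, DRIFT_PAM),
}

if __name__ == "__main__":
    for host, findings in fleet_report(FLEET).items():
        for finding in findings:
            print(f"{host}: {finding}")
```

In practice a check like this would run from whichever configuration-management tool the fleet adopts, which is the management layer the Linux side has to build for itself.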

The Sovereign AI Gap Is Enormous

The DINUM plan calls for migrating to a "French sovereign AI stack" by 2027–2030. I'd like to know what that is, because as of 2026 it doesn't exist in a form that competes with Azure OpenAI, Google Gemini, or even a mid-tier US inference provider. Mistral AI is genuinely impressive and French-headquartered — but it's a model company, not a full AI infrastructure platform. It can't replace the operational AI tooling that modern government services increasingly depend on.

This isn't a reason not to start. It is a reason to be clear-eyed that "sovereign AI stack" in the 2026 roadmap is more aspiration than product. If France's ministries are building serious AI-dependent workflows over the next two years on Azure or AWS because the sovereign alternative isn't ready, the desktop migration doesn't help them.

Munich's Ghost Is Still in the Room

Anyone writing about government Linux migrations owes Munich an honest assessment. From 2003 onwards, Munich spent over a decade migrating ~15,000 city workstations to a custom Ubuntu-based distribution called LiMux. Initial projections were €10–15 million in savings. In 2017, the city council voted to abandon it and return to Windows, citing compatibility issues and user complaints — a decision widely seen as made easier by the fact that Microsoft had relocated its German headquarters to Munich a year earlier.

France has reasons to think it'll be different — national mandate, simultaneous rollout, sovereignty motivation rather than cost alone. Those are genuine factors. But so did every government that eventually reversed. Munich said it had city-wide political commitment. The UK Government Digital Service had central mandate and top-level support. Austrian regional migrations had non-cost drivers. The pattern that keeps recurring isn't political will at launch; it's the accumulation of small incompatibilities — law firms still on Word, regional contractors using Excel macros that don't render in LibreOffice, a legacy database only accessible via an Internet Explorer-dependent portal — until the political case for reversing becomes easier to make than the case for enduring.

But Munich isn't just one data point. The pattern is consistent: government Linux migrations start with momentum, run into real-world friction (software compatibility with external partners, legacy applications, user behaviour), and face political pressure to reverse. France's size and top-down mandate raise the stakes. If this fails, it'll set back the European open-source agenda by a decade.

Training 2.5 Million People Is Not a Side Project

Modern Linux desktops — GNOME and KDE Plasma — are genuinely usable now. LibreOffice has improved substantially. But retraining 2.5 million civil servants is an organisational challenge that has derailed every migration I've seen underestimate it. It's not about whether Linux is good enough. It's about whether the change management, helpdesk support, workflow documentation, and ongoing training programs are adequately funded and executed. The failure mode isn't technical. It's organisational.

When Your Spreadsheet Stops Opening

This whole article has been written from a policy perspective. The people who actually live this decision every day are the 2.5 million civil servants who didn't vote on it and weren't consulted. That deserves its own section.

Modern Linux desktops — GNOME and KDE Plasma — are genuinely good. That isn't the problem. The problem is that 20 years of Windows muscle memory doesn't transfer. The Start menu equivalent works differently. Keyboard shortcuts don't match. Right-click menus are in different places. File manager behaviour is subtly wrong in ways that are hard to explain but immediately irritating. None of this is insurmountable — people learn new interfaces all the time. But they learn them when they choose to, not when they're told to on a Monday morning with a deadline in the afternoon. The transition cost isn't the learning curve for one person over one week. It's the cumulative friction of 2.5 million people simultaneously adjusting, across every ministry, at different speeds, with different legacy software dependencies.

Some things are genuinely fine on Linux. The parts of work that live in a browser — which is increasingly most of it — are identical. Firefox and Chrome work. Web-based government portals, EU databases, cloud-hosted collaborative tools: all fine. The problem concentrates in the gap between "works" and "works the same way". Here's roughly how common civil servant tasks map across the transition:

| Task | Windows | Linux (GNOME / KDE) | Reality |
|---|---|---|---|
| Web browsing | Edge / Chrome | Firefox / Chrome | Effectively identical. No disruption. |
| Word processing | Microsoft Word | LibreOffice Writer | Simple documents: fine. Complex .docx with tables, tracked changes, or embedded objects: layout shifts, missing fonts, formatting drift. |
| Spreadsheets | Microsoft Excel | LibreOffice Calc | Standard use: mostly fine. VBA macros: don't run. Complex pivot tables and conditional formatting: inconsistent results. Government departments with macro-heavy reporting templates face real problems. |
| Email | Outlook (Exchange-connected) | Thunderbird / web mail | Email itself is fine. Rules, folders, and search work. What breaks is the integration layer: calendar, contacts, and task management lose coherence. |
| Calendar & meetings | Outlook + Teams (integrated) | GNOME Calendar + Tchap + Visio (fragmented) | No single hub. Meeting invites from external partners — banks, law firms, EU institutions — arrive as Outlook/Teams links. Accepting and joining from a Linux desktop requires workarounds that work most of the time. |
| Printing | Plug-and-play (bundled drivers) | Variable driver support | Modern network printers: usually fine via IPP. Older MFPs in government offices: require manual driver setup or don't work at all. Scanning functions frequently break. |
| Smart card / ID login | Native Windows credential provider | OpenSC + PAM (manual config) | Works, but requires IT setup per device. French civil servants use smart card authentication widely. This isn't a blocker — it's just not automatic. |
| Legacy line-of-business apps | Native Windows executables | Wine / web rewrite / none | This is the real blocker for specific departments. Ministry-specific software built for Windows in the 2000s either needs a full rewrite, runs via Wine with varying reliability, or becomes a reason for that ministry to stay on Windows longer. |
| Desktop UX | Start menu, taskbar, File Explorer | GNOME Activities / KDE Start Menu | Different paradigm. Not harder — just different in ways that cost productivity for the first few weeks. Users who've only ever used Windows find this disorienting. |

LibreOffice has improved substantially. It still has documented compatibility problems with complex .docx and .xlsx files — the kind that arrive from banks, insurance companies, law firms, EU institutions, and partner ministries still on Windows. A heavily formatted budget projection, a contract template from a notary, a grant application form from a European fund: these are the working documents of French civil servants. When they don't render correctly, the problem doesn't land on the Minister of Public Action. It lands on the administrator trying to meet a deadline.

Losing Outlook means losing calendar and meeting integration that civil servants have built workflows around for 20 years. Tchap and Visio are functional. They don't integrate with Outlook invites from external partners, banks, or contractors who aren't migrating. That friction doesn't show up in cost projections — it shows up as 15 extra minutes per person per day managing calendar conflicts and format conversions, across 2.5 million people.

The help desk load is also absent from every cost estimate I've seen. If even 5% of users need meaningful support during transition — and Munich's experience suggests the real figure is higher — that's 125,000 people calling for help at once. France's migration plans haven't published a staffing model for that scenario. Munich failed partly because nobody was adequately resourced to help users through it. Scale doesn't make that problem smaller.

The Cost Maths Is Complicated

Let me be concrete about the numbers, because the headlines tend to oversimplify this. The estimated annual savings from full migration are €300–500 million. The estimated transition cost is €1.5–3 billion over five to seven years. That means France will spend three to six years just breaking even on the investment before seeing net savings — and that's using the optimistic analyst estimate, not accounting for delays, overruns, or the productivity dip that comes with any large-scale platform change.

Government IT projects at this scale historically overrun. Not because governments are incompetent, but because 2.5 million users across dozens of ministries with thousands of legacy applications will always surface unexpected dependencies. The €3 billion upper estimate from analysts could very easily become €5 billion if the timeline slips to 2032 or 2035.

To be fair: the sovereignty and strategic arguments don't depend on the cost maths working out cleanly. If France is serious about reducing CLOUD Act exposure, the cost calculus isn't primarily financial. But the headlines leading with "France will save hundreds of millions annually" are getting ahead of a transition that will cost significantly more than it saves for years.

France vs Munich vs South Korea

| Attribute | France (2026) | Munich LiMux (2003–2017) | South Korea (2019–) |
|---|---|---|---|
| Scope | 2.5 million government workstations, national | ~15,000 city workstations, Munich only | ~750,000 government PCs, national |
| Primary motivation | Sovereignty, CLOUD Act, strategic independence | Cost savings | Cost + strategic technology independence |
| Mandate level | National government top-down | Single city administration | National government directive |
| Outcome | In progress — plans due autumn 2026 | Reversed in 2017 after 14 years | Ongoing, slower than planned but sustained |
| Political resilience | High — sovereignty framing, national security | Low — cost rationale weakened under lobbying | Medium — sustained through multiple administrations |
| Distribution approach | TBD (Ubuntu, Debian, or custom) | Custom Ubuntu-based (LiMux) | Custom (Gooroom, HamoniKR) |
| Timeline to completion | 2030 at earliest | 14 years (then abandoned) | Ongoing since 2019, slower than planned |

Why 2026 Is Different

I want to be honest about one thing: the geopolitical context genuinely changes the calculus here, and I don't think this can be dismissed as domestic French politics.

After the April 2025 Liberation Day tariffs, which imposed 25% duties on technology components, European governments woke up to how much of their critical digital infrastructure runs on American supply chains — from chips to software licences to cloud APIs. The CrowdStrike incident — 8.5 million devices, one vendor update — is exactly the kind of systemic shock that made "we are too dependent on a single foreign supplier" feel concrete rather than theoretical. And the broader trajectory of US-EU relations has made "strategic autonomy" a mainstream concern rather than a fringe one. The French government isn't the only one moving in this direction: Germany's Schleswig-Holstein migrated 44,000 employee mailboxes away from Microsoft, Austria's military switched to LibreOffice, Denmark is following. This is a pattern, not an isolated event.

France is also spending money inside Europe with this decision. Every euro redirected from Microsoft licensing to Canonical, SUSE, OVHcloud, or Scaleway circulates within the EU economy. That's deliberate industrial policy, not just a tech decision.

Contrast this with Australia, which in February 2026 signed a brand new five-year deal with Microsoft for full cloud and AI access including Copilot and Dynamics 365. Two democracies, two very different readings of the same geopolitical moment. That contrast is worth sitting with.

When the Reform Process Has a Big Tech Problem

The desktop migration is France's national story. But sovereignty isn't decided at the member-state level alone — and what's happening in Brussels right now is pulling in the opposite direction.

France migrating to Linux is real structural action: moving national infrastructure off American software, cutting CLOUD Act exposure, building internal capability. Whatever its execution risks, it reduces a measurable dependency. But a parallel process in Brussels is moving in the opposite direction — and the people steering it have a history that transparency organisations describe as a textbook conflict of interest.

In late November 2025, the European Commission published the Digital Omnibus — a proposal to "simplify" EU digital rules including the GDPR and the ePrivacy Directive. The Commission presented this as administrative burden reduction. Over 130 civil society organisations and trade unions, including Amnesty International, the European Consumer Organisation, and digital rights group EDRi, called it the "biggest rollback of digital rights in EU history." An analysis by Corporate Europe Observatory and LobbyControl mapped the proposals against Big Tech lobbying positions article by article: narrowing the legal definition of personal data, weakening consent requirements for AI training data, reducing oversight of automated decision-making, folding ePrivacy cookie rules into a more permissive GDPR framework. The fit between the Commission's text and what Meta, Google, and Microsoft had been lobbying for was — to put it plainly — a close match.

The Commission assigned lead parliamentary negotiations to Finnish MEP Aura Salla — the ITRE committee rapporteur who will steer the Digital Omnibus through Parliament. Salla speaks publicly about EU digital sovereignty and European autonomy from US tech platforms. From May 2020 to April 2023, she was Meta's Public Policy Director and Head of EU Affairs, running Meta's entire lobbying operation in Brussels — including on the specific GDPR provisions the Digital Omnibus now proposes to weaken. Meta has been fined seven times for GDPR violations: total fines, €2.6 billion. Meta's current EU lobbying budget exceeds €10 million annually. During the second Trump administration, Meta donated $1 million to Trump's inauguration fund; Zuckerberg publicly called on Trump to stop the EU from enforcing its digital rules against American tech companies.

After becoming an MEP, Salla met with Meta in lobby meetings in September 2024 and January 2025. Under Article 3 of the European Parliament's Code of Conduct, rapporteurs must declare potential conflicts of interest when taking on a file. When Salla filed her Declaration of Awareness on February 12, 2026 for the Digital Omnibus role, she did not list her three years as Meta's chief EU lobbyist as a potential conflict of interest. Seven watchdog organisations — Transparency International EU, Corporate Europe Observatory, LobbyControl, BLOOM, The Good Lobby, Observatoire des multinationales, and SOMO — wrote to the ITRE committee in February 2026 calling for her withdrawal as rapporteur.

Note: In April 2025, Follow The Money separately reported that Salla had sold stocks in a defence company following their reporting; those stocks had never been declared in her private interests declaration. No official investigation has been opened.

The question that prompted this section was: why does Salla now speak against US tech dependency while transparency groups want her gone? The answer is that the two things aren't as contradictory as they seem. Sovereignty language has become politically safe across the EU since 2025 — you'll hear it from MEPs across the spectrum. But what matters is the content of the legislation she's steering, not the speeches. The Digital Omnibus, if passed in its current form, would weaken the GDPR in ways that directly benefit her former employer. Privacy advocates argue that an MEP who spent three years running Meta's campaign against EU data protection law is structurally ill-positioned to defend those same protections in a reform process, regardless of what she says publicly. The structural conflict, they argue, is the problem — not intent.

I'm not in a position to judge intentions here, and that's not really the point. What is worth pointing out is the gap between two things happening simultaneously in Europe: France taking genuine structural action to reduce digital dependency, while Brussels runs a reform process — with a documented conflict-of-interest problem — that could weaken the legal foundation that makes sovereignty meaningful in the first place. The GDPR is what gives European citizens and governments actual legal teeth against foreign data extraction. A weakened GDPR isn't just a consumer privacy issue — it's a sovereignty issue. You can migrate 2.5 million workstations to Linux and still have the data those workstations generate flowing out of Europe with fewer legal protections than before.

France doing the right thing and Brussels doing the wrong thing are not mutually exclusive. And the gap between them is where European sovereignty actually gets decided.

The Bottom Line

France's sovereignty concerns are legitimate. The CLOUD Act isn't going away. Schrems II isn't resolved. The CrowdStrike incident confirmed that deep dependency on a single American vendor has real systemic consequences. None of that is in dispute.

What's worth questioning is whether full desktop migration — 2.5 million simultaneous switches from Windows to Linux — is the right response to those real concerns, or whether it's the most politically visible response rather than the most effective one. Contracts with meaningful legal teeth now exist: Microsoft's post-ICC commitment to challenge EU suspension orders in court is an enforceable obligation, not just a press release. Targeted data residency for genuinely sensitive workloads — defence, judicial, health — would address the highest-risk exposure at a fraction of €3 billion and without disrupting the working day of every French civil servant. France has chosen to go further, which is a defensible position. Whether it's the right one won't be clear until at least 2030.

France will hit friction. There will be compatibility problems, user resistance, and political opponents looking for evidence this was a mistake. Munich happened at a scale 160 times smaller and still failed. The national mandate and sovereignty framing are real mitigants — they make political reversal harder. They don't solve the compatibility gap, the AI infrastructure shortage, or the daily workflow disruption for 2.5 million civil servants who didn't get a vote on the platform they now use.

If I had to bet, I'd say France completes something meaningful by 2030 — probably not full scope, probably over budget. Even a partial completion would shift the European open-source market and prove government-scale viability. That's not nothing. The question France hasn't fully answered is whether the civil servants paying the daily friction cost of this transition were given the same weight in the decision as the geopolitical calculus that drove it.

Important: This post covers an announcement from April 2026. Implementation plans from French ministries are due by autumn 2026, so we'll know significantly more about the actual distribution choice, budget allocation, and early progress by the end of 2026.

Sources and References

Sources consulted and cited in this article, in order of first appearance. Links go to primary sources or official coverage where available.

Official and Government Sources

  • DINUM press release — April 8, 2026. Numérique souverain : l'État engage une transformation profonde de ses outils numériques. Interministerial Digital Directorate, French government. numerique.gouv.fr
  • Clarifying Lawful Overseas Use of Data (CLOUD) Act, 2018. 18 U.S.C. § 2523. US Department of Justice. justice.gov
  • Data Protection Commissioner v Facebook Ireland and Schrems (Schrems II), 2020. CJEU Case C-311/18. Court of Justice of the EU. curia.europa.eu
  • ANSSI — Agence nationale de la sécurité des systèmes d'information. French national cybersecurity agency; GPO hardening guides and post-CrowdStrike systemic risk analysis. ssi.gouv.fr
  • European Commission — Digital Omnibus package, November 2025. Proposal to revise GDPR, ePrivacy Directive, and related digital regulations. digital-strategy.ec.europa.eu
  • Aura Salla MEP — European Parliament declarations of financial interests and lobby meeting records. European Parliament Transparency Register. europarl.europa.eu
  • South Korea Gooroom Linux project. National Information Society Agency (NIA); government desktop Linux initiative. gooroom.kr

News Reporting

  • Associated Press (2025). Reporting on Microsoft disconnecting ICC chief prosecutor Karim Khan's email account following the Trump Executive Order sanctioning the International Criminal Court.
  • WirtschaftsWoche (2025). Reporting on Microsoft's internal legal framing following the ICC incident — describing Microsoft as a "technical platform" on which the customer controls employee access.
  • Follow The Money / De Correspondent (April 2025). Reporting on Aura Salla and undeclared stock holdings in a defence company. ftm.eu
  • Brad Smith / Microsoft On the Issues blog (April 2025). Statement on the ICC incident and announcement of contractual sovereignty pledges for European government customers, including the Swiss vault offer. blogs.microsoft.com/on-the-issues

Civil Society, Research, and Advocacy

  • Corporate Europe Observatory and LobbyControl (2025/2026). Joint analysis mapping the Digital Omnibus proposals against Big Tech lobbying positions on GDPR and ePrivacy. corporateeurope.org / lobbycontrol.de
  • Open letter to the ITRE Committee, February 2026. Signed by Transparency International EU, Corporate Europe Observatory, LobbyControl, BLOOM, The Good Lobby, Observatoire des multinationales, and SOMO, calling for Aura Salla's withdrawal as Digital Omnibus rapporteur. transparency.eu
  • European Digital Rights (EDRi) and coalition letter on Digital Omnibus (2025). Signed by over 130 civil society organisations and trade unions, including Amnesty International and BEUC. edri.org
  • Bert Hubert (2025). Public commentary on Microsoft's ICC response and the limits of vendor sovereignty pledges. berthub.eu

Books

  • Schaake, Marietje. The Tech Coup: How to Save Democracy from Silicon Valley. Princeton University Press, 2024.
