🠄 Back to blog

Position Paper: A Structured Framework for Europe's Digital Sovereignty: Technological Building Blocks for the Public Digital Infrastructure and Internet Commons

2025-05-01

As part of a ongoing discussions within the NGI Commons initiative, the EuroStack Initiative, and the broader European digital ecosystem, we have drafted this position paper to outline a structured framework for Technological Building Blocks (TBBs) that can support Europe's digital sovereignty, Public Digital Infrastructure (PDI), and the Internet Commons. The framework is designed to provide clarity and direction for policymakers, technologists, and the Open Source community.

This is a draft. Your feedback is welcome. Please send your comments to sf@fermigier.com.

[Update 2025/05/05]: the initial draft was updated following email discussions with Duncan Cunningham and Jens Finkhaeuser.

Title: Position Paper: A Structured Framework for Europe's Digital Sovereignty: Technological Building Blocks for the Public Digital Infrastructure and Internet Commons
Author: Stefane Fermigier (Abilian SAS)
Contributors:
Date: 2025-05-01
Version: 1.1
History:
- 1.0 (2025-05-01) - Initial draft
- 1.1.(2025-05-05) - Integrated OS/Browser roles; added emphasis on the cross-layer nature of Identity/Authentication/Trust and the need for foundational R&D in communication protocols; added cross-cutting concern #14 (Strategic Dependency & Autonomy Risk) following feedback from Duncan Cunningham and Jens Finkhaeuser.

Abstract

In an effort to take back control of its digital future, Europe is aiming for greater digital sovereignty, robust Public Digital Infrastructure (PDI), and a thriving Internet Commons. The NGI Commons initiative rightly identifies the need to understand and leverage Technological Building Blocks (TBBs), particularly those rooted in Open Source, to achieve these goals. This position paper proposes a structured, layered framework for TBBs to provide essential clarity for policymakers, technologists, and the Open Source community. By integrating insights on fostering Open Source ecosystems and addressing strategic needs like trust and resilience, this framework offers a pragmatic pathway to operationalize the vision for a sovereign, interoperable, and sustainable European digital ecosystem. It also highlights the need to look beyond integrating existing components towards fostering fundamental research and development into next-generation infrastructure to ensure long-term European leadership and autonomy, directly supporting initiatives like the potential Open Internet Stack (OIS) and the goals of the Digital Decade.

1. Context: The Need for a Structured Approach to TBBs

Technological Building Blocks are recognized as fundamental digital capabilities powering Europe's PDI, potentially based on Digital Commons. They enable sustainable development, sovereignty, and aligning with EC initiatives like the OIS. However, the note also points out the existing ambiguity – definitions range from broad societal functions to specific software modules.

This lack of a common, operational understanding hinders strategic planning, investment, and collaboration. To effectively guide policy, target funding, mobilize the Open Source community, and ensure TBBs meaningfully contribute to the Digital Decade targets and PDI, a clear, shared framework is indispensable. It must be useful for high-level policy discussions and detailed enough for technical implementation and community engagement, while also informing strategic directions for future innovation.

2. A Layered Framework for Technological Building Blocks

To address this need, we propose the following structured framework, organizing TBBs into logical layers and identifying cross-cutting concerns. This structure aids comprehension (respecting cognitive limits like Miller's Law) and reflects typical technology stack dependencies.

  • Foundation Layers: (The bedrock infrastructure and protocols)

    • (1) Network Infrastructure & Connectivity
    • (2) Compute & Storage Infrastructure
    • (3) Core Internet & Web Protocols/Standards

  • Enabling Capabilities: (Essential services and tools built upon the foundation)

    • (4) Digital Identity, Authentication & Trust
    • (5) Cybersecurity & Resilience
    • (6) Data Management, Processing & Analytics (incl. AI/ML foundations)
    • (7) Infrastructure & Service Management/Operations
    • (8) Software Development Tools, Frameworks & Platforms

  • Interaction & Application: (Higher-level services delivering value and facilitating interaction)

    • (9) Communication & Collaboration Services
    • (10) Digital Market Platforms & Services (e.g., Payments, e-ID linkage)
    • (11) Domain-Specific Applications & Public Services

  • Cross-cutting Concerns: (Pervasive factors influencing all layers)

    • (12) Emerging Technologies (Lens)
    • (13) Standards & Interoperability (Principle & Practice)
    • (14) Strategic Dependency & Autonomy Risk (Analysis & Mitigation)

This layered framework provides the necessary structure to categorize existing solutions, identify gaps, guide future development, and facilitate discussions between diverse stakeholders.

3. Connecting TBBs to Europe's Strategic Needs

This TBB framework directly addresses the pressing needs identified for achieving digital sovereignty, as highlighted in our previous 3C Position Paper:

  • Trust: Is fundamentally addressed by dedicated systems in TBB #4 (Digital Identity, Authentication & Trust) and security measures in TBB #5 (Cybersecurity & Resilience). However, establishing and maintaining trust is inherently a cross-layer concern, deeply dependent on the security and integrity of foundational layers (#1, #2, #3), robust interoperability (#13), and the transparent management of dependencies and associated risks (TBB #14). Data integrity aspects also link to #6 (Data Management).
  • Decentralization: While a cross-cutting architectural principle, it is enabled by specific TBBs. #3 (Core Protocols) includes P2P protocol standards; #1 (Networks) can support decentralized topologies; #7 (Operations) includes edge computing frameworks; and #13 (Standards) is vital for interoperability between decentralized components. Furthermore, understanding strategic dependencies (#14) is crucial to ensure decentralization efforts do not inadvertently introduce new forms of centralized control via external reliance.
  • Transactions Across Multiple Actors: Enabled by #10 (Digital Market Platforms) for economic exchange, #4 (Identity) for participant verification, #6 (Data) for potentially privacy-preserving techniques (ZKPs, etc. applied here), and crucially #13 (Standards) for common formats and protocols ensuring interoperability. The security and trustworthiness of these transactions also depend on managing the risks associated with the underlying TBBs (#14).
  • Resilience and Digital Autonomy: Directly addressed by #5 (Cybersecurity & Resilience) including HA/DR, and supported by #7 (Operations) for scalable architectures. Digital autonomy via self-hosting is facilitated by mature Open Source TBBs across multiple categories, especially #7 (Operations - e.g., Kubernetes), #8 (Dev Tools) providing the means to build/deploy, and self-hostable options in #9 (Comms/Collab). Local-first principles can be implemented within applications built using #8. TBB #14 (Strategic Dependency & Autonomy Risk) provides the overarching framework to systematically analyze and mitigate risks to resilience and autonomy stemming from technical, operational, and strategic dependencies across the entire stack.

4. Leveraging Open Source and Digital Commons via the TBB Framework

The proposed TBB framework is instrumental in mobilizing European Open Source communities:

  • Mapping the Landscape: The framework will allow mapping existing European Digital Commons and Open Source projects onto specific TBB categories, identifying strengths, weaknesses, and areas needing investment.
  • Targeted Funding: Agile mechanisms like cascade funding can be more effectively targeted towards developing or maturing Open Source solutions within specific TBB categories identified as strategic priorities (e.g., a gap in sovereign TBB #4 solutions).
  • Facilitating Collaboration: The framework provides a common language. Collaboration platforms, networks, and regional hubs (as proposed in the 3C paper) can organize activities around specific TBB categories, fostering focused exchange and integration efforts.
  • Skills Development: Education and training programs can be structured around the competencies needed to develop, implement, and manage TBBs across the different layers, addressing skills gaps identified in the 3C paper.

5. Overcoming Hurdles to Cooperation

The TBB framework can help mitigate hurdles mentioned in our 3C position paper:

  • Reducing Rigidity: By defining modular blocks, the framework encourages combining best-of-breed solutions rather than monolithic, top-down projects. It supports flexibility and allows focusing on specific needs.
  • Simplifying Funding Focus: While not simplifying processes themselves, the framework clarifies what needs funding, making it easier for SMEs and developers to align proposals with strategic EU goals represented by TBB needs.
  • Bridging Communication Gaps: The framework provides shared terminology and structure, facilitating clearer communication between policymakers, technical communities, and funders. Defining interfaces via #13 (Standards) within the TBB context is key to reducing integration friction.

6. Recommendations for Action

Building on our 3C position paper's recommendations and integrating the TBB framework, we propose the following actions for the European Commission and relevant stakeholders:

  1. Adopt and Promote the TBB Framework: Officially recognize and disseminate this (or a refined version) layered TBB framework as a common reference for PDI, OIS, and Digital Commons initiatives.
  2. Align Funding with TBBs: Utilize the TBB framework to identify strategic priorities and target funding (including agile/cascade funding) towards developing, maturing, and maintaining Open Source TBBs, particularly where European sovereignty is key.
  3. Foster TBB-Focused Collaboration: Support the creation of collaboration platforms, networks, and potentially a European Open Source Coordination Body/OSPOs network, encouraging them to use the TBB framework to structure activities and knowledge sharing.
  4. Develop TBB-Relevant Skills: Invest in education and training programs tailored to the skills required across the TBB stack, from foundational infrastructure to application development and operations, emphasizing Open Source methodologies.
  5. Prioritize Open Standards within TBBs: Actively promote the development, adoption, and enforcement of open standards and interoperability profiles (#13) within and between TBB categories to ensure a cohesive and non-locking ecosystem.
  6. Establish TBB Evaluation Criteria: Develop KPIs and evaluation criteria for funded projects focused not just on creation, but on the long-term sustainability, security, community health, adoption, and interoperability of the resulting TBBs.
  7. Streamline Compliance for TBBs: Provide guidance and support to navigate regulatory compliance (e.g., CRA, GDPR, Interoperable Europe Act) specifically in the context of developing and deploying TBBs, particularly Open Source ones.
  8. Invest Strategically in Foundational R&D: Recognize the limitations of relying solely on existing technologies and dedicate significant, long-term funding towards fundamental research and development (reaching higher TRLs).

7. Conclusion

Operationalizing Europe's vision for digital sovereignty requires moving beyond high-level goals to concrete, actionable structures. The proposed layered framework for Technological Building Blocks provides this necessary structure. It offers a clear lens to understand the components of our Public Digital Infrastructure, map the contributions of Digital Commons and Open Source, and strategically direct investment and collaboration for both immediate needs and future capabilities. By adopting this framework, aligning actions – particularly those supporting the vital European Open Source ecosystem – and crucially, investing in the fundamental R&D needed to architect the next generation of trustworthy infrastructure, the EU can effectively build a resilient, interoperable, innovative, and genuinely sovereign digital future reflecting European values.

Annex: the Stack in Details

This framework categorizes Technological Building Blocks (TBBs) into logical layers, representing how foundational elements support enabling capabilities, which in turn support development and ultimately the applications and interactions users engage with. Cross-cutting concerns influence all layers. While presented in layers for clarity, many concerns have implications and dependencies across the entire stack.

Foundation Layers: These categories represent the fundamental infrastructure and protocols upon which everything else is built.

(1) Network Infrastructure & Connectivity

  • Core Concept: Provides the basic pathways for data transmission between computing systems.
  • Scope & Elaboration: This includes the physical and logical elements required for network communication, from local networks to the global internet. It encompasses hardware (cables, fibre, routers, switches, mobile network antennas - 5G/6G, Wi-Fi access points), core network services (IXPs - Internet Exchange Points), and foundational networking protocols that manage data flow across networks (e.g., BGP, MPLS, basic IP routing). Network virtualization technologies (SDN/NFV components) also fit here.
  • Examples: Physical fibre optic networks, 5G base station technology, core internet routers, network switches, SDN controllers, IXP infrastructure software.
  • PDI Relevance: Essential for Digital Decade goals of ubiquitous connectivity; provides the foundation for all online services and cross-border data flows.

(2) Compute & Storage Infrastructure

  • Core Concept: Provides the processing power to run software and the means to store data persistently or temporarily.
  • Scope & Elaboration: This layer covers the hardware and foundational virtualization that executes code and holds data. It includes server hardware (CPUs, GPUs, TPUs, RAM), storage hardware (SSDs, HDDs), different storage abstractions (block storage, object storage, file systems), the immediate virtualization layer (hypervisors like KVM/Xen, bare-metal provisioning), and the foundational Operating Systems (typically server OS like Linux variants) managing these resources. This forms the basis for IaaS (Infrastructure as a Service).
  • Examples: Server racks, high-performance computing (HPC) clusters, cloud VM instances (the underlying capacity), distributed storage systems (like Ceph), SSD arrays, GPU accelerators.
  • PDI Relevance: Underpins all digital services, data processing, and AI capabilities. Sovereign control over compute/storage is key to digital autonomy.

(3) Core Internet & Web Protocols/Standards

  • Core Concept: Defines the fundamental, standardized rules and formats enabling communication and data representation across diverse systems on the internet and web.
  • Scope & Elaboration: This focuses on the established or emerging, open protocols and standards that ensure interoperability at a basic level. Includes core network transport (TCP/IP suite), naming/discovery (DNS), web interaction (HTTP/1.1/2/3, QUIC, WebSockets), security foundations (TLS/SSL), fundamental data structures and presentation (HTML, CSS, basic XML/JSON standards), core identity protocols (specifications for OAuth 2.0, OpenID Connect, SAML), basic communication protocols (SMTP, IMAP, POP3 for email), and the rendering engines (e.g., Blink, Gecko, WebKit) adhering to HTML/CSS standards, which form the core of modern web browsers. The inherent security and trust models (or lack thereof) in these protocols significantly impact the entire stack.
  • Examples: Implementations of TCP/IP stacks, DNS resolver software, web server implementations of HTTP protocols, TLS libraries (like OpenSSL core functions), rendering engines adhering to HTML/CSS standards.
  • PDI Relevance: Ensures the openness and interoperability of the internet; reliance on open standards prevents lock-in and supports a unified digital market.

Enabling Capabilities: These categories provide essential services and tools built upon the foundation, enabling the development, security, management, and operation of digital services.

(4) Digital Identity, Authentication & Trust

  • Core Concept: Manages and verifies the identities of users, devices, and services, establishing trust for interactions.
  • Scope & Elaboration: Covers dedicated systems for creating, managing, and validating digital identities. Includes authentication mechanisms (passwords, MFA, biometrics), authorization frameworks (controlling access), digital credentials (including Verifiable Credentials/DIDs), Public Key Infrastructure (PKI), and Trust Services as defined by regulations like eIDAS (e.g., Qualified Electronic Signatures/Seals, Timestamps). Federating identities across domains is also key. While categorized here, the effectiveness and trustworthiness of these systems rely heavily on the security and integrity of underlying layers (#1-#3, #5) and standards (#13). Furthermore, the distinction between technical identity managed here and legal/human identity (e.g., EUDI Wallet) must be clearly managed at the interaction points.
  • Examples: Keycloak, OpenID Connect providers, SAML Identity Providers, certificate authorities, MFA systems, Verifiable Credential wallets/issuers, eIDAS nodes.
  • PDI Relevance: Critical for secure access to public and private services, enabling cross-border recognition (e.g., EU Digital Identity Wallet), and establishing trustworthy digital interactions.

(5) Cybersecurity & Resilience

  • Core Concept: Protects digital assets from threats and ensures services can withstand and recover from attacks or failures.
  • Scope & Elaboration: Encompasses a wide range of tools and practices for threat prevention, detection, response, and recovery. Includes network security (firewalls, IDS/IPS), endpoint security, security information and event management (SIEM), vulnerability scanning/management, applied cryptography (encryption of data at rest/in transit), incident response platforms, backup and disaster recovery systems, security monitoring, and DDoS mitigation services. The effectiveness of this layer depends significantly on the security posture of lower layers.
  • Examples: Firewalls (software/hardware), Wazuh, Suricata, OpenVAS, encryption libraries/tools, backup solutions (like Bacula), SIEM systems, WAF, DDoS protection services.
  • PDI Relevance: Fundamental for protecting critical infrastructure, citizen data, and ensuring the trustworthiness and availability of digital services.

(6) Data Management, Processing & Analytics (incl. AI/ML foundations)

  • Core Concept: Handles the entire lifecycle of data, including storage, organization, governance, processing, and extracting insights, including foundational AI/ML capabilities.
  • Scope & Elaboration: Covers databases (SQL, NoSQL), data storage solutions beyond raw blocks/objects (data warehouses, data lakes), data integration tools (ETL/ELT), data pipelines, data governance and cataloguing tools, stream processing engines, and platforms/libraries for large-scale data processing and AI/ML model training/deployment (but not necessarily the domain-specific AI applications themselves).
  • Examples: PostgreSQL, Apache Hadoop/Spark ecosystems, Kafka, Flink, data catalogue tools (Amundsen), AI/ML frameworks (PyTorch, TensorFlow, Scikit-learn), data transformation tools (dbt).
  • PDI Relevance: Essential for data-driven decision-making, managing public sector data assets, enabling AI innovation, and supporting data spaces outlined in EU strategy.

(7) Infrastructure & Service Management/Operations

  • Core Concept: Provides the tools and practices for automating the deployment, configuration, monitoring, and operation of infrastructure and applications.
  • Scope & Elaboration: Focuses on operational efficiency, reliability, and scalability. Includes OS configuration, patching, and image management, container orchestration, configuration management, Infrastructure as Code, monitoring and observability platforms, CI/CD pipeline tools, API gateways, and service meshes. Understanding operational dependencies is key.
  • Examples: Kubernetes, Docker, Ansible, Terraform, Prometheus, Grafana, ELK Stack, GitLab (especially CI/CD), Kong Gateway, Istio...
  • PDI Relevance: Enables efficient and reliable delivery of digital services at scale, supports DevOps practices, and ensures the maintainability of complex PDI systems.

(8) Software Development Tools, Frameworks & Platforms

  • Core Concept: Provides the environment, libraries, frameworks, and tools developers use to create, build, test, and package software applications.
  • Scope & Elaboration: This is the developer's toolkit. Includes Integrated Development Environments (IDEs) or code editors, version control systems, build automation tools, package managers, testing frameworks, runtime environments (including Operating Systems like Linux variants, Windows, macOS, Android, iOS, and common IoT OSes providing APIs and execution environments), and the web browser acting as a primary runtime platform for web applications. It also includes web/application frameworks, software development kits (SDKs), and low-code/no-code development platforms.
  • Examples: Eclipse, VS Code, Git, GitLab/GitHub/SourceHut (source control features), Jenkins (as build orchestrator), Maven, npm, uv, ruff, React, Django, Spring Boot, Node.js runtime, Python runtime, JUnit, Playwright...
  • PDI Relevance: Directly supports the creation of innovative applications and services, including public digital services; fostering a strong open-source development ecosystem contributes to digital sovereignty and skills.

Interaction & Application: These categories represent the higher-level services and applications that directly deliver value or facilitate interaction.

(9) Communication & Collaboration Services

  • Core Concept: Enables interaction and information sharing between people and systems.
  • Scope & Elaboration: Covers platforms and services designed for real-time or asynchronous communication and collaborative work. Includes email systems, instant messaging/chat platforms, video conferencing solutions, collaborative document editing tools, forums, and notification systems.
  • Examples: Email servers (Postfix/Dovecot), Matrix/Element, Jitsi Meet, Nextcloud/OpenCloud/Abilian SBE (collaborative features), Discourse, mailing list managers...
  • PDI Relevance: Supports collaboration within public administrations, citizen engagement, and communication infrastructure for businesses and individuals.

(10) Digital Market Platforms & Services

  • Core Concept: Provides foundational building blocks specifically aimed at enabling secure and interoperable digital economic activity and cross-border services within the single market.
  • Scope & Elaboration: This includes components facilitating digital transactions and trust in commerce. Examples are payment gateway integrations, e-invoicing platforms/standards (like Peppol), secure data exchange mechanisms for businesses (potentially building on data spaces), services linking Digital Identity (Cat 4) to commercial or administrative processes, and potentially components enabling initiatives like Digital Product Passports.
  • Examples: Implementations supporting SEPA payments, Peppol access points, platforms for secure business data sharing, components enabling trusted attribute verification using eIDs.
  • PDI Relevance: Directly supports the creation of a unified single digital market, facilitates cross-border e-commerce and e-government transactions, and enhances trust in the digital economy.

(11) Domain-Specific Applications & Public Services

  • Core Concept: Represents the end-user-facing applications or specialized backend services designed for specific sectors or functions, particularly those delivered by public administrations.
  • Scope & Elaboration: This is a broad category encompassing the final applications built using many of the underlying TBBs. It includes government portals for citizens/businesses, specific e-health applications, online learning platforms for education, transportation management systems, environmental monitoring applications, digital library services, etc.
  • Examples: National e-government portals, specific tax declaration software, university online learning systems (like Moodle), open data portals (like CKAN), electronic health record system components.
  • PDI Relevance: The ultimate delivery mechanism for Digital Public Services, making government more accessible and efficient; represents the tangible outcomes of PDI investments.

Cross-cutting Concerns: These aspects are relevant across multiple layers and categories.

(12) Emerging Technologies (Lens)

  • Core Concept: Serves as a perspective or lens to evaluate how novel and potentially disruptive technologies impact or could be integrated into other TBB categories. It's not a block itself but a factor in strategy and evolution.
  • Scope & Elaboration: Includes considering the implications of advanced AI/ML (beyond foundational platforms), Quantum Computing, sophisticated IoT ecosystems, new generations of wireless tech (beyond current 5G/6G roadmaps), Metaverse-related technologies (persistent virtual worlds, advanced XR), and potentially novel cryptographic methods or distributed ledger technologies where they offer fundamentally new capabilities.
  • PDI Relevance: Ensures the PDI framework remains future-proof and can strategically leverage technological advancements for public good and competitiveness.

(13) Standards & Interoperability (Principle & Practice)

  • Core Concept: Encompasses the use of open standards, protocols, data formats, and API specifications, as well as participation in standardization processes, to ensure TBBs can work together effectively and avoid vendor lock-in.
  • Scope & Elaboration: This is about how TBBs are designed and interact. It involves adhering to relevant standards (W3C, IETF, ETSI, ISO, OASIS, etc.), defining clear interoperability profiles (e.g., within healthcare - HL7/FHIR, finance - specific formats), using common data formats (JSON, XML, RDF, Arrow), designing well-defined APIs (using OpenAPI/AsyncAPI), and contributing to standards development. Additionally, as argued in Some Thoughts on Interoperability, this TBB must address the limitations of a strictly prescriptive approach by introducing and developing the concept of "Enforceable interoperability". Effective standards are essential for managing complex cross-layer interactions.
  • PDI Relevance: Absolutely critical for building a cohesive and reusable PDI, enabling cross-border services, fostering competition, allowing combination of different TBBs, and achieving the goals of the Interoperable Europe Act.

(14) Strategic Dependency & Autonomy Risk (Analysis & Mitigation)**

  • Core Concept: Provides the framework and practices for identifying, analyzing, and mitigating risks to European strategic autonomy arising from dependencies across technical, operational, and strategic levels within the PDI ecosystem.
  • Scope & Elaboration: This involves:
    • Technical Level: Mapping software supply chains (SBOMs), hardware component origins, and service interdependencies.
    • Operational Level: Identifying reliance on specific managed service providers, operational tooling vendors, and single points of failure in deployment/operations.
    • Strategic Level: Analyzing vendor lock-in risks (technical, contractual, data egress), geopolitical dependencies (hardware manufacturing, cloud provider jurisdiction, software origin), reliance on critical open-source projects with fragile maintenance models, skills availability dependencies, and assessing the overall health and sovereignty implications of the TBB ecosystem.
    • It includes developing methodologies for risk assessment specifically tailored to digital autonomy and proposing mitigation strategies (e.g., promoting multi-vendor approaches, investing in European alternatives, contributing to critical OS projects, developing required skills).
  • PDI Relevance: Directly underpins the goal of Digital Sovereignty by making risks explicit and informing strategic decisions about TBB selection, investment, development, and policy interventions to ensure long-term resilience and autonomy for Europe's PDI.