There is a particular kind of vulnerability that does not announce itself until the moment it is exploited. For years, the dependence of European governments on American software was treated as a procurement detail — a line item, a licensing renewal, a question of cost rather than control. Then, in the spring of 2025, the chief prosecutor of the International Criminal Court tried to open his email and could not. What had been an abstraction about jurisdiction became, very suddenly, a locked door.

France’s decision to migrate roughly 2.5 million government workstations off Windows and onto Linux did not begin with that locked door. But it is impossible to read the timing of the more recent, more sweeping push without seeing the prosecutor’s empty inbox behind it. Sovereignty, it turns out, is not only a flag or a border. Sometimes it is a login screen, and sometimes someone else holds the password.

The Prosecutor and the Empty Inbox

In February 2025, the Trump administration sanctioned Karim Khan, the ICC’s chief prosecutor, by executive order. The court had issued arrest warrants against Israeli Prime Minister Benjamin Netanyahu and his former defense minister over alleged war crimes in Gaza, and the sanctions were Washington’s response. What followed was the part that rattled European capitals: Khan reportedly lost access to his Microsoft email, and was forced to migrate to Proton Mail, the Swiss provider, while his bank accounts were frozen.

Microsoft has disputed the framing. Its president, Brad Smith, told reporters the company’s actions “did not in any way involve the cessation of services to the ICC.” The factual details remain contested, and it is worth holding them loosely — what is established is that sanctions reached a US technology provider, and that the prosecutor ended up off Microsoft’s infrastructure and onto a European one. Whether Microsoft acted, was compelled to act, or merely could have acted is, in a sense, beside the point. The lesson European officials drew was about capability, not intent.

Because the uncomfortable truth is structural. A US company, wherever its servers physically sit, is subject to US law — including the CLOUD Act, which can compel American firms to produce data regardless of where it is stored, and including sanctions regimes that can render an account inert overnight. Dependence on US software is not merely a commercial relationship. It is a quiet extension of US jurisdiction into the daily operations of foreign governments, courts, and ministries. Most of the time that extension is invisible. The ICC episode made it visible.

France’s Long Road Off Windows

France did not arrive at this conviction overnight, and that history matters, because it separates the country’s plans from the usual cycle of governmental announcements that quietly evaporate. The French Gendarmerie has run a custom Ubuntu-based distribution — GendBuntu — since 2008. By mid-2024 it ran on more than 100,000 workstations, around 97% of the force’s estate, saving an estimated two million euros a year in licensing and cutting total cost of ownership substantially.

The Gendarmerie’s playbook is instructive. It did not rip out Windows on a Monday. It introduced Firefox and OpenOffice first, let users grow comfortable with the applications while the underlying operating system stayed familiar, and only then changed the OS beneath them. That deliberate sequencing — applications before operating system — is widely credited as the reason the migration succeeded where so many others stalled. Seventeen years on, it remains arguably the longest-sustained large-scale government open-source deployment in the world. Sovereignty, done properly, is patient.

The newer push is broader and more pointed. In April 2026, the French government reportedly directed every ministry to move away from American software and to migrate some 2.5 million civil-servant workstations from Windows to Linux, with ministries asked to have migration plans in place by the autumn. The directive reaches beyond the desktop — to collaborative tools, cloud infrastructure, even AI platforms. It follows an earlier 2026 mandate to replace Microsoft Teams and Zoom with a domestic platform, Visio, across the same population of civil servants. These are plans and timelines, not finished facts, and full implementation will unfold over years. But the direction of travel is unambiguous.

What Sovereignty Actually Buys

It would be easy to read all this as anti-American posturing, or as the open-source movement finally finding a patron with a budget. Both readings miss the deeper shift. What changed is the threat model. For two decades, European IT procurement optimized for reliability, interoperability, and price — and on those terms Microsoft was a rational choice. The variable nobody priced was political: the possibility that a supplier could be turned, by its own government, into an instrument against you.

That is the variable the ICC incident introduced into the spreadsheet. The Dutch government reportedly accelerated its examination of non-Microsoft alternatives; Germany, the Nordics, and France began openly discussing alternatives to Azure. Across the bloc, the conversation moved from “is open source good enough?” to “what happens if the lights go out and we did not build the switch?”

This is where the privacy and sovereignty lenses converge. Privacy, at the individual level, is about who can see your data and on what authority. Sovereignty, at the state level, is the same question scaled up: who can see, compel, or sever your nation’s data, and under whose law. When a government runs on foreign proprietary software, it accepts a permanent third party to its most sensitive operations — one accountable to a different legislature, a different court, a different president. Linux and LibreOffice do not make that third party benevolent. They remove it. The code is auditable, the infrastructure can sit on home soil, and no executive order in a foreign capital can reach into it.

None of this is frictionless. Migrations fail, retraining is expensive, and the European alternatives are often less polished than the incumbents they replace. There will be ministries that miss the autumn deadline, and there will be quiet reversions where the pain outweighs the principle. Sovereignty is not a purchase; it is a discipline, sustained over years, the way the Gendarmerie sustained it.

But the strategic logic is now clear in a way it was not before. The prosecutor’s empty inbox was not a glitch. It was a demonstration — that in a world where software is infrastructure, and infrastructure is jurisdiction, the question of who owns your operating system is not technical at all. It is a question of who, in the end, can lock you out.