When a government chooses to rebuild its own development infrastructure to escape tech giants, it serves as a reminder that digital sovereignty is not a political posture, but an architectural discipline. Recently, the government of the Netherlands decided to design its own source code hosting platform, gradually freeing itself from GitHub, which is owned by the American giant Microsoft. This initiative, highlighted by several European analysts, sheds light on a growing global awareness: technological dependency is not just a matter of data storage, it touches the very heart of software production tools.
For public institutions and large enterprises, this transition marks a historic turning point. For decades, the centralization of development tools within a few American platforms was accepted in the name of convenience and efficiency. Today, the risks associated with the extraterritoriality of laws, unilateral changes to terms of service, and software supply chain vulnerabilities demand a complete reassessment of these strategic choices.
The underpinnings of an invisible yet risky dependency
To fully understand the scope of the Dutch decision, we must analyse the mechanisms of software dependency. When an organization uses third-party services to host its code or run its applications, it exposes itself to several vulnerability factors. On one hand, the software supply chain has become a prime target for cyberattacks. According to a report by the European Union Agency for Cybersecurity (ENISA), attacks targeting software dependencies and third-party code repositories are rising sharply. A vulnerability in a single external library can compromise thousands of downstream applications.
On the other hand, the advent of AI-generated code has introduced new risks. The current trend of "vibe coding", which involves rapidly producing applications through simple prompts sent to language models without auditing or structure, is increasingly being singled out by security experts. The UK National Cyber Security Centre (NCSC) recently issued strict warnings on this matter, emphasizing that unmonitored code generation using AI tools can introduce critical vulnerabilities, obsolete dependencies, or plaintext security secrets in the code.
Digital sovereignty is therefore not limited to physical server hosting. It requires total control over the execution environment, a reduction of the attack surface, and a guarantee that organizational data does not transit through foreign jurisdictions subject to intrusive laws, such as the US Cloud Act. It is in this context that the concept of sovereignty by architecture takes on its full meaning.
Sovereignty by architecture: The ProductivIA perspective
The Dutch initiative demonstrates that it is not enough to consume sovereign technologies; organizations must possess sealed production environments. This is precisely the philosophy guiding the design of the Quebec-based ProductivIA platform and its virtual operating system, ProductivIA. Rather than imposing heavy frameworks and complex external dependencies, the platform relies on a streamlined architecture that runs directly in the user's browser.
This approach provides a concrete response to security and compliance requirements, particularly under Quebec's Law 25 regarding the protection of personal information. ProductivIA's multi-silo architecture ensures that each organization has a completely sealed logical space. Data is never mixed or shared, and every stored file is directly accessible and exportable by the user via the Nuage application. This total transparency eliminates the "black box" effect typical of major public clouds.
Furthermore, to counter the risks of vibe coding and unsecure code, ProductivIA offers a structured no-code model. Through the Fabrique application, users can design custom tools using natural language, while the code writing, auditing, and publishing are entirely managed and secured by the platform. The generated code runs in an isolated sandbox, reducing the attack surface to the absolute minimum. End users never handle raw code, preventing the accidental introduction of security vulnerabilities or unmanaged dependencies.
Toward sustainable digital autonomy
The Dutch approach, much like the architectural direction of ProductivIA, demonstrates that technological autonomy is possible without sacrificing modernity or productivity. By combining sovereign artificial intelligence models, such as the Matania model hosted locally in Quebec, with controlled execution infrastructures, public and private organizations can finally break free from tech monopolies.
The question is no longer whether to adopt artificial intelligence or rapid application development, but how to integrate them into a framework that respects the confidentiality, security, and longevity of the organization's digital assets. The answers lie in transparent, modular architectural choices resolutely focused on the local control of technology.