Digital Sovereignty: Why Governments and Businesses Are Repatriating Their Code

Faced with dependence on tech giants, the Dutch initiative to create an alternative to GitHub highlights the importance of controlling production environments.

An abstract representation of digital sovereignty, showing secure data silos and code repositories protected from external networks.

When a government chooses to rebuild its own development infrastructure to escape tech giants, it reminds us that digital sovereignty is not a political posture, but an architectural discipline. Recently, the government of the Netherlands decided to design its own source code hosting platform, gradually freeing itself from GitHub, which is owned by American giant Microsoft. This initiative, reported by several European analysts, highlights a global realization: technological dependence is not just a matter of data storage, it touches the very heart of software production tools.

For public institutions and large enterprises, this transition marks a historic turning point. For decades, the centralization of development tools within a few American platforms was accepted in the name of convenience and efficiency. Today, the risks associated with the extraterritoriality of laws, unilateral changes to terms of use, and software supply chain vulnerabilities require a complete re-evaluation of these strategic choices.

The Underpinnings of an Invisible but Risky Dependence

To fully understand the scope of the Dutch decision, it is useful to analyze the mechanisms of software dependency. When an organization uses third-party services to host its code or run its applications, it exposes itself to several vulnerability factors. On one hand, the software supply chain has become a prime target for cyberattacks. According to a report by the European Union Agency for Cybersecurity (ENISA), attacks targeting software dependencies and third-party code repositories are rising sharply. A vulnerability in a single external library can compromise thousands of downstream applications.

On the other hand, the rise of AI-generated code has introduced new risks. The current trend of "vibe coding," which involves rapidly producing applications through simple prompts addressed to language models without auditing or structure, is increasingly being singled out by security experts. The UK National Cyber Security Centre (NCSC) recently issued strict warnings on this subject, emphasizing that code generation unguided by AI safety tools can introduce critical vulnerabilities, obsolete dependencies, or security secrets stored in plaintext in the code.

Digital sovereignty is therefore not limited to the physical hosting of servers. It demands total control over the execution environment, a reduction of the attack surface, and a guarantee that organizational data does not transit through foreign jurisdictions subject to intrusive laws, such as the US Cloud Act. It is in this context that the concept of sovereignty by architecture takes on its full meaning.

Sovereignty by Architecture: The ProductivIA Perspective

The Dutch initiative demonstrates that it is not enough to consume sovereign technologies; organizations must possess sealed production environments. This is precisely the philosophy guiding the design of the Quebec platform ProductivIA and its virtual operating system, mio.land. Rather than imposing heavy frameworks and complex external dependencies, the platform relies on a streamlined architecture running directly in the user's browser.

This approach provides a concrete response to security and compliance requirements, particularly under Quebec's Law 25 on the protection of personal information. ProductivIA's multi-silo architecture ensures that each organization has a completely hermetic logical space. Data is never mixed or shared, and every stored file is directly accessible and exportable by the user via the Nuage application. This total transparency eliminates the "black box" effect typical of major public clouds.

Furthermore, in response to the risks of "vibe coding" and insecure code, ProductivIA offers a structured no-code model. Through the Fabrique application, users can design custom tools using natural language, but the writing, auditing, and publishing of the code are entirely handled and secured by the platform. The generated code runs in an isolated sandbox, reducing the attack surface to the absolute minimum. End users never manipulate raw code, preventing the accidental introduction of security flaws or unmanaged dependencies.

Toward Sustainable Digital Autonomy

The Dutch approach, like the architectural directions of ProductivIA, demonstrates that technological autonomy is possible without sacrificing modernity or productivity. By combining sovereign artificial intelligence models, such as the Matania model hosted locally in Quebec, with controlled execution infrastructures, public and private organizations can finally free themselves from technological monopolies.

The question is no longer whether to adopt artificial intelligence or rapid application development, but how to integrate them into a framework that respects the confidentiality, security, and longevity of the organization's digital assets. The answers lie in transparent, modular architectural choices resolutely focused on the local control of technology.

© ProductivIA 2026
info@productivia.ca - 581-504-0294
296, rue Saint-Pierre - Matane, QC G4W 2B9