The digital domain normally knows no borders. However, geopolitical tensions have suddenly made their real-world origin more relevant than ever. This is also true for SUSE, a European infrastructure specialist and potential tip of the spear for digital sovereignty. We discuss the topic with Dirk-Peter van Leeuwen, CEO of SUSE.
This week, SUSE was named a Leader in Gartner’s Magic Quadrant for Container Management, alongside rival Red Hat, the three American hyperscalers, and Huawei and Alibaba.
It’s not just important to buy local when going for groceries. Supporting one’s own market is more than just a good-to-have, with American tariff barriers, sanctions against Russia, and a volatile relationship with China as key concerns for the global market. European policymakers are increasingly concerned with digital sovereignty, however they may wish to define it. Software’s too complex for everyone to develop it in-house, making the most sovereign option (read: autonomous, self-sufficient) a partnership with a local company. “As a European company, you automatically have a head start,” DP van Leeuwen tells us in regard to such potential partnerships.
As CEO of SUSE since May 2023, Van Leeuwen has already seen several storms up close. While competitor Red Hat cut back on its open-source access in the summer of that year, the SUSE executive has long advocated the benefits of open software for business self-reliance. Last year, also in an interview with Techzine, he stated that only open-source solutions can be truly secure. Even now, with scare tactics and charm offensives coming from all directions, Van Leeuwen tends to return to this trait of openness with good reason.
No limits
“The beauty of open source is that there are no borders,” says the SUSE CEO. “You can check all the code yourself.” It is the only category of software where trust can be enforced by both parties. However, most SUSE customers, from users of multi-Linux to SUSE AI or Rancher (or all of the above), will not always look too deeply at all the inner workings, trusting the likes of SUSE to do their job for them. As Van Leeuwen already remarked in 2024, SUSE’s business model revolves around checking and maintaining the software used, thus saving their customers time.
Security, however, is a basic requirement that goes beyond sovereignty. But the two are indeed closely linked. Van Leeuwen points out, for example, that Microsoft’s code is completely inaccessible to end users; no one outside Redmond knows exactly what the program in question does. It’s a tricky subject, we realize, because without proof of backdoors, suggesting their existence comes across as fearmongering. We are not saying any American company is misusing the trust clients place on them. Nevertheless, it is realistic to say that the closed nature of the software used by American hyperscalers poses a problem for sovereignty.
SUSE’s CEO therefore sees a lot of buzzwordy PR talk surrounding this topic. Microsoft, AWS, and Google Cloud intend to deliver targeted sovereign clouds to European customers, whether they are government agencies or just companies with highly sensitive data. The question Van Leeuwen raises is this: “Where are the people who provide support? Could they be located anywhere else in the world?” Probe the American players a little deeper, and it soon becomes clear that there are scenarios in which the entirely European nature of the offering disappears. “They can give the sovereignty claim a commercial spin, but you can’t change the facts,” says the SUSE executive.
An entirely European stack?
We bounce this question right back to Van Leeuwen. Why doesn’t SUSE collaborate more closely with other digital sovereignty initiatives, such as NeoNephos from the Linux Foundation? It’s clear that SUSE supports sovereign infrastructures, if anything it enables it. But what we mean specifically is that European companies can work together to build a genuine EU alternative, fully integrated and yet flexible for the end user, just like the public clouds provided by American companies.
We notice in our conversation that this type of offering is not in SUSE’s nature. Van Leeuwen insists that customers want flexibility above all else. According to him, the strength of SUSE’s platform approach is that new technologies do not need to come as a surprise. Instead, innovations such as the Model Context Protocol can be integrated with SUSE AI, allowing an additional Linux distribution to be rolled out for a specific use case, and integrations with proprietary tooling can be built as desired thanks to open source.
Van Leeuwen: “In the past, you could enjoy a new technology for years. When your contract expired, you could choose something new. If you do that now, you’re shooting yourself in the foot.” So if you want to keep up with the speed of innovation, you have to think in terms of shorter time frames than years. That means going for anything monolithic is bound to keep you stuck in the past.
Safe and secure
All the discussions we have had about digital sovereignty in recent years can be placed on a spectrum. This is one with basic facts on one end, and feelings or vibes on the other. How much focus does a vendor, customer, or expert place on the concrete security of data? If this is not a strong emphasis, the focus is almost always on a feeling. It feels wrong to hand over data to a third party without being able to verify their contractual promises regarding data privacy. It is actually unsafe to pass on private data to an online chatbot; parties such as OpenAI and Google explicitly train on the data received by ChatGPT and Gemini respectively (unless otherwise stated, but even that is only a promise). Neither one is necessarily the right or wrong way of looking at the topic, but this spectrum does allow for fundamentally distinct criteria for sovereignty to exist. That muddies the water a little.
The reason we’re saying this, is that sovereignty doesn’t always come down to practical considerations. Van Leeuwen shows us his company cannot reside on the ‘feeling’ side of the spectrum. SUSE customers regularly demand to know exactly who is providing support, where their data is going, and, yes, how they are applying AI securely. Organizations in possession of sensitive data have already started using SUSE AI, for example, to provide private AI to employees. This means they don’t have to go online to get help from GenAI or AI agents, risking critical data in the process. It’s perhaps not surprising that we don’t get to hear exactly who these customers are; like their AI use, that’s private.
The advantage for SUSE at this point in time is that, as a European company, it also appeals to European policymakers on that other end of the sovereignty spectrum. We hope to see more of how this is being translated into practical applications, although Van Leeuwen has already hinted at various use cases. Perhaps there will be time for more to be shown next year at SUSECON.
Read also: SUSE AI is safe and mature, but not plug-and-play for all