Nukeproof: Manifesto for European Data Sovereignty
Posted by jamesblonde 3 days ago
Comments
Comment by willtemperley 3 days ago
Keeping app data purely server-side is no longer viable for customers with data sovereignty requirements, and having a toggle button saying 'Keep my data in Europe' isn't enough either because it places too much trust in the SaaS provider.
With network monitoring verifying local applications are accessing user-verified endpoints, privacy reduces to OS-level security.
Comment by concinds 3 days ago
Comment by willtemperley 3 days ago
Comment by SpicyLemonZest 3 days ago
Comment by willtemperley 3 days ago
The current best security practices can be used by any organisation. I respect the engineering that Google have done. gRPC is excellent and local first software can absolutely use it, accessing data locality verified endpoints.
Comment by SpicyLemonZest 3 days ago
Comment by whateverboat 3 days ago
Comment by concinds 1 day ago
Comment by atoav 3 days ago
We could also have everything on a cloud in a foreign country with a mad king, but what would be the benefits of that?
Comment by jszymborski 3 days ago
I think the point is that your doctor or civil servant or local sushi shop shouldn't have to reach to AWS/GCP/Oracle each time they want to look up an MRI or building permit or loyalty points card status.
"local" is a relative term here.
Comment by moi2388 3 days ago
Comment by willtemperley 3 days ago
The fundamental problem with SaaS and pure server side applications is we do not know where the data are. With local first we can verify data locality.
Comment by reeredfdfdf 3 days ago
Looking forward to Jeff deciding which party wins next year!
Comment by flumpcakes 3 days ago
Comment by willtemperley 3 days ago
Governments could and absolutely should be subsidising home-grown data centres. And taxing the hell out of every square metre of AWS and Google data centres. Why not have a data tax for foreign companies?
Comment by jszymborski 3 days ago
Comment by Imustaskforhelp 3 days ago
Suppose I am an Indian developer interested to work with European Data sovereignty because imo I value privacy personally just as much as the EU population and it would be great to be more connected and wishing to connect with them more.
So I have thought of using EU options in my servers/services if I use them for the most part and I can even swap out to completely European if need be.
So let's say to be a part of this? Should I be a European company? If so, I even looked at it on how to establish a company in Europe rather easily (preferably a lean company) and it seems that Estonia seems the best way for me to create an EU company from my country without too much hassle but the costs of operation do feel like a lot for just starting out let's say.
I am also not sure about the fact that given I live in India, some data sharing arrangement can be generated or would I have to actually migrate to say EU (which although I love EU, I currently appreciate my country as well and migration is a hassle right now)
I wish if such a manifesto could work for India and EU and a deeper integration could be made between the two countries about such tech related software or other as I have been a vocal supporter of European tech providers like Hetzner, OVH etc. and they are even cheaper than American hyperscalers in many/most cases.
Comment by kevin061 3 days ago
When I worked at AWS, there was GovCloud, and only American citizens residing on American soil and connecting from American soil were able to give support to these customers. So even if you were legally authorised to work in the US and resided in the US, you couldn't work with GovCloud customers.
Or if you are an American temporarily residing in Romania or Canada, then you also can't work with GovCloud customers.
I expect the same situation will happen to you. But I am just speculating.
A European sovereign cloud is desperately needed for highly sensitive government, military, and national security workloads, and these must be thoroughly vetted to ensure compliance.
But for anything else, like personal e-mail or e-commerce? I'm sure there will be a lot of flexibility for non-European contributions, but it will probably be like it currently is: open source projects spanning the globe.
Comment by Imustaskforhelp 3 days ago
My focus was on the more of an EU-alternatives kind of thing. I want my idea of privacy to be aligned and EU seems perfect for that. I want to provide sustainability in an idea & can establish an EU company or partner up with one.
My question is that I would still live in India for the most part starting out & I might be unable to make an EU company in the start too but if I am required, then I will do so
Aside from this, I am willing to use only EU services internally for my product as well as I mentioned.
Is there any way that I can still align myself with the EU-alternatives mission?
Might sound a bit strange but I want to come into EU but I can't because immigration is hard/expenses and I want to come to Europe when I finally figure out things/have a decent product in the first place.
Some people told me to create an EU company which holds an Indian company as a consultancy firm and you can be part of both and manage to establish a Data sharing policy given that I can access EU data from Indian soil so If I can do something about it.
I am not really familiar with EU laws tho so I am interested to hear more from people actually interested.
Comment by kevin061 3 days ago
America has had decades to privately run and develop their own software alternatives and everything (Windows, Office, Google) is extremely deeply established now and hard to compete against. I mean, can you imagine building a proprietary x86_64 operating system from scratch not based on Linux? And writing the code is just a small part of the work. You also need drivers from manufacturers like Realtek and Nvidia. You need people buying your product. You need marketing.
It's just not going to happen. Open source is the only way forward for EU, in my opinion.
And therefore, I think you will be able to contribute as much as you want to these open source efforts. Even testing and translations are already great initiatives, but if you can also write code, that's even better!
Comment by Imustaskforhelp 3 days ago
Usually I try to open source it & release it usually in permissive licenses (Full disclosure to experiment with ideas I use LLMs sometimes)
I don't really want Europe to replace America only now switching to India. Our ideals might match right now but y'know we live in a multi polarized world now and we just have to look for what's great for Europe from European perspective and so on & as an Indian, I appreciate it given that we have points of common interests regarding privacy.
So my point was that I already open source projects. But the reason I feel a lot of issues is that open source project -> actual deployment pipeline is still messy for the average person and this is the idea I was / still am targeting with Firecracker VMs where someone can pay for an open source service to be deployed on vps for some time (Alright now a lot of options have come like sprites but i have been talking about from 2-3 months maybe 4 back when no implementation existed and even right now the one click button solution ui/ux I wanted to create still hasn't been created)
Like instead of being bound to your service with tos as a saas, I am hoping to treat each as a vps and the tos which would surround that which would be more permissive.
I was gonna build more on it but then ramflation happened so probably gonna have the idea internally till the bubble bursts or when it's good enough (a big chunk of me not open sourcing it is that it's really hacky and consists huge LLM help right now especially with gliderlabs/ssh library part & I don't want to create yet another AI slop)
I know Hindi (the most widely spoken language in India) and I am down to provide some translations to Open source too
The issue with Open source without any offering is that (i have written about it) is that there is zero funding and incentive. Heck, I am the person who made a post about how to promote open source/fix this issue & After months of thinking, I kind of feel providing EU privacy friendly solution might be the best bet. (https://news.ycombinator.com/item?id=45558430) [Ask HN: Why are most people not interested in FOSS/OSS and can we change that]
A lot of it felt like a chicken and egg problem to me. People want better UI/UX but developers build for dev first and there needs to be a real incentive in most cases to have great UI/UX which might include some financial benefits plus open source still has some large issues in funding which is why I thought of the cloud idea as well (I want to establish a railway like pricing model where you get charged for what you use but it's still reasonable and there can be a deploy to cloud option and developers who create open source projects get the funding in first place or have a more flexible way to earn from their project, similar to BYOK but way more user friendly)
Anyways my point is that I feel deeply aligned with EU right now. I just want to ask for some EU laws given I am still living in Indian state right now and just more information about it.
Comment by josephg 3 days ago
I’m sure your desire to help is genuine. But Europe might need to find their own feet with an initiative like this before accepting help from foreigners.
Comment by whizzter 3 days ago
Clients of mine are on hyperscalers due to the ease of deployment, etc. but they are focused on lock-in, if ease could be attained in combination with portability then an ecosystem could exist where mid-scaler providers (that exist in abundance in Europe) could have a better chance against the behemoths.
Comment by boilerupnc 3 days ago
“Technically, IBM Sovereign Core builds on open-source technology from the Red Hat ecosystem. The software uses OpenShift, among other things, and is designed to run on existing infrastructure. Organizations can deploy the platform in on-premises data centers, regional cloud environments, or through local service providers.”
* Disclaimer: I’m an IBMer
[0]. https://www.techzine.eu/news/privacy-compliance/137981/ibm-l...
Comment by josephg 3 days ago
Yes, I think this might be the actual way to help. Write opensource software that can be used by everyone. Including commercial products in the EU.
Google, Microsoft and Amazon have a moat because of how difficult it is to build viable competitors to their products. I'd love to see more opensource libraries and applications chip away at this. How hard would it be to build a self hosted google docs competitor?
Comment by philipallstar 3 days ago
Well, if Europe existed without them, then Europe likely wouldn't have ever home-grown all the advances from the more entrepreneurially-minded countries.
Comment by alephnerd 3 days ago
The EU and India are starting to work on formalizing a data transfer mechanism similar to the EU-US Data Transfer Mechanism (DTM) as part of the EU-India TTC [0] (a US-EU TTC was a precursor to formalizing the EU-US DTM).
Depending on how the EU-India FTA shakes out (signing after Republic Day on January 27th), it might make it easier to "India-wash" American services exports (which is already what is happening).
The fact that an EU "sovereign" cloud like STACKIT is using American-Israeli security software [1] (though they did open an office in Prague to outsource some development, but is largely done in Israel I believe) and Google Workspaces [2] as part of its sovereign cloud initiative highlights how it's all HN bark with little-to-no bite.
That said, kudos to SpaceTime [3] for trying to leverage the momentum to build a GTM channel via NukeProof.
[0] - https://in.boell.org/en/2025/05/27/tapping-momentum-eu-india...
[1] - https://www.sentinelone.com/press/sentinelone-and-schwarz-di...
[2] - https://gruppe.schwarz/en/press/archive/2024/companies-of-sc...
[3] - https://spacetime.eu/blog/nuke-proof-alliance-launches-to-br...
Comment by Imustaskforhelp 3 days ago
But this is the first time I hear someone mention "India-wash" American services exports?
What do you mean in this context? I hope it's nothing derogatory but I am simply confused by this term.
Personally I meant either hosting open source software or building my own open source software and hosting it for the most part imo.
I don't know what you mean by India-wash though?
Comment by alephnerd 3 days ago
For example - should EU-US digital services be impacted by larger diplomatic spat, as much of GCP's development and leadership is colocated in HYD, if needed leadership and operations could become part of Google Cloud India Pvt Ltd [0], so an "American" BigTech company like Google Cloud can continue to operate like normal. Most American (and Israeli) tech companies have an Indian subsidiary that can do such a motion.
> Personally I meant either hosting open source software or building my own open source software and hosting it for the most part imo
You can contribute OSS on your own, but from personal experience the EU is primarily looking to its private sector players who themselves are largely using American (but developed in India) or Israeli closed source products under the hood, or at most open-core. A Stallman or Doctorow style open source advocate isn't getting much airtime in the corridors that matter.
Heck, this initiative is itself a lead-gen initiative by closed source SpaceTime [1].
> I hope it's nothing derogatory
It's more derogatory to EU initiatives than India. All these flashy announcements hide the fact that most businesses and organizations in the EU continue to operate using non-EU developed software and continue to do so. Yet any attempt at building a durable long term foundation a la the Draghi report is ignored, as Draghi himself pointed out a couple months back [2].
Heck, the much touted EU-Mercosur FTA has just been frozen barely a couple hours ago [3].
[0] - https://www.bloomberg.com/profile/company/2026164D:IN
[1] - https://spacetime.eu/blog/nuke-proof-alliance-launches-to-br...
[2] - https://www.france24.com/en/tv-shows/business/20250916-mario...
[3] - https://www.reuters.com/world/eu-lawmakers-vote-whether-laun...
Comment by Imustaskforhelp 3 days ago
Now it does make sense, I do think that Europe should look at Open source more too and contribute as such.
I do agree with what you are saying but supposing the geopolitical spat between America and Europe, it doesn't make sense to me why European countries might trust Indian subsidiaries of American companies.
Sure they might sound sovereign but in reality, they aren't. So what's the point?
Why not get Independent Indian developers and the startup culture established around it (Although one of the issues I feel with this approach is that VC capital does include America, personally I wish to stay away from much of VC money)
> It's more derogatory to EU initiatives than India. All these flashy announcements hide the fact that most businesses and organizations in the EU continue to operate using non-EU developed software and continue to do so. Yet any attempt at building a durable long term foundation a la the Draghi report is ignored, as Draghi himself pointed out a couple months back [2].
Agreed.
I do feel like a reason why I wanted to establish EU company was to show my acknowledgement of Open source and privacy focus and to get more EU businesses interested. But right now, I feel like I am way more willing to have Open source or at the very least if restrictive, then creating source available software & still having an EU presence & an appreciation towards it.
But like, EU definitely needs to focus on Open source offerings more so than looking for EU alternatives in general which as you mention might be built using closed source products of American companies. It still doesn't effectively prevent the lock-in or worries in case of a geopolitical spat for EU in reality but only on the papers.
To be honest, I am open to open sourcing much of my products (ideologically) but the problems I feel in open source is that it's hard to even make a developer salary comparatively even in India.
Open source definitely needs more funding. Probably EU can fund Open source without any bias could be great too?
Comment by alephnerd 3 days ago
Because most European companies are paying lip service to EU sovereignty because of how tightly coupled they are to the US. Look at how the EU-China spat led to Nexperia China's de facto decoupling which shut down the EU automotive industry for a couple months. It's even worse with regards to American dependency.
> Why not get Independent Indian developers and the startup culture established around it
Because the dependency then comes from India. An "Atmanirbhar" EU means having the capacity for self-reliance almost entirely within the EU and without a dependency on non-EU states like India or Israel.
> It still doesn't effectively prevent the lock-in or worries in case of a geopolitical spat for EU in reality but only on the papers
European companies (like all companies) don't care about open-source once they become dominant in a segment - for example ERP and SAP and SUSE Linux, and industrial systems.
> To be honest, I am open to open sourcing much of my products (ideologically) but the problems I feel in open source is that its hard to even make a developer salary comparatively even in India
That's the reality of OSS. There's a reason most OSS contributors for critical projects are employed by the organizations that heavily utilize that project (eg. Python and Google, OCaml and Jane Street).
Comment by Imustaskforhelp 3 days ago
https://news.ycombinator.com/view?id=46712907
I do believe that open source has its value. I love Open source and Privacy first is only possible with OSS-first. I have always been interested in how to monetize Open source (https://news.ycombinator.com/item?id=45558430) where the reason I found most people aren't interested or weren't (not sure if the mood changed now that the geopolitical wind has changed completely) but the reason I found was that people wanted OSS to almost be perfect but the rough corners in OSS were usually for the most part because of lack of funding.
So, I will probably try out some ways of funding OSS or at the very least have it be in a source available license. Proprietary just doesn't align with my idea of privacy first.
So yea hopefully it makes sense and we can all create or use privacy preserving services.
At the end of the day, I just hope that OSS can find ways to be funded. Much of what I want to do wouldn't be a problem or wouldn't even exist (As I got much of ideas that I want to implement because OSS wasn't funded and I had made that thread on HN) and honestly I hope that one day OSS can be funded the way it truly deserves.
Have a nice day man!
Comment by alephnerd 3 days ago
With the right metrics, you could end up at YC.
Comment by cess11 3 days ago
Comment by Imustaskforhelp 3 days ago
I think this might be the only option available right? Do you know of any other option perhaps cheaper than this?
I think I can only promise at this point that if project becomes worth it ie. makes reasonably lot more than >1500 per year then the project might migrate to as such.
I was seeing an estimates of 300$-400$ on internet and I assumed that was expensive (here, the MSME's don't even require a company formation itself & you get benefits of payment dispute collection & investment from govts directly and lower rate loans and you can get it all online just using aadhaar card which everyone has)
LLCs are a bit of a mess with accounting (I actually wanted to be chartered accountant during my middle school so I saw they make a bank in fees comparatively too) but it's still pretty reasonable.
Anyways, what would be the best bet, would this still be the best bet or is there anything which can allow for something say cheaper/easier? Would say having an European co-founder might help comparatively in the fees/other options?
Comment by cess11 3 days ago
If you squeeze it you could probably get down to 3-400 euros per year starting from the second year (due to one-time fees the first year) if you do your own books and taxes and whatnot, but just paying upfront for keeping things neat according to the local bureaucracy is likely a kind of convenience you'd want.
I'd say you should start buying some services from European infra and compute providers and see if your ideas make money. You can get away with very little if you get some storage and processing time through e.g. Scaleway or Hetzner, and with a bit of fiddling I expect them to sell to you regardless of whether you have a company or not. If you start making money enter some Hetzner auction and get real hardware, cost will be predictable and typically you get a lot for the money.
Comment by Imustaskforhelp 3 days ago
{OVH is great but it has a one time setup fee for its dedicated, personally I love Hetzner auctions for the most part too but Hetzner is a little restrictive in ban first policy and they are strict so for some workflows like creating a reseller etc., Hetzner does have some flaws but still one of the best companies and their support really feels good as well!}
Thanks for your response, I will look into the Estonia thing later if I would need to seriously pivot to EU for any reason.
Currently thinking that I can use Wise or anything to accept SEPA bank payments and other if need be.
Comment by Imustaskforhelp 3 days ago
I have decided to be transparent and here's what I will most likely do if I ever create a company.
I would firstly create an Indian company & operate it as such. I will try to be GDPR compliant from day one, and still use EU providers/privacy providing services instead of hyperscalers in general.
Instead of trying to get a legal thing which says EU first or India first, I will try to be privacy first, by open sourcing things or relying and contributing to either open source or at the very least source available licenses (so that people can independently audit, I prefer using open source but we will see how much monetizable it is, I am not looking for too much money as I am frugal but still I do want sustainability, I might start out source available and pledge to release it open source once the project might reach enough users let's say or I can earn "enough" with a proper definition)
So a big emphasis on privacy & sustainability. Most EU cloud options are definitely green as well (like Netcup) so I can get that checkbox available as well most likely but there isn't any guarantee but still my point is I would still try to keep Climate change in mind as a factor hopefully too while still optimizing for a good enough price range.
I will also create a blog post probably highlighting all of this and also the fact that I am willing to go EU first if my product would focus on EU/actually trends with EU consumers/businesses & then I will establish an Estonian company as people have said here and make my Indian company the subsidiary of my Estonian company and use either a fin-tech solution either from the start of my Indian company which could support SEPA or other EU solutions or I will do it afterwards with a proper bank account/fin-tech support after I make an Estonian company (which I would if my project can make say make some fixed amount of money most likely from EU customers such that the 1000 euros or more becomes a reasonable investment, or if I ever create an EU branch, my point is I will try to make the EU branch the head branch and Indian branch subsidiary and not vice versa hopefully though, currently please take what I am saying with a grain of salt as I can be wrong I usually am, I am just figuring out life :] and how to build and live off of building things that I myself would enjoy working on/the ideas around it like infrastructure decisions etc!)
My point is I am very much more open to work with sustainability/privacy goals with a more focus on open source and probably try not to take any VC funding hopefully and still be day one profitable & transparent/sustainable. Nothing's set in stone right now but hopefully I am able to explain what I think about these ideas.
Comment by BiteCode_dev 3 days ago
All MacOS, iOS, Windows and Android are all produced by the USA. Virtually all chips as well.
It is foolish to assume there are not backdoors in every one of them.
Meaning we should assume the USA can shut down the entire Europe's IT if they really want to.
Then you got the authentication systems, security software (antivirus, proxies like Cloudflare, CrowdStrike and so on), the various SaaS (docs editors, drives, ticket systems, chats...), the payment systems (including Visa and SWIFT, but also PayPal, Google Pay, Stripe, etc), the software stores, the root DNS, the SSL root certificates and a ton of network hardware.
Given the current political situation, it's a very bad spot to be in.
Comment by self_awareness 3 days ago
I only knew there is a bad cookie banner when I've opened the website in another browser.
Have mercy, webmasters.
Comment by Piraty 3 days ago
Comment by self_awareness 3 days ago
I mean, if a project is not able to get a functioning website, then well...
Comment by netfortius 3 days ago
Comment by 28304283409234 3 days ago
Comment by sirdvd 3 days ago
Comment by jijijijij 3 days ago
Comment by 372927352929 3 days ago
Comment by nkoren 3 days ago
Comment by tucnak 3 days ago
Unless you're a hyperscaler yourself, hyperscaling is overrated.
Comment by nkoren 2 days ago
It's already an uphill battle, because humans in large organisations seem to have an innately conservative bias which says that "nobody ever got fired for choosing ${giganticEvilStatusQuoCorporation}". That, combined with the fact that the US hyperscalers have, I dunno, hundreds of billions of dollars worth of ability to put their thumb on the political and regulatory scales, make this an uphill battle. There will need to be a specific plan for leveling the playing field.
What is that plan?
Comment by kevin061 3 days ago
Comment by nkoren 2 days ago
I'm at a point in my life (personal bandwidth hovering near 0%) where I'm not getting involved in anything unless I have not just a good reason ("this is a noble agenda; somebody should do something about it, and hey, I guess I'm a somebody"), but a damned specific reason ("I have unique capabilities which can help this specific initiative in this specific way").
Anyhow, in this particular domain, I'm pretty sure there are people who could be MUCH more useful contributors than I. I'd love to forward the "manifesto" to them -- except I know that they're in the same position as me: essentially zero bandwidth. Any new project they get involved with means dropping something else that's currently on their plate, and is presumably important. They're not going to do that on a lark. They'll need a damned good reason to participate, before deciding to spend time on something new.
To be honest, ANY real power-players will be in this position. They don't have free time on their hands; they won't just join up in the vague hope that maybe it'll be a place where things can happen. You will need power-players on-side, and without a much more specific proposition, you're not going to get them.
But I'm glad you've joined. Job no. 1: that manifesto needs to do a lot more manifesting before it's fit for purpose!
Comment by sam_lowry_ 3 days ago
AI slop again?
Comment by self_awareness 3 days ago
Comment by sam_lowry_ 3 days ago
So much for EU-something, riddled with EU-problems.