Belgium may not grab headlines, but its Digital Transformation Office (BOSA) is taking strong steps toward open software ecosystems. It open-sourced its national ID middleware and issued clear guidelines to reduce government reliance on Microsoft infrastructure.
By preparing its IT backbone for long-term independence, Belgium is laying the foundation for improved cloud computing security and vendor-neutral digital services. The initiative supports European software ecosystems and reduces the country’s legal and privacy exposure from foreign-owned platforms.
COUNTRY 5 OF 10: NETHERLANDS →
Belgium seldom lands on tech-sovereignty watch-lists, yet its Federal Policy & Support Service (BOSA) has quietly published more than sixty GitHub repositories, including the full middleware for the national eID card. Open-sourcing that cryptographic core in 2021 was more than a transparency gesture: it enabled universities and cybersecurity start-ups to probe—and patch—vulnerabilities before hostile actors could exploit them. By 2024 BOSA began integrating Itsme, the wildly popular mobile identity wallet, into government portals without paying per-transaction royalties, thanks to the open stack. In early 2025 the agency pushed a draft bill that would make open standards mandatory for any system processing citizen identifiers. Behind the scenes, civil servants are beta-testing a LibreOffice plugin that signs PDFs with the eID certificate, eliminating the last Microsoft-only macro in judicial workflows. What does this mean for cloud computing security? First, identity remains on Belgian soil: encryption keys never leave the country. Second, every commit to the middleware triggers CI pipelines that publish Software Bill of Materials (SBOM) artefacts—a practice recommended by ENISA but still rare in public administration. Third, BOSA partnered with KU Leuven to stress-test the codebase against quantum-resistant algorithms, future-proofing the platform well past the typical five-year IT horizon. The cumulative effect is a layered defence model in which vendor-lock risk is not merely reduced but structurally impossible: if a supplier walks away, the government retains full rights to fork, audit and extend the stack. Observers at the European Interoperability Framework call Belgium’s model “the clearest blueprint yet for sovereign digital identity in the EU.”