[EN draft]

Tender: ΥΕΚΨΠ/2025/18/Α/Δ — Creation and Operation of the Government Hybrid Cloud
Official link: https://www.eprocurement.gov.cy/epps/cft/prepareViewCfTWS.do?resourceId=7751943
Estimated value: €34.2m (without VAT)
Duration: 125 months (~10.5 years)
Funding: EU Recovery and Resilience Facility (RRF)
Announcement date: 8 August 2025
Clarification deadline: 19 September 2025 (11:00)
Submission deadline: 3 October 2025 (11:00)

---

The Issue

Cyprus has launched a €34M procurement for the creation and operation of a Government Hybrid Cloud. This ten-year project will underpin the country’s digital infrastructure across ministries and public services.

The Danger

If implemented on proprietary terms or tied to foreign closed-cloud providers, Cyprus risks decades of vendor lock-in, dependency on transnational monopolies, and weakened digital sovereignty. This would contradict EU priorities for digital resilience, openness, and strategic autonomy, while misusing RRF funds intended to build long-term sustainability.

The Opportunity

By adopting the principle of Public Money, Public Code, Cyprus can build a sovereign digital backbone — open, auditable, interoperable, and reusable. This would:

• Align with the EU Declaration on Digital Rights and Principles (2022) (https://digital-strategy.ec.europa.eu/en/news/digital-rights-and-principles-digital-transformation-eu-citizens),
• the European Data Strategy (2020) (https://digital-strategy.ec.europa.eu/en/policies/strategy-data),
• and the Digital Compass 2030 (https://digital-strategy.ec.europa.eu/en/library/targeted-consultation-2030-digital-compass-european-way-digital-decade).
• Reduce long-term costs and increase transparency.
• Create opportunities for Cypriot universities, SMEs, and the FLOSS community to contribute to system development and maintenance.

Why It Matters

This tender is not just about technology. It is about the future of who controls Cyprus’ digital state infrastructure. With the right approach, Cyprus can avoid lock-in and align with the EU’s emerging push for a common ‘Eurostack’ and the increasing body of regulations and policies supporting European digital sovereignty by showing how RRF funds can build open, democratic digital sovereignty.

Key Problems and Democratic Deficits

The call for tenders highlights a number of serious problems and democratic accountability deficits relating to digital sovereignty, resilience, and societal participation. The following points are identified through an analysis of the terms of the tender and their comparison with EU policy guidelines.
Citations refer to the official Tender Notice ΥΕΚΨΠ/2025/18/Α/Δ as published on the Cyprus eProcurement platform.

1. Vendor Lock-in and Sovereignty Risks (Tender Notice, section 5.1.1 – CPV codes, no mention of open standards/FLOSS)
   The tender lacks explicit requirements for open standards or Free/Libre and Open Source Software (FLOSS).
   Risks long-term dependency on proprietary ecosystems (Microsoft Azure, AWS, Oracle).
   EU policy gap: undermines the EU Declaration on Digital Rights and Principles (2022) and the European Data Strategy (2020), which emphasise interoperability, openness, and data sovereignty.
   

2. Excessive Duration and Scale (Tender Notice, section 5.1.3 – Duration: 125 months)
   Contract length: 125 months (~10.5 years) — far longer than innovation cycles (2–3 years).
   Locks Cyprus into a single solution for over a decade, limiting adaptability.
   Conflicts with the EU Cybersecurity Strategy (2020) principle of resilience through diversification.
   

3. Language Restriction (Tender Notice, section 5.1.12 – Languages: Greek only)
   Offers can be submitted only in Greek.
   This blocks many EU SMEs and FLOSS consortia from competing.
   Contradicts: the EU SME Strategy for a Sustainable and Digital Europe (2020) and the spirit of the Single Market.
   

4. Opaque Quality Criteria (Tender Notice, section 5.1.10 – Award criterion: Best Price–Quality Ratio, no breakdown)
   “Best Price–Quality Ratio” is the award criterion, but with no transparent, measurable indicators.
   Risks arbitrary evaluation and political influence.
   Contradicts: EU procurement guidelines (Directive 2014/24/EU) on transparency and accountability.
   

5. Misuse of RRF Funds (Tender Notice, section 2.1.3 – Value and funding source: RRF)
   RRF intended to promote resilience, sustainability, and innovation.
   Using €34m for potentially proprietary, closed infrastructure creates new dependency instead of resilience.
   Contradicts: RRF Regulation’s emphasis on sustainable, future-proof digital transformation.
   

6. SME and Civil Society Exclusion (Tender Notice, section 5.1.6 and 5.1.12 – No lots, no multiple offers, appeals restricted)
   No subdivision into lots; no multiple or variant offers permitted.
   Appeals mechanism restricted to economic operators; citizens and NGOs cannot challenge democratic risks.
   Contradicts: Digital Compass 2030 and EU human-centric digital transition principles.
   

7. Geopolitical Dependence (Tender Notice, section 5.1.6 – GPA covered, international eligibility)
   WTO GPA rules open the tender internationally, but no safeguards for EU jurisdictional control.
   Without guarantees, Cypriot government data could fall under foreign laws (e.g. U.S. CLOUD Act).
   Contradicts: GDPR and EU’s pursuit of digital sovereignty.

---

European Counter-Examples of FLOSS-Based Sovereign Infrastructure

• Estonia – e-Government Cloud & X-Road: FLOSS-based secure data exchange underpinning national infrastructure (https://e-estonia.com/solutions/interoperability-services/x-road/).
• France – NUBO Cloud (DINUM): Sovereign public-sector cloud built on OpenStack (https://superuser.openinfra.org/articles/why-nubo-chose-openstack-to-build-a-sovereign-open-source-cloud-infrastructure/).
• France/Switzerland – NumSpot & Infomaniak: Sovereign cloud providers combining FLOSS and strong GDPR compliance (https://www.cispe.cloud/sovereign-cloud-providers-numspot-and-infomaniak-join-cispe/).

Lesson: FLOSS-based solutions can deliver resilience, transparency, and sovereignty when supported by open standards, modular procurement, and proper governance.

---

Recommendations

• Mandate Open Standards & FLOSS: Require FLOSS frameworks (e.g. OpenStack, X-Road).
• Subdivide into Lots: Allow SMEs and local innovators to participate.
• Widen Language Access: Accept bids in English and Greek to ensure EU-wide competition.
• Define Transparent Quality Metrics: Interoperability, uptime, open APIs, portability.
• Guarantee EU Jurisdictional Control: Keep state data exclusively under EU law.
• Enable Civil Society Oversight: Involve NGOs, academics, and citizens in governance.
• Future-Proof Design: Shorter terms, modular upgrades, exit strategies to avoid lock-in.

---

Mobilisation Call

• Working Group meet-up: Thursday 18/9/25, 18:00+ at the EL/LAK Matrix room → https://app.element.io/#/room/#ellakcy:matrix.org
• Official Deadline for requests for clarification: 19 September 2025 (11:00).
• Final tender submissions close: 3 October 2025 (11:00).

To connect, join the EL/LAK Cyprus Assembly on matrix: https://app.element.io/#/room/#ellakcy:matrix.org

Key Document Pools

Cyprus Tech Policy Document Pool