The Netherlands Just Quit GitHub. Developer Infrastructure Is the Next Sovereignty Battle.

Hosting code on GitHub feels so default that most of us forget it’s a Microsoft product. The Dutch government just cracked that assumption wide open by spinning up its own open-source code platform. The question they’re really asking — why does our government’s code live on a US company’s servers? — carries more weight than it sounds.

Why developer infrastructure, why now

Europe’s digital sovereignty push isn’t new. Cloud (Gaia-X), office suites (LibreOffice), messaging (Matrix) — the continent has been chipping away at US tech dependence for years. But the most foundational layer of all, the code repository itself, has remained almost entirely in Microsoft’s hands.

Two risks make that uncomfortable. The first is legal exposure. Under the US CLOUD Act and various export control regimes, government code and collaboration history sit inside American jurisdiction. The second is operational risk. Just yesterday, GitHub disclosed an RCE vulnerability (CVE-2026-3854) alongside a major availability incident. When government infrastructure rides on a single vendor, that vendor’s bad day becomes your bad day.

The choice: self-hosted Forgejo

The Netherlands didn’t build something from scratch. They deployed a battle-tested open-source Git forge on their own infrastructure — the same approach that’s quietly become the European public-sector standard. Codeberg, the nonprofit-run forge, and Forgejo, the community-governed Gitea fork it’s built on, are designed around one principle: no single company should be able to flip a switch and break your workflow.

This isn’t a one-off. Schleswig-Holstein in Germany, France’s code.gouv.fr, the European Commission’s code.europa.eu — public-sector Europe has been building out non-GitHub forges for years. The Netherlands is the latest signatory, not the pioneer.

What changes for developers

Day-to-day, not much for developers outside Europe. But the signal matters. First, the open-source forge ecosystem is now being stress-tested as a real GitHub alternative. Forgejo and Gitea have long carried a “fine for hobby projects, not government-grade” stigma. National adoption changes that conversation.

Second, it’s a forced reckoning with vendor lock-in. PRs, Actions, Issues, Projects — half your team’s daily workflow runs through one company’s product, and you only notice when it breaks. If your CI froze during yesterday’s GitHub outage, you already know what I mean.

Third, zoom out and a pattern emerges. Mitchell Hashimoto pulling Ghostty off GitHub. US export controls locking out developers in sanctioned countries. The Dutch move. The realization is spreading: code hosting is political infrastructure, whether we treat it that way or not.

The hard parts

It’s not all upside. GitHub’s network effects are crushing — library discovery, issue tracking, the contributor pool, Copilot. No government-run forge will replicate that ecosystem. The likely outcome is a dual-stack model: canonical repos on the sovereign forge, mirrors on GitHub for outside collaboration. That doubles the cost and the operational complexity.

Then there’s staffing. Security patches, scaling, uptime monitoring — all the things GitHub silently handles — now land on government IT teams. Yesterday’s GitHub RCE is a useful reminder that even Microsoft-scale resources don’t catch everything. There’s no guarantee a smaller team does better.

The takeaway

Digital sovereignty has moved past cloud and data. The frontline is now developer infrastructure, and the Netherlands just drew a clear line on which side it’s on. This isn’t procurement housekeeping — it’s a policy answer to a question most organizations haven’t asked yet: where should our code actually live?

So: where does yours live? Company repos, side projects, open-source contributions, all sitting on one company’s servers. Most of us have never paused to find that strange. Maybe it’s time we did.