VelaOS for the EU public sector

The managed-endpoint layer for sovereign Linux rollouts across Europe.

France is moving 2.5 million workstations to Linux by 2027. Schleswig-Holstein is rolling 30 000 PCs off Windows this year. The German Armed Forces and the International Criminal Court are on openDesk. The application layer is solved; the managed-endpoint layer isn't — IGEL OS 12 is now US-owned, HP ThinPro and Dell ThinOS aren't sovereign-compatible. VelaOS is the auditable, Cloud-Act-free, cosign-signed endpoint-management layer that slots underneath openDesk, La Suite Numérique, and the rest of the EU sovereign stack.

2.5M French government workstations mandated to migrate from Windows to Linux by 2027

France DINUM interministerial directive, April 2026

What EU public sector IT teams are dealing with

IGEL OS 12 is now US-owned (HP acquisition)

Public-sector procurement teams targeting sovereignty are being told by counsel that HP-owned IGEL inherits US Cloud Act exposure. The de-facto Linux thin-client manager is no longer a sovereign option. Stratodesk and Dell ThinOS have the same problem. Ministries are looking for a replacement that is auditable end-to-end.

openDesk is wonderful, but it needs an endpoint OS

openDesk (Nextcloud + Collabora + Element + Jitsi + OpenProject) is a brilliant application suite. It still has to run on something. That something cannot be Windows, since the whole point of the migration is to get off Windows, and it cannot be a US-owned thin client. VelaOS is the bootc Linux endpoint openDesk can stand on, with signed updates that meet the openCode standard.

Decades of legacy Windows apps you can't turn off overnight

Tax systems, HR databases, municipal ERP, CAD software: none of them has a native Linux client, and none will for years. Ministries need a thin-client profile that bridges legacy Windows VDI into a sovereign endpoint, audited and session-recorded for NIS2 compliance. VelaOS ships Apache Guacamole and the Horizon / Citrix / AVD clients as signed VelaApps, all behind one policy.

Per-device compliance evidence your auditor can read

BSI-C5 and SecNumCloud auditors ask for signed artifact trees, SBOMs, and vulnerability-exploitability statements. We publish SPDX SBOM + OpenVEX + SLSA-L3 provenance on every VelaApp, cosign-attested and verified on pull by the device agent. Evidence is the default, not a report someone has to generate by hand every quarter.

Compliance landscape

NIS2 Directive

Endpoint audit trail, session recording on VDI bridges, signed updates with rollback.

DORA

Operational-resilience controls for financial-sector ministries; rollback + emergency-stop in the console.

EU AI Act

Local-only Whisper transcription for meetings; no cross-border data transfers for generative features.

Cyber Resilience Act (CRA)

Mandatory SBOM in machine-readable format from Dec 2027 — already shipping today per ADR-0024.

GDPR

Tenant-owned object storage, EU-region hosting roadmap (Outscale / Scaleway / Hetzner / OVH).

BSI-C5 / SecNumCloud

Roadmap — see SOVEREIGN_EU.md §6 for the certification sequence.

How VelaOS helps

  • Single bootc image, profile switched by policy — the same device is a kiosk, VDI thin client, or civil-servant desktop depending on the role pushed from the console
  • Signed-app supply chain: every VelaApp is cosign-signed with SBOM + VEX + SLSA-L3 provenance attested as OCI referrers; agent verifies before install, blocks on CISA-KEV matches
  • Designed to host openDesk and La Suite Numérique — a pre-cut bundle spec (OPENDESK_BUNDLE.md) ships Nextcloud, Collabora, Element, Jitsi, OpenProject, XWiki, Grist, Keycloak, CryptPad as signed VelaApps
  • Legacy-Windows bridging: Apache Guacamole with session recording, Horizon and Citrix clients as signed apps — all the transition pieces a ministry needs to leave Windows without breaking frontline work
  • Open, auditable, Cloud-Act-free — source code and signatures public, primary hosting moving to EU-sovereign regions ahead of SecNumCloud application
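The "blocks on CISA-KEV matches" gate from the signed-app bullet above can be sketched as follows. This is an added example, not VelaOS agent code: it assumes signature verification has already passed, that scanner findings arrive as (purl, CVE) pairs, and that an OpenVEX `not_affected` or `fixed` statement clears a KEV match. All CVE ids, package URLs and function names are constructed placeholders, and document order stands in for statement timestamps.

```python
import json

# Constructed sample data (placeholder CVE ids and package URLs, not real advisories).
KEV_CATALOG = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001"}, {"cveID": "CVE-0000-0002"}]}""")

SCAN_FINDINGS = [  # CVEs a scanner matched against the app's SBOM components
    {"purl": "pkg:deb/debian/libexample@1.2.3", "cve": "CVE-0000-0001"},
    {"purl": "pkg:deb/debian/libexample@1.2.3", "cve": "CVE-0000-0003"},
    {"purl": "pkg:pypi/samplepkg@4.5.6", "cve": "CVE-0000-0002"},
]

OPENVEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.2.3"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:pypi/samplepkg@4.5.6"}],
         "status": "under_investigation"},
    ],
}

CLEARED = {"not_affected", "fixed"}  # assumption: these statuses lift a KEV block


def vex_status(vex, purl, cve):
    """Return the last OpenVEX status for (product, CVE), or None if unstated."""
    status = None
    for st in vex.get("statements", []):
        products = {p.get("@id") for p in st.get("products", [])}
        if st.get("vulnerability", {}).get("name") == cve and purl in products:
            status = st.get("status")  # later statements supersede earlier ones
    return status


def install_decision(findings, vex, kev):
    """Block when any finding is KEV-listed and not cleared by a VEX statement."""
    kev_ids = {v["cveID"] for v in kev.get("vulnerabilities", [])}
    blocking = [f for f in findings
                if f["cve"] in kev_ids
                and vex_status(vex, f["purl"], f["cve"]) not in CLEARED]
    return ("block" if blocking else "allow", blocking)


if __name__ == "__main__":
    print(install_decision(SCAN_FINDINGS, OPENVEX_DOC, KEV_CATALOG))
```

A KEV-listed finding with no VEX statement, or one still `under_investigation`, fails closed; a finding outside the KEV catalog never blocks in this gate.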

Typical EU public sector fleet profile

Fleet size

5 000 – 100 000+ endpoints (municipality to national ministry)

Refresh cycle

4 – 6 years (public-sector IT) — VelaOS extends usable life via lightweight runtime on legacy hardware

Common VDI

VMware Horizon, Citrix Workspace, AVD / Windows 365 — all bridged via signed VelaApps. Apache Guacamole and Kasm for browser-only streaming where no thick client is sanctioned.

Run the numbers for your EU public sector fleet

Pre-filled with 2,500 devices, the typical starting point for the EU public sector.