Every German who renews a passport, files taxes through ELSTER, fights for a Bürgeramt appointment, or signs into a statutory health insurer does all of it inside a rendering engine they do not control, cannot audit, and that rewrites itself overnight from a server on the American west coast. The browser engine is the most widely deployed piece of foreign software in the whole of German public life. And it is not on a single critical-infrastructure list.
The thing nobody puts on the list
KRITIS, the German critical-infrastructure regime overseen by the BSI, names everything: energy, water, food, telecommunications, health, finance, and transport. NIS2 widened the perimeter across the EU. And the browser engine? It is the door into every one of those sectors — the layer through which the citizen actually reaches the services — and it sits outside everything we have ever designated.
Three engines run the open web. Google’s Blink carries roughly three-quarters of all traffic, through Chrome, Edge, and nearly all the rest. Apple’s WebKit has iOS locked down. Mozilla’s Gecko, the heart of Firefox, now languishes below five percent. All three are steered from the United States. The European Commission’s June 2026 tech-sovereignty package admits it outright: for the important digital technologies, the Union depends on sources outside Europe for over eighty percent. That is no longer a dependency, it is a relationship.
And here is the point: this is not ownership anxiety. It is an open barn door in governance. An engine that updates itself is a remotely controlled write channel into every public machine that runs it: whoever controls the update server decides what gets pushed onto those devices tonight. We would never tolerate that for an electricity meter or a telephone exchange. But for the layer through which the entire state meets its citizens, we look the other way — because it “works.” That is exactly what every captured piece of infrastructure looks like. Right up to the day it stops working.
Three engines — two of them you’ll never build yourself
Take the romance out of the word and an engine is an assembly of seven parts in a loop: networking, HTML parsing, the DOM, the CSS cascade together with style computation, layout, rendering and compositing, and the bindings that couple JavaScript to the tree. The trick is to grasp that the deepest and most expensive of those parts are commodities. A JavaScript engine, a stack for text shaping and font rasterization, and the GPU primitives beneath rendering — each is person-millennia of work, and rebuilding them buys you exactly zero sovereignty. Nobody controls the web because they own a font rasterizer.
What actually belongs to you — the sovereign silver — is the layout engine, the rendering pipeline, and the security boundary around them. That is the part money is worth spending on, and you do not rebuild it on a greenfield. Servo already exists: a memory-safe engine in Rust, stewarded by the Linux Foundation Europe, taken by a five-person team at Igalia from 41 to 62 percent on the Web Platform Tests, with its first tagged release in 2026. A German engine is therefore a problem of forking and funding — on a European foundation, not a blank page. The full accounting, including the costs below, is laid out in this excellent reality check on browsers and sovereignty.
The shopping list, all in Rust
Here is the stack a funder should actually pay for — selected by a single rule: no American platform gatekeeper in any load-bearing part.
| Subsystem | Sovereign choice | What it replaces |
|---|---|---|
| Language | Rust | memory safety as the foundation — and the whole ecosystem beneath it |
| JavaScript engine | Boa | V8 (Google), JavaScriptCore (Apple), SpiderMonkey (US) |
| GPU rendering and compositing | WebRender + wgpu | Skia and platform-native graphics stacks |
| TLS | rustls | Google’s BoringSSL, OpenSSL |
| Layout | built in-house, on the Taffy framework for Flexbox/Grid | the one part nobody will sell you |
| Text and i18n | rustybuzz, fontations, ICU4X | HarfBuzz, FreeType, ICU (the old C libraries) |
| Accessibility | AccessKit | the platform’s accessibility APIs |
| Base codebase | Servo | a from-scratch rewrite |
The one component that decides whether the word “sovereign” survives the reality check is the JavaScript engine. Embed Google’s V8 or Apple’s JavaScriptCore and you have merely rebuilt the dependency with a nicer logo. Mozilla’s SpiderMonkey is the honest bridge — open, embeddable, the fastest path to a running browser — but it is still code from the US. Boa is the target: an embeddable engine in Rust, MIT-licensed, community-maintained, and already at roughly 94 percent conformance on Test262, the official ECMAScript suite. It is further along than anyone gives it credit for — its Temporal library for dates and times is good enough that V8 itself now uses it. The gap to V8 and SpiderMonkey is real, but it lies in raw speed and in the thousand edge cases, not in correctness. And a gap of exactly that kind is the sort of work a state initiative is good at: bounded, affordable, no black magic. Fund Boa up to web grade, and the JavaScript layer of the European stack contains no foreign-controlled code at all.
Where the money actually goes
The honest engineering picture is the opposite of frightening. Almost everything on the list is either a commodity you wire in once or a bounded problem you solve once. There is exactly one barrier that money only buys down slowly, and that is web compatibility — concretely: it has to behave like Chrome. Layout is loosely specified at the edges, so “correct” in practice means “behaves like Blink, including where Blink departs from the spec” — because the world’s websites are tested against Chrome and not against the specification. There is no elegant shortcut. It is long, stubborn testing against the Web Platform Tests, and that is where the lion’s share of the work will sit over time.
Two other problems are genuinely hard, and both are security problems where a Rust engine can be better than the incumbents rather than merely catching up: the renderer sandbox and the trust boundary between it and the privileged process — and the lifetimes of the DOM objects the JavaScript garbage collector tracks, the classic source of exploitable use-after-free bugs, the very thing memory safety was invented to kill.
The money for all of it? Estimated at roughly 50 to 70 million euros a year — for developers, testing, security audits, and standards work. Set that next to the European Space Agency’s 7.8-billion budget, or the 300 billion the EuroStack initiative wants to pour into digital infrastructure, and a browser engine is a rounding error. It was never about the money. It is about permanence: an engine is not a project that finishes, it is a commitment that has to outlive the ministry that paid for it.
In public hands — and federally
Germany already builds sovereign public software, and already does it federally. ZenDiS, the Center for Digital Sovereignty of Public Administration — a federally owned company founded in late 2022 and explicitly on its way to becoming a joint federal-state body — runs openCode, the public sector’s code forge, and openDesk, the sovereign alternative to Microsoft 365. When the heads of government of all sixteen states gathered for the Minister-Presidents’ Conference, they used openDesk — a week after launch. And at EU level the apparatus is taking shape too: an EU consortium for digital infrastructure and digital commons, with ZenDiS and Germany’s Sovereign Tech Agency set to carry the first projects. The chassis a browser engine would need is half-built before anyone has written a line of layout code.
So put the engine where the rest of the sovereign stack already lives: one upstream, sixteen stewards. A single federal browser authority would recreate the very thing you are running from — one point for political capture and one blast radius for every vulnerability. A federated model, maintained at the state level, distributes the security review, fits the subsidiarity the German state is built on, and ensures no single ministry and no single company holds the keys. Engines do not pool at Google because it would be impossible for everyone else. They pool there because no one else was willing to pay for permanence. A federated public mandate is the one structure that can fund permanence without raising a fresh monopoly under a European flag.
And now the plain truth about the real risk: it is not technical. Germany’s own open-source efforts have already been throttled because federal departments protected their legacy contracts — netzpolitik documented exactly how this agency got the red pencil. The threat to a German engine is procurement politics at home. It was never Rust.
A republic that cannot render its own government in a browser it controls has already handed the front door to someone else. The standards are open, the language is Rust, the foundation is Servo, the JavaScript engine is Boa, and the chassis to govern it is already standing. Fork it. Fund it. Put it in KRITIS. And the keys — those go to the states.
Für meinen Großonkel Lutz und seine Familie, 1941 – die wir nicht mehr aus Berlin herausholen konnten, bevor sie wegen der Angaben in ihren Papieren getötet wurden.