Every German who renews a passport, files taxes through ELSTER, fights for a Bürgeramt appointment, or signs into a statutory health insurer does all of it inside a rendering engine they do not control, cannot audit, and that rewrites itself overnight from a server on the American west coast. The browser engine is the most widely deployed piece of foreign software in the whole of German public life. And I don’t see it on a single critical-infrastructure list.
The thing about things not on the list
KRITIS, the German critical-infrastructure regime overseen by the BSI, names everything: energy, water, food, telecommunications, health, finance, and transport. NIS2 widened the perimeter across the EU. And the client-side browser engine? It is the door into every one of those sectors — the layer through which the citizen actually reaches their critical services — and it sits outside everything that has been designated.
Three engines run the open web today. Google’s Blink carries roughly three-quarters of all traffic, through Chrome, Edge, and nearly all the rest. Mozilla’s Gecko, the heart of Firefox, now languishes below five percent. Apple’s WebKit has iOS locked down. All three are based in and steered from the United States. The European Commission’s June 2026 tech-sovereignty package admits it outright: for the important digital technologies, the Union depends on sources outside Europe for over eighty percent. That goes beyond dependency; it is a relationship.
This is not idle ownership desire or anxiety. It is an open barn door in the governance conversation everyone is having. An engine that updates itself is a remotely controlled write channel into every public machine that runs it: whoever controls the update server decides what gets pushed onto those devices tonight, tomorrow and the day after. We would never tolerate that for an electricity meter or a telephone exchange. Chinese toys have been banned for less. But for the layer through which the entire state meets its citizens, we stare like deer in headlights while it “works.” That is exactly what every captured piece of infrastructure looks like. Right up to the day it stops working.
Three engines, two you’ll never build yourself
Take the romance out of the word engine and it’s just an assembly of seven parts in a loop: networking, HTML parsing, the DOM, the CSS cascade together with style computation, layout, rendering and compositing, and the bindings that couple JavaScript to the tree.
The deepest and most expensive of those parts are the commodities. A JavaScript engine, a stack for text shaping and font rasterization, and the GPU primitives beneath rendering — each is person-millennia of work, and rebuilding them buys you exactly zero sovereignty. Nobody controls the web by owning a font rasterizer.
What actually belongs to you is the layout engine, the rendering pipeline, and the security boundary around them. That is the part worth spending time on, and greenfield isn’t necessary. Servo already exists: a memory-safe engine in Rust, stewarded by the Linux Foundation Europe, taken by a five-person team at Igalia from 41 to 62 percent on the Web Platform Tests, with its first tagged release in 2026. A German engine is therefore a problem of forking and funding the low-hanging fruit. The full accounting, including the costs below, is already laid out in an excellent reality check on browsers and sovereignty.
The shopping list, all in Rust
Here is the stack a funder should actually pay for — selected by a single rule: no American platform gatekeeper for critical browser parts.
| Subsystem | Sovereign choice | What it replaces |
|---|---|---|
| Language | Rust | memory safety as the foundation — and the whole ecosystem beneath it |
| JavaScript engine | Boa | V8 (Google), JavaScriptCore (Apple), SpiderMonkey (US) |
| GPU rendering and compositing | WebRender + wgpu | Skia and platform-native graphics stacks |
| TLS | rustls | Google’s BoringSSL, OpenSSL |
| Layout | built in-house, on the Taffy framework for Flexbox/Grid | a part you can’t buy |
| Text and i18n | rustybuzz, fontations, ICU4X | HarfBuzz, FreeType, ICU (the old C libraries) |
| Accessibility | AccessKit | the platform’s accessibility APIs |
| Base codebase | Servo | a from-scratch rewrite |
The one component that decides whether the word “sovereign” applies is the JavaScript engine. Embed Google’s V8 or Apple’s JavaScriptCore and the dependency is still there with a nicer logo. Mozilla’s SpiderMonkey is the honest bridge — open, embeddable, the fastest path to a running browser — but it is still code from the US.
Boa is the ideal target: an embeddable engine in Rust, MIT-licensed, community-maintained, and already at roughly 94 percent conformance on Test262, the official ECMAScript suite. It is further along than anyone gives it credit for — its Temporal library for dates and times is good enough that V8 itself now uses it. The gap to V8 and SpiderMonkey is real, but it lies in raw speed and in the thousand edge cases, not in correctness. And a gap of exactly that kind is the sort of work a state initiative should be working on: bounded, affordable, no vague or fuzzy bits.
Fund Boa up to web grade, and the JavaScript layer of the European stack contains no foreign-controlled code at all.
Where money actually helps
The actual engineering picture is that this is doable, and the time is right. Almost everything on the list is either a commodity you connect once, or a defined problem you solve once. There is exactly one barrier that money buys, and that is web compatibility. It has to behave like Chrome. Layout is loosely specified at the edges, so “correct” in practice means “behaves like Blink, including where Blink departs from the spec” — because the world’s websites are tested against Chrome and not against the specification. There is no shortcut to this part. It is the long, stubborn cycles against the Web Platform Tests, and that is where the lion’s share of the work will sit over time.
Two other problems are genuinely hard, and both are security problems where a Rust engine can be better than the incumbents rather than merely catching up: the renderer sandbox and the trust boundary between it and the privileged process — and the lifetimes of the DOM objects the JavaScript garbage collector tracks, the classic source of exploitable use-after-free bugs, the very thing memory safety was invented to kill.
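The DOM-lifetime problem named above, as an added illustration that is not code from Servo, Boa or the original article: script-side handles carry a generation number, so a handle to a removed node fails a check instead of reaching a reused slot. The names `Dom`, `NodeId` and `stale_handle_demo` are hypothetical, and generational handles are one common Rust pattern, not a claim about how Servo manages DOM objects.

```rust
// Added illustration: a DOM-like node store with generation-checked handles.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct NodeId { index: usize, generation: u32 }

pub struct Node { pub tag: String }

struct Slot { generation: u32, node: Option<Node> }

#[derive(Default)]
pub struct Dom { slots: Vec<Slot>, free: Vec<usize> }

impl Dom {
    pub fn create(&mut self, tag: &str) -> NodeId {
        let node = Node { tag: tag.to_string() };
        if let Some(index) = self.free.pop() {
            let slot = &mut self.slots[index];
            slot.node = Some(node);
            NodeId { index, generation: slot.generation }
        } else {
            self.slots.push(Slot { generation: 0, node: Some(node) });
            NodeId { index: self.slots.len() - 1, generation: 0 }
        }
    }

    /// Remove a node. Bumping the generation invalidates every outstanding handle.
    pub fn remove(&mut self, id: NodeId) -> bool {
        let slot = match self.slots.get_mut(id.index) {
            Some(s) => s,
            None => return false,
        };
        if slot.generation != id.generation || slot.node.is_none() { return false; }
        slot.node = None;
        // If the counter would overflow, retire the slot instead of reusing it.
        if let Some(next) = slot.generation.checked_add(1) {
            slot.generation = next;
            self.free.push(id.index);
        }
        true
    }

    /// Stale or out-of-range handles yield None, never another node's data.
    pub fn get(&self, id: NodeId) -> Option<&Node> {
        let slot = self.slots.get(id.index)?;
        if slot.generation == id.generation { slot.node.as_ref() } else { None }
    }
}

/// The use-after-free shape: script keeps a handle, the node goes, the slot is reused.
pub fn stale_handle_demo() -> (Option<String>, Option<String>) {
    let mut dom = Dom::default();
    let held_by_script = dom.create("iframe"); // constructed sample tags
    dom.remove(held_by_script);
    let reused = dom.create("input"); // lands in the same slot
    (dom.get(held_by_script).map(|n| n.tag.clone()), dom.get(reused).map(|n| n.tag.clone()))
}
```

In a C++ engine the equivalent stale pointer would read whatever object now occupies that memory; here the lookup for the old handle returns `None` while the new handle resolves normally.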
The total money for all of it?
Estimated at roughly 50 to 70 million euros a year — for developers, testing, security audits, and standards work. Set that next to the European Space Agency’s 7.8-billion budget, or the 300 billion the EuroStack initiative wants to pour into digital infrastructure, and a proper sovereign browser engine for everyone is a rounding error.
It was never really about the money. It is about permanence and ease of the commitment: an engine is not a project that finishes; it has to outlive the politician’s handshake and the ministry that paid for it.
In public hands, federally speaking
Germany already builds sovereign public software, and already does it federally. ZenDiS, the Center for Digital Sovereignty of Public Administration — a federally owned company founded in late 2022 and explicitly on its way to becoming a joint federal-state body — runs openCode, the public sector’s code forge, and openDesk, the sovereign alternative to Microsoft 365. When the heads of government of all sixteen states gathered for the Minister-Presidents’ Conference, they used openDesk — a week after launch. And at EU level the apparatus is taking shape too: an EU consortium for digital infrastructure and digital commons, with ZenDiS and Germany’s Sovereign Tech Agency set to carry the first projects. The chassis a browser engine would need is half-built before anyone has written a line of layout code.
So put the engine where the rest of the sovereign stack already lives: one upstream, sixteen stewards. A single federal browser authority would recreate the very thing you are running from — one point for political capture and one blast radius for every vulnerability. A federated model, maintained at the state level, distributes the security review, fits the subsidiarity the German state is built on, and ensures no single ministry and no single company holds the keys. Engines do not pool at Google because it would be impossible for everyone else. They pool there because no one else was willing to pay for permanence. A federated public mandate is the one structure that can fund permanence without raising a fresh monopoly under a European flag.
And now the plain truth about the real risk: it is not technical. Germany’s own open-source efforts have already been throttled because federal departments protected their legacy contracts — netzpolitik documented exactly how this agency got the red pencil. The threat to a German engine is procurement politics at home. Rust has been ready and waiting for the go signal (pun intended).
A republic that cannot render its own government in a browser it controls has already handed critical information infrastructure to someone else. The standards are open, the language is Rust, the foundation is Servo, the JavaScript engine is Boa, and the chassis to govern it is already standing. Fork it. Fund it. Put it in KRITIS. And the keys for it all go to the trusted states.
For my great-uncle Lutz and his family, 1941, whom we could no longer get out of Berlin before they were killed because of the details in their papers.



