IFIP WG 8.9 · International Federation for Information ProcessingVienna, Austria · 12–13 September 2027
C27

CONFENIS 2027

13th International Conference on Enterprise Information Systems

TU Wien, Vienna
Hosted by Vienna University of Technology

CONFENIS 2027 · Paper 06 · Digital Sovereignty and Public-Sector EIS

Towards Digital Sovereignty: A Framework for Evaluating Vendor Lock-In Risk in Public-Sector ERP Deployments

Andreas Schwarz, Júlia Kovács, Karol Nowak

WU Vienna · Corvinus University Budapest · Warsaw University of Technology

Paper numberCONFENIS 2027 / 06
TrackDigital Sovereignty and Public-Sector EIS
Pages76–90
ProceedingsSpringer LNBIP vol. 528 (2027)
Correspondingandreas.schwarz@wu.ac.at
DOI10.1007/978-3-031-XXXXX-X_6
Abstract

Public-sector ERP deployments are by their nature long-lived, mission-critical and politically sensitive. The European discourse on digital sovereignty has rendered vendor lock-in — until recently treated as a procurement risk — a strategic governance concern. We propose VLIRA (Vendor Lock-In Risk Assessment), a structured framework for evaluating lock-in risk in public-sector ERP, operationalised across seven dimensions ranging from data portability to skills concentration. We apply VLIRA retrospectively to twelve public-sector ERP deployments across Austria, Hungary, Poland and the Czech Republic and prospectively to one ongoing tender, demonstrating the framework's diagnostic and prescriptive utility.

Keywords: Digital Sovereignty; Vendor Lock-In; Public-Sector ERP; Risk Assessment; European Public Administration

1. Introduction

The EU Strategic Compass for Digital Decade (European Commission, 2021) and Germany's GovTech Plan (BMI, 2023) have elevated digital sovereignty from a technical concern to a strategic-policy priority. Vendor lock-in in mission-critical ERP — historically treated by IT procurement teams as a contract risk — now sits in the wider conversation about whether European public administration retains agency over its operational data infrastructure. Yet the practical assessment of lock-in risk remains under-developed, with most procurement frameworks limited to point-of-sale checklists rather than longitudinal risk monitoring.

2. Method

We construct VLIRA through a Delphi study (Linstone & Turoff, 2002) of 17 senior public-sector CIOs from Austria, Hungary, Poland and the Czech Republic across three rounds (March 2025 – September 2025). The resulting framework defines seven risk dimensions, each scored on a 0–5 ordinal scale: (D1) data portability; (D2) functional replaceability; (D3) skills concentration; (D4) contract exit cost; (D5) regulatory alignment; (D6) supplier financial stability; (D7) jurisdictional exposure. A composite lock-in score is computed as a weighted Euclidean norm. We applied VLIRA retrospectively to twelve completed public-sector ERP deployments (four per country, excluding Austria where one site declined participation, yielding three) and prospectively to one Polish ministry tender.

3. Results

Retrospective scoring placed three of twelve deployments in the high-risk band (composite score > 3.5), eight in the medium-risk band (2.0–3.5), and one in the low-risk band. All three high-risk cases shared two features: a single-vendor stack and a contractual exit penalty greater than 200% of the residual contract value. The single low-risk case had explicitly mandated an open-source-led architecture from inception. Jurisdictional exposure (D7) was the highest-scoring dimension across the sample, reflecting the concentration of public-sector workloads on US-headquartered hyperscalers. Skills concentration (D3) was the second-highest dimension, reflecting the deep specialisation of SAP and Oracle consultancies in the region.

4. Discussion

VLIRA's value is twofold: as a diagnostic instrument for incumbent deployments, it identifies the specific dimensions in which mitigation can be targeted; as a procurement instrument for new tenders, it offers a structured alternative to ad-hoc lock-in screening. Two boundary conditions matter. First, weights across the seven dimensions are political-economic choices, not technical ones; we recommend transparent stakeholder-led weight setting rather than analyst-imposed defaults. Second, jurisdictional exposure (D7) reflects geopolitical conditions that change faster than ERP lifecycles; longitudinal re-scoring is essential.

5. Conclusion

Digital sovereignty in public-sector ERP is not a binary condition but a continuous risk-management practice. VLIRA offers a transparent, multi-dimensional framework supporting that practice. We release VLIRA's instrument and scoring tooling as a public good (CC-BY-SA).

References

  1. BMI: GovTech-Plan des Bundes 2023–2027. Bundesministerium des Innern und für Heimat, Berlin (2023).
  2. European Commission: Path to the Digital Decade — Strategic Compass. COM(2021) 574 final (2021).
  3. Hofmann, S., Beverungen, D., Räckers, M., Becker, J.: What makes local governments' online communications successful? Government Information Quarterly 30(4), 387–396 (2013).
  4. Kovács, J., Schwarz, A., Nowak, K.: Public-sector cloud adoption in Visegrád countries. Government Information Quarterly 41(2), 101892 (2024).
  5. Linstone, H.A., Turoff, M. (eds.): The Delphi Method: Techniques and Applications. Addison-Wesley (2002).
  6. Schwarz, A.: Vendor lock-in as governance risk in European public administration. Information Polity 29(4), 421–438 (2024).

Citation: Andreas Schwarz, Júlia Kovács, Karol Nowak. "Towards Digital Sovereignty: A Framework for Evaluating Vendor Lock-In Risk in Public-Sector ERP Deployments." In: Tjoa, A.M., Mendling, J., Wimmer, M. (eds.) Research and Practical Issues of Enterprise Information Systems. CONFENIS 2027. LNBIP 528, pp. 76–90. Springer, Cham (2027).

© Springer Nature Switzerland AG 2027. Reproduction with permission.

← Back to proceedings