On open source infrastructure, digital sovereignty, and building systems that work whether or not the internet does.

Most of the technology underpinning UK higher education is rented. We rent our email from Microsoft. We rent our storage from Google. We rent our AI from OpenAI. We rent our databases from AWS and Supabase. The per-seat costs are manageable, the convenience is real, but the trade-offs are increasingly hard to ignore.

This isn’t a polemic against cloud services. They have a legitimate and probably permanent place in institutional life. But there’s a parallel question worth asking, one that rarely gets space in procurement discussions: what would it look like to own a meaningful slice of your own digital infrastructure? And, given current technology, is that actually harder than it used to be?

The answer, in 2026, is no. The open source ecosystem has matured to a point where a capable, secure, privacy-respecting digital stack is not a research project. It’s an afternoon of Docker containers.

The Problem With Permanent Rental

The UK government’s own House of Commons Library acknowledged in 2024 that the UK lacks a coherent overarching digital sovereignty policy, while noting the growing tension between cloud convenience and data residency obligations for public institutions [1]. That tension is felt acutely in universities, where every new AI or data tool triggers DART reviews, ICT sign-off processes, and data processing agreements whose sub-processor chains stretch across multiple US jurisdictions.

Academic researchers writing in Policy & Internet have described this as a “strategic dependency” problem: European institutions, including universities, have gradually offshored their digital infrastructure to a small number of US hyperscalers, and the leverage that creates runs in one direction only [2]. The EU’s response, a €75 million sovereign digital infrastructure programme involving universities and research centres across 13 countries, is the clearest institutional signal yet that the calculus is shifting [3].

The US CLOUD Act complicates things further. A 2026 legal white paper from CMS Law notes that even cloud services nominally hosted in the UK can be subject to US government access requests, a consideration with direct implications for any HE institution handling research data, student records, or clinical material [4].

What “Owning Your Stack” Actually Means

Self-hosting has a reputation problem. It conjures images of a server under someone’s desk, blinking into the dark. That reputation belongs to about 2015. What’s available now is something quite different.

A modern self-hosted open source stack, deployable on a mid-range NAS device, a refurbished mini PC, or institutional hardware, can include:

• File storage and collaboration: Nextcloud, the open source platform used by institutions including the University of Münster (45,000 students), TU Berlin (32,000 students), and University of Nantes (37,000 students), provides Google Drive/SharePoint-equivalent functionality with full data residency control [5]. CryptPad offers encrypted, zero-knowledge collaborative documents without requiring students to create external accounts [6].
• Databases: PostgreSQL, the same engine underlying Supabase, runs cleanly in Docker containers on modest hardware. With the pgvector extension, it supports semantic AI search. With proper configuration, it is robust, auditable, and entirely UK-resident.
• AI tooling: Tools like Ollama and Open WebUI now allow institutions to run capable large language models entirely offline. A 2025 analysis demonstrated viable LLM deployment on a $200 mini PC [7]. The privacy implications are significant: no prompt data leaves the building, no third-party AI provider receives institutional content, and the system works without internet access.
• Learning management: Moodle, used by over 200 million learners worldwide since 2002, remains the most deployed open-source LMS in HE globally [8]. Self-hosted Moodle integrates cleanly with Nextcloud, creating a unified, institution-controlled learning environment with FERPA and GDPR compliance built in by design.
• Access and connectivity: WireGuard, an open source VPN with a codebase small enough to be fully audited, provides secure remote access to all locally-hosted services without exposing ports to the public internet.

This is not an experimental configuration. These are production tools with millions of users, active development communities, and well-established security track records. Harvard’s computer science department published peer-reviewed research in 2022 on Docker containerisation for standardised student environments, the same foundational pattern [9].

Security and Privacy as Architecture, Not Policy

One of the most important shifts in thinking about self-hosted infrastructure is treating security and privacy not as compliance checkboxes applied after the fact, but as properties of the architecture itself.

When data never leaves your building, there is no cross-border transfer to assess. When models run locally, there is no AI sub-processor agreement to negotiate. When containers are isolated, the blast radius of a misconfiguration is bounded. Virtue Technologies UK has written specifically about the role of air-gapped and offline backup infrastructure in protecting educational institutions against ransomware [11].

EDUCAUSE’s 2025 Top 10 IT priorities for higher education placed “Restoring Trust” at the centre of its framing, reflecting a sector-wide recognition that institutional confidence in digital infrastructure has eroded [12]. The open source response to that erosion is structural: you trust what you can inspect, modify, and run yourself.

The On/Offline Dividend

There’s a less-discussed benefit to self-hosted infrastructure that becomes obvious the moment you need it: it works without internet.

For simulation training environments, field research, remote teaching, or simply resilient day-to-day operation, services that run locally are not exposed to cloud outages, degraded API performance, or licensing disruptions. Full offline AI deployment pipelines, local LLM, local knowledge base, local retrieval-augmented generation, function entirely without connectivity [13].

For HE specifically, this has implications for widening participation: students in areas with poor connectivity, clinical environments with restricted internet access, or international field settings all benefit from tools that aren’t dependent on a stable connection to a US data centre.

The Institutional Framing Question

One thing that becomes very clear when you work through this in a university context: self-hosted infrastructure only lands well institutionally if it’s framed correctly. An ad hoc personal device is a shadow IT concern. A UK-hosted controlled innovation environment, designed to DART-compatible standards, with documented security controls and encrypted VPN access, is a risk-managed research asset.

The framing matters because it determines whether ICT sees a problem or a solution. Jisc’s 2024 work on sustainable open research infrastructure takes exactly this institutional posture, positioning open source not as a workaround but as a principled choice with governance and compliance implications that can be managed [14]. Their community advisory resources document open-source implementations across UK HE at scale [15].

The Free Software Foundation’s articulation of the connection between open source and right-to-repair is useful here: institutional software that you can inspect, extend, and maintain is qualitatively different from software you merely license [16]. Universities that contributed to the open source commons in the early internet era helped create the infrastructure the web runs on. There is an argument that they have both the capability and the responsibility to continue that tradition.

A Practical Starting Point

None of this requires a large capital project or an institutional mandate. A proof-of-concept self-hosted stack for innovation and research, covering AI tooling, document storage, vector search, and collaboration, can be built on commodity hardware for under £500 and deployed in an afternoon using Docker Compose. A 2026 survey of open-source cloud alternatives identifies over 50 production-ready tools covering every major cloud service category [17].

The European digital sovereignty movement, now encompassing the EU Cloud Services Scheme, national sovereign cloud projects, and cross-border research consortia, is creating institutional momentum that will eventually reach procurement policy [18]. Getting ahead of that curve, at the level of practical experimentation, is exactly what innovation roles in universities are for.

The technology is ready. The use case is clear. The compliance arguments, when made carefully, are sound. The only remaining question is whether institutions are willing to treat their own digital infrastructure as something worth owning, rather than something to perpetually rent from someone else.

---

References

1. House of Commons Library. Digital Sovereignty (Research Briefing CBP-10547). UK Parliament, 2024. commonslibrary.parliament.uk
2. Blancato. “The Cloud Sovereignty Nexus: How the European Union Seeks to Reverse Strategic Dependencies in Its Digital Ecosystem.” Policy & Internet, Wiley Online Library, 2024. onlinelibrary.wiley.com
3. Innovation News Network. “Europe Launches €75M Sovereign Digital Infrastructure Platform.” 2024. innovationnewsnetwork.com
4. CMS Law. “White Paper: Demystifying the Debate on the US CLOUD Act vs European/UK Data Sovereignty in the Context of Cloud Services.” 2026. cms-lawnow.com
5. Nextcloud / Moodle. “Moodle x Nextcloud: Open Source Communities Empowering Education.” Nextcloud Blog, 2024. nextcloud.com
6. Blue Fox Consultant. “CryptPad: Self-Hosted, A Collaborative Suite for Privacy and Data Sovereignty.” 2024. bluefoxconsultant.com
7. XDA Developers. “I Ran Ollama and Open WebUI on a $200 Mini PC and This Local AI Stack Actually Works.” 2025. xda-developers.com
8. Learning Systems Authority. “Open-Source Learning Management Systems: Moodle, Canvas, and Alternatives.” 2026. learningsystemsauthority.com
9. Harvard CS Department / Malan et al. “Standardizing Students’ Programming Environments with Docker Containers.” Proceedings of ITiCSE, 2022. cs.harvard.edu
10. Linux Foundation. “Cloud & Containers Training.” training.linuxfoundation.org
11. Virtue Technologies UK. “The Essential Role of Air-Gapped Backups in Education.” virtuetechnologies.co.uk
12. EDUCAUSE. “2025 EDUCAUSE Top 10: Restoring Trust.” EDUCAUSE Review, October 2024. er.educause.edu
13. AddWeb Solution. “Run Your Own ChatGPT Offline: Open WebUI + Ollama + Local Knowledge Base.” DEV Community. dev.to
14. Jisc. “New Infrastructure Option to Support Sustainable, Affordable Open Research.” 2024. jisc.ac.uk
15. Jisc Community. “Open Source Projects.” Advisory Services Library. community.jisc.ac.uk
16. Free Software Foundation. “Free Software at the Core of the Right to Repair.” FSF Bulletin, Spring 2023. fsf.org
17. DreamHost. “50+ Open-Source Alternatives to Cloud Services in 2026 (Expert Picks).” 2026. dreamhost.com
18. World Economic Forum. “What Is Digital Sovereignty and How Are Countries Approaching It?” January 2025. weforum.org

Adrian Cowell is Innovation Lead at Imperial London’s Faculty of Medicine, working across AI, VR/XR, simulation training, and educational technology.