Foreign companies own the majority of Canada’s software tools, and the government’s Buy Canadian procurement policy has no way to account for that exposure, according to a new analysis. 

The analysis, conducted by Joshua van Es, a policy researcher who works in corporate law, looked at more than 700 software tools used by Canadian organizations and mapped them to their parent companies and corporate jurisdictions. He found that 63 per cent of those tools—which include applications like Slack, Microsoft 365 and Zoom—are U.S.-owned, while just 17 per cent have parent companies based in Canada. 

Van Es said the research began as an attempt to quantify something widely discussed but rarely measured: the extent to which Canadian organizations rely on foreign software providers to operate their businesses. 

Much of the public discussion about digital sovereignty in Canada has focused on infrastructure, such as cloud computing and data centres, said van Es. The application layer—the software tools that organizations use everyday—is often overlooked, he said. 

The findings arrive as Ottawa tries to use federal procurement to strengthen domestic industries and curb reliance on the U.S. The Buy Canadian Procurement Policy Framework, introduced in December 2025, directs federal departments to prioritize Canadian suppliers and content in government purchasing. Among other measures, the policy treats some Canadian bids as if they were slightly cheaper in the evaluation process to give them an edge over foreign competitors. 

The framework has been criticized, however, for how it defines a Canadian company. A supplier can qualify as Canadian under the policy if it has a business presence in the country, such as employees, an office and tax obligations. The procurement process, therefore, treats a foreign company’s Canadian subsidiary the same as a domestically owned firm. 

Tech lobby group the Council of Canadian Innovators warned that allowing foreign-owned subsidiaries to qualify as Canadian risks undermining the policy’s goal of strengthening economic sovereignty. The Canadian Shield Institute, an economic think tank, recommended a stricter definition of a Canadian company based on where it is governed and controlled, rather than simply where it has offices or employees. 

Van Es said that distinction is crucial for software, where the laws governing a product and the data it handles are often tied to the country where its parent company is based. His research found that about 88 per cent of software tools that companies market as having Canadian data residency are governed by a U.S. law known as the CLOUD Act. 

Under the act, American authorities can compel U.S.-based technology firms to hand over data they control, even if it is stored on servers in Canada. Van Es said that creates potential privacy and security risks for Canadians. 

The economic implications of relying on U.S. software may be even bigger, Van Es said, as American firms—rather than Canadian ones—enjoy the benefits that come from owning intellectual property and charging Canadian organizations subscription fees to use their tools. 

Foreign software often finds its way into government projects, even when Canadian firms win the contracts. 

Shash Anand, senior vice-president of product strategy at SOTI, a Mississauga, Ont.-based software company, said suppliers often have wide latitude in choosing the technology they use. “They don’t stipulate that Canadian companies must be considered over foreign tech,” Anand said.

SOTI—which makes software for large organizations and governments to secure and manage their mobile devices—operates in 170 countries with more than 17,000 customers, including UPS, McDonald’s, and American Airlines. Anand said the firm commonly has to prove itself outside Canada before winning business at home. “We often go to the U.S. to generate our credibility, and then we are able to sell back to the Canadian government,” he said.

Montreal-based Coveo makes just three per cent of its revenue in Canada because it isn’t well known here, said executive chair Louis Têtu. The firm’s technology sits between AI models and clients’ data, helping generative tools give better responses and powering self-service customer support systems. 

Still, Têtu doesn’t think businesses and public-sector organizations should make software choices based simply on the seller’s home country. “I don’t want anybody in Canada to buy Coveo because we’re Canadian,” he said. “We’re damn good at what we do, and the market’s discovering it now.” Coveo’s international clients include Mac, the Reserve Bank of New Zealand and Salesforce.

To ensure sovereignty, Canadian governments and businesses must ensure foreign states can’t turn off their technology, Têtu said, adding that they can do so by ensuring they have technical control of the code and run it on Canadian infrastructure and soil.

Van Es said it’s impractical, and in some cases, not possible, to require organizations and government departments to use Canadian tech. His research identified nine software categories that businesses commonly use for which there was no Canadian provider. 

He said relatively small changes to procurement processes, however, could help governments better understand just how dependent the country is on foreign tech and potentially limit the risks. That could include requiring vendors to disclose where their parent companies are based so officials can see which legal regimes they’re beholden to. That exercise, he said, could also reveal gaps in Canada’s own tech stack. “That knowledge is good,” he said. “If you want more Canadian options, these might be potential areas to explore.” 

With files from Murad Hemmadi.