How the EU’s Tech Sovereignty Package Finally Puts Open Source to the Test

With today’s release of the European Commission's “European Technological Sovereignty Package”, which includes a full Open Source Strategy, open source sits at the center of EU digital policymaking for the first time. This is a landmark moment for Europe and the global open source ecosystem.

Today's package is the culmination of 23 years of work by the OpenForum Europe (OFE) (where the authors work) and the open source ecosystem as a whole to position open source as a key lever in Europe’s digital future, at a critical inflection point in its digital history. While the strategy represents the Commission's most ambitious open source commitment to date, we also keep in mind the opportunities ahead and the path forward to ensure its full potential is realized.

What does the Tech Sovereignty Package actually say and commit the Commission to?

The “Communication on European Tech Sovereignty” — part of a combined package that includes draft legislative proposals for the Cloud and AI Development Act (CADA) and the CHIPS Act 2.0, as well as a roadmap on digitalization and AI in the energy sector — positions open source as a structural lever of sovereignty. In the document, it is embedded alongside these other texts. This integration matters: previous EU digital strategies have not centered on open source, which has been seen as useful in specific procurement contexts or research programs but as peripheral to the core policy agenda.

The acknowledgment that the EU spends EUR 264 billion annually on IT products and services, and that these are largely proprietary, creating structural dependencies rather than mere market inefficiencies, marks a first: the Commission acknowledges that proprietary software hinders the achievement of digital sovereignty. The document goes further than previous communications from the Commission by drawing an explicit line between vendor lock-in and strategic vulnerability, framing the concentration of EU digital infrastructure in the hands of a small number of non-EU providers not merely as a competition concern.

The package’s demand-side anchors are substantive. CADA strongly promotes the use of open source components released under an open source licence, acknowledging the importance of open source software for technological sovereignty; the EU Digital Identity Wallet (EUDI)'s open source mandate embeds sovereignty by design into a core piece of EU digital (public) infrastructure; and the target of 30 million active users of open source collaboration tools by 2030 gives the strategy a concrete, measurable outcome.

The Open Source Strategy itself offers warm words about open source as a transparency and auditability mechanism, one that enhances cybersecurity and enables public inspection of the code underpinning critical systems. This directly counters narratives that have sought to portray open source as a security liability rather than an asset. This narrative has intensified in recent weeks, with Claude Mythos making headlines around the globe for its impact on open source communities and its implications for cybersecurity.

The strategy also rightly identifies the opportunity not just to mandate open source but to build a sustainable ecosystem around it, with trusted assets, services, and guidance, empowered communities, and strong governance and decision-making. This framing is consistent with calls, like those from NGI Commons (a project to which OFE contributes), for the Commission to continue treating OSS as a digital commons. The governance infrastructure being assembled around mechanisms such as the EU OSPO Network, the Digital Commons EDIC, and the Open Internet Stack — as well as the proposed European Digital Public Infrastructure Steward Organization/Foundation and European Maintenance Instrument — provides a plausible delivery architecture, if well coordinated.

Furthermore, recognition of steward organizations under the CRA and the commitment to develop a stewardship toolkit for establishing foundations under EU rules address a long-standing structural gap: the absence of a clear, harmonized legal and governance framework for open-source foundations operating across the Single Market. The proposed feasibility study on an EU-level framework for single-ruleset foundations is also a particularly welcome commitment that could meaningfully reduce the administrative friction organizations currently face when navigating 27 different national legal systems.

It is clear that the strategy builds on a 2021 study by OFE and Fraunhofer ISI on the economic impact of OSS and open source hardware (OSH) on the EU economy, and is a landmark moment in valuing the contributions of open source to the European economy. That study's core finding — that every euro of public investment in open source generates a return of between four and five euros for the European economy — appears to have informed the Commission's framing of open source as a strategic investment rather than a line item. Seeing that evidence base reflected in a Communication of this significance is a reminder of why rigorous and independent research on open technologies matters.

Preparing carefully for the implementation of the strategy

Ambition and specificity are not the same thing. Upon closer examination, certain elements still require careful consideration during the implementation phase to avoid limiting the strategy's intended impact. We highlight these as opportunities, not to take away from what is already in place and quite robust in the strategy. Instead, we use them to show where a lack of precision in key areas of the text itself could lead to uneven implementation if not carefully addressed and implemented in close coordination with the open source community.

Opportunity #1: Clearly link OSS development to open standardization processes

The Commission recognizes the close interlinkage between OSS and standardization. A key aspect of this, open standards, appears throughout the strategy, and there are provisions in the text for integrating open source processes into standard-setting processes. But the relationship of open standards with open source is not yet precisely defined. Supporting a constructive complementation of both matters because the two concepts, while often complementary, can come into tension. The most familiar problem is sequencing: Should open source reference implementations lead standardization, establishing implementer consensus before a formal standard is published? Or should standards come first, with open source implementations following? Different answers lead to very different regulatory designs.

The stakes are not trivial. As AI regulation, cybersecurity rules, and data governance frameworks increasingly rely on technical standards, the way open source communities engage with these processes will significantly determine whether EU digital legislation produces truly interoperable, sovereignty-aligned outcomes or merely shifts dependency from proprietary products to proprietary standard-setting processes.

Opportunity #2: Prioritize not just open source software, but also open source hardware

The strategy's treatment of OSH is limited to developing RISC-V hardware IP and investing in open source Electronic Design Automation (EDA) tools. Given the broader ambitions of the package, this brevity is a notable omission, but one that can be overcome. Embracing OSH within the strategy requires both creative interpretation of its broader provisions and deliberate attention to the key technology areas identified — semiconductors, operating systems, future Internet architecture, cloud stack, DevOps, AI, and cybersecurity — to ensure they adequately leverage existing OSH designs, communities, and reference implementations.

The impact of not forgetting OSH when interpreting “open source” could be material: Europe has invested around EUR 500 million in open RISC-V through the Chips Joint Undertaking, and the CHIPS Act 2.0 commits to reducing semiconductor dependency through an open foundry and accelerated pilot lines, yet the strategy draws no connection between these efforts. OSH is equally relevant to robotics, edge computing, and networking equipment — all identified strategic priorities — and it deserves the necessary funding and attention to close gaps across the board.

Opportunity #3: Ensure funding and sufficient sustainability levels and draw on additional resources where possible

The strategy is clear about the funding and sustainability challenges of open source. Lack of sustained funding beyond the early project stages, uncertainty about maintenance, and barriers to capital for scaling up are identified as central challenges. The Call for Evidence – with more than 1,600 responses – highlighted this repeatedly: NGOs, foundations, industry, and a range of other actors called maintenance capacity the central market failure, making maintenance funding a core demand. This builds on a key challenge that OFE advocated in our feasibility study on an EU Sovereign Tech Fund (EU-STF) with Fraunhofer ISI and the European University Institute (EUI).

Against this diagnosis, the proposed funding levels for all open source activities within it are welcome but insufficient. The proposed EUR 2 billion envelope over seven years (estimated in the communication), spread across accelerators, the Open Internet Stack, stewardship support, and skills programs, leaves relatively little room for the core maintenance challenge. The proposed Open Source Maintenance Instrument – which would provide sustained financial support for critical open source dependencies – is the right idea, but we conservatively priced it at EU 350 million in the EU-STF study. In reality, spending EUR 2 billion would be a good start, but even at our incredibly conservative estimate, 2 billion for all the actions listed there is somewhat low. The strategy will work best in practice by identifying ways to draw on additional resources. To that end, the EU-STF is currently being piloted by the DC EDIC, and close coordination will be critical to the success of maintenance funding.

Opportunity #4: Ensure a clear framework and institutional support for the implementation of open source skills initiatives

The skills commitments – open source software in schools and universities, master programs in collaborative development and community governance, Erasmus+ mobility, civil servant training through the Interoperable Europe Academy (IEA) – are positive and build on a foundation that has already reached 44,000 enrolments. The gap is a distinction between users and contributors. The framework is largely oriented toward broadening familiarity with open source rather than developing the practitioner-level skills needed to contribute to, maintain, and govern open source projects.

We believe the European Open Source Academy (EOSA) (disclosure: OFE supports the EU-funded project OSAwards.eu, which supports its setup) is well-positioned to fill this gap. Established with founding members drawn from across the European open source ecosystem, EOSA was designed specifically to develop practitioner-level skills and community governance competencies, the skills needed not just to use open source but to lead it. While the IEA addresses civil servants learning to navigate open source procurement and deployment, EOSA addresses contributors, maintainers, and community leaders developing the organizational and governance capabilities that sustain open source projects over time. The two can be complementary.

The path forward

The Commission’s Open Source Strategy is Europe’s most significant step to date in utilizing open source to achieve a sovereign and resilient digital future. The implementation of any norm must be authoritative, precise, and committed; this has been shown to be especially true in the digital policy domain. The strategy thus needs to be set up for success not only in the drafting stage but also in its implementation.

As we have identified above, some parts of the strategy still lack specificity, and we encourage the European Commission to work towards clear commitments that secure these aspects as part of its implementation. We have identified specific, evidence-based opportunities for making the strategy as impactful as possible, building on its myriad strengths and commitments.

Funding will be especially determinative. The EUR 2 billion envelope, spread over seven years across a wide range of activities, will likely not close the identified EUR 264 billion dependency gap on its own, and we encourage the Commission to seek additional capital, commitments, and investments. This is not impossible, given that this is a small percentage of the proposed EUR 409 billion budget for the European Competitiveness Fund (ECF), which is currently being negotiated as part of the ongoing Multiannual Financial Framework (MFF) negotiations (the EU budget). There are further possibilities through the Member States and industry committing funding to the DC EDIC.

We remain optimistic. With this strategy, the Commission commits to bringing vision and leadership to harness open source for Europe. OFE and the wider open source community, industry, and civil society stand ready to help make this ambition a reality.