OSI welcomes the European Union’s “Tech Sovereignty” package
This week, the European Union (EU) published its “Tech Sovereignty” package, with a vision that puts Open Source at the heart of the EU’s digital sovereignty ambitions, while addressing many concerns and requests of Open Source communities.
In February of this year, the OSI submitted feedback for the EU’s Open Digital Ecosystems Strategy. Our feedback set out a vision for how Open Source could serve the EU’s digital sovereignty goals in a way that benefits both Open Source communities and the European Union.
Originally delayed twice, the strategy was eventually merged into the flagship Tech Sovereignty package. The wait was worth it: over a third of the 29-page document is devoted to Open Source, with many of the OSI’s key asks addressed, as well as some exciting new announcements! Below, we explore what we asked for and how the strategy delivers.
Procurement: Opening Doors for Open Source
One of the biggest barriers to Open Source adoption has been public procurement. Too often, tenders have been designed around proprietary solutions, ignoring the benefits of Open Source and locking public institutions into closed ecosystems. The OSI called for procurement rules that prioritize interoperability, reusability, and vendor independence.
The package takes a major step forward in this area. The EU pledges to make the public sector an anchor consumer for Open Source solutions. The Commission plans to reform procurement rules to remove barriers for Open Source, provide better guidance to EU countries on procurement criteria to avoid excluding Open Source, and uphold the “public money, public code” principle when procuring software development.
Both proposals align with the OSI’s feedback. The next critical step is the EU’s public procurement law reform. The OSI will continue advocating to ensure these pledges translate into action.
Business: Supporting Open Source Startups
Beyond procurement, the OSI highlighted challenges faced by Open Source communities in Europe, particularly difficulties accessing investment and expertise to commercialize and scale projects.
The Commission has responded by committing to ensure Open Source companies are considered for funding under the European Competitiveness Fund (ECF). It also plans to create “Open Source business accelerators” that will offer mentorship, training, legal and licensing consulting, and business development support, including marketing. Additionally, the Commission will work to raise industry awareness of Open Source solutions by leveraging the EU’s existing business support networks.
These measures directly address the OSI’s concerns and could significantly boost the Open Source ecosystem in Europe.
Funding: Supporting the ecosystem
Taking action to ensure the Open Source ecosystem remains sustainable was one of the key requests of the OSI to the European Commission. This is especially true for the Open Source components we all rely on: if adequate resources are not available for the maintenance of these components, we risk degraded security or orphaned software.
In our feedback, we called for the continuation of the Next Generation Internet (NGI) initiative that has funded many Open Source projects, and for the creation of a European Sovereign Tech Fund to fund ongoing maintenance and features development to meet the EU’s needs. We also highlighted the need to mainstream Open Source in other funding opportunities (like the €100bn+ Horizon Europe programme).
The Commission’s strategy addresses these requests. The NGI will be scaled up under the new name “Open Internet Stack.” A new Open Source Maintenance Instrument will fund the “maintenance and security upkeep of essential components.” The Commission will also create a list of critical and security-relevant Open Source dependencies to inform funding decisions and promote Open Source solutions as the default approach in Horizon Europe funding.
Additionally, we emphasized the need to operationalize the EU Cyber Resilience Act (CRA) in a way that benefits—not burdens—Open Source projects, particularly through “voluntary security attestations” as a funding mechanism. While the Commission does not explicitly mention funding, it commits to expediting voluntary security attestation programs. The OSI will continue advocating to ensure these programs truly benefit Open Source communities.
Stewardship: supporting foundations
Speaking of the CRA, the package also includes measures to address some of the concerns that OSI, Eclipse Foundation and Apache Software Foundation have been raising to the Commission about “Software Stewards” under the CRA. We were worried the barriers to setting up and running stewards in Europe could be too high, preventing the emergence of software stewards and the success of the law, and negatively impacting Open Source sustainability. We also raised these concerns in our feedback to the Commission.
The Tech Sovereignty package proposes a series of measures to address these concerns: the development of a “stewardship toolkit” to guide projects who want to establish stewards, associations and foundations in the EU. They have also pledged to launch a study on the feasibility of an EU-level framework for foundations, so foundations can be governed by a single set of rules rather than different rules for each of the EU’s 27 countries.
We believe these measures will help organisations that want to establish, or to set up a subsidiary or sister organisation in the EU. We also believe the aforementioned funding opportunities could also be available to foundations.
Standards: breaking down barriers to Open Source participation
Over the last two years, we have worked extensively on standards around the EU’s Cyber Resilience Act. We’ve pushed ourselves to our limits to ensure Open Source has a voice in the development of these standards and it hasn’t been easy.
Day-long meetings, synchronous decision-making, and financial and organisational barriers to Open Source participation meant that our European team had to spend almost all their working time to ensure Open Source voices are heard, and while those efforts are now beginning to bear fruit, this effort simply isn’t repeatable for every new law.
We already raised this issue with the European Commission in our Feedback on Standardisation reform, but raised it again in our feedback to the Digital Ecosystems Strategy: not being able to participate in standardisation means Open Source projects and companies don’t get a say in rules that impact them. This has to change.
The Commission recognizes the challenge and commits to making it easier for Open Source communities to participate in standardization through specific funding and revisions to the Standardisation Regulation. However, which changes it will implement in the Standardisation Regulation are unclear, and it does not address our demand for a rights-waived mode, which would ensure standards required for legal compliance are not patent-encumbered or blocked behind a paywall. The OSI will continue pushing for this change, and other improvements to the EU standards system.
Leading by Example: the EU’s Open Source adoption
The EU is also taking steps to lead by example in Open Source adoption. It is deploying a Matrix-based communications system and the openDesk collaboration environment internally, trialing an alternative operating system to replace Windows, which is currently widely used in EU institutions, and expanding its presence on the Fediverse, with Commissioners and key departments already joining the EU’s Mastodon server.
We will monitor these initiatives closely, but we welcome the EU’s commitment to leading by example.
Skills and Knowledge: Building a Sustainable Future
Open Source thrives on collaboration and shared expertise. To ensure its long-term success, Europe needs a workforce that understands and contributes to Open Source projects. The OSI emphasized the importance of integrating Open Source into education and reskilling programs, as well as supporting developers in commercializing their projects.
The Commission’s strategy aligns closely with these goals. It proposes Master’s programs on collaborative Open Source development and community governance, support for Open Source deployment in schools and universities, upskilling civil servants to use Open Source solutions, and Erasmus+ funding for Open Source learners to cover mobility costs (e.g., for traineeships in Open Source companies or community meetups).
These measures can help close the Open Source knowledge gap, strengthen adoption, and foster stronger communities through mobility and education.
Conclusion
The Commission’s Tech Sovereignty package addresses many of the OSI’s concerns and adopts numerous recommendations. It’s encouraging to see Open Source communities’ voices being heard in Brussels. We see it as a testament to the growing recognition of Open Source’s importance among lawmakers and the hard work of community representatives.
The strategy has set the EU on the right path, but whether it stays the course depends on whether the Commission’s proposed laws are adopted—and how they’re shaped along the way. By autumn 2026, we expect the package’s legislative proposals to reach the European Parliament.
The OSI, for its part, will continue its educational and advocacy work to ensure lawmakers understand the benefits of Open Source and have the tools to make decisions that help both Open Source and Europe thrive.
| OSI proposal | Outcome | Commission response | Notes / gaps | Sources |
|---|---|---|---|---|
| Prohibit tenders from requiring specific proprietary solutions or patent-encumbered standards | Partial | CADA promotes open source components and introduces criteria to reduce proprietary dependencies; guidelines on drafting open tenders to be developed | Commission stops short of a prohibition — it proposes guidelines and best practices rather than a binding ban on proprietary-only specs | OSI response p. 11 COM(2026) 503, p. 24 |
| Consider interoperability, reusability, vendor lock-in, digital sovereignty, and total cost of ownership as procurement criteria | Fixed | CADA introduces non-price award criteria including contribution to a European cloud and AI ecosystem; open source strategy explicitly promotes TCO and lock-in considerations | Strong alignment, though binding application is limited to specific CADA circumstances rather than all public procurement | OSI response p. 11 COM(2026) 503, pp. 11, 24 |
| Ensure procurement templates are designed with open source in mind | Fixed | Commission commits to developing guidelines and best practices for drafting tenders that accommodate open source, including bid evaluation and innovative partnership provisions | Closely matches the OSI ask; delivery depends on the forthcoming procurement rules review | OSI response p. 11 COM(2026) 503, p. 24–25 |
| Consider code and financial contributions to open source components as a procurement criterion | Partial | Commission proposes open source participation as a factor in procurement evaluation under CADA; no explicit criterion for upstream code/financial contributions | Commission addresses the spirit but does not go as far as making upstream contribution a formal scoring criterion | OSI response p. 11 COM(2026) 503, p. 11 |
| Adopt an ‘Open by Default’ / Public Money Public Code policy for internally built or procured solutions | Fixed | Commission explicitly invokes the ‘public money, public code’ principle and commits to prioritising openness; OSPO and code.europa.eu already implementing this | Strong alignment; Commission also encourages member states to adopt similar policies | OSI response p. 11 COM(2026) 503, p. 25 |
| Create a European Sovereign Tech Fund (modelled on the German STF) to replace the Next Generation Internet initiative | Fixed | Commission proposes an ‘Open Source Maintenance Instrument’ and EUR 2 billion mobilisation over seven years; European Competitiveness Fund (ECF) to support open source scaling | While it isn’t called a STF, the maintenance instrument and ECF together could fill the gap | OSI response p. 12 COM(2026) 503, pp. 9, 22 |
| Include open-sourcing deliverables as a criterion in Horizon grants where software is a deliverable | Fixed | Commission states that making research outputs publicly available under an open source licence should count towards fulfilling dissemination requirements in R&I programmes | Direct match to the OSI proposal | OSI response p. 12 COM(2026) 503, p. 20 fn. 77 |
| Create a one-stop shop for funding opportunities relating to open source | Partial | Commission plans to scale up the Open Internet Stack as a shared catalogue and one-stop shop for open source building blocks; no single dedicated funding portal announced | The Open Internet Stack addresses discoverability of solutions but not specifically a funding opportunities portal | OSI response p. 12 COM(2026) 503, p. 18 |
| Develop open source security attestations under the CRA as a revenue source for stewards | Fixed | Commission commits to expediting voluntary security-attestation programmes under CRA Article 25 and creating a voluntary EU assessment framework for open source | Matches OSI proposal; Commission also notes this can create sustainable funding mechanisms for stewards | OSI response p. 12 COM(2026) 503, p. 22 |
| Create an Open Source Expert Group representing companies, foundations, communities, and individual developers | Not Fixed | Commission references collaboration with open source communities and calls for evidence (1,600+ contributions); OSPO Network and Interoperable Europe Community serve coordination roles | No formal standing expert group with the composition OSI described is announced; existing structures partially substitute | OSI response p. 13 COM(2026) 503, pp. 17, 25–26 |
| Avoid ‘Know Your Contributor’ requirements that would reduce open source participation | Not Fixed | Communication does not address contributor identification requirements | This concern is not acknowledged or resolved in the communication; may need to be raised in the context of the CRA revision or future legislative reviews | OSI response p. 13 — |
| Mandate that European Standardisation Organisations have a rights-waived mode so standards can be accessed and implemented freely | Not Fixed | Commission proposes to improve cooperation between open source and standardisation communities in the upcoming Standardisation Regulation revision, including conditions to make certain standards implemented in open source | Direction is aligned but a mandatory rights-waived mode is not explicitly committed to; delivery is deferred to the Standardisation Regulation revision | OSI response p. 13 COM(2026) 503, p. 27 |
| Empower the Commission to designate publicly available, patent-free open specifications as European Standards | Fixed partially in CSA | Commission proposes measures to better integrate open source into standard-setting and to fund open source community participation, but does not explicitly propose a designation power for open specs | The Standardisation Regulation revision is the right vehicle but specific empowerment is not confirmed | OSI response p. 13 COM(2026) 503, p. 27 |
| Ensure open source ecosystem is represented and financially supported in standardisation (akin to Reg. 1025 Annex III) | Partial | Commission commits to providing sufficient funding to support open source community participation in standardisation and to better integrating open source processes | Financial support is promised but formal representation status equivalent to Annex III is not explicitly proposed | OSI response p. 13 COM(2026) 503, p. 27 |
| Integrate open source into education and reskilling programmes | Fixed | Commission commits to master programmes on open source development, Erasmus+ learner mobility for open source, and skills training for civil servants; also references Digital Skills Academies | Strong match across all three levels (education, reskilling, public sector) | OSI response p. 14 COM(2026) 503, pp. 22–23 |
| Provide support to developers wanting to commercialise open source projects | Fixed | Commission will establish open source business accelerators offering mentorship, legal/licensing consulting, business development; ECF to support projects reaching commercial maturity | Strong alignment with OSI ask | OSI response p. 14 COM(2026) 503, p. 20–21 |
| Support local authorities in knowledge-sharing around open source deployment | Partial | OSPO Network and Open Source Observatory support best-practice sharing; guidance for public administrations on procurement and adoption is planned; member states encouraged to give OSPOs advisory roles | Emphasis is on national and EU-level administration; specific focus on regional/municipal authorities as OSI requested is less prominent | OSI response p. 14 COM(2026) 503, pp. 24–25 |
| Create procurement incentives for companies contributing to open source projects they depend on | Not Fixed | CADA introduces evaluation criteria related to contribution to a European cloud/AI ecosystem; no explicit incentive for contributing to upstream open source dependencies | Partial overlap — the CADA criterion is broader and not specifically tied to upstream contribution | OSI response p. 15 COM(2026) 503, p. 11 |
| Provide guidance to member states to allow open source contributions to be tax-deductible as R&D | Not Fixed | Communication does not address tax treatment of open source contributions | No mention of tax guidance for member states; this would likely require a separate fiscal coordination initiative | OSI response p. 15 — |
| Provide guidance to member states on allowing CRA security attestation sales to fund open source stewards | Partial | Commission commits to expediting CRA attestation programmes and notes their potential as a funding mechanism; no specific member state tax guidance on this revenue stream | The funding mechanism is enabled but the specific guidance to member states on tax treatment is not addressed | OSI response p. 15 COM(2026) 503, p. 22 |
| Support fledgling open source companies with training, guidance and funding | Fixed | Commission will set up business accelerators, leverage ECF for scaling, provide mentorship and business development support; EU Startup and Scaleup Strategy referenced | Well addressed across multiple mechanisms | OSI response p. 15 COM(2026) 503, pp. 20–21 |
| Make it easier for open source foundations to establish in Europe (28th regime, cross-border association directive, template statutes) | Fixed | Commission commits to a ‘stewardship toolkit’ for setting up foundations and a feasibility study on an EU-level framework for a single rulebook for foundations across the single market | Feasibility study is a step short of the concrete directive or 28th regime OSI requested; toolkit helps but does not resolve the underlying legal fragmentation | OSI response p. 15 COM(2026) 503, p. 21 |
| Use OpenDocument formats by default in EU institutions | Not Fixed | Communication does not address default document formats for EU institutions | Not mentioned; would need to be pursued through internal Commission administrative decisions rather than this communication | OSI response p. 15 — |