For the first time in the EU's digital history, open source – openly licensed software whose source code is made available, enabling use, modification, and redistribution – sits at the centre of European policymaking. Widely recognised by the software industry as the foundation on which all modern digital infrastructure is built, open source software is no longer seen as an afterthought or a procurement footnote by policymakers.
The European Commission's Tech Sovereignty Package, released on 3 June, does this explicitly by treating open source not just as a niche passion of software developers, but as a structural lever of technological sovereignty that responds to a genuine strategic problem: Europe spends vast sums annually on IT products and services, but the vast majority of it flows to non-EU proprietary vendors. That's not a market inefficiency, but a geopolitical liability.
Why is open source important for technological sovereignty in Europe?
What once looked like a rational outcome of globalisation and global integration – buying the best software from wherever it was built – now looks like a set of dependencies that can be weaponised. Export controls, investment restrictions, and extraterritorial data reach, particularly during the Donald Trump administration in the United States, have all become instruments of statecraft. Europe has watched this happen and decided it can no longer afford to be a passive consumer of other regions’ technology stacks.
The Tech Sovereignty Package, while top-down in characteristic EU fashion, is ambitious in its aim to show a third way for Europe. Its ambitions are varied and diverse, but the core thesis is that Europe must take active control of the full stack of its digital infrastructure – from chips to cloud to AI and beyond – by combining public investment, regulatory coordination, and strategic procurement into a coherent industrial policy. Open source software is central to this agenda because it is, structurally, the opposite of dependency. Its source code is available for inspection, modification, and redistribution, and its governance – at least when well-designed – is distributed and resistant to capture by any single vendor or government.
How is open source featured in the Tech Sovereignty Package?
The mere presence of an Open Source Strategy in the Tech Sovereignty Package marks a significant inflection point, as it shows how the world has shifted in its thinking about its software dependencies in response to the very forces highlighted above.
A few elements in particular stand out. First, the proposed Open Source Maintenance Instrument – which would provide sustained funding for critical open source dependencies – addresses the market failure that has long left the foundations of the internet chronically underfunded. Second, an open source-first approach in public procurement – as is favoured in the new proposal for the Cloud and AI Development Act (also part of the package) – institutionalises an important principle that will likely help non-hegemonic tech compete in public tendering processes.
There are many other smaller but positive signs in the strategy as well. The EU Digital Identity Wallet, highlighted prominently in the strategy, demonstrates how an open source mandate can embed sovereignty-by-design into the EU’s critical digital infrastructure. The governance architecture being assembled around the EU OSPO Network, the Digital Commons EDIC, and the European Digital Public Infrastructure Stewardship Organisation/Foundation provides a plausible delivery framework for this strategy. And the recognition of the importance of institutional stewards to the success of open source is welcome.
The strategy also gets something important right: it acknowledges that Europe's open source ecosystem is already world-class and a real source of strategic differentiation compared with other regions. Linux was born here, and the strategy also cites important communities like Drupal and Matrix (both of which are represented in the European Open Source Academy). Companies like Nextcloud, SUSE, Odoo, and Mistral AI are all here, and they are not marginal players. In other words, Europe has the talent, communities, and technical depth to deliver this strategy.
Are there any risks of centering open source in this way?
Let's address the uncomfortable questions directly, because critics will raise them. Is this just protectionism dressed in open source clothing? Is “European tech sovereignty” a polite way of saying “Buy European”? And is there any possibility that this strategy could create fragmentation in the global open source ecosystem?
The answer is no on all counts, though admittedly, there are real challenges. Protectionism erects barriers to foreign competition. This strategy does the opposite: it bets on open source precisely because open source is structurally anti-monopolistic. The “vendor lock-in” the strategy targets is not foreign vendors per se, but the concentration of critical infrastructure in the hands of any small number of providers, domestic or otherwise, whose terms can be changed, whose access can be revoked, and whose source code cannot be inspected.
Open source is also, by definition, globally collaborative. The same codebase that a German hospital runs can be contributed to by developers in Brazil, South Africa, India, and South Korea. The EU explicitly wants to promote EU-grown open source solutions in partner countries, not as export controls but as alternatives to the proprietary lock-in that developing economies face even more acutely than Europe does.
However, there will be hurdles during implementation. In public procurement, it will be critical to ensure that solutions address interoperability and sovereignty rather than merely mandating open source as a box-checking exercise. Support for open source stewards must also not be fully overtaken by large, profitable overseas foundations rather than by those who can make a real impact locally. There will also need to be more money; the proposed €2 billion envelope is a start, though likely insufficient.
A welcome and important step forward
Despite some omissions, the European Commission should be lauded for making Europe's most significant open source commitment to date. It reflects years of evidence-based advocacy, community consultation, and a genuine shift in policymakers' understanding of the relationship between software and sovereignty. The hard work of implementation, funding discipline, coordination, and sustained political will comes next.
