The New EU Open Source Strategy is the Best in the World, but Where Should the Commission Start?

The co-legislative process on the Cloud and AI Development Act starts now. From here, the centre of gravity for CADA moves to the Council and the Parliament, where the binding text will be negotiated, amended, and argued over line by line. That is where a great deal of attention will rightly go, including ours.

But before the whole conversation becomes about what the co-legislators should change, it is worth stopping for a moment to look up at what the European Commission has actually produced. Alongside CADA, the Commission published an EU Open Source Strategy. 

In our assessment, it is the most sophisticated open source strategy produced by any region or country in the world. No other jurisdiction has set out, in a single coherent instrument, this depth of understanding of how open source is created, sustained, secured, and turned into public value. The maintenance and sustainability agenda in particular, the proposed Open Source Maintenance Instrument paired with the ENISA commitment to map critical dependencies, is a genuine landmark. It addresses, directly, the structural problem that components the whole European economy depends on are too often maintained by under-resourced volunteers. 

We say this not as a courtesy before criticism, and because the quality of the foundation is what makes the remaining work worth doing.

So here is the question we have been sitting with. The co-legislators have their job. But what can the European Commission itself do, today, without waiting for anyone? We were asked by DG CONNECT to submit concrete suggestions on exactly that, on how to move from policy objectives to effective action. This is what we submitted.

Start with the diagnosis

Europe’s dependency does not persist because sovereign supply is missing. It persists because demand is uncoordinated. The European tech industry is ready. Sovereign alternatives to over-dependence on a small number of vendors are not theoretical. They are in production, at scale, in governments and critical sectors today. The talent, the code, the running systems, and the commercial models already exist.

What is missing is a demand signal, and more precisely the coordination of it. This is a demand-pull problem, not a supply one. No single authority has enough reason to bear the full cost of moving first, because the benefits of reduced dependency, resilience, negotiating leverage, lower long-term cost, are real but diffuse and slow to arrive. So everyone waits, and the dependency deepens.

The mechanism that breaks this is aggregated demand coalescing around a shared set of open standards. And that does not happen through strategy documents. It happens through what the public sector procures, and the standards it procures to. Which leads to an implication: the EU has to be willing to identify the open standards that public investment can consolidate around, and the most credible place to start is its own procurement. We organised our recommendations in three pillars.

Pillar one: what the Commission can do to itself

The first pillar is internal reform, the measures the Commission can take directly. It can become an anchor customer for open source by applying an Open Source First assessment to its own ICT procurement, ahead of and independently of CADA. With DG DIGIT and DG CONNECT now under a single Commissioner, that is a great opportunity for intra-EC collaboration, and Commission practice becomes a reference point for every Member State watching.

It can define an open-standards-baseline for its own buying. For this to mean anything, open standards have to be understood as royalty-free and implementable in open source, because a specification that cannot be implemented in open source forecloses competition regardless of where the data sits or who signs the contract. Germany’s Deutschland Stack, with ODF as the default for editable documents and PDF/UA for accessible final ones, shows how concrete this can be.

And it can elevate the Commission’s own OSPO, which today sits inside DG DIGIT with no equivalent home on the policy side, into an inter-service unit jointly anchored in CONNECT and DIGIT, with procurement assessment as its core function rather than coordination alone.

Pillar two: demand across public administrations

The second pillar is demand-side measures for public administrations more broadly. Say procurement, and mean it, expressing the Strategy’s deployment goals as measurable purchasing commitments rather than soft aspirations to uptake. Study the Deutschland Stack and consider an EU-level counterpart, carried by the Open Internet Stack, that lets administrations across Member States buy to common specifications on a comparable timeframe, because simultaneous demand for a shared standard is what makes European alternatives commercially viable. 

The EC should also develop criteria that measure the sovereignty of public sector organisations rather than just focusing on the features of products. Vendor exit velocity, data and workload pivotability, multi-vendor agility should be measured, and then build them into the DESI index so that sovereign capacity is benchmarked year on year rather than asserted once at the point of purchase.

Then there is the catalogue, where a distinction is easy to miss but decides whether the instrument works. Europe is good at producing building blocks, the foundational components the Open Internet Stack funds and assembles. It is much weaker at completing them into installable solutions, the packaged, supported products a public body can actually procure and run. A public administration does not buy a component; it buys a solution that someone packages, secures, maintains, and stands behind. A focus on an end to end secure software supply is a necessity with today’s dependency on software in our entire society. 

So the EU Open Source Solutions Catalogue should be built around installable solutions rather than parts, and it should solve the business problem head on by showing, for each listing, that a commercial support pathway exists, because a solution with nobody accountable for its maintenance and security is not really procurable. Make each entry a register of real deployments, so it answers who already runs this at scale rather than merely what exists, and annotate it with the Union assurance level the solution meets, so that discovery, the sovereignty criteria, and the procurement default collapse into a single decision a buyer can act on instead of three disconnected ones.

None of this works without the office that does the work. The OSPO is the unit that turns open source intent into practice, where the legal, technical, security, and procurement capability to choose and sustain open source actually lives. The Strategy and CADA treat it as a network to convene rather than capacity to build, and that is the wrong way round. The Commission already funds and builds these offices outside the Union, in Kenya and in Trinidad and Tobago, on precisely the reasoning that an OSPO is where intent becomes institutional. The same investment should be made inside the Union, alongside national OSPOs such as Germany’s ZenDiS, so that when an Open Source First duty meets administrations actually equipped to carry it out.

Pillar three: settle the evidence

The third pillar is evidence and research. The general economic case for open source is already settled, including by the Commission’s own 2021 study, which found that the roughly one billion euros European companies invest in open source each year generates between 65 and 95 billion euros in economic impact. We also know what happens when procurement actively favours open source, because France ran the experiment: a Harvard Business School study by Frank Nagle measured nearly 600,000 additional open source contributions a year and a 9 to 18 percent annual rise in IT-related startups after the 2012 directive. What is still missing, and what would actually move the procurement debate, is a study of the specific effect of shifting public buying from proprietary to open source: fiscal efficiency, avoided lock-in and exit costs, new company formation, employment, and growth. That study can be commissioned now, and run continuously through a quantitatively strengthened Open Source Observatory (OSOR), so that procurement reform is argued on outcomes rather than aspiration.

The point

None of this requires waiting for the co-legislative process to conclude. All of it would make that process land better when it does. Europe’s push for digital sovereignty is no longer about direction. It is about execution. We have the technology, and we have the builders. The strategy is the first part of a policy backbone to generate the demand, and to make sure the standards that demand coalesces around are genuinely open.

The Strategy is the best in the world. SUSE is ready to invest behind it, to dedicate real resources, and to keep mobilising the European company ecosystem, because the companies are the actors that will answer a clear demand signal the moment it is sent. The Commission has produced an exceptional design, and the work now is to build it.