The Open Source Procurement Agenda: A Guide for IT Leaders, Procurement Teams and Policymakers


The EU Cloud and AI Development Act lands on 27 May. The architectural and economic arguments for embedding Open Source First as a binding procurement principle are well established, and the preceding posts in this series have set them out. 

This post addresses a more practical question: given that CAIDA will establish the policy conditions, what do different actors need to do to ensure those conditions produce results in practice? Navigating digital resilience in this new environment will depend not just on policy, but on execution.

The gap between policy intent, IT procurement strategies and operational outcome is not a theoretical risk in European digital policy. There is a substantial record of well-drafted directives that have changed procurement behaviour slowly, or not at all, because the institutional capacity to act on them was never developed alongside the mandate. 

What follows is directed at three groups whose decisions will largely determine whether CAIDA’s open source provisions translate into practice.

 

For public sector IT leaders: become the reference case

The single most consequential barrier to open source adoption across European public administrations is not the software. It is the absence of reference cases from comparable institutions. Every CIO evaluating an open source alternative is implicitly asking who else of their type has done this and what the experience was. 

The procurement culture, the legal frameworks and the professional incentives all orient toward the established vendor with the mature support contract and the existing reference list. In the absence of early adopters, open source solutions remain theoretically available and practically unchosen. This is where organisations must leverage digital sovereignty to break free from influences on their IT stack and actively shift the default.

The multiplier effect of an institution willing to go first is substantial and tends to be underweighted in policy thinking, because it does not show up in individual procurement calculations. France’s electricity transmission operator RTE made open source a genuine procurement priority from 2018, not because every solution was immediately production-perfect, but because the organisation concluded that the value of establishing a reference case outweighed the cost of operating at an early stage of a technology’s maturity. The experience they accumulated and the procurement guidelines they developed became the infrastructure on which subsequent adopters’ decisions were considerably easier to make.

If you lead a public sector technology function, and you’ve been presented with a Sovereignty Strategy, the most productive action in the current environment is to create formal institutional cover for your team to work with open source solutions. Build an OSPO to help you do this. Framing adoption as a contribution to the broader European digital ecosystem, rather than as procurement risk to be managed away, changes what decisions your organisation is capable of making. Open by design, sovereign by choice becomes not just a principle, but an operational model.

 

For procurement professionals: account for the full cost

Current procurement frameworks do not explicitly ban open source. However, the structural problem is that these frameworks’ evaluation criteria rest on proprietary-era assumptions that systematically hide the long-term costs of lock-in.

Standard tender processes are heavily weighted toward upfront acquisition costs. This creates a “cheap entry, expensive exit” trap. To fix this, procurement leaders must evolve from a simple Total Cost of Ownership (TCO) to a Total Cost of Sovereignty (TCS) model. When you include the following factors in your weighting, open source and open standards suddenly become the most cost-effective path:

  • Projected Exit Cost: Calculate the price of leaving a vendor before you join them. This includes data egress fees, proprietary re-integration, and the “disruption tax” of rebuilding a stack from zero. In a landscape where migration complexity is a primary barrier to resilience, failing to price the exit is a significant fiscal oversight.
  • Cost to Inspect: Sovereignty requires the ability to audit. With proprietary systems, “inspecting” is an expensive, often impossible legal battle or a high-priced third-party service. With open source, the right to inspect is “built-in,” allowing for continuous, low-cost compliance and security auditing.
  • Pivotability Premium: Factor in the cost of adapting to geopolitical or commercial shifts. Proprietary stacks often require “re-purchasing” infrastructure when moving between on-premise and cloud; open source allows you to pivot your existing investment without paying a vendor a second time.

Open source inverts the proprietary cost structure. While the initial integration effort may be visible, the long-term savings are dramatic because you are not paying a “sovereignty tax” every time you need to move or audit your data. This is central to building a future-proof strategy that can adapt to regulatory, economic, and technological change.

Adding these criteria to tender evaluations is not a departure from sound procurement; rather, it is a modernisation of it. It is the only way to ensure that the “choice” promised by CAIDA is economically viable for the public body.

 

For those who shape policy and public funding: resource what you mandate

To achieve the market shift expected from the EU Tech Sovereignty Package’s open source provisions, two instruments need to work in combination. A binding Open Source First procurement requirement creates the demand signal. Sustained public and private investment in maintaining and hardening existing open source solutions provides the supply-side foundation that makes the signal meaningful.

Examples of open source investment for sovereignty

Efforts like the Sovereign Tech Agency and the proposed EU Sovereign Tech Fund deserve recognition as important contributors to open source health and cybersecurity, independent of any sovereignty framing. That work matters regardless of geopolitical context, and it should continue.

But the more instructive models for what sovereignty-oriented open source investment looks like in practice are those already operating at the intersection of government demand and open source delivery:

Far from being simple pilots or aspirational policies, these are fundamental operational choices. They are being driven by a clear-eyed realisation: the long-term risk of dependency and escalating vendor costs has finally eclipsed the immediate hurdle of transition. They also highlight a critical distinction: open, but not sovereign, where openness alone does not guarantee control without the right governance and deployment models.

Strengthening the supply-side foundation

The institutional architecture to support this at European scale is now forming. The Digital Commons EDIC, established in October 2025 by France, Germany, the Netherlands, Italy and Luxembourg, and now joined by seven further participating countries, is the first European-level body specifically focused on shared open source digital infrastructure. Its initial work programme includes a pilot for a European Sovereign Tech Fund developed with Germany’s Sovereign Tech Agency, and a 100 Day Challenge to build sovereign and interoperable open source components. What it needs now is the demand signal that makes its work the foundation of European procurement rather than a parallel initiative alongside it.

The principle here is as important as any specific institution or funding figure. A mandate without funded capacity to deliver on it produces compliance on paper and continued dependency in practice. Conversely, investment in open source infrastructure without a procurement mandate that creates the demand to sustain it produces well-maintained software that public administrations still do not buy. The two instruments need to move together.

The open source industry is not waiting for permission to deliver digital sovereignty: the software exists; the companies exist; and the institutional frameworks are forming. And more of the actors in this ecosystem than may be immediately visible are preparing to make that case together before 27 May. The hand is there to play.

A blueprint without borders 

While these strategies are rooted in European resilience, the challenge of digital sovereignty is a global one. In the final part of this series, we explore how this framework serves as a universal model for a more balanced global digital exchange.

 

[Read Post 5: A Global Exchange: Applying the European Sovereignty Frameworks Everywhere →]

Andreas Prins SUSE
Andreas Prins leads the global initiative on digital sovereignty at SUSE, helping organizations make conscious decisions about where their data lives and who controls it. He works with IT executives across Europe, the US, the Middle East, and Africa to navigate the practical challenges of resilience, autonomy, and vendor dependencies. Before joining SUSE, Andreas spent over two decades building and leading technology teams, reinventing his career roughly every seven years because he's drawn to creation more than maintenance. He's worked across financial services, telecommunications, and enterprise software, always in roles that let him master something new, then teach it to others.