Public Procurement - An Enabler for Digital Sovereignty

A main theme from this year FOSDEM was without a doubt the role of public procurement in enabling Europe’s digital sovereignty and improving sustainability and security of its digital infrastructure. Several panels and talks were more or less dedicated to the topic, stressing its importance for promoting demand and supply under sovereign conditions. Below are some key take aways and reflections.

Risk-aversive procurement practice incompatible with sovereignty focus

Procurement is generally stifled due to a risk aversiveness, which is symptomatic for most parts of public sector. Risk aversion was described by some as part of civil service training; it’s easier to buy what you’ve always bought. Another good quote regards how it is the civil servants’ job to ensure the state functions, not to take risks. The need for cultural change and political signals promoting a new “risk-based” procurement strategy is inherent.

Price main focus, yet still missing the switching and exit costs

Another challenge for procurement is that it first and foremost designed to prevent bribery and ensure fairness, which is of course essential, but many of the same safeguards now act as structural barriers. The process is slow, complex, and often anchored around price as the dominant criterion, even though price alone rarely captures the full cost or long-term implications of a digital dependency.

Rasmus Frey from OS2, a Danish municipal association calls out why the cost of exit or transition is so seldom factored in when looking at the price criteria. If switching away from a service three years down the line becomes prohibitively expensive, was it really the cheapest option in the first place? Calculating and asking for the switching costs in tenders should be a standard requirement for any procurement process.

Regulation and Buy European policies can enable demand/supply…

Several talks emphasized that Europe must create and shape its own market, and the problematics in how demand and supply is in desperate need of scaling. Procurement plays a fundamental role here: not by excluding competition, but by making sure the competition is fair, transparent, and aligned with long‑term public interest. SMEs in particular depend on a regulatory environment that gives them a realistic chance to compete against incumbent vendors with deeply entrenched positions. Buy European, as advocated by the Eurostack movement, highlights how priority should be shifted to European vendors and service providers to help grow capabilities and alternatives to the incumbents.

…but not necessarily sovereignty

Buying European, in this way, is a compelling narrative as it can stimulate demand and signal that the public sector is serious about supporting its own ecosystem. But it is not a guarantee of sovereignty. You can still end up locked into a European vendor the same way you can be locked into a non‑European one. Sovereignty ultimately means being able to act, to switch, to see what’s inside the digital “package” being bought, and ideally to modify it if needed. In that sense, the important narrative is that code can come from anywhere, as long as it doesn’t lock you into one provider.

Open source as a lever, but requirements definition needed

Here open source provides a key lever, but again, does not translate into sovereignty by design. Requirements ensuring full and free access to source code, documentation, building tools and knowledge needed to fully develop, compile, and run the software is critical. As are requirements and evaluation criteria that promotes and ensures vendors and service suppliers are engaging and contributing their work to concerned communities and openly via established social coding platforms with full transparency and history.

Sovereignty as a requirement, with the cloud is first test case

Compulsory sovereignty requirements was called out and wished for by several, including the German Centre for Digital Sovereignty (ZenDIS). How such requirements would be defined was less discussed in detail, although specification of the usual ones including open source and standards, data ownership, exit strategies, etc. were iterated. Several also referred to the newly launched EU Cloud Sovereignty Framework (CSF), which enables evaluation of cloud offering across eight dimensions. While the framework is still fresh, examples are mentioned of first applications, e.g., from Deutsche Telekom.

Important to note though, as put by Emil Broek from SUSE, is that sovereignty is neither black or white. Most vendors and offerings will be somewhere in between. Evaluation criteria such as the CSF can simplify the process, and transparently enable both buyers and suppliers to evaluate options on the table. SUSE announced a CSF evaluation tool to further help simplify the process. Regardless of the framework or tool, there will be a need training and clear signalling from leadership will be needed for any adoption to happen.

Template requirements and model tenders needed

Several stressed the need for standard contracts and tenders, and template requirements that can be used to guidance and inspiration for how sovereignty can be turned from theory to practice. Several ongoing initiatives were mentioned, such as resources provided by the Dutch Ministry of Health, Welfare and Sport, and model open source tenders and requirements synthesised by the German Open Source Business Alliance (OSBA). The Dutch Open Source Business Alliance (DOSBA) announced a new initiative of gathering example tenders, to be presented at next years’ FOSDEM.

Measurable targets requested to push development

There was a repeated call for measurable targets. For example, one idea raised by APELL, the European Open Source Business Association, was setting a goal for the share of open source in public digital infrastructure, moving from around 30% today to 100% within ten years. Whether or not this exact number is right, the underlying point is sensible in that clear goals help guide behaviour, and procurement needs guardrails. Sovereignty criteria could be treated as a “must”, and if a solution does not meet them, the procuring organisation should have to justify why.

If there’s a bug, allow for others to fix it

One government representative reports on mixed views on procurement, where on the one side buyers wonder why there are no suppliers answer to tenders for open source services, while vendors question why tenders have requirements disqualifying their participation. The gap need to be closed from both sides, and is contrasted as a lesson for both parties. Increased collaboration is generally called for, to allow for mutual learning. Basically, if there is a bug in the procurement practice, it should be open for a pull request and fixed.

Overall an optimism about the potential and progression

Despite the several challenges highlighted, the overall message from FOSDEM and fringe events such as the EU Open Source Summit was surprisingly optimistic. Europe has the tools, the criteria, the expertise, and the political momentum to move procurement in a sovereign direction. The question is less whether it is possible and more whether public administrations are willing to commit to the cultural and structural changes that are required.

Procurement, more than any other lever, gives governments the ability to actively shape their digital future rather than simply react to it. And if Europe is serious about sovereignty, sustainability, and security, then procurement will need to be treated not as a bureaucratic necessity, but as a strategic instrument.