Johan Linåker

Senior Researcher at RISE Research Institutes of Sweden and Adjunct Assistant Professor at Lund University

22 minute read

TL;DR / Summary:

  • Europe stands at a crossroads: continue down the path of dependency or invest in strategic autonomy.
  • Today, Europe remains digitally dependent on a few global providers — often tied by closed standards, restrictive contracts, and limited access to data.
  • Global geopolitical tensions are exposing the fragility of supply chains, digital infrastructure, and critical technologies. Calls for digital sovereignty are increasing across European governments and institutions
  • As digital and physical infrastructures converge, autonomy requires a systemic approach, not point solutions. Sovereignty is further a full-stack challenge — spanning both the software and hardware stacks, along with the tools, infrastructure and input materials required for the design and manufacturing.
  • Digital sovereignty can be translated with Open Strategic Autonomy, and is not about isolation, but about control through openness: interoperability, reuse, collaboration, and shared innovation provide a strategic opportunity for Europe.
  • Control requires investments and contributions, underpinned by collective capabilities — from skilled talent and vibrant SMEs to the necessary policies and support structures.
  • The public sector often struggles with "comfort syndrome": risk-averse procurement, siloed mindsets, and resistance to change are common symptoms. Overcoming this demands sustainable leadership and systemic reforms.
  • Open technologies form a critical toolbox and vehicle towards strategic autonomy, from open source software and standards to data, hardware, and science.
  • Support structures like Open Source Program Offices (OSPOs) are key enablers — translating policy into practice, fostering collaboration, and driving change across government, academia, and industry.
  • Strategic investments (e.g. the OpenDesk and La Suite Numeriqe initiatives, and Schleswig-Holstein’s migration journey) show that alternatives to proprietary ecosystems are possible — and practical.
  • Public awareness of open source’s role remains low, despite underpinning 95%+ of global digital infrastructure. Initiatives like the European Open Source Academy and Awards are working to change that.
  • Long-term sustainability and maintenance are just as critical as innovation to reach strategic autonomy, requiring collective responsibility across communities, industry, and public sector.
  • SMEs and sustainable suppliers are essential to resilience, enabling digital sovereignty through real-world adoption and ongoing support.
  • In summary: Sovereignty is about control through openness. Achieving it requires not just technology, but investment, capabilities, and cultural change — with OSPOs and open collaboration at the core.

Europe is at a crossroads where it has to choose whether to default to the red path of convenience towards increased dependencies or take the optional route towards strategic autonomy. In reality, this is not a decision that can be avoided. Recently, I had the opportunity to present a keynote at the OSPOs for EUROPE event (hosted by Dirk Schröder, Minister und Chef der Staatskanzlei des Landes Schleswig-Holstein). The keynote covered why Europe needs to take the journey towards strategic autonomy together, and how open source can be used as a vehicle for the journey, as well as a tool for exploiting the many opportunities that the accelerating technology provides. The post below provides an iteration on my earlier post on the topic.

The Why

Europe digitally cuffed by dependencies

The opportunities are highlighted through both hype cycles and magic quadrants, as well as expectations expressed, such as those outlined in the EU Digital Decade and the Interoperable Europe Act, which aim to create an online and interoperable Europe by 2030. Such visions are, however, hampered by the fact that Europe is digitally cuffed by dependencies. Regardless of the vertical, 3-4 incumbents typically dominate the market, commonly through closed data formats and standards, long-horizon contracts, gated access to user data, and exploitation of the risk-averse, conservative, and self-centric procurement practices that often prevail in the public sector.

...and fueld by geopolitical cracks

There’s no news to this picture, though. What is new (relatively speaking) is the geopolitical cracks that are rupturing across the globe, where threats on regulatory actions, tariffs, and trade wars are targeting our access to components critical to our supply chains, as well as digital products, services, and infrastructure on which our Industry and governments depend.

Massive responses from across Europe

The response has accordingly been quite massive from various parts throughout Europe. Data integrity agencies (e.g., Sweden and Norway) are expressing caution in where and how organisations store their data. Parliaments (e.g., the Netherlands and Denmark) are calling for decreased dependency on non-European cloud and software service providers. Several examples are emerging of how national and federal governments are taking concrete steps to replace what many think is irreparable. Both European political leadership and Industry are expressing common calls for increased sovereignty and autonomy. They are calling for an end to the dependencies that keep being reinforced through continued and misdirected spending.

Sovereignty is a Full-stack problem

From the discourse, it is easily misunderstood that sovereignty is all about the clouds and the desktops. We couldn’t, however, be more mistaken. Sovereignty is a full-stack problem where applications are just the tip of the iceberg, consisting of the operating system, kernel, drivers, and firmware. These latter parts are on the positive note, what many consider a commodity, why the access to high-quality open source products and projects is relatively high.

And below the software stack comes the hardware stack, which paints a darker picture. Here, there is a lack of most forms of tools, frameworks, and infrastructure, considering the supply chain of silicon chips, an essential component for almost all things powered and connected. An example regards the access to EDA tools capable of designing, simulating, and verifying chip designs. The three main options are all proprietary, limiting both SME growth and skill training, and thereby substantially impacting Europe’s chances of growing its own regional capabilities in the area. Then there’s the access to Foundries and raw material, which is a post in itself.

Need to look at Infrastructrue as a whole (digital+physical)

Another essential aspect to clarify is that sovereignty is a topic for all parts of the infrastructure. We need to talk about both the digital and physical parts of infrastructure, which are becoming more and more intertwined. Consider the context of roads and traffic, where intelligent traffic management systems, mobility as a service, connectivity, smart city environments, and autonomous driving are all relevant. The boundary between what’s considered physical and digital is becoming increasingly thin.

That’s about the why - why we need to start talking about sovereignty. Next is how - how can we start walking the talk? And how can be leverage open source as a vehicle for the societal transformation necessary?

The How

Digital sovereignty <> Open Strategic Autonomy

First, let’s broaden the taxonomy beyond digital sovereignty to also talk about open strategic autonomy.

- “[Open Strategic Autonomy] reflects the EU’s fundamental belief that addressing today’s challenges requires more rather than less global cooperation… Open strategic autonomy is a policy choice, but also a mind-set for decision makers. It builds on the importance of openness, recalling the EU’s commitment to open and fair trade with well-functioning, diversified and sustainable global value chains”

The construct highlights the fact that what we are reaching for is control - control of our own digital sphere and the ability to make our own decisions therewithin, without the influence of anyone else. The way this is achieved is not by building walls and entering into self-isolation. It’s done by keeping doors and windows open. It’s achieved by promoting interoperability, sharing, reuse, open collaboration, and innovation.

Control <> Investments & contributions <> Capabilities

Second, it is crucial to recognize that gaining control (i.e., autonomy) requires being prepared to make the necessary investments and contributions. Both are necessary in all areas of technology critical to society, encompassing both innovation and maintenance. This is how you gain influence, and by extension control, in open source and open technologies at large. Followingly, to be able to make these investments and contributions, having the necessary capabilities in place is pivotal, implicitly referring to a skilled taskforce, vibrant SME ecosystem, strong and clear policies and support structures (things I’ll return to further down).

Once we understand the relationship of autonomy <> control <> investments & contributions <> capabilities, we can start to realise that we don’t have to close down. You can still be “sovereign” by collaborating openly, and so also globally. The discussion about “European” open source should, therefore, in my opinion, be avoided at all costs to prevent confusion and misinformation.

The Comfort Syndrome

Coming to this point, however, is no easy journey for any government or public entity. One explanation comes from the comfort syndrome that has been spreading and residing in the public sector for many (many) years. This is easily diagnosed through symptoms such as risk aversiveness, conservative procurement culture, self-centricity, siloed mindsets, and general resistance to change. That said, I’m not pointing any fingers. It’s not a he or she or they problem. It’s a WE-problem.

As highlighted by fore-runners such as the Chancellery of Schleswig-Holstein, there is a need for political leadership to act and foster an understanding that sovereignty requires systemic changes, not just technical replacements. This is challenging, as political leadership is often subject to change, and its priorities follow suit accordingly. Building sustainable support for change is therefore essential, again highlighting the need for us to be growing courage together and to start collaborating.

The toolbox of Open Technologies

This is where the toolbox of open technologies comes into the picture. And it’s not just about open source software. The toolbox also covers open source AI, open standards, open hardware, open knowledge, and open innovation at large. These are all tools that prove value in different use cases. Ensuring requirements and use of open standards, including data formats, along with providing access and ownership of data, can often be enough.

Buying a toolbox is not enough, though. First, you need direction and a clear vision for what you are building. It is accordingly critical that policymakers provide a clear vision for what they want to achieve and define appropriate goals and incentives. If it’s strategic autonomy, this should be expressed loud and clear, as well as what it implies and when it is achieved (when will the house be finished? Was it designed according to the requirements?). Indicators and guardrails may be necessary to facilitate follow-up, benchmarking, and evaluation as governments progress towards autonomy.

Policies guiding the way

Policies (and other instruments providing intent and direction) should ideally consider both how autonomy can be achieved and grown from both the Industry and public sector perspectives. Typically, it is one or the other. The former is a prime focus in countries as South Korea and Japan, while European countries are overwhelmingly focused on government and public entities. Ultimately, dependencies that affect one end will also impact the other.

Policies should further consider both the consumption and contribution sides of open source. This translates to inbound and outbound policies, referring to the acquisition and procurement of open source-based solutions, and the release of software developed through public funds, respectively. Such policies can either come in the form of high-level endorsements (e.g., in Sweden), be advisory (e.g., in Denmark, Iceland), or prescriptive (e.g., in France, Italy). Ideally, the latter two are preferable with explicit language on either when and how open source should be considered in the acquisition process, or if software developed should be released as open source.

Which one is more preferable is an open question. In Italy, open-by-default has been legislated since 2012 in both the inbound and outbound, but was not followed as guidance and incentives are lacking, including the lack of penalties. In the Netherlands, an open unless-policy rules that is triggered when a publicly developed software is requested by someone to be released. The software is then evaluated to determine whether there is any reason not to release the software as open source (considering, e.g., integrity and confidentiality rationales).

Scope and coverage of the policies should further (ideally) have as complete coverage as possible, including both the national, regional, and local levels of government. Organisational or institution-specific policies should also be promoted, as some organisations may need to implement more specific strategies based on higher-level instructions. It is therefore worth noting that there may be a need for complementary policies that come in different forms and definitions, e.g., through legislation, government instructions, and strategies.

Support structures and OSPOs

Once you have direction and vision, we can return to the hammer. Now we need to learn how to use it accordingly. In essence, someone is needed who can translate the policy lingo into words of practice. Let’s consider open source first in the acquisition process. How is the total cost of ownership evaluated? How about matters related to licenses and IPR? Security, and by extension, the health and sustainability of the project? The need and availability of support? Or the need and presence of suitable OSS-based solutions? Is there a need to combine several, and for any customisation (most likely yes)? Then how are the open alternatives compared with each other and other proprietary options? And how do you define qualification requirements for suppliers, and define the necessary contracting terms so you don’t end up in a lock-in (does not come by default just because you say open source)? The list could go on… The same also applies to the release of software as open source.

Construct imported from industry

These are things that cannot be expected of the general procurement offices. That’s why (as with the case of Italy) support structures are needed. These are more and more referred to as Open Source Program Offices (OSPOs), a term coming from the west-coast Big-tech in the early 2000s, and more conceptualized in the mid 2010s, as centres of competency for organisations’ open source operations and structure. They support and help accelerate consumption, contribution, and collaboration. They help mature the organisational readiness, moving from accidental (re)use to systematic contribution and leadership, leveraging open source operations in alignment with the overarching business or policy goals.

OSPOs = Policy enablers and Change agents

The OSPOs can be referred to as both policy enablers and change agents. They help realise the policies and strategies into practice. Here, it is essential to note that practices from the Industry and community on adopting and leveraging open source cannot always be copied directly. Public sector open source is different in many ways, e.g., in terms of how development resources typically need to be procured through rigid regulatory frameworks. Here, the OSPOs play an essential role in creating the necessary guidelines, tools, and infrastructure for both the procurement and release of open source from a public sector perspective.

Most importantly, however, is that they provide vehicles of cultural and organisational change underneath (and sometimes outside of) their organisational umbrellas. This is one of the most critical aspects to consider. Open source requires a shift in mindset and ways of working, which, for many, is outside of what they are used to, comfortable with, or thought they were allowed to do. Many Big Tech companies have downsized their OSPOs in recent years, not because open source is no longer critical, but because they have worked with change management for so long that it has begun to have an impact. The OSPOs are still there, but not at the size and scope as previously needed.

Growing common capabilities with OSPOs as the interface

To gain strategic autonomy, however, one needs to go beyond the single organisational level and consider the society and public sector as a whole. Organisational change is necessary across the board. There is a need to develop common capabilities if control is to be achieved. The OSPOs help provide interfaces between organisations, levels of government, and parts of society. Creating a national government OSPO won’t do it. They are commonly a good starting point, but don’t scale and can’t support a whole country with all its levels. A comprehensive support structure is needed with OSPOs all across national, regional, and local governments and institutions.

On the national level, some countries stand out among others. In Germany, the work has been led since 2022 by the Center for Digital Sovereignty (ZenDIS), a dedicated state company under the Ministry of the Interior. ZenDIS also serves as a national OSPO and knowledge hub that supports capability and capacity development in the German public sector at all levels to increasingly use open source and open standards to strengthen national sovereignty. Corresponding work is carried out in France through the Interministerial Digital Agency (DINUM) and in Italy through Developers Italia (a joint initiative between the Department of Digital Transformation and the Agency for Digital Italy).

On the regional level, there have been strong movements for a long time towards open source as a means of promoting regional sovereignty in many Spanish regions, e.g., by localizing various open source solutions to the regional languages and culture. Galicia is one of the more progressive, recently releasing their latest open source strategy. Schleswig-Holstein in Germany is another prominent example, which through its recent strategy announcement are aiming to rid itself of proprietary solutions within a few years.

On the local level, multiple cities are leveraging open source to drive change and create independence. Large open source platforms have, through the years, come out of cities like Madrid (Consul), Barcelona (Decidim), Valencia (gvSIG), and Paris (Lutece). Many of the cities have established their own OSPOs, with Paris and Munich being among the more progressive. These larger and typically more resourceful cities play an essential role in supporting those less capable, democratizing digital transformation, and improving sovereignty on the national scale. The cities of Sundsvall, Bratislava, and Ventspils provide a guiding light for others to follow.

For governments (whatever level) and public entities with limited resources, Association-based OSPOs (e.g., OS2 in Denmark, iMio in Belgium, or ADDULACT in France) can be a solution to help pool resources and steward projects on their members’ behalf. The construct of government stewards should be considered either way, as public entities are commonly not geared to steward projects themselves long-term. In Industry and community, neutral proxy organisations in the form of non-profit open source foundations are typically the norm for projects reaching a certain mass and adoption across several organisations. Association-based OSPOs or more general government stewards can provide a corresponding way forward to the public sector, and a topic I’ll return to in a separate post.

OSPOs as enablers for open science and technology transfer

Academic and scientific research institutes are another area that needs to be integrated into the bigger picture. Academic OSPOs typically involve the Technology Transfer Office, which helps researchers translate their research between and across projects as open source. It enables further exploitation by partners and follow-up projects that can build on earlier outputs through open science principles.

Complementary OSPOs supporting public sector

An interesting emerging example of OSPO structures is the Transnational OSPOs, such as the Inter-American Development Bank and its Code for Development initiative, which supports countries in the region in the design of open source policy, finding open source solutions, and building general capabilities in the area. Another type of complementary OSPOs supporting the public sector has also emerged from civil society (e.g., Coding for Romania in Romania, Danes je nov dan in Slovenia), helping to create and onboard solutions, both new and existing, that address local and national needs.

Findability and promotion of existing open source solutions

A core feature of many OSPOs is to promote and enable the findability of relevant open source projects and solutions. These are not always as easy to find. A standard practice is to establish software catalogues that index open source solutions, either external or released by public entities. In a recent initiative from the European Commission, several country-specific catalogues have been aggregated into one single repository to promote cross-border reuse. The publiccode.yml metadata standard emerging from Italy has been key to this work and is something to consider for all types of OSPOs.

Strategic investments in key open source technologies

Sometimes, there will be the need for making strategic investments and create core products where the market status quo resists to change. One example is the overlapping OpenDesk and La Suite Numerique initiatives from Germany and France, respectively, which integrate existing open source solutions (e.g., Jitsi for video, Nextcloud for document storage) by developing the glue between them, and integrating the solution with the rest of the surrounding infrastructure and application suites. The German version is offered as a containerized solution for self-hosting as well as a SaaS and is reported to have 40,000 users and is growing.

Schleswig-Holstein has worked directly with implementing the underlying open source solutions, and as of October 2025, has reduced its Microsoft licences to 30% of the original share. By 2029, they project to reduce this to 1%. These examples show both that a migration is possible and that key investments can be critical to nudge the possibilities and, by extension, create trust and courage to take the steps needed. Since Italy, the Netherlands, and Switzerland have followed suit and joined the German-French desktop collaboration.

Along with OpenDesk, there is also the OpenCode platform, a GitLab-based social collaboration and source code management platform for hosting German public sector open source projects (including OpenDesk). Again, this offers greater control of the development and maintenance efforts and removes doubts and risks related to data storage on foreign platforms while promoting increased share and reuse and co-development with the public sector (coming back to how open source adoption can be supported and enabled). Similar platforms are hosted in other countries, including the European Commission, and the ambition is for OpenCode to provide a blueprint for other countries. The platform today has about 5,400 users and 2,300 repositories, also growing.

Another example from Germany worth recognition, which I was introduced to during FOSDEM, is the Gesundheitsamt-Lotse project, a healthcare system developed by and for the German federal state of Hessen. It’s been developed using an agile approach in collaboration with teams of developers from external suppliers. New functionality is added continuously, increasing interest and contributions coming in from other federal states.

Public recognition and awareness on open source lacking

Awareness and recognition of the wide-scale adoption and potential of open source as a lever for strategic autonomy is also needed among the public. Very few know of the economic impact open source technology has, how it underpins 95%+ of our digital infrastructure, and that large amounts are (still) actually maintained by individuals in their spare time, not the government, as for most other types of infrastructure they use in their daily lives. The annual European Open Source Awards ceremony is a crucial component of this awareness-raising effort. The newly established European Open Source Academy, which gathers recognized and influential experts in open source software and hardware, aims to enlighten policymakers and the public on the impact of open source technologies and how they can be sustained.

Sustainability and maintenance often neglected but pivotal

The sustainability, meaning the longevity and long-term viability of an open source project to stay maintainable, is commonly neglected. From a strategic autonomy perspective, however, it is more critical than the development of new solutions. The question of how it is thought still resides in many people’s minds. In essence, it needs to be a collective responsibility, including both the communities of volunteers and Industry, as well as the governments and public entities.

OpenForum Europe recently proposed a European Sovereign Tech Fund, styled after the Sovereign Tech Agency in Germany. Although the solution is not set, it is not a one fund to rule them all. A system of multiple and overlapping initiatives are needed to provide both short-term (e.g., audits and fuzzing) and long-term interventions (e.g., employment contracts and social benefits). Such interventions should be enabled through centralized and decentralized initiatives, employing both push and pull, e.g., through central funding schemes, requirements in procurement contracts, and regulated responsibility similar to the CRA, which pushes for manufacturers to care for their supply chains. From a cybersecurity standpoint, Europe needs to ensure the sustainability of the building blocks its infrastructure is constructed by and stands on.

Sustainable suppliers = Sustainable software

A critical component in this equation is the software service suppliers, and primarily so in the SME space. They are the ones that possess the incentives and skills to support the public sector in adopting and leveraging open source. They are key to maintaining a digital infrastructure that stays robust and resilient. When discussing the development of common capabilities, SMEs and service suppliers are as crucial as growing competency and culture within public entities, as most development resources tend to be outsourced. Governments should accordingly ensure that service suppliers can create sustainable business models and that maintenance is included in any contract signed, including hosting and support contracts.

Establishing explicit strategies that show intent of dedicated and long-term investments into open source technology (i.e., going beyond words) can help incentivize SMEs to invest in existing and develop new open source solutions per market needs. Requiring open-by-default on outputs from R&I programs and convening industry (competition across) to trigger collaboration on commodity parts of the stack has also shown promise in nudging the European automotive industry, a recipe to trial in across other sectors as well.

Many vendors are organized in national open source vendor associations and united under APELL, their Eurpean umbrella. They provide an important voice for policymakers and governments on how to consider open source in relation to policy and in procurement and acquisition of new software services.

Eurostack, an initiative on growing and promoting a European technology stack, is a recent and quickly evolving example of how industry, SMEs, business associations, and Academia are starting to organize themselves in order to push policymakers towards a more sovereign agenda. Since the formal launch about a year ago in a high-level gathering at the European Parlament, the initiative seems to have split into one branch more focused on leveraging existing solutions on available, while another branch seems to be wanting to create a new stack from scratch. Despite inclination, they signal an overarching agenda that there is a need for action and provide a broad list of recommendations to consider.

Addressing the skills gap

While there definitely is quality, Europe still lacks the necessary quantity of people with the required mind- and skillset. Training and skills development on STEM and open technolgies must be pushed more strongly through the Skills agendas both on the European and national levels, and injected through elementary and high school, higher education, and lifelong learning. The current generational shift happening in open source is not leaving Europe unaffected. Training programs must consider roles across society, from policy and decision-makers to procurement officers, civil servants, product owners, developers, IT technicians, etc. This is essential if we in any way are to address the aformentioned comfort syndrome.

Final thoughts

In summary, digital sovereignty is about gaining control of the digital sphere, not isolating it with walls and ceilings. Open source provides a vehicle and a tool set. Control requires strategic investments and contributions that encompass both innovation and maintenance. Such investments and contributions require growing common capabilities across the public sector, Industry, and all of society. Both policies and support structures are needed to make this happen. OSPOs provide a policy enabler, change agent, interface, and cornerstone for the support structure.

Categories:

Updated:

You May Also Enjoy

How Denmark is Waking Up to the Challenge of Digital Sovereignty

5 minute read

Society’s institutions and our everyday lives have, for a long time (and increasingly) been transforming from physical to digital, where services, interactions, and communication now transcend the two worlds, which are becoming ever more integrated. Interestingly (and unfortunately), public policy and leadership have not kept pace, which, in the long term, poses a threat to security and, by ext...

French Cloud Strategy pushing Supply and Demand towards Digital Sovereignty

4 minute read

Countries across Europe are ramping up their efforts to adapt to the changing geopolitical climate, preparing for uncertainties that the near future might bring. Dependencies on non-European cloud providers are substantial and require proactive action both top-down and bottom-up. Top-down includes policy and legislation setting the stage by, for example, enabling demand and guiding buyers in ma...