14 minute read

As the OSPO 4 Good conference is approaching, I thought I’d do a recap of a study we did for the European Commision and DIGIT mapping out how Public Sector Open Source Program Offices (OSPOs) are structured and organized. An OSPO may be compared to a center of competency and excellence driving organizational readyness related to OSS within or across a set of organizations. In the study, we looked at 12 cases across the EU member states, and synthesized six different OSPO archetypes to provide guidance for Governments and Public Sector Organizations in how they can go about to build institutional capabilities internally and in common to leverage OSS as a tool in their digital transformation journeys.

The post is a synthesized extract based on my talk on the topic during last year’s OSOR turns 15 Awards. The study is currently going through the EC’s internal publication process but should hopefully be out soon. Let me know if you wish further insights until then :)

Adoption slow but accelerating

We’ve been sharing and reusing each other’s code bases in the open now for quite some time, way before any definitions was coined. And looking at society at large, we’ve come quite far. But looking at the public sector, we are lagging behind. We’ve seen numerous good examples on migration efforts, collaborative development, nationally across border, procurement, policy initiatives, etc. A lot of them were very successful, but a lot of them have been and are still today very fragile in terms of sustainability. Just as the many open source projects we depend on today in our everyday lives. Why is this?

Common challenges inhibiting adoption

One of the main challenges is the limited knowledge within the public sector in terms of both what open source is, but also how it can be leveraged as an instrument in achieving your policy goals and your digital transformation, depending on what level.

A second point (and not limited to public sector) is culture. If we look in the public sector, we have a very high level of conservatism, of risk aversiveness, a preference of keeping the status quo, using what we trust, what’s already there, the brands and the people we know. And there’s also this fear of going outside of your bubble, interacting, collaborating, getting feedback from people outside of your organization on what you actually do.

And third, we also have resources. In Sweden, we have 290 municipalities. The smallest one has about 2,000 people. The largest one has about 1 million. You can’t expect a municipality of 2,000 people to have the resources or capabilities to leverage or understand what open source is. A procurement officer, they need to procure gravel, hand sanitizers, and software. They will go and look into the catalog and see, okay, what kind of software is there? What are we using? What is the neighboring municipality using?

Open Source Program Offices (OSPOs) enters the stage

If we look into the private sector in industry when addressing challenges like these, one of the best practices since the beginning of the 2000s is the establishment of what is called Open Source Program Offices. These can be described as centers of competency and excellence. They help to support, accelerate open source consumption, collaboration, development. They help to improve and mature the organizational readiness to help to design, facilitate, and execute on the open source strategy of the organization so that open source can be used in alignment with the business or policy goals.

If we just forget about the label os OSPOs and just look at the actual support function here, we have seen a number of different centers of competency come and go through the years. In a recent report we did for the Danish Agency for Digital Government, we surveyed 16 countries on their policy and support actions promoting OSS reuse. There we can note how entities corresponding to OSPOs (but not labeled so) have been present right after the coining of the OSPO definition, and very much in the same time as the private sector OSPOs started to emerge.

Still, we can also note how fragile the public initatives have been compared to the private OSPOs. But something is changing now. Now we are seeing OSPOs being created both vertically and horizontally within the public sector on the international and national levels. And what’s more is that they are starting to interconnect. They are starting to collaborate, sustaining themselves much as an ecosystem or a community works.

Archetypes for Public Sector OSPOs

But how are these OSPOs structured and organized? We did a study where we looked at 16 different cases on different levels, trying to find these archetypes for others to learn from, for others to imitate and copy, so we can enable and create this ecosystem and really address the different challenges that we have discussed until now.

National Government OSPOs

The national government OSPOs are typically hosted on the national administration of ministries with responsibility for digital government or transformation, be it in general or in a specific area such as cybersecurity or public employment. Their main goal here is to build and scale the capabilities and possibilities of collaborating and adopting open source throughout the public sector or within the domain. Here we looked specifically at France, Italy, Germany, and Luxembourg.

Italy provided an interesting case as they’ve had a law for quite some time now, since 2012 requiring the public entities consider open source firsthand and the publicly funded developed software is released as open source. However, this law and policy has remained quite ineffective as to reports and interviews. It wasn’t really until what we label here as the OSPO - Developers Italia or Team Digitale was initiated in 2017 between the Department of Digital Transformation and the Agency for Digital Italy, and when the procurement guidelines was released in 2019, that the law started to have effect.

The Italian OSPO have really done an effort in creating guidelines, doing active support, creating a discoverability platform to find open source projects used and enable their reuse. And what I think is very important here is that they go outside and create this ecosystem or community of communities within the public sector and cross the sectors, enabling practitioners, policymakers, hackers to interact, to share knowledge, to engage, to create new communities, to create new projects, engage in existing projects and so on.

Institution-centric OSPOs

Institution-centric or organization-centric OSPOs are typically hosted within the Department for IT Provisioning Services, within the overarching institutional organization. Their primary goal is more organizational focused, much like industry OSPOs, focusing on scaling and building an internal capacity in terms of adopting and benefiting from open source. Here we look specifically at the European Commission’s OSPO, the French Public Employment Service, and the Dutch Tax and Customs Administration.

Considering the European Commission’s OSPO specifically, it’s situated in the Directorate General for Digital Services, DIGIT, and came as a consequence of the 2020 open source strategy, which they are also set to help facilitate its renewal and execute on. They provide a liaison and an interface enabling the interoperability between internal and external stakeholders, and not just technical, but also cultural and organizational. This is exemplified through the EC OSPO’s European OSPO network, where they identify and bring on public sector OSPOs throughout Europe, helping them to benefit, share knowledge, share each other’s challenges, and progress and evolve.

Internally looking, the EC OSPO is also functioning much like the industry OSPOs, where they are facilitating, promoting, supporting the consumption and development contribution collaboration on open source. On one hand, by removing friction for the developers and decision makers, but also ensuring the risk management side so that the decision makers can feel safe and secure, both from the compliance perspective and the security perspective. and that we can trust what we have in production, but also from the sustainability aspect that what we use is actually maintained.

Local Government OSPOs

Local Government OSPOs are typically again hosted within the departments responsible for IT service provisioning or digital innovation policy and so on. Their goal is to enable the use of open source Not for the sake of it, but as an instrument in achieving their policy goals and their own digital transformation on the local level. Here, we looked specifically at the cities of Paris, Bratislava and Ventspils in Latvia.

In the case of the City of Bratislava, what we call a OSPO here is a part of the Department for Digital Services and Innovation created in 2019. They don’t have an explicit open source strategy, as could be expected, but in contrast to, for example, the European commission’s. But they have it highlighted in a lot of different places, such as the digital innovation policy, the Bratislava 2030 policy.

Looking at the department where the OSPO is hosted, there is a strong preference for open source due to the local knowledge and culture there. But looking at the city as a whole, there is still somewhat level of conservatism and there really needs to be a strong business case for whatever open source options you would consider in an acquisition. This should be seen as something positive as you shouldn’t just use open source for the sake of it. It needs to create value. And here the OSPO can help you, provide you with the business case, both from the risk perspective and the plus side.

The Bratislava OSPO is very developer-oriented, as we can see in the other cases as well. They focus a lot on developing, maintaining, providing, hosting open-source-based solutions for the city, such as their e-service platform, much similar to Lutece in the City of Paris. They have a very close collaboration with stakeholders throughout the public sector, civil society, and they use metrics quite heavily to guide their development. And looking long term, they are looking at how they can provide this as a service for other cities and governments across Slovakia.

Association-based OSPOs

The Association-based OSPOS can be compared a lot to the open source software foundations we have in the community at large and industry, and potentially to what the new Cyber Resilience Act refers to as Open Source Stewards. They provide this neutral proxy ground where everyone can come, feel safe, know and trust the standardized governance processes and ways of working. No one can run with it. It’s neutral and transparent. These associations basically have public sector organizations as either members or owners. And their primary goal is to enable their members to initiate, develop, collaborate on open source software-based solutions addressing common needs and goals. Here, we investigatd the cases of OS2 from Denmark, the Dutch Association of Municipalities, and open cities from the Czech Republic.

Considering the case of Open Cities, they are a nonprofit consisting of 20 plus cities, although they do have regions as members as well, which does expand the number of cities indirectly. They receive and host open source projects initiated by public sector organizations, in contrast to OS2, where the members initiate themselves directly. At the point of the study, they had six projects. One of the more prominent, CitiVizor, an open source tool for visualizing and providing transparency into municipal management, such as public spending.

They have a really close collaboration with civic tech hacker communities, and they are engaged in the national effort towards creating a national government OSPO within the Czech Republic (which was just recently announced!), but also driving the collaboration and maturity on the European international level through the Brno Declaration.

Academic OSPOs

The Academic OSPOs are typically hosted within the higher education and the scientific research organizations. They provide support for development and dissemination of research and outputs as open source. We looked at the cases of Trinity College Dublin, and LERO in Ireland.

Considering the case of LERO, they have a special setup where they have a very informal and very decentralized OSPO with a team of subject matter experts spread across the institution. They support and train the researchers in how they can develop, collaborate, and disseminate their outputs as open source. But they also consider it from the larger, more high-level open science perspective, bringing, for example, open data as a very important tool here.

They’re also looking at the trend at Trinity College Dublin and how you can start to spin out the research outputs using open source business models as well. Here, the Technology Transfer Office plays a pivitol role.

Complementary support functions / Civil-society OSPOs

In our survey, we also found an interesting case of complementary support functions for the public sector, organizations independent of any ownership or membership from public sector organizations. Despite this, they have as a goal to build and support the public sector in growing its open source capabilities and benefiting from it.

We looked specifically at the case of Code for Romania, a civic tech nonprofit from 2016, which has the aim to equip both civil society and public sector in more high quality public services. For example, within education, healthcare, environmental, social services. They develop, host and maintain these services for the public sector. Sometimes they transfer it to these organizations as well. They have a very structured process in how to do this and how to identify the critical areas.

Which archetype to choose?

This is very dependent on who you are, where you are, etc. But one thing you should definitely start out with doing is look into your local area and your own nation. What initiatives are there? Who can you learn from? Who can you interact with? Who can you collaborate with? Who can you join forces with?

One thing we really noted among the cases and the interviews was this need for growing common institutional capabilities here, common capacities, joining forces, pooling resources, pooling knowledge, creating knowledge, addressing common challenges as the ones we’ve talked about today. And on a positive note, we also know that with this need, that there is a will, especially from the more capable organizations to support those less capable.

Here, the Association-based OSPOs really provided a great example, how the larger municipalities, those with stronger budgets and internal development resources, take a lead and drive the development, but also enable those less capable, but still as important, actors to join in, contribute, be it financially just or tag along, but also with important inputs on different use cases and so on.

Collaboration needed cross-sector and cross-border

The archetype of Complementary support functions / Civil-society OSPOs highlights the potential of the other actors outside of the public sector stepping up. This is important in cases where Government may not have the will or resources to prioritize open source or digital transformation at large. Public sector organizations should hence strive to go outside of the public sector, include and talk to academia in terms of open science, knowledge transfer with the civic tech society, and interact with the industry who are leading the best practice and the development in terms of organizational use and consumption and collaboration, and especially sustainability. This is a collaboartive effort we need to do both on the international, national and local levels of society.

The OSPO - a policy enabler and change agent

To close and looking forward, the OSPO, as we can note, whatever name, is a support function, an enabler, and a change agent. It’s a driver of culture and organizational change, helping to address the fundamental fear and challenges that arise in people’s minds when they hear the word Open. Again, this is not unique for public sector in any way. Either way, these fears and concerns need to be met and acknowledged. Risks and costs need to be weigthed against the benefits and potential of going open. And the OSPO can really help provide you with the necessary tools and introducing the best practices.

Again, as noted in out earlier report on policy and support actions in public sector, defining a policy is not enough. You have to provide the knowledge, the support, the understanding, tooling infrastructure of how to actually know how to understand the requirement, but also from the vendor perspective. The OSPO is a policy enabler. You have the policy and you have the enablers with the OSPO, as we saw, for example, in the case of Italy. So this is needed to actually for us to reach the different policy goals, be it sovereignty, interoperability or innovation. And what we can note here is that the OSPO will continue to play a pivotal role going forward.

Ideally, the OSPO would dissipate with time as it will have a natural transition, as we’ve seen in a lot of the big tech companies that are down investing on their OSPOs. But that’s due to the fact that they are actually undergoing this change, that openness has started to become a natural part of the organization of how people work. And the term open source here, we need to go on and that will come gradually and naturally just to also include open data. We shouldn’t just not talk about open data. We need to talk about open data, software, standards, and also silicon, hardware, science, and not to forget open source AI (which is yet to be defined).