

Here’s a brain dump with thoughts and reflections from two intense days of EU Open Source and policy discussions together with my great colleague Sachiko Muto in Brussels, organized by the European Commission and OpenForum Europe respectively.

  • There is an ongoing discussion on the differentiation between European OSS and OSS in general, where the former is (primarily or fully) created by European companies and individuals related to digital sovereignty. Instead of putting up flags, OSS should rather be seen as the public good it is. And to maintain an open strategic autonomy, concerned actors need to partake in the collaboration and influence the direction, just as companies do in OSS in general. This way, open collaboration and development can be ensured, and by extension, the sovereignty of not becoming locked into a specific vendor or government.
  • Policy development and regulation are escalating in pace, and if done at too detailed a level, it may risk limiting innovation and competition in European industry. The Cyber Resilience Act was a difficult exercise for regulators and the OSS ecosystem alike, highlighting the need to improve communication and knowledge sharing. This requires an initiative both top-down and bottom-up from the two sides, where stakeholders need to learn each other’s rules of play, culture, and language. As regulations keep on coming, and technology is accelerating even faster, getting this right is pivotal. Here, OSS foundations (or stewards, see below) and companies can play an important role.
  • OSS is catching on even in conservative industries such as Automotive. One hundred thirty years old, the industry is now moving towards software-defined vehicle (SDV) architecture where features are updated continuously over the air, and connectivity and cloud services offer new possibilities, as well as risks. OSS is pivotal to enabling this transition but is today mainly limited to infotainment. The industry is slowly finding its way in moving towards a networked collaboration structure and functional-safety-compliant development processes, and in defining the non-differentiating arena where actors can collaborate with standardized interfaces that allow for modular and flexible configurations of the future SDV. A recent report for the Eclipse SDV WG sheds more light on the topic [1].
  • The importance of OSS and open technologies as instruments for addressing the SDGs is echoed from the highest levels of the United Nations with UNDP and ITU, who, together with the European Commission, have launched the Open Source Ecosystem Enabler initiative. The project aims, over 42 months, to sponsor the public sector internationally in building institutional capacity for leveraging the possibilities of OSS through the creation of national and interconnected Open Source Program Offices (OSPOs). A report will soon come out from the European Commission providing blueprints for how such OSPOs may be designed.
  • There will also be a continuation of the OSPO for Good conference on 9-10 July, focusing on bringing representatives from developing countries into the ecosystem and empowering them in the overall work towards minimizing the digital divide and addressing the SDGs. The event follows on from last year’s successful event in bringing these stakeholders together. A white paper summarizing the 2023 event is available [2].
  • Open Source AI is ever-growing, both in development in industry and in attention from policymakers. The AI Act provides high-level principles aiming to regulate the use and risks of the technology while still enabling innovation to continue. There are difficulties, however, in defining what Open Source AI implies, what the preferred form for modification is, and what components are needed. The limitations of global frameworks covering everything from input data to the various outputs raise concerns. The Open Source Initiative is driving an inclusive community discussion to address the lack of clarity; the goal is to have a first version of a definition by the end of the year. Open governance is highlighted as a key for creating trust and transparency into the ongoing development. Public sector organizations should specifically find their way in partaking in such discussions.
  • OSS stewards are a new construct coming from the Cyber Resilience Act (CRA) that includes “any legal person, other than a manufacturer, which has the purpose or objective to systematically provide support on a sustained basis for the development of specific products with digital elements qualifying as free and open-source”. This definition applies to the existing OSS foundations. It adds explicit responsibilities related to cybersecurity practices, which are quite often already widely adopted. However, some may need to scale by creating a single point of contact for each OSS project for security-related matters. The OSS stewards are further good candidates for taking a representative role for the wider OSS ecosystem in the standardization efforts which are going to prescribe the actual implementation of the CRA. The application of the OSS stewards label to public sector OSS associations remains to be seen.
  • There is a continued discussion on how the maintenance of OSS projects can be funded and sustained. Being a critical part of the digital infrastructure, OSS projects typically constitute a common, falling between the responsibilities of private and public institutions. All need to contribute, even though the industry consumption and potential to contribute may be bigger than the public. In the long term, maintenance efforts need to be included in risk management, and dedicated funding needs to be planned for in the budgeting processes. The amount needed is far more than probably anticipated by many. Francesca Bria calls for a 10 billion Euro fund addressing the full stack of components needed to enable an open and sovereign technology stack for public services and the common digital infrastructure. I think, however, that the long-term and sustainable approach is to get upstream contribution, support, and engagement into tenders and internal processes of public sector organizations, and further encourage (or require) industry to do their part.

Many topics, thoughts and talks compressed. Looking forward to following up on all the conversations and insights 😊

  • [1] https://outreach.eclipse.foundation/oss-auto-vision
  • [2] https://www.un.org/techenvoy/sites/www.un.org.techenvoy/files/OSPOs_for_Good_Report_1.pdf