Open Source as a Sovereignty Lever

Open-source software is the most structurally durable tool for achieving digital sovereignty. When you can audit the code, self-host the infrastructure, and fork the project if the vendor changes direction, no single entity can revoke your access. From Nextcloud to Matrix to Linux, open source underpins Europe's most credible sovereignty initiatives.

5 min read · 10 sources · Published 2025-02-20

Key Takeaways

  • Open source eliminates single-vendor dependency by design — the code is auditable, forkable, and can be self-hosted, meaning no provider can unilaterally revoke access or change terms.
  • The European Commission's 2020 Open Source Strategy committed EU institutions to "think open" by default and contribute to open-source projects, signalling institutional support for open-source sovereignty.
  • Gaia-X, launched by France and Germany in 2019, aims to create a federated data infrastructure based on open standards and open-source components — though its progress has been slower and more contentious than initially envisioned.
  • Critical open-source infrastructure projects — OpenSSL, curl, the Linux kernel, PostgreSQL — are maintained by small teams with limited funding, creating a fragility that programmes like the Sovereign Tech Fund aim to address.

Why Open Source Is Structurally Different

The case for open source as a sovereignty mechanism is not primarily about cost — it is about control. Proprietary software operates under a licence that grants the vendor ultimate authority: they can change pricing, alter functionality, discontinue products, restrict usage, or — critically for sovereignty — comply with foreign government demands that the customer cannot even see. Open-source software, by contrast, is distributed under licences (GPL, Apache, MIT, EUPL) that guarantee the user's right to use, study, modify, and redistribute the code.

This creates three structural properties that are unique to open source:

  • Auditability: The source code is available for inspection. For security-sensitive workloads — government communications, healthcare data processing, financial systems — this means the software can be reviewed for backdoors, vulnerabilities, or undisclosed data exfiltration. Proprietary software operates on trust; open-source software operates on verification.
  • Forkability: If the entity maintaining an open-source project changes direction, is acquired by a hostile party, or ceases to operate, the community or any organisation can fork the code and continue development independently. This happened when Oracle's management of MySQL led to the creation of MariaDB, when Elasticsearch's licence change spawned OpenSearch, and when HashiCorp's relicensing of Terraform produced OpenTofu.
  • Self-hostability: Open-source server software can be deployed on any infrastructure — on-premises, in a European data centre, or on any cloud provider. This decouples the software choice from the infrastructure choice, allowing organisations to achieve data residency and jurisdictional control without being locked into the vendor's hosting.

EU Institutional Commitment to Open Source

The European Commission has progressively strengthened its institutional support for open-source software. In October 2020, the Commission adopted its Open Source Software Strategy 2020-2023, built around the principle of "Think Open" — a commitment that EU institutions should prefer open-source solutions, contribute to open-source communities, and share software developed with public funds. The strategy explicitly linked open source to digital sovereignty, stating that "open source helps Europe keep control of its own technology infrastructure."

The European Commission's code.europa.eu platform hosts open-source projects developed by EU institutions, making publicly funded software available for reuse by Member States, local governments, and the public. The European Union Public Licence (EUPL), maintained by the Commission, provides a copyleft licence specifically designed for compatibility with European legal frameworks.

At the national level, the "Public Money, Public Code" campaign led by the Free Software Foundation Europe (FSFE) has gained endorsements from over 200 organisations and multiple government agencies. The principle is straightforward: software developed with public funds should be publicly available as open source. Germany, France, Italy, and Spain have all adopted policies requiring or encouraging open-source adoption in public procurement, with varying degrees of enforcement.

The European Parliament has repeatedly called for stronger open-source mandates. A 2023 resolution on digital sovereignty urged the Commission to "increase the use of open-source software in public institutions" and to ensure that EU-funded software is released under open licences by default.

Gaia-X: Federated Infrastructure and Open Standards

Gaia-X, announced jointly by France and Germany in 2019 and formally established as a non-profit association in 2021, aims to create a federated data infrastructure for Europe based on open standards, transparency, and interoperability. Rather than building a single European cloud, Gaia-X defines a framework of trust, identity, and data-exchange standards that any compliant provider can implement.

The project's architecture centres on three core concepts:

  • Self-descriptions: Machine-readable declarations by service providers detailing their data-processing locations, applicable jurisdictions, security certifications, and terms of service — enabling automated compliance checking.
  • Federated catalogues: Registries of Gaia-X-compliant services that organisations can query to find providers meeting specific sovereignty, security, and interoperability requirements.
  • Data spaces: Sector-specific ecosystems (healthcare, mobility, energy, manufacturing) where participants share data under controlled conditions using Gaia-X trust framework components.

Gaia-X's progress has been slower and more contentious than its founders envisioned. Membership controversies arose when US hyperscalers (AWS, Microsoft, Google, Palantir) joined the association, leading to accusations that the initiative had been captured by the incumbents it was supposed to counterbalance. Several founding members, including Scaleway, publicly withdrew in protest, arguing that Gaia-X had drifted from its sovereignty mission.

Despite these challenges, Gaia-X has produced tangible outputs. The Gaia-X Trust Framework provides specifications for digital identity, credential verification, and service-level transparency. Several Gaia-X Lighthouse Projects — including Catena-X (automotive supply chain), Health-X (healthcare data), and Agri-Gaia (agriculture) — are operational, using Gaia-X standards for real-world data sharing. Whether Gaia-X evolves into the foundational layer of European digital infrastructure or remains a standards body with limited adoption will depend on whether its outputs are mandated through procurement requirements and regulatory references.

The Open-Source Sustainability Challenge

Open source's structural advantages for sovereignty come with a critical vulnerability: funding and maintenance. The most important open-source projects — the ones that underpin not just European but global digital infrastructure — are often maintained by remarkably small teams with precarious funding.

The Log4Shell vulnerability (CVE-2021-44228), discovered in December 2021 in the Apache Log4j logging library, exposed this fragility dramatically. Log4j was used by millions of applications worldwide, yet its maintenance was handled by a handful of volunteer developers. The vulnerability triggered a global scramble involving CISA, ENISA, and national cybersecurity agencies — all because critical infrastructure depended on insufficiently supported open-source software.

The response has been multi-pronged:

  • Germany's Sovereign Tech Fund directly funds the maintenance of critical open-source infrastructure, including curl, OpenSSL, PHP, WireGuard, and dozens of other projects. Established in 2022 with €67.5 million, it has become a model for public investment in open-source sustainability.
  • The EU's Next Generation Internet (NGI) programme has funded hundreds of open-source projects through Horizon Europe, including privacy-preserving technologies, decentralised identity systems, and secure communication tools.
  • The Open Source Security Foundation (OpenSSF), hosted by the Linux Foundation, has developed frameworks for supply-chain security (SLSA, Sigstore) and vulnerability management that are increasingly adopted by European organisations.
  • The Cyber Resilience Act (Regulation (EU) 2024/2847) introduced obligations for "open-source software stewards" — organisations that systematically support open-source software used in commercial products — to implement vulnerability handling and reporting processes, acknowledging open source's role in critical infrastructure while trying to improve its security posture.

For European organisations building sovereignty strategies on open-source foundations, contributing to the projects they depend on is not charity — it is risk management. The organisations that fund, maintain, and contribute to the open-source projects in their stack are the ones best positioned to ensure those projects remain secure, maintained, and aligned with European needs.

Frequently Asked Questions

How does open source help with digital sovereignty?

Open-source software provides auditable code, the ability to self-host, and the freedom to fork if a vendor changes direction. No single entity can revoke access or change terms. This makes open source the most structurally durable tool for achieving digital sovereignty.

What are the best open-source alternatives to US tech?

Key open-source European alternatives include Nextcloud (Dropbox/Google Drive), Matrix/Element (Slack/Teams), LibreOffice (Microsoft Office), OpenProject (Jira), Forgejo (GitHub), and Plausible Analytics (Google Analytics). All can be self-hosted on European infrastructure.

Is self-hosting open source practical for businesses?

Yes, and increasingly so. Managed hosting options from European providers reduce operational burden. Nextcloud, Matrix, and Forgejo all offer enterprise support contracts. For organisations that cannot self-host, European SaaS providers running open-source software offer a practical middle ground.
