Software sovereignty: open source in the EU

November 17, 2022 
Open source maturity model from Mindtrek 2022. Applicable to the European Commission's open source journey as well. Photo: Samuli Seppänen, 2022

What is software sovereignty

Software sovereignty is a subset of digital sovereignty. In essence, digital sovereignty means controlling your data, hardware and software. In Europe digital sovereignty has been driven by the EU. The reason is the reliance on services from big, global US-led vendors such as Amazon, Microsoft and Google. This poses a risk to the EU, just as does reliance on Chinese manufacturing is similarly a risk.

These worries are compounded by the threats to democracy posed by rise of authoritarianism (e.g Russia and China) and other threats to democracy, such as Trump's rise to power and the MAGA movement in the US, and the rise of far-right nationalistic parties in various European countries. Without digital sovereignty in general, or software sovereignty in particular, somebody could "pull the plug" and you would loose access to your own data, hardware and software. Moreover, if you do not control your data, hardware and software, you're capability to innovate is severely hindered.

Open source and software sovereignty

Open source software is a part of the "software" part of digital sovereignty. If you are not able to see and modify the source code for the applications you run, you need to rely on somebody else to do it. If your are using closed source (proprietary) software, the vendor might never implement the features you'd like it to.

Big organizations may be able to get the commercial vendors to customize their software for them. Small actors, such as individuals and small companies, are essentially at the mercy of the vendor. The vendor may or may not implement or may or may not drop features. The vendor may or may not decide to change the prices or the pricing model at will. Software as service (SaaS) is in this regard the worst, as the vendor manages everything, including the configuration of the application. You can typically customize closed-source self-hosted applications to a greated degree than software as a service.

This is where open source comes in. Being open, it allows anyone with the proper skillset to inspect and modify software to suit their needs. This characteristic of open source helps avoid vendor lock-in, even when using commercially supported open source software. Even in the SaaS context you're not out of luck, as you can typically migrate your data from a vendor-managed service to a self-hosted instance.

Perspectives from the Mindtrek 2022 event

In Mindtrek 2022 Miguel Diez Blanco and Gijs Hillenius from the Open Source Programme Office (OSPO) in European commission had a presentation about their open source journey. Timo Väliharju from COSS ("The Finnish Centre for Open Systems and Solutions") gave some perspectives on open source in Europe through his experience in APELL ("Association Professionnelle Européenne du Logiciel Libre"). What follows is a essentially a summary of their analysys of the state of open source and digital sovereignty within the EU and the European member states.

European commission's open source journey

European Commission started their open source journey around year 2000 by using Linux, Apache and PHP for setting up a wiki. Later they set up a lot more wikis. Open source was at that time also used on the infrastructure layer. Later it gradually crept up to the desktop. In 2007 they started to produce open source software themselves (see By 2014 the commission had started contributing to other, external open source projects. So, over the years they climbed up the open source maturity level ladder. The Commission's usage of open source software continues to increase. OSPO's goal is to lead by example: by working towards open source and software sovereignty others tends to encourage others to pick it up, too. Something that works for the EU, is likely to work for a national government also.

Culture of sharing and open source

There are about three thousand developers (employees and contractors) in the European Commission. As seems to often be the case, many of these internal teams previously worked in isolation. The isolation is by accident, not by design, but is still harmful for introduction of open source and hence for achieving software sovereignty.

OSPO tackled the problem by encouraging use of an "inner source" by default. The term meant using code developed in-house code when possible. This did, however, require a culture of sharing first. While some software projects were good to share as-is, some had issues that the authors had to resolve first. Some projects were not useful outside of the team that had developed them, so the authors decided to keep them private. The cultural change took a couple of years. OSPO encouraged the change by providing really nice tools for those teams that decide to join. That is, they preferred a carrot to a stick.

Outreach to communities

Along with their internal open source journey, OSPO have also reached out to open source communities.They fund public bug bounty programs and organize hackatons for important open source projects. The hackathons help gauge the maturity of those open source projects. They also help OSPO find ways to help them become more mature.

OSPO also holds physical and virtual meetings between presentatives of European countries once a year. The goal of these meetings is to increase open source usage and software sovereignty with data-based decisions.

Improving security of open source software

OSPO has gone beyond bug bountries in their attempts to improve the security of open source software. FOSSEPS stands for "Free and Open Source Software Solutions for European Public Services". One of its key objectives has been to improve the security of open source software use the the Commission. OSPO achieved the goal by building an inventory of software used by the EU. It used the inventory to figure out what software required an audit. Once they had finished auditing, they fixed thesecurity issues they had identified.

The journey to software sovereignty continues

The European Commission's open source work is still ongoing. In the member state the status of digital sovereignty vary a lot. Some countries like France and Germany put a lot of emphasis on open source in their policies, but funding may at times be a bit thin. Other countries, for example Finland and Denmark consider open source as "nice to have" instead of "must have". On the commercial front the challenge is that European open source companies tend to be small. This is the reason why one of APELL's goals is help them work together more efficiently.

Open source at Puppeteers

We, the Puppeteers, are an open source company. We do Cloud automation with infrastructure as code using open source tools such as Puppet, Terraform, Ansible, Packer and Podman. The majority of the code we write is available in GitHub and in various upstream open source projects. We provider our clients with high quality peer reviewed code and help them avoid any form of vendor lock-in.

If you need help with your Cloud automation project do not hesitate to contact us!

Samuli Seppänen
Samuli Seppänen
Author archive