Open source has reached the procurement file
Europe’s new strategy treats open code as public infrastructure, with procurement, maintenance and security moving from side notes to the centre of the plan.

Open source software is often discussed as if it were a developer preference or a cheaper line on a budget. Europe’s latest digital policy package treats it as something less decorative and more consequential: infrastructure. The interesting part is not that the European Commission has praised open code. That has happened before. The shift is that open source is being pulled into procurement, maintenance, security and public-service delivery.
On 3 June 2026, the Commission adopted a wider technology sovereignty package covering semiconductors, cloud and AI infrastructure, open source and energy digitalisation. Inside that package, the EU Open Source Strategy sets out a full lifecycle approach, from research and development through market uptake, deployment, long-term maintenance and governance of critical components. In plain terms, it is no longer enough to say that a project is open. Someone has to be able to fund it, test it, procure it, patch it, reuse it and explain who is responsible when it becomes part of a public system.
That is a practical change in tone. The Commission says open source can reduce dependence on non-EU proprietary technologies, improve control over critical digital infrastructure, and increase transparency, security, interoperability and reuse. Its fact page also puts numbers beside the argument: Europe has more than three million open source contributors, spends more than €260 billion a year on digital technologies from third countries, and has more than 500 for-profit open source companies in areas such as cloud, cybersecurity, data and software-defined industrial systems.
Those numbers do not make open source a magic fix. They make the maintenance problem visible. A library used by thousands of services may be open to inspection, but inspection is not the same as sustained care. A public body may like the idea of avoiding lock-in, but a tender that quietly favours a familiar proprietary bundle can still shut smaller suppliers out. A ministry can publish code, but if no one budgets for documentation, security updates and governance, reuse becomes a slogan.
The new strategy is at its most useful where it acknowledges those weak points. It identifies limited long-term funding, difficulty scaling projects, fragmented visibility, weak access to public procurement, and value captured outside Europe as barriers for the European open source ecosystem. That list is less glamorous than a sovereignty speech, but it is closer to the daily reality of software. Code becomes resilient when boring support systems exist around it.
Public administrations are therefore central to the plan. The Commission wants them to act not only as users of open source, but as anchor users and contributors. The strategy points to procurement guidance, open source-friendly tendering, stronger Open Source Programme Office networks, reusable public digital assets and digital investment decisions that consider openness and sovereignty. For a reader outside Brussels, the signal is simple enough: open source may increasingly appear in the rules for how public technology is bought, not only in the preferences of individual engineering teams.
The policy also connects open source to specific systems that ordinary people may eventually touch. The Commission names the EU Digital Identity ecosystem, the European Digital Identity Wallet and the European Business Wallet as areas where open source can be promoted. That matters because identity wallets, business credentials and public-service logins are not side projects. If governments put digital identity into people’s phones, the software choices behind those systems deserve scrutiny, repairability and public accountability.
Businesses should not read this as a sudden instruction to replace every commercial product with an open source alternative. The strategy is broader and more careful than that. It is about building credible European alternatives, reducing avoidable dependence, and making public and private users less trapped by opaque systems. In some cases the best answer will still be a proprietary service. In others, the question will be whether the buyer has a real exit route, a visible software supply chain, and a way to support the components it relies on.
There is also a security caveat. Open code can make vulnerabilities easier to find, but it does not guarantee that someone will fix them quickly. Security depends on maintainers, disclosure processes, funding, review, packaging, deployment habits and incident response. The Commission’s emphasis on dependency analysis, stewardship and a maintenance instrument is important because it moves the discussion away from the comforting but incomplete idea that visibility alone equals safety.
The Discover-friendly version of this story might be: Europe is betting on open source. The more useful version is narrower. Europe is trying to turn open source from an underfunded commons into a set of dependable building blocks for public systems, cloud services, AI infrastructure and digital identity. That means procurement officers, security teams and product owners matter as much as developers.
If the strategy works, most people will not notice it as a grand political project. They will see public services that are easier to audit, suppliers that are less able to trap buyers, smaller firms with a fairer route into tenders, and software components that are maintained because someone finally treated maintenance as part of the job. If it fails, open source will remain something institutions praise in speeches while buying and operating technology in the same old way.
The test, then, is not whether Europe can write an approving paragraph about open source. It is whether the procurement file, the maintenance budget and the risk register change with it.
Editorial note. This article is general technology and public policy information. It is not legal, procurement, cybersecurity, compliance or professional advice.
Sources
- Source: European Commission, "The EU Open Source Strategy", Extracted 2026-06-25. Verified: last update 3 June 2026, strategy scope, full lifecycle approach, challenges around funding, scaling, procurement, governance and maintenance, and links to digital identity and public administration
- Source: European Commission, "EU Open Source Strategy" fact page, Extracted 2026-06-25. Verified: strategy as part of the Tech Sovereignty package, more than three million European open source contributors, more than €260 billion annual spend on digital technologies from third countries, and more than 500 for-profit European open source companies
- Source: European Commission, "Strengthening Europe’s Tech Sovereignty", Extracted 2026-06-25. Verified: 3 June 2026 package components, definition of tech sovereignty, dependency figure for non-EU digital products, services, infrastructure and intellectual property, and policy links to AI, cloud, chips, open source and energy digitalisation
- Source: European Commission, "Commission proposes tech sovereignty package to strengthen Europe’s digital autonomy and resilience", Extracted 2026-06-25. Verified: package publication date, inclusion of Chips Act 2.0, Cloud and AI Development Act, Open Source Strategy and Strategic Roadmap for Digitalisation and AI in Energy, and the stated goal of widening choice in core technologies

