Digital sovereignty requires funding, not just adoption
The European Commission has launched a call for evidence on a new “European Open Digital Ecosystems Strategy.”[1] The consultation runs until February 3rd, and the framing is telling: open source as a “public good to be freely used, modified, and redistributed” that could strengthen EU technological independence and cybersecurity.[2]
They’ve correctly identified the problem. European governments and businesses are deeply dependent on non-EU software vendors—Microsoft, Google, Amazon—creating supply chain vulnerabilities in critical infrastructure. The solution they’re reaching for is open source. No vendor lock-in. Auditable code. The freedom to fork if a project dies or a company pivots against your interests.
I’ve written separately about how the US CLOUD Act and deteriorating trust in transatlantic data handling are already pushing European governments to unwind Microsoft dependencies. Europe’s quiet revolt against US cloud makes the sovereignty risk concrete: a hostile US administration could compel providers to withhold or seize data, leaving Europe exposed unless it controls its own stack.
It’s the right instinct. But it won’t work unless they’re willing to pay for it.
Open source is genuinely the right tool
Let’s be clear: the EU isn’t wrong about the technology choice. Open source genuinely is the path to digital sovereignty, and the reasoning is straightforward.
When your government runs on proprietary software, you’re renting your own infrastructure. Microsoft can change licensing terms. Oracle can audit you into submission. Amazon can deprecate the managed service you’ve built your systems on. You have no recourse because you don’t own the code.
Open source changes the power dynamic. You can audit it for security vulnerabilities and backdoors—critical for government systems. You can fork it if the maintainers take the project in a direction that doesn’t serve you. You can hire local developers to customise it for your specific needs. You’re not locked into a single vendor’s roadmap.
This isn’t theoretical. Munich famously migrated to Linux, then back to Windows, and is now reconsidering Linux again.[3] The back-and-forth isn’t a failure of open source—it’s a demonstration of optionality. They could switch. Try doing that with a decade of Microsoft 365 integrations.
What I’ve seen in open source
I’ve been writing code professionally for over fifteen years, and open source has been the foundation of everything I’ve built. The products I’ve worked on—Flowstate, Jamie, MimeProtect, Blinq—are built on thousands of dependencies maintained by people I’ll never meet.
Some of those maintainers are employed by large companies who contribute to open source as part of their business model. But many aren’t. They’re individuals maintaining critical infrastructure in their spare time, often for little or no compensation.
I’ve watched this pattern repeat: a brilliant developer creates a library that solves a hard problem. It gets adopted. Companies build products on it. The maintainer’s GitHub notifications become overwhelming. They burn out. The project either gets abandoned or limps along with sporadic updates.
The worst part is when something breaks. A vulnerability gets disclosed. The maintainer—who’s been doing this for free, often while holding down a day job—suddenly has the entire internet demanding an urgent patch. Some handle it gracefully. Others disappear.
This isn’t sustainable. We’ve built the digital economy on volunteer labour, and we keep acting surprised when volunteers run out of energy.
The value extraction problem
What the EU consultation is acknowledging is that much of the value generated by European open source projects is captured by large international tech companies rather than benefiting the EU economy.[4]
European developers build tools. They publish them as open source. Amazon takes those tools, wraps them in managed services, and sells them back to European companies. Elastic, Redis, MongoDB—the pattern is well-documented. The creators build; the hyperscalers monetise.
This is the sovereignty leak the EU is trying to plug. But you can’t solve it just by using more open source. If European governments adopt open source but the developers behind those projects still can’t pay rent, you’ve just shifted your dependency from Microsoft to unpaid volunteers.
The value needs to stay in the ecosystem. That means paying the people who build and maintain the software.
Grants are not the answer
The EU knows how to fund things. Horizon Europe, Digital Europe, national innovation programmes—there’s no shortage of grant mechanisms. But grants solve the wrong problem.
Grants are goal-oriented. You apply for funding to build something new. You hit milestones. You deliver a final report. The project ends.
Open source infrastructure doesn’t work that way. The OpenSSL library that secures most of the internet wasn’t under-resourced because nobody funded a new TLS implementation. It was under-resourced because nobody funded the ongoing maintenance of an existing one. When Heartbleed hit in 2014, the world discovered that critical encryption infrastructure was maintained by a handful of developers working part-time.[5]
Log4j was the same story. A logging library used by virtually every Java application on the planet, maintained by volunteers. When the Log4Shell vulnerability emerged, those volunteers had to scramble to fix a critical flaw affecting billions of systems—without being paid for it.[6]
You cannot grant your way to infrastructure. Grants fund projects; infrastructure needs operations. The distinction matters.
What real funding looks like
The EU consultation mentions “sustainable developer compensation models,” and industry stakeholders have submitted a 70-point roadmap covering investment mechanisms.[7] These are the right conversations to be having.
Real funding for open source looks like:
- Operational budgets, not project grants. Pay maintainers a salary to keep critical infrastructure secure and updated. Fund the boring work: security patches, dependency updates, documentation, community management.
- Public procurement preferences. If European governments are spending billions on software, require that spending to preference open source solutions with European maintainers. Every euro spent on Microsoft licences is a euro not spent building sovereign alternatives.
- Infrastructure support. Build and host services that open source projects need: CI/CD, package repositories, documentation hosting. The Linux Foundation and Apache Foundation provide some of this, but there’s room for European equivalents.
- Technical writing and accessibility. Good documentation makes projects usable. Fund technical writers to make open source tools accessible to government IT teams who might not have the expertise to work from source code alone.
The consultation feedback shows the community understands this.[8] The question is whether the EU will commit the budget.
Sovereignty is a spending decision
The EU spends enormous sums on software. Government departments across Europe pay Microsoft, Google, and Amazon licensing fees that collectively run into billions annually. Some of that spending is inevitable—you’re not going to replace Windows overnight.
But every procurement decision is a choice. Every renewal of an enterprise agreement is money that could fund sovereign alternatives.
Digital sovereignty isn’t a technology choice. It’s a budget line item.
The EU has correctly identified that open source is the tool. But a tool sitting in a shed doesn’t build anything. You need people to use it, maintain it, and improve it. Those people need to pay rent.
Open source won’t save Europe from technological dependency unless Europe pays for it. Not with grants for flashy new projects, but with operational funding for the infrastructure we already depend on. Not with innovation programmes, but with procurement policies that direct money toward European maintainers.
The consultation closes February 3rd. The question isn’t whether the EU understands the problem—they clearly do. The question is whether they’ll write the cheques.
Footnotes
- EU launches call for evidence on European open digital ecosystems – Linuxiac
- Munich considers Linux, again – ZDNet
- The Linuxiac article notes that “much value generated by European open-source projects is captured by large international tech companies rather than benefiting the EU economy.”
- The Heartbleed Bug and Open Source Security – OpenSSL Security Advisory, 2014
- The Log4j vulnerability and the importance of open source security – CISA
- The LWN.net article references a 70-point roadmap from industry stakeholders covering technological development, skills training, procurement practices, investment mechanisms, and governance frameworks.
- Have your say: European Open Source Strategy – European Commission