Today, the Commission published its proposals in the EU Tech Sovereignty Package, which includes, among other policies, the EU Open Source Strategy and the EU Cloud and AI Development Act (CADA). One of the most highly anticipated policy efforts in years, perhaps decades, when it comes to the European tech sector. We’ve been digesting it in the hours since it was published. There is still a lot to process, but some things are already clear. First, what we got is the most ambitious commitment to open source by the Commission ever:
“Open source first” appears as a named principle in operative law, not buried in a recital- The establishment of a EU Public Sector OSPO Network, giving open source expertise an institutional home with a role in procurement guidance - A structured cloud sovereignty certification framework with four assurance levels, creating legal categories that distinguish genuine sovereignty from contractual arrangements A EUR 2 billion investment envelope for the open source strategy, including a dedicated Open Source Maintenance Instrument for critical shared infrastructure- The explanatory memorandum formally names “ autonomy across the cloud stack” as one of its four core strategic objectives. This gives the EU’s technology independence agenda a legal mandate that extends beyond data residency into the full infrastructure layer - Operational Objective 2 of the Cloud and AI Leadership Initiative (Article 4) mandates the development and piloting of “secure, resilient and performant open cloud computing stacks covering on-device edge, connectivity, data and AI tools, backend and service layers for strategic sectors” — describing, in architectural terms, exactly the stack that open source infrastructure providers already deliver today - Every EU Member State is now legally required to include in its national cloud strategy “measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty” (Article 7(2)(g)) — elevating open stack infrastructure from a procurement preference to a national policy obligation Supply chain trustworthiness is becoming a legal standard. The proposed Cybersecurity Act revision explicitly targets the hardware and software ICT supply chain, reinforcing the same trustworthiness criteria the Cloud and AI Development Act establishes for cloud sovereignty.Open source infrastructure, where every component is inspectable and every dependency is declared, is structurally positioned to meet that barin a way proprietary software stacks cannot.
These eight points clearly prove that big portions of SUSE’s vision of sovereignty has just been validated by the European Commission.
But our big test for CADA is simple: does it include a binding and enforceable Open Source First requirement or not? Simply put – are we getting words, or action?
This is what we got:
Article 41: Promoting open source solutions and open source first
“The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria.”
The EU open source strategy, published today alongside CADA, makes clear that the Commission understands what is at stake and the direction Article 41 points in is right.
However, in our view, the legislative framing falls short of our “binding and enforceable” test.
Open source can’t just be a procurement preference to be weighed against others such as cost and functionality.
What we need (and aren’t getting yet) is a clear procedural requirement:
- Before public money is spent on proprietary software, the contracting authority must determine whether a qualified open source solution exists.
- That assessment must be documented and auditable.
- The burden of justification should attach to the choice that creates dependency, not the choice that avoids it
Open source is the only architectural condition under which European sovereignty becomes real. It is foundational.
The signal is there but the structure, and commitment to action, needs to follow.
Our open letter to the Commission, now approaching a hundred signatories, sets out what filling it properly requires.
Related Articles #
Jun 06th, 2025
Choosing the Right Edge Computing Platform May 28th, 2025