Beyond Open Source

What the Tech Sovereignty Package gets right and misses on Digital Commons
Analysis
June 17, 2026
#Digital Commons

On 3 June 2026, the European Commission announced the long-awaited Tech Sovereignty Package. The proposals respond to mounting concerns about the EU’s exposure to extraterritorial surveillance regimes and geopolitical risk through its technology dependencies. These issues have become more pressing in recent years and have visibly limited the bloc’s ability to enforce its own digital rules.

The package includes proposed legislation — the Chips Act 2.0 and the Cloud and AI Development Act — alongside a Communication on Tech Sovereignty that incorporates an Open Source Strategy, as well as a Strategic Roadmap for Digitalisation and AI in Energy. The approach is meant to address dependencies across the stack: from chips and supply chains, to cloud and AI, to the software ecosystems public institutions depend on.

In our Policy Building Blocks for the Digital Commons and Digital Sovereignty, we argued that sovereignty requires more than regulating dominant technology providers or building domestic industrial capacity. It also requires fostering an ecosystem of meaningful alternatives: open infrastructures and commons-based governance models. These give people and institutions agency — the ability to develop and deploy technology on their own terms.

With a particular focus on the Open Source Strategy, this analysis explores the elements of the package that could enable a durable shift in how the EU develops and deploys open source technologies. We also consider the decision of the Commission to exclude non-code Digital Commons from the scope of the strategy.

Digital Commons receive minimal support

The new strategy has the goal of setting a strategic approach to the open source sector, as one of the key levers for European technological sovereignty. While it was clear from the start that open source would be the focus, it remained to be seen whether other types of open resources, and the digital commons that create them, would also be in scope.

The call for evidence provided a broad definition of Digital Commons, as covering software, data, design, or content — hinting also that the Digital Commons EDIC would potentially have such a broad scope. The responses to the consultation (which we previously analyzed) demonstrated the need to consider other types of Digital Commons as complementary to open source, as levers for technological sovereignty.

The change in name – from the originally proposed “Open Digital Ecosystems Strategy” to “Open Source Strategy” – is more than a cosmetic one and clearly signals a shift in focus. This indicates the limitations of the ‘sovereignty’ agenda in supporting the Digital Commons. Even with regard to open source software, the strategy downplays the aspects of collective production and governance of code.

A bundle of actions related to Digital Commons communities is included, but framed narrowly in a section on public administration. The strategy asks public institutions to engage with Digital Commons: communities and networks that create knowledge, assets, or services:

“Open source communities, alongside open-science networks, standards bodies, data stewardship initiatives and GovTech innovators, constitute a critical layer of Europe’s digital capacity.”

Although narrow in scope, these actions can demonstrate the value of Digital Commons. And the focus on public administration is welcome, as public support is key to the sustainability of the commons – as argued in a recent report from the French Council for AI and Digital Technology (CIANum). At the same time, the strategy lacks mechanisms to support the Digital Commons themselves, which often face precarious existences.

Overall, the strategy fails to acknowledge that the broader Digital Commons – including non-code resources like Wikimedia, OpenStreetMap, or shared scientific datasets – are themselves public digital infrastructures that are key to Europe’s sovereignty. Like critical open source components, they provide foundational layers on which research, public services, or private innovation depend. Leaving them out of scope means a significant part of Europe’s digital foundations are excluded from the strategic support that they need.

Frontier AI needs more than open source code

The limited scope of the strategy becomes an issue, especially when we consider Europe’s ambitions to build frontier AI models. The strategy reasserts the strategic vision of the Apply AI strategy, where open source frontier models are considered “major drivers of innovation”. These models are at the heart of the flagship AI solutions deployed in the various economic and social sectors. The Frontier AI Initiative, launched earlier this year, is meant to accelerate progress on these models.

And Europe is already making significant bets on open source AI development. Across Europe, multiple open source AI development initiatives are supported both at European (for example, Open Euro LLM, EuroLLM, or the Frontier AI Challenge) and national levels (Mistral’s family of open models, SOOFI, or PLLUM).

Open source code is only one of the inputs needed to deploy AI systems as European public infrastructure. In a policy brief published earlier this year, we argued that a sovereign approach to AI requires a coordinated strategy across data, compute, and model governance. A broader scope of the Open Source Strategy would have helped recognize the value of data as infrastructure critical to the EU’s sovereignty.

On data, Europe’s open source AI developers face a widening gap between them and proprietary actors. Closing that gap requires legal clarity: confirmation that existing text and data mining exceptions cover AI model training on lawfully accessible data and clear guidelines for training within these exceptions. A European data commons also needs to be built, stewarded by public data labs and governed in the public interest. The Data Union Strategy points in this direction, and the Open Source Strategy could have anchored this connection.

Without data, European open source models will continue to be trained on an increasingly impoverished base. Data should not be an afterthought to the new strategy, as otherwise the bet on the European open source frontier AI runs the risk of producing models that are capable, but dependent on data outside of European control.

Public Procurement and “open source first”

In our Policy Brief on public procurement, we noted that procurement functions both as a vector through which public bodies entrench their dependence on proprietary ecosystems and as a lever to strategically support alternative approaches to developing technology and foregrounding public value. This recognition is clearly reflected across the Tech Sovereignty Package.

The Open Source Strategy is explicit in recognizing that tender processes have historically been designed around proprietary solutions, placing open technology providers at a disadvantage. In response, the Strategy proposes using public procurement to help open source initiatives become sustainable businesses and to support open source vendors, integrators, and providers in reaching anchor customers.

Across instruments like the proposed Cloud and AI Development Act  (CADA) and the revised public procurement directives, the Commission will support EU public authorities in incorporating an ‘open source first’ approach. This includes developing guidelines and best practices on drafting tenders, evaluating bids, and developing calls for innovation partnerships based on Open Source.

Much of the focus appears to be on creating an institutional framework that supports a shift towards open source alternatives: The proposed CADA would empower the Commission to act as a central purchasing body for cloud services, giving public bodies stronger collective bargaining power and helping address the capacity and expertise gaps that often prevent contracting authorities from applying strategic procurement criteria. Article 44 also proposes establishing a network between Open Source Program Offices to promote collaboration in implementing the Act’s open source provisions.

This approach aligns with our analysis, which found that existing procurement rules were not the main barrier preventing public bodies from moving away from proprietary platforms.  What was missing were political will, clearer guidance for contracting authorities, mechanisms for sharing expertise, and coordination structures around monitoring and compliance. In this context, the Open Source Strategy’s monitoring framework, connected to the Digital Decade Board, also brings open source into how the Digital Decade targets are interpreted. This is a welcome shift — away from chasing digitalization for its own sake, toward accounting for how digital infrastructure enables or constrains the autonomy of public institutions.

Open source maintenance and stewardship

The Open Source Strategy also introduces some long-missing mechanisms for the maintenance and stewardship of the commons. The Strategy proposes an “open source maintenance instrument” to support the maintenance and security upkeep of essential open source components. The goal is also to create European capacity and capability to fork critical projects. While no further details are given, the proposal responds to many calls for an EU-level instrument to ensure that critical open source infrastructures are sustainably maintained. This requires supporting the people and communities that do this work, which are frequently reported to be isolated, under-resourced, and burnt out.

The DC EDIC, positioned as a key player in implementing the strategy, is already piloting this approach in collaboration with the German Sovereign Tech Agency — the national model that the new instrument can now build on at European scale.

The maintenance instrument is a positive step toward sustaining shared critical foundations and ensuring their resilience. Public coordination around this can fill a gap where distributed approaches have fallen short. However, questions about governance and sustainability models remain open. These are foundations that both public and commercial entities depend on and profit from, and public coordination should not become a substitute for reciprocity. The strategy should continue to explore structural mechanisms that ensure those who benefit most from shared infrastructure also contribute to its upkeep.

The Strategy also introduces the concept of a European Digital Public Infrastructure Foundation, with the aim to provide a “single EU-anchored home to govern strategic

open source assets developed or co-funded by the EU, beyond code stewardship and

reference framework implementation and conformance.” The Strategy envisages using this institutional framework to steward initiatives like the European Identity Wallet and the European Business Wallet.

The proposal for a new institutional model to steward digital infrastructure at European scale addresses a gap in the current framework. The limitations of existing institutional models for stewarding open source infrastructure have been illustrated by Mastodon’s loss of non-profit status in Germany: a reminder that national legal frameworks were not designed with digital infrastructure communities in mind, and that non-profit structures more broadly may be ill-suited to this role.  While the DC EDIC can play an enabling role, it may not be the right vehicle for this purpose. EDICs are effectively multilateral treaties — slow to establish and oriented toward Member State cooperation rather than the distributed communities that sustain open digital infrastructure.

As we argued in our Strategic Agenda for the Digital Commons, a fit-for purpose European-level mechanism may be needed to steward Digital Commons. Previously proposed models like a “public product organization” point to what this could look like in practice, and the Foundation represents an opportunity to develop something along these lines.

Open source as the basis for Commons

While some stakeholders point mainly towards building a more competitive domestic ecosystem and migrating to European providers, Open Future (together with partners in the NGI Commons consortium) has argued for a different approach. One centred not just on open source, but also on commons-based alternatives. Otherwise, we risk replacing one set of corporate dependencies with another.

The Tech Sovereignty Package has promise because it keeps this door open by centering open source and open digital infrastructures in the conversation on sovereignty. But open source is just a license and should be the starting point for advocacy around more commons-based governance: ensuring sustainable appropriation from the ecosystem and communities that maintain these infrastructures, ensuring reciprocal benefit from commercial use of open infrastructure and code, and developing stewardship structures that can deliver durable governance.

Alek Tarkowski
Aditya Singh
with:
keep up to date
and subscribe
to our newsletter
Subscribe
hello@openfuture.eu
Unless otherwise indicated all content is published under the Creative Commons Attribution License  |  Privacy statement
Website by panGenerator