Part of the Technological Sovereignty Package presented on 3 June, the Open Source Strategy elevates open-source software from an innovation policy instrument to a core pillar of Europe’s digital sovereignty agenda. In fact, this policy is one of the strategic pillars of President Von der Leyen agenda to lead on technological sovereignty, allowing startups and SMEs to develop their own solutions while increasing Europe’s sovereignty goals.
Strategically, the initiative signals a broader evolution in EU digital policy. Open source is increasingly being viewed not merely as a procurement or innovation tool, but as an instrument of resilience, competitiveness, and technological autonomy.
By investing in trusted open-source ecosystems, the EU is seeking to create alternatives to proprietary technology dependencies while ensuring that European actors play a more influential role in shaping the digital foundations of future cloud, AI, cybersecurity, and data infrastructures.
GLOBSEC GeoTech Center highlights the difficult balance at the heart of the strategy — between openness to international technology and the protectionist instinct that sovereignty can invite. By actively supporting EU-led alternatives to dominant proprietary ecosystems and reinforcing the open-source value chain—from foundations to enterprise adopters—the Commission is trying to balance openness to international tech companies while ensuring some levels of Europe’s technological sovereignty are developed.
In fact, Europe wants to build tech alternatives to the big international entities, but Europe can only do that if there are open-source systems where Europe can build on top of them. This trade-off between technological sovereignty and strategic openness to international companies and systems is a discussion that has been high on the political and policy agenda in a wide range of countries. On AI, that is precisely the main discussion between open and closed models, and how countries and companies can strategically benefit from it.
The integration with the Cyber Resilience Act, including a voluntary security attestation regime for open-source components, introduces the first EU-level attempt to formalise trust and security assurance in open ecosystems.
The initiative reflects a growing recognition in Brussels that open-source software is not only a driver of innovation but also a strategic asset for Europe’s technological sovereignty. By promoting the development and adoption of European alternatives to non-EU proprietary technologies, the strategy seeks to reduce dependency on a small number of dominant foreign vendors while strengthening Europe’s capacity to shape critical digital infrastructure.
Rather than focusing solely on software adoption, the initiative takes a broader ecosystem approach. It aims to support the full spectrum of actors that sustain open-source innovation—including developers, foundations, research institutions, companies, and public-sector users—recognising that Europe’s competitiveness increasingly depends on its ability to contribute to and influence the technologies that underpin the global digital economy.
A key component of the strategy is its alignment with the implementation of the Cyber Resilience Act (CRA). In particular, the Commission plans to support the development of a voluntary security-attestation programme for open-source software under Article 25 of the CRA. The objective is to strengthen trust, transparency, and security across widely used open-source components without undermining the collaborative and decentralised nature of open-source development.