Europe: a plan for open source, or the belated admission of a strategic shipwreck
The European Union opened a public consultation at the beginning of 2026 aimed at building a common strategy around open digital ecosystems and open source. The stated objective is now acknowledged: reduce technological dependence on non-European actors, strengthen the competitiveness of European companies, improve cybersecurity and structure a viable industrial framework around open source (European Commission, Call for Evidence on Open Source Digital Ecosystems, January 2026).
The observation is correct. It is also terribly late. Open source today constitutes the de facto software infrastructure of the global economy. Between 70 and 90% of the code used in critical systems - cloud, telecommunications, finance, industry, healthcare - relies on open building blocks.
Europe uses it massively, but masters neither the value capture, nor the industrial governance, nor the strategic trajectory.
The Commission is only formalizing here a state of dependence that serious CIOs have been experiencing daily for more than fifteen years.
It must be said clearly: this strategy is born in urgency, under constraint, and not through vision.
The Commission is not at its first text, however. It already had an internal open source strategy (2020-2023), focused on the use and contribution to free software within its own services. Open source office, encouragement to inner source, code publication, security recommendations: on the technical level, the document was coherent.
On the systemic level, it was insignificant.
Nothing that really changes the market structure, nothing that creates an industrial shock, nothing that challenges the domination of large proprietary publishers in public and private tenders.
The 2026 consultation therefore marks a change of scale, at least in intention. It explicitly aims to cover the entire open source lifecycle: development, maintenance, security, industrial integration, economic models, and articulation with other European texts on cloud and AI.
The problem is not what is written.
The problem is what has been tolerated for decades before reaching this point.
Because this situation is not the result of chance. It is the result of structural bad faith from public decision-makers and lasting complacency towards dominant suppliers, essentially American. Microsoft, Broadcom, Oracle, Amazon and others have prospered on a double discourse perfectly accepted by Europe: on one side, the massive exploitation of open source as a technical foundation; on the other, total capture of economic value, governance and standards by proprietary platforms.
Alerts have never been lacking. They have simply been ignored. Projects for sovereign systems, Linux initiatives at the state level, attempts to structure European clouds or industrial open source stacks have been treated as ideological whims, never as strategic investments.
Too complex, too risky, not aligned enough with short-term interests.
Result: a deep dependence, acknowledged, and now officially recognized... when there is no longer really an operational alternative.
What makes the current discourse particularly irritating is that the problem is not a skills deficit. Europe is full of developers, architects, maintainers, researchers and very high-level engineers. The question is no longer even knowing what a developer is today: they are a key player in the digital value chain, an infrastructure producer, a guarantor of operational security.
The myth of scarcity mainly serves to mask another reality: the absence of structured economic pull.
The talents are there, but they are not employable on a European industrial scale, because the dominant economic models continue to favor the integration of proprietary solutions, subcontracting to foreign hyperscalers and long contractual dependence. Continuing "as we have always done" is exactly what led to the current impasse.
Imagining that European open source will emerge without cultural rupture, without aggressive public purchasing policy, without massive funding and without industrial reciprocity requirements falls under magical thinking.
In the best case scenarios, if a shock occurs now, the structural effects will only be visible in a decade.
To this economic incoherence is added a major political contradiction. The European Union claims to want to promote open source, transparency and software security, while simultaneously pushing projects like the so-called "Chat Control" regulation. This text, under the guise of fighting serious crimes, introduces automated communication surveillance mechanisms that directly challenge end-to-end encryption and the very principles of software security defended by open source. One cannot, in the same movement, advocate for verifiable systems, audited, safe, and impose control architectures that voluntarily weaken cryptographic foundations.
For a CIO or COMEX, the message is clear and uncomfortable.
One should not wait for Europe to solve the problem in your place.
The announced strategy can serve as a framework, possibly as a lever, but it will only have effect if companies take their responsibilities. This implies internalizing critical skills, really contributing to structuring open source projects, reviewing purchasing policies, and acknowledging that open source is not a means to reduce license costs, but a strategic asset to govern.
Europe has finally admitted that it has put itself in a situation of dangerous technological dependence. The plan now exists on paper. It is late, imperfect, and politically contradictory. But it at least marks the end of denial.
What follows will depend on one thing only: the capacity of economic and technical decision-makers to stop waiting for institutional solutions and to build, right now, true open source industrial sovereignty.
Without this, this strategy will join the long list of lucid and ineffective texts.
Sources
[1] European Commission — Commission opens a Call for Evidence on Open Source Digital Ecosystems, January 2026 https://digital-strategy.ec.europa.eu/en/news/commission-opens-call-evidence-open-source-digital-ecosystems
[2] European Commission — Open Source Software Strategy 2020–2023 https://commission.europa.eu/system/files/2023-02/fr_ec_open_source_strategy_2020-2023.pdf
[3] Open Source Observatory (OSOR) — Europe seeking input for its open source strategy https://interoperable-europe.ec.europa.eu/collection/open-source-observatory-osor/news/europe-seeking-input-its-open-source-strategy
[4] Help Net Security — EU call for evidence on open source ecosystems, January 2026 https://www.helpnetsecurity.com/2026/01/09/eu-call-for-evidence-open-source/
[5] ItsFOSS — EU Open Source Strategy Call 2026 https://itsfoss.com/news/eu-open-source-strategy-call-2026/
[6] Linux Foundation — Research on open source software supply chain and usage https://www.linuxfoundation.org/research
[7] Synopsys — Open Source Security and Risk Analysis (OSSRA) https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html
[8] OpenForum Europe — EU Open Source Policy Summit https://openforumeurope.org
[9] EU Open Source Policy Summit 2026 — official website https://summit.openforumeurope.org
[10] Electronic Frontier Foundation — After Years of Controversy, the EU's "Chat Control" Nears Its Final Hurdle https://www.eff.org/deeplinks/2025/12/after-years-controversy-eus-chat-control-nears-its-final-hurdle-what-know
[11] European Data Protection Board — Guidance and opinions on encryption and privacy https://www.edpb.europa.eu
[12] ENISA — Cybersecurity, open source and software supply chain risk https://www.enisa.europa.eu
[13] European Commission — Europe's Digital Decade: digital sovereignty policies https://digital-strategy.ec.europa.eu/en/policies/europes-digital-decade
[14] European Commission — Cloud and AI policy framework https://digital-strategy.ec.europa.eu
