Chronic underfunding of open source software poses strategic risk to Europe’s digital sovereignty

A landmark GitHub-backed study outlines how a pan-European Sovereign Tech Fund could reduce security vulnerabilities, supply chain fragility, and dependence on foreign tech.

Open source software is the open digital infrastructure powering our digital economy, yet, unlike roads or bridges, it remains chronically underfunded.

Chronic under-investment in open source technologies creates systemic risks, exposing Europe to (amongst other things) cybersecurity threats, supply chain vulnerabilities, and strategic dependencies on non-European technology providers.

Further, without sustainable funding and support, it is entirely foreseeable that ever more open source software projects will not receive the diligence and scrutiny appropriate for software of such criticality.

This week GitHub’s developer policy team published a study, commissioned from Open Forum Europe, Fraunhofer ISI and the European University Institute, called “Funding Europe’s Open Digital Infrastructure: The Economic, Legal, and Political Feasibility of an EU Sovereign Tech Fund (EU-STF)”.

Europe looks to Germany’s open source funding model to guide future investment

The study draws on one of the open source world’s most successful government programs, Germany’s Sovereign Tech Agency, as a blueprint for the way forward.

The Sovereign Tech Fund, managed by the Sovereign Tech Agency (a subsidiary of Germany’s SPRIND under the Federal Ministry for Economic Affairs and Climate Action), is a public-sector investment initiative launched in October 2022.

Financed by the German government, it uses public procurement law to strategically fund foundational open‑source digital infrastructure globally.

It invests in open source “base technologies” (the low-level libraries, tools, protocols, and frameworks that underpin most digital systems), with €23 million invested across more than 60 projects in its first two years from 2022.

Pan-European sovereign tech fund proposed to bolster critical open source infrastructure

The EU-STF is envisioned as a scaled-up, pan-European, mission-driven initiative with a proposed budget of at least €350 million over seven years. It would invest in the maintenance, security, and improvement of key open source components, help identify and map dependencies, and fund ecosystem-strengthening activities.

Most open source software maintainers are unpaid

The demand-side value of open source software to the global economy is estimated at $8.8 trillion, and the European Commission’s own research shows that OSS contributes a minimum of €65 to 95 billion to the EU economy annually. Basic open source technologies, such as libraries, programming languages, or software development tools, are used in all sectors of the economy.

However, the Sovereign Tech Agency’s survey of over 500 OSS maintainers showed that a third of them are not paid at all for their maintenance work, but would like to be.

Another third earns some income from OSS maintenance, but is not able to make a living off this work. 

Perhaps even more alarmingly, a third of respondents are solo maintainers, and a staggering almost three-quarters of surveyed projects are maintained by three people or fewer.

As prominent security incidents such as the xz backdoor or the Log4Shell vulnerability have shown in recent years, placing too much on the shoulders of small, overworked, and underappreciated teams creates serious risks for the health of the OSS community and the security of the global software ecosystem. The xz case is the sharper illustration of the staffing problem: the backdoor was inserted by a contributor who spent roughly two years earning co-maintainer trust from a single, overstretched maintainer, whereas Log4Shell was a conventional vulnerability in a ubiquitous library looked after by a handful of volunteers.

While GitHub offers initiatives such as GitHub Sponsors, the GitHub Secure Open Source Fund, and free security tooling for maintainers, it recognises that there is a significant gap between the immense public value of open source software and the funding that is available to maintain it.

Designing an impactful fund

Building on the success story of the German Sovereign Tech Agency, the research suggests the EU-STF should have five main areas of activity:

  1. Identifying the EU’s most critical open source dependencies,
  2. Investments in maintenance,
  3. Investments in security,
  4. Investments in improvement,
  5. Strengthening the open source ecosystem.

The study proposes two alternative institutional setups for the EU-STF:

  1. The creation of a centralised EU institution (the moonshot model), or
  2. A consortium of EU member states that provides the initial funding and applies for additional resources from the EU budget (the pragmatic model).

In both cases, to make the fund a success, the minimum contribution from the upcoming EU multiannual budget should be no less than €350 million.

This would not be enough to meet the open source maintenance need, but it could form the basis for leveraging industry and national government co-financing that would make a lasting impact.

Seven critical design criteria for EU-STF 

Equipped with the learnings from the German Sovereign Tech Agency and other government open source programs, such as the US Open Technology Fund or the EU’s Next Generation Internet initiative, the study identified seven design criteria that the EU-STF must meet:

Pooled financing: Industry, national governments and the EU should all be able to put money into the same pot.

It is not in the interest of overworked open source maintainers to have to research and apply to dozens of separate funds, all with slightly different funding criteria. That is why GitHub’s Secure Open Source Fund pools funding from many industry partners into one coherent program.

The EU-STF should follow the same logic and be capable of collecting contributions from industry, national governments and the EU budget alike.

Low bureaucracy

If you’re one of those aforementioned unpaid solo maintainers, the last thing you need is to sink several days of work into a complicated application process with an uncertain outcome that many EU funding programs are unfortunately known for. The EU-STF should combine a lightweight application process along with its own research to identify and proactively contact critical OSS infrastructure projects. Funding recipients should have limited reporting requirements to make sure that they can spend their time on improving the health of their OSS projects, not jumping through administrative hoops.

Political independence

Public funding programs often follow technological trends, such as blockchain, quantum computing or AI. Open source maintenance often gets overlooked because it is neither a new development nor limited to a particular economic sector: it is foundational to all of them.

An EU-STF has to be politically independent enough to shield it from frequent pivots to new, politically salient topics, and instead keep it focused on the mission of securing and maintaining our public software infrastructure.

Flexible funding

There is no one-size-fits-all model for open source maintenance. Many maintainers are hired by companies to work on OSS as part of their day jobs. Others maintain projects in their free time. Some critical OSS projects are governed by a foundation or other nonprofit; yet others are made up of a loose collective of individuals scattered across the globe.

The EU-STF should be able to fund individuals, nonprofits or companies in all of those cases for their OSS maintenance work.

Living in the EU should not be a requirement for receiving funding, just like the German Sovereign Tech Agency does not restrict funding to Germans. 

To benefit the EU economy and society, software doesn’t have to be made in the EU, as long as it is Made Open Source.

Community focus

A fund that is solely run by career public servants is going to struggle to develop the expertise and build the trust with the open source ecosystem that are necessary to make a positive impact on open source sustainability. 

The EU-STF should collaborate with the open source community to co-define funding priorities and design the funding process.

Strategic alignment

To be attractive enough to the European Union to justify spending a budget of a minimum of €350 million on open source sustainability, the EU-STF has to demonstrate a positive impact on the EU’s strategic goals. 

The study lays out in detail how open source maintenance funding contributes to economic competitiveness, digital sovereignty (that is, the ability of individuals, companies and the state to use and design technology according to their own needs), and cybersecurity, for example by helping companies comply with their supply chain security obligations for open source components under the Cyber Resilience Act.

Transparency

As with any case of spending taxpayer money, the EU-STF must meet the highest standards of transparency in governance and funding decisions, to ensure that it can earn the trust not just of the open source community, but also of the policymakers who approve its budget.

OpenUK: sustainable open source innovation requires long-term thinking

According to Amanda Brock, CEO at OpenUK, it’s an approach that can extend to the UK as well. The UK is the world’s first country to have an open source first policy in its public sector.

However, she calls for a more holistic approach:

“For that money to be put to good use it needs much more, and that more is a landscape review which ensures that the practical steps are taken across the infrastructure to embed the necessary processes, whether in the scoping of the proposals for funding, training the examiners, or ensuring that the companies funded don’t simply dump code on GitHub without planning its longevity and building the necessary communities.”

According to Brock, OpenUK sought to be pragmatic in the recommendations it made earlier this year.

“Yes, it includes similar proposals to the Sovereign Tech Fund and absolutely acknowledges a joined-up approach across geographies is critical to the future of funding, but it also looks more strategically at how that funding can be allocated, and how the management of our innovation and national infrastructure can be underpinned in the open source world.

We are currently unable to share full details as we continue to workshop the recommendations with our public sector, but hope that a fuller picture will emerge this autumn.”

Next steps for EU-STF

Currently, the European Union is intensifying negotiations on its new seven-year budget for the period 2028-2034, known as the Multiannual Financial Framework.

GitHub’s developer policy team is presenting the findings of the study to EU legislators.

Individuals, open source organisations, and company representatives alike are encouraged to voice their support for the creation of the EU Sovereign Tech Fund (EU-STF) by contacting the European Commission, their elected Members of the European Parliament, and their national governments. 

Those attending the EU Open Source Summit Europe — a fantastic annual event I’ve attended many times — on August 26 are invited to join a presentation of the related study, followed by a community discussion.
