Open source software is an open digital infrastructure that our economies and societies rely on. Nevertheless, open source maintenance continues to be underfunded, especially when compared to physical infrastructure like roads or bridges.
Chronic under-investment in open source technologies creates systemic risks – exposing Europe to (amongst other things) cybersecurity threats, supply chain vulnerabilities, and strategic dependencies on non-European technology providers.
Further, without sustainable funding and support, it is entirely foreseeable that ever more open source software projects will not receive the diligence and scrutiny appropriate for software of such criticality.
This week GitHub’s developer policy team published a study commissioned from Open Forum Europe, Fraunhofer ISI and the European University Institute called ‘Funding Europe’s Open Digital Infrastructure: The Economic, Legal, and Political Feasibility of an EU Sovereign Tech Fund (EU-STF)’.
Europe looks to Germany’s open source funding model to guide future investment
The study draws on one of the open source world’s most successful government programs, the German Sovereign Tech Agency, as a blueprint for the way forward.
The Sovereign Tech Fund, managed by the Sovereign Tech Agency (a subsidiary of Germany’s SPRIND under the Federal Ministry for Economic Affairs and Climate Action), is a public‑sector investment initiative launched in October 2022. It’s financed by the German government and utilizes public procurement law to strategically fund foundational open‑source digital infrastructure globally. It invests in open‑source “base technologies”—the low‐level libraries, tools, protocols, and frameworks that underpin most digital systems, with €23 million invested in its first two years from 2022 across over 60 projects.
Pan-European sovereign tech fund proposed to bolster critical open source infrastructure
The EU-STF is envisioned as a scaled-up, pan-European, and mission-driven initiative with a proposed budget of at least €350 million over seven years to invest in maintenance, security, and improvement of key open source components, as well as to help identify and map dependencies and invest in ecosystem strengthening activities.
Most open source software maintainers are unpaid
The demand-side value of open source software to the global economy is estimated at $8.8 trillion, and the European Commission’s own research shows that OSS contributes a minimum of €65 to 95 billion to the EU economy annually. Basic open source technologies, such as libraries, programming languages, or software development tools, are used in all sectors of the economy.
However, the Sovereign Tech Agency’s survey of over 500 OSS maintainers showed that a third of them are not paid at all for their maintenance work, but would like to be.
Another third earns some income from OSS maintenance, but is not able to make a living off this work.
Perhaps even more alarmingly, a third of respondents are solo maintainers, and, staggeringly, almost three-quarters of surveyed projects are maintained by three people or fewer.
As prominent security incidents such as the xz backdoor or the Log4Shell vulnerability have shown in recent years, it can mean serious risks for the OSS community’s health and the security of our global software ecosystem if too much is put on the shoulders of small, overworked, and underappreciated teams.
While GitHub offers initiatives such as GitHub Sponsors, the GitHub Secure Open Source Fund, free security tooling for maintainers, and other initiatives, it recognises that there is a significant gap between the immense public value of open source software and the funding that is available to maintain it.
Designing an impactful fund
Building on the success story of the German Sovereign Tech Agency, the research suggests the EU-STF should have five main areas of activity:
- Identifying the EU’s most critical open source dependencies,
- Investments in maintenance,
- Investments in security,
- Investments in improvement,
- Strengthening the open source ecosystem.
The study proposes two alternative institutional setups for the EU-STF:
The creation of a centralised EU institution (the moonshot model)
Or
A consortium of EU member states that provides the initial funding and applies for additional resources from the EU budget (the pragmatic model).
In both cases, to make the fund a success, the minimum contribution from the upcoming EU multiannual budget should be no less than €350 million.
This would not be enough to meet the open source maintenance need, but it could form the basis for leveraging industry and national government co-financing that would make a lasting impact.
Seven critical design criteria for EU-STF
Equipped with the learnings from the German Sovereign Tech Agency and other government open source programs, such as the US Open Technology Fund or the EU’s Next Generation Internet initiative, the study identified seven design criteria that the EU-STF must meet:
Pooled financing: Industry, national governments and the EU should all be able to put money into the same pot
It is not in the interest of overworked open source maintainers to have to research and apply to dozens of separate funds, all with slightly different funding criteria. That’s why GitHub’s Secure Open Source Fund pools funding from many industry partners into one coherent program.
The EU-STF should follow the same logic and be capable of collecting contributions from industry, national governments and the EU budget alike.
Low bureaucracy
If you’re one of those aforementioned unpaid solo maintainers, the last thing you need is to sink several days of work into a complicated application process with an uncertain outcome that many EU funding programs are unfortunately known for. The EU-STF should combine a lightweight application process along with its own research to identify and proactively contact critical OSS infrastructure projects. Funding recipients should have limited reporting requirements to make sure that they can spend their time on improving the health of their OSS projects, not jumping through administrative hoops.
Political independence
Public funding programs often follow technological trends, such as blockchain, quantum computing or AI. Open source maintenance often gets overlooked, because it is neither a new development nor limited to a particular economic sector: it is foundational to all of them.
An EU-STF has to be politically independent enough to shield it from frequent pivots to new, politically salient topics, and instead keep it focused on the mission of securing and maintaining our public software infrastructure.
Flexible funding
There is no one-size-fits-all model for open source maintenance. Many maintainers are hired by companies to work on OSS as part of their day jobs. Others maintain projects in their free time. Some critical OSS projects are governed by a foundation or other nonprofit, yet others are made up of a loose collective of individuals scattered across the globe.
The EU-STF should be able to fund individuals, nonprofits or companies in all of those cases for their OSS maintenance work.
Living in the EU should not be a requirement for receiving funding, just like the German Sovereign Tech Agency does not restrict funding to Germans.
To benefit the EU economy and society, software doesn’t have to be made in the EU, as long as it is Made Open Source.
Community focus
A fund that is solely run by career public servants is going to struggle to develop the expertise and build the trust with the open source ecosystem that are necessary to make a positive impact on open source sustainability.
The EU-STF should collaborate with the open source community to co-define funding priorities and design the funding process.
Strategic alignment
To be attractive enough to the European Union to justify spending a budget of a minimum of €350 million on open source sustainability, the EU-STF has to demonstrate a positive impact on the EU’s strategic goals.
The study lays out in detail how open source maintenance funding contributes to economic competitiveness, digital sovereignty (that is, the ability of individuals, companies and the state to use and design technology according to their own needs), and cybersecurity, for example by helping companies comply with their supply chain security obligations for open source components under the Cyber Resilience Act.
Transparency
As with any case of spending taxpayer money, the EU-STF must meet the highest standards of transparency in governance and funding decisions, to ensure that it can earn the trust not just of the open source community, but also of the policymakers who approve its budget.
OpenUK: sustainable open source innovation requires long-term thinking
According to Amanda Brock, CEO at OpenUK, it’s an approach that can extend to the UK also. The UK is the world’s first country to have an open source first policy in its public sector.
However, she calls for an approach that is a little more holistic, sharing:
“For that money to be put to good use it needs much more and that more is a landscape review which ensures that the practical steps are taken across the infrastructure to embed the necessary processes, whether in the scoping of the proposals for funding, training the examiners, or ensuring that the companies funded don’t simply dump code on GitHub without planning its longevity and building the necessary communities.”
According to Brock, in the recommendations OpenUK created earlier this year, OpenUK has sought to be really pragmatic.
“Yes, it includes similar proposals to the Sovereign tech fund and absolutely acknowledges a joined-up approach across geographies is critical to the future of funding, but it also looks more strategically at how that funding can be allocated, and how the management of our innovation and national infrastructure can be underpinned in the open source world.
We are currently unable to share full details as we continue to workshop the recommendations with our public sector, but hope that a fuller picture will emerge this autumn.”
Next steps for EU-STF
Currently, the European Union is intensifying negotiations on its new multi-year budget for the period 2028-2035, known as the Multiannual Financial Framework.
GitHub’s developer policy team is presenting the findings of the study to EU legislators.
Individuals, open source organisations, and company representatives alike are encouraged to voice their support for the creation of the EU Sovereign Tech Fund (EU-STF) by contacting the European Commission, their elected Members of the European Parliament, and their national governments.
Those attending the EU Open Source Summit Europe — a fantastic annual event I’ve attended many times — on August 26 are invited to join a presentation of the related study, followed by a community discussion.















