Open Source Initiative
OSI
For over 20 years the Open Source Initiative (OSI) has worked to raise awareness and adoption of open source software, and build bridges between open source communities of practice.
ID: 672028337929-77
Lobbying Activity
Response to Revision of the Standardisation Regulation
18 Jul 2025
Dear Commission Reviewer,
The Open Source Initiative (OSI) is a global charity at the heart of the Open Source Community for over 25 years, recognized globally as the authority defining Open Source. As an ETSI associate member, we have been involved in standardisation for seven years now, and in particular in the context of the Cyber Resilience Act. It is in this context that we are glad to provide input on Standardisation as it relates to Open Source Software and the Open Source community.
The relevance of harmonised standards to Open Source has grown dramatically, as a result of both increasing regulation of technology, and the growing prevalence of Open Source software components in products: Open Source components are now present in between 70-90% of software. This means that ensuring Open Source software can comply with the law is more important than ever for its survival.
For this to be possible, we have identified three core issues with the current standardisation system that should be addressed:
- Barriers impeding access to and implementation of standards for compliance
- Procedural issues in the development of standards
- Barriers to participation and inadequate representation in standardisation
Our feedback will detail each of these issues and then list potential solutions to them. While our feedback is focussed on Open Source, many of our observations are also valid for NGOs and micro, small and medium enterprises.
For the full feedback, including detailed explanations of the issues faced in standardisation, and proposals to address them, please refer to the attached document. Please do not hesitate to reach out to us for any further clarifications, or for a meeting.
Kind Regards,
Jordan Maris (EU Policy Analyst, OSI)
Response to Cloud and AI Development Act
3 Jul 2025
Please find attached our full feedback, and below a summary of key points:
1. Hyperscalers got where they are because of the expertise and infrastructure they had from their original endeavors (search, shopping, operating systems). It isn't enough just to build infrastructure and platforms: there need to be applications to run on that infrastructure. As of now, much of that demand is satisfied by the incumbents: Microsoft's Office 365 and Google Workspace are examples of such cases: the cloud-based applications used in European businesses and public administrations today are predominantly American, and operated on the infrastructure of, and owned by, the hyperscalers.
2. This presents a barrier both to expanding Europe's Data Centre capacity, and to digital sovereignty and data protection, as data stored in foreign jurisdictions, or even stored by foreign companies in the EU, could be subject to access by foreign governments.
3. Addressing this is the first step toward creating demand for a European Cloud, and this is where we believe Open Source comes in: Open Source alternatives to the applications offered by the hyperscalers already exist, and many of these alternatives are businesses based in Europe. Open Source software also offers other advantages: customers can choose to run Open Source solutions on any cloud provider, migrate easily between providers, audit the code to check it is secure, and fork the code and make changes if they have issues with the initial developer. This means that Open Source solutions foster competition between cloud providers, and that regardless of where the project is from, it can be secure and sovereign.
4. Several European Cloud providers, such as OVH, Scaleway, IONOS, Hetzner, Exoscale and the Open Telekom Cloud have already seen the potential of these solutions, and offer them to their customers.
5. We believe that adoption of these technologies in the Public sector can fuel demand for a European cloud, support the further refinement of Open Source solutions, and generate additional demand in the private sector. Our response to the recent public consultation on the revision of the Public Procurement directives details how this can be achieved in practice.
6. Finally, it is important to note that if Europe wants to build a highly secure EU-based cloud capacity, then it can't rely on proprietary solutions for its platforms: even when such solutions are designed in the European Union, they can be acquired by foreign companies, compromising the entire stack. Thankfully it is already possible to build cloud platforms using existing Open Source software; however, unlike Open Source software applications, the vital Open Source components used to build cloud platforms are harder to monetise. This is one of the reasons why OSI and many others recently called for the creation of an EU Sovereign Tech fund, to fund development and maintenance of software that is vital for our digital infrastructure. The fund, which could be part of the Cloud and AI Development Act, or a separate initiative, could fund both the maintenance of this vital low-level software, and perhaps the development of features that are in the public interest within Open Source software solutions. A detailed feasibility study for such a fund will be published in the coming weeks. It will include analysis of different fund models and coordination requirements with legislation/regulation, both existing and proposed. We expect it to call for a minimum of EUR 350mn over the course of seven years.
Response to The EU Cybersecurity Act
20 Jun 2025
Please find below our feedback. For your convenience, it is also attached as a PDF with structured formatting.
Dear Commission Reviewer,
The Open Source Initiative (OSI) is a global charity at the heart of the Open Source Community for over 25 years, recognized globally as the authority defining Open Source. We are pleased to provide input on the Cyber Security Act, in particular as it relates to the work of Open Source Communities.
The Open Source Initiative values the work of ENISA, in particular when it comes to the resources it provides to citizens and businesses, and its efforts to set up a European vulnerability database (EUVD). We believe ENISA's guidance to citizens and businesses, as well as its guidance on software solutions (in particular, Open Source ones), can help democratise access to strong cybersecurity, especially for citizens, and Micro and Small Enterprises. Furthermore, the creation of a European Vulnerability Database has proved a vital contingency given the recent funding issues of the US CVE programme.
Today, the world faces unprecedented cybersecurity challenges. We believe that ENISA's mandate should either be maintained or expanded to help meet these challenges. To achieve these goals, we have the following suggestions.
1. Continue to develop the EUVD, align with the existing Vulnerability reporting format used in the CVE system, and focus on a federated vulnerability reporting system in the long term.
The funding issues experienced by the CVE programme underline the risks associated with reliance on a system funded by a third country. It is vital that the EU maintains its own Vulnerability Reporting System; however, the value of that system is reduced if it does not align with the existing vulnerability reporting formats that developers and cybersecurity experts are used to. For instance, it would be valuable to align with the Vulnerability ID format used by the CVE programme. In the long term, to avoid a single point of failure operating from one jurisdiction, ENISA should support the development of a federated vulnerability reporting framework, where the CVE programme, EUVD, and other Vulnerability reporting systems can interoperate.
2. Expand the resources ENISA provides to the public and to SMEs
ENISA's public resources can be extremely valuable in democratising access to information on Cybersecurity. We particularly commend efforts to share lists of valuable (and often Free and Open Source) tools that companies can use to strengthen their Cybersecurity. We believe that further developing and promoting this work offers a path to improve cybersecurity across the Union, including in micro and small enterprises which might lack internal cybersecurity expertise.
3. Support core Open Source projects vital to Europe's Cybersecurity
The OSI and several Open Source organisations proposed the creation of an EU Sovereign Tech fund (https://opensource.org/blog/investing-in-open-source-sustainability-osi-supports-open-forum-europes-eu-sovereign-tech-fund-proposal#comments) as part of its contribution to the public consultation on the multiannual financial framework. We believe that ENISA should either be assigned part of such a fund, or set up its own fund to support security audits, pentesting, and bug bounties for Open Source projects and components which are heavily used by European public authorities and companies.
Best Regards
Jordan Maris
Open Source Initiative
Response to Evaluation of the Public Procurement Directives
5 Mar 2025
Dear Commission Reviewer,
The Open Source Initiative (OSI) is a global charity central to the Open Source Community for over 25 years, recognized as the authority defining Open Source. We are pleased to provide input on the European Union's procurement legislation, focusing on digital solutions. Please find our detailed feedback attached as a PDF; a basic summary is available below:
Open Source software, built by communities of individuals and enterprises, allows free use, study, modification, and redistribution. It powers nearly 90% of software applications today, including mobile devices, vehicles, the internet, and critical infrastructure. As the EU and its member states digitalize, the procurement of software and digital services has grown significantly. However, the current geopolitical context necessitates considering Europe's strategic autonomy in public procurement. Open Source offers solutions to many of the EU's challenges, enabling independent, interoperable, and sovereign solutions at a lower cost and greater societal benefit.
Benefits: Open Source software promotes digital independence and sovereignty by allowing Europe to control its technological infrastructure, ensuring trust in software, interoperability, and easy switching between providers. It fosters a more competitive market by eliminating vendor lock-in and reducing the cost and inconvenience of migration. Open Source software is flexible, allowing for easy modifications and the development of new features. This benefits everyone, as features developed for one contracting authority can be used by others at no additional cost, reducing the need to reinvent the wheel. Procuring Open Source solutions also creates societal benefits, such as multiplying the value delivered by tenders and creating high-quality jobs that strengthen Europe's digital independence.
Barriers: Several barriers hinder the procurement of Open Source solutions. Procurement templates are often designed with proprietary software in mind, making it challenging for Open Source suppliers to compete. Contracting authorities may be locked into proprietary ecosystems, leading to further lock-in and increased costs. Tenders often mention specific proprietary solutions or standards, excluding Open Source suppliers by default. Important factors like interoperability, total cost of ownership, reusability, and exit strategies are not systematically considered in tenders. Additionally, it can be difficult for contracting authorities to identify suppliers that contribute back to the Open Source community, which is essential for the success of Open Source projects.
Proposed Solutions: To address these barriers, the OSI proposes several solutions. These include prohibiting the use of patent-encumbered or proprietary standards in defining project needs and focusing on open standards. Public authorities should not be allowed to require specific proprietary software solutions in their tenders. Interoperability, reusability, vendor lock-in, and digital sovereignty should be considered systemic criteria for procurement. Mandating interoperability through open APIs can prevent vendor lock-in. Contracting authorities should consider exit strategies and total cost of ownership, including the cost of procurement, lifetime cost, duration of support, future upgrades, and migration or exit costs. Suppliers of Open Source software should be evaluated based on their contributions to the Open Source project. Additionally, consider mandating the storage of code or source code escrow to ensure the code is available even if the supplier ceases development or becomes insolvent.
We hope our input highlights the benefits and challenges of procuring Open Source software, and that our recommendations will serve as a basis for improving the approach to procurement of software in the European Union. Please do not hesitate to reach out to us with any questions you may have.
Meeting with Birgit Sippel (Member of the European Parliament)
24 Sept 2024 · AI and open source questions
Response to Standard Essential Patents
10 Aug 2023
Many thanks for the opportunity to offer feedback. Input from the Open Source Initiative is in the attached document.
Response to Cyber Resilience Act
23 Jan 2023
OSI recognise that the European Commission has framed an exception in recital 10 attempting to ensure the provisions of this proposed Act do not accidentally impact Open Source software. However, drawing on more than two decades of experience, we at the Open Source Initiative can clearly see that the current text will cause extensive problems for Open Source software. The problems arise from ambiguities in the wording and a framing which does not match the way Open Source communities actually function and their participants are motivated. OSI recommends further work on the Open Source exception to the requirements within the body of the Act to exclude all activities prior to commercial deployment of the software and to clearly ensure that responsibility for CE marks does not rest with any actor who is not a direct commercial beneficiary of deployment. Leaving the text as it is could chill or even prevent availability of globally-maintained open source software in Europe. There is a longer explanation in the attached document, and we would be pleased to participate in ongoing evolution of the text to help it achieve its goals.
Response to Standard Essential Patents
9 May 2022
OSI is grateful for an opportunity to provide feedback, which is detailed in the attached letter.