The EU Open Source Strategy

1 month ago (digital-strategy.ec.europa.eu)

I wish there was somewhere I could earnestly and intelligently have discussions about EU related tech and tech policy, but HN isn't it. As you can see already in this thread, there's 14 comments besides mine and they are 100% negative, and about 95% low effort/reactionary.

Of course there's a lot to criticize and also to appreciate about the EU. But this is supposed to be a forum for intelligent, thoughtful discussion and yet as soon as the EU gets mentioned it basically turns into reddit.

  • What points could we even discuss? It's all terribly vague and I imagine nobody here can even tell how that supposed 'strategy' is different from the one 5 years ago. And half of the things mentioned there, like the EUDI Wallet or age verification have been heavily criticised for good reasons.

    If the headline was "EU invests 100B into open source to further independence from US", I imagine things would be different. But right now it's "we have intentions to have plans about tech and open source in the EU sometime in the future".

    • It’s a PR website meant for… people that read PR websites.

      The agencies downstream that will spend 4 million euros comparing LibreOffice with OpenOffice are the ones doing some of the work.

      I think it’s okay for the institutions to signal something positive, as long as they actually back it up later.

  • A huge chunk of HN is 20-something kids who are way too online and parrot in earnest Polandball-style memes like "Germany doesn't have freedom of speech" or "France has too much regulation". They are fine to discuss tech with but I wouldn't take their opinions on politics or culture seriously

  • > Of course there's a lot to criticize and also to appreciate about the EU. But this is supposed to be a forum for intelligent, thoughtful discussion and yet as soon as the EU gets mentioned it basically turns into reddit.

    You dislike criticism? I find criticism an important part of discourse and discussion. HN is very clearly not anything like reddit - just the insane amount of censorship on reddit alone, is already one argument against that claim. Many more could be given. I have been using reddit in the past for many years, so I know how reddit changed. Not that everything is perfect on hackernews; I dislike the "you are posting too much" limitation, for instance. But we don't have over-eager censor-mods here whereas that was locking down numerous interesting discussions on reddit.

    With regards to the EU situation: the EU is in a very strange situation. On the one hand it is doing good things; this then gets cancelled by the EU commission acting as a pure lobbyist group, as well as a huge army of bureaucrats who want more and more money and dream about assimilating more and more countries, which makes zero sense. Whether the EU will succeed with regards to their open source strategy or not, who knows. What I do know is that individual countries, such as France or the Netherlands, are quite intelligent when it comes to good decisions (Germany is absolutely undermined by lobbyists, so it is totally paralysed here); I am not convinced the EU is in a similar situation. It would have to be reformed, but people in Brussels don't want to see their job axxed away, so nothing will improve here.

    My recommendation is that if you are unhappy, go and talk about it - but don't expect others to turn to your assumptions about how a discussion should happen when it comes to the EU, because they may not share your opinion here.

    • > You dislike criticism

      No, I love criticism, as long as it's balanced and thoughtful, and invites discussion rather than being knee-jerk reactionary. Please read my comment more carefully.

      3 replies →

  • Honestly, as a European, I am okay with this.

    I want the US tech community to continue thinking of us as some sort of technological backwater. Ridiculing and deriding us, so they never see as any place where they are welcome. Since given the last ten years, they pretty much aren't. There's basically little to nothing that US tech services have to offer Europe.

  • True but it also reflects that the EU has indeed destroyed most goodwill towards it in the last decade regarding most things digital.

    Most EU initiatives have damaged everyday UX on the web and in tech. Yes, some malicious compliance has played a role by over-reacting to well-intended regulations. But overall the EU has brought this upon itself.

    This specific Open Source Strategy memo is typical. It's in fact not a strategy but a list of key goals and requirements, put together in technocratic jargon. It will have zero effect on the actual open source ecosystem.

    • > True but it also reflects that the EU has indeed destroyed most goodwill towards it

      Or you have been brainwashed by the billions spent annually to make you believe stories about bendy bananas and occult initiation ceremonies as a condition of being a member.

      1 reply →

    • > True but it also reflects that the EU has indeed destroyed most goodwill towards it in the last decade regarding most things digital.

      Not for me, my opinion of things like GDPR and forcing usbc on phones gives me the impression that the EU is holding corporations accountable and looking out for normal people.

      Its been mentioned before but i feel like while alot of negative views might be organic, alot are also the result of tech companies' smear campaigns against the EU

    • " True but it also reflects that the EU has indeed destroyed most goodwill towards it in the last decade regarding most things digital. " And these criticism destroys any goodwill from me. These are non topics my among political diverse friends. Most people criticise the EU internet regulations are American cry babys. Their arguments are shallow, their knowledge about EU is low.

      7 replies →

    • > Most EU initiatives have damaged everyday UX on the web and in tech.

      Are you really trying to suggest that GDPR and PECR are bad pieces of legislation because businesses have decided that they’d prefer to give you a bad UX?

      17 replies →

  • It's not only HN. You can see big tech media hate against any effort europe does. Everybody is mocking europe for building 10 years old chip fabs or their measly small unusable clouds or bad startup scene.

    It's interesting because not that long ago nobody cared about what europe did in tech. Or more like everybody was fine with the fact that europe imported computers and exported something else. It was like that forever. I am not sure where this is coming from. It almost seems like even these weak efforts might mess up with somebodys business.

    • It’s even more interesting because a big supply chain problem during Covid were related to old chips used in tons of mechanical engineering products, like cars. Given that experience you could argue that the old fabs are much better value for money for resiliency.

      2 replies →

    • There is a type of videos, where people mock US-citizens for their ignorance about the rest of the world and how things are working there. Those mocking EU for their efforts, usually have that same smell.

    • The thing is that Europe needs to really decouple as much as possible from crazy dictatorships such as Russia or the USA. US companies are part of that toolbox of containment that the USA is presently doing against Europeans.

      Sooner or later Europe will wake up. Right now we still have too many lobbyists but this will change - at the latest when key lobbyists are put in jail for many decades. Sadly this also means the current EU commission has to go to jail too.

      1 reply →

  • HN is full of people which EU is fighting against, so of course is there little chance to find sane discussions here. You could try some european subreddits, or local tech-sites from Europe, there is usually a better chance to find people who benefit from EU-regulations and have a more rational view on them.

  • I guess the hate is because the EU also invented the following monstrosities:

    - CRA (cyber resiliency act): Manufacturers must handle and release security patches for vulnerabilities, and developers are required to report actively on exploited vulnerabilities and breaches.

    - PLD (Product Liability Directive): A failure to provide critical security updates or the presence of exploitable vulnerabilities can now legally constitute a "defect" and if defective software causes physical harm or property damage, manufacturers are strictly liable and cannot contractually exclude or limit this liability.

    And the kicker is this: Non-commercial open-source software is generally exempt from these commercial liability frameworks. However, if an open-source component is integrated into a commercial, for-profit product, the responsibility shifts to the corporate manufacturer.

    So good luck making some money of your open source project where the risk outweighs any potential profit, or integrate an open source project into your commercial offering.

  • That's because American BigTech Bros are afraid of the below and will take every opportunity to diss on it.

    "Support uptake of open source alternatives to proprietary solutions together with Member States and the Digital Commons EDIC — cloud, workplace tools, secure e-mail, decentralised social media."

  • [flagged]

    • Every day, I pass by numerous signs and plaques reading "funded by EU funds." Most of the time, they are attached to public transport or road infrastructure. For anyone genuinely trying to understand the EU's impact — rather than just defaulting to blind hatred — there are plenty of public resources available. You can find maps and project lists detailing descriptions, funding amounts, and progress statuses.

      Granted, this data is usually "boring" by today’s dopamine-driven attention standards, so it's no wonder people rarely talk about it. But if you actually stop and take an interest in what has been accomplished, you start noticing the impact everywhere—it just takes a little effort. After all, how hyped can you really get over a repaved road in some remote village you've never even heard of? You can't. But the people living there certainly feel the impact, even if they don't always notice where the money came from.

      Go search for maps provided by EU or your government sites, for instance https://mapadotacji.gov.pl/?lang=en

      You might disagree with certain aspects of the EU, but leaving a rage-baited, hateful comment is the easy way out. Looking at actual accomplishments—despite your frustrations—takes real effort.

      For stuff which actually can matter and had impact on daily lives (beside aforementioned public transport impact):

        - USB-C as a standard power connector
        - hassle-free travel between countries
        - GDPR you mentioned
        - recent "stop killing games" public initiative which shows that common people can stand a chance against multimillion dollar companies
        - abolition of roaming charges and access to a free internet up to certain limits — huge PITA solved for people going on vacations  
        - universal healthcare between countries on vacations  
        - strong 14 day guarantee for online purchases, free return policies and minimum 2 year warranty  
        - food safety regulations (but if you don't care you won't be impressed by it)  
        - certain regulations regarding flights and passenger rights (cancellation compensation, recent regulations regarding baggage, to fight with scammy practices of flight operators)   
        - right to repair 
        - even the commonly memed bottle caps is nice UX — you (or more commonly a kid) won't be able to drop a cap on sand rendering :) And thanks to that there is noticeably less "small trash" on beaches and in parks (left to solve are beer caps ;)
      

      The intend of this comment is just to show that it's not "nothing" if you bother to look, the stupid/bad/ugly is beside the point here.

  • With the European Chips Act I already a total disaster, please help me with your intelligence, thoughtful discussion to explain the feasibility of miracles to me in rational terms, since the EU is obviously oblivious to the fact, that they are delusional and hubris might be a better term to explain, what "the EU" wants to achieve - and maintain.

    BTW, the EU also plans for a energy transformation, being a military powerhouse, surveillance state - what else could be wish into reality?

    • Sovereign manufacturing supply chains? A competitive EV company? A competitive space launcher?

      How about a healthy native birth rate and relatively low levels of immigration?

      But to create that many strategies, you're gonna need a huge EU bureaucracy. So better create a strategy to reduce the growth of EU bureaucracy, too.

  • So instead of adressing the article and provide the potential base for a intelligent debate, you decided to raise the bar by lamenting?

    My impression in general is that there is rather a very EU friendly view here on HN in general, but HN is critical of everything.

    So I also say, lot's of nice words, great that they at least start so late with that now, but more concrete steps would be more welcome.

    "Making public administrations anchor users and contributors to open source, through procurement guidance, open-source friendly tendering, strengthening the Open Source Programme Office and its networks, reusable public digital assets and by embedding openness and sovereignty in digital investment decisions"

    Because this for example sounds great. But is it very concrete? It sounds like it, but I don't see how it is.

All great, but I would love EU and (national, local, ...) governments in the EU simply use the open source stuff already available.

Often there is an 'you must open source, unless you explain why not' and then there is some faff about why they really need to be buying more stuff from Microsoft (which is more and more cloud stuff and thus under the CLOUD act etc.)

Time to get rid of the 'unless' bit.

  • Although I usually come up negative on my The Year of Linux Desktop comments, that would already be a starting point.

    Unless EU citzens are able to easily walk into FNAC, Vobis, Cool Blue, MediaMarket, Carrefour, Publico,.... and come out with a laptop or desktop with e.g. SuSE Linux already set up, this will always be a niche thing from nerds assembling their own PCs, or finding their ways into Tuxedo and co.

    And there needs to be some kind of value in actually doing that for normal people, otherwise it will be just like netbooks, most people will return them and ask for a Windows PC, after being "tricked" into getting one of those Linux PCs.

    • > And there needs to be some kind of value in actually doing that for normal people, otherwise it will be just like netbooks, most people will return them and ask for a Windows PC, after being "tricked" into getting one of those Linux PCs.

      This is the big thing.

      Even as a massive nerd, I keep trying various distros and going "meh" and right back to MacOS.

      1 reply →

    • I do not think I want my public sector running GNU/Linux desktops. There is no distro that meets the security requirements.

      I don't know if Windows is better, I have heard rumours that it's pretty bad.

      I know MacOS is MUCH better from a security PoV but I definitely don't want my public sector shelling out to Apple and I don't think it meets the boring IT management requirements anyway (I think big tech has a lot of crazy workarounds to make their MacBook fleets workable).

      So yeah overall no good options here. I would love to see the EU fund development of a better distro for this usecase, but doubt it's the highest ROI thing you can do in this space.

      21 replies →

  • There is definitely a lot of this happening, e.g. this is a 'collaboration suite for civil servants' that's basically a collection of existing open source projects

    https://github.com/MinBZK/mijn-bureau-infra/

    They show all the components they use here https://minbzk.github.io/mijn-bureau-infra/docs/category/com... and have set up guides for departments to operate it all on Kubernetes

    I'm guessing from my own use of NextCloud, Matrix etc that this will simply be deemed not good enough compared to Google Workspace or Microsoft WhateverItsCalledNow as these things are pretty rough around the edges in my experience, but this looks like a good step in the right direction to me

    • I like the thing the French have been cooking up, La Suite Numerique: https://github.com/suitenumerique#%E2%84%B9%EF%B8%8F-about-l...

      It looks much more polished than a lot of the existing open source tooling, they've been building a lot of stuff in-house and really been paying attention to UX (which imo is the biggest problem with a lot of existing FOSS solutions).

      I have high hopes this'll become a viable solution going forward, maybe even for non-gov users.

    • All laudable efforts, but I'd love for my Dutch govt to actually use these broadly. With the support behind it to file down those rough edges for the benefit of all.

A challenge they forgot to mention is EU‘s very own new Product Lianility Directive.

Although the Directive exempts free and open-source software (OSS) from strict product liability, it does so only if the software is developed or provided outside the course of a commercial activity.

As soon as a company integrates OSS into its own commercial product or uses it for economic purposes, the company becomes liable for any potential defects in the open-source component.

Looks Like fun for freelancers and companies who get Clients thanks to their Open Source projects, for example.

  • Company sells product for profit - they are liable for the product and all its subcomponents - there is nothing unfair about this - it doesn't matter if you found the components in a hole in the ground or on github - if you are selling a product based off it, you are liable.

    For freelancers / oss companies - you can still sell services such as consulting or support - without selling your oss project - then its a service - not a product.

  • Does this mean that you think a company should not be held liable for defects caused in a product they ship, if the defect is caused by an open source component?

    Why not?

Empty words. Without changes to anti-circumvention laws, safe harbor commitments for security researchers and serious funding for foss projects nothing is going to change.

  • ... and I'd still be very happy for them. Some money, is better than none.

    Besides, supply chain payments are already a thing and help maintainers like myself already while providing security benefits for corporations.

  • > serious funding for foss projects

    this is a sure way for grifters to make a boatload of money by lobbying for various projects to be funded.

Always the same broken pattern of the EU: throwing shitload of money to the big actors of a field without really a coherent strategy or a real control of how the funds are used.

Like that, a few companies are specialized in sucking public funds and delivering nothing. Or just the minimum to say that they did something.

Again here, no money will be directed to the thousands of core and essential OSS projects that are maintained by individuals without a corporate backing. Or to the individual contributors that are the key to these stacks.

Instead, the only one that will be able to get money, legally per EU policy, will be consortium of suckers and eventually nice but useless researchers in University...

  • One counter example: https://nextgraph.org/elfa-consortium-encrypted-local-first-... (eg.. https://www.ironcalc.com/)

    • Is it really a counter example?

      "Gathering 12 partners for at least 3 years, towards a suite composed of 16 apps!"

      Read the About page and tell me what is it exactly that you will be paying for? https://nextgraph.org/introduction/

      I mean we all agree of how good are the values posted on these page, but what are we paying for? Oh I see: https://nextgraph.org/roadmap/

         This is the new roadmap for 2025, established thanks to the new grant received from NLnet Foundation and the NGI Zero Commons Fund.
         The main goal is to finish the Core protocol, improve the Wallet and App, and bring about the Framework/SDK so that developers can create standalone or embedded apps based on NextGraph. Those apps can make capability-based access requests on the user's data, define smart-contracts and implement any business logic within cross-document transactions. 
      

      No LOL, this is where your money is going... At the same time, the maintainers of the openssl, sqllite, openssh, ... or for example NGINX that now belongs to big american company...

      1 reply →

  • The pattern is not broken, it works as designed. This is mostly a money-pump from government(s) to private interests, mostly sitting in large IT houses.

  • > Like that, a few companies are specialized in sucking public funds and delivering nothing. Or just the minimum to say that they did something.

    Agreed. Fraunhofer institute in Germany is a prime example.

    • In all cases, it is not 100% of the money that is wasted uselessly. There is still a few percents that are directly to useful use. Like there some companies or big companies that contribute in some cases in significant open source projects that are used by everyone. But that is more the exception than the norm.

  • > Like that, a few companies are specialized in sucking public funds and delivering nothing.

    Not just public, private funds as well. Typical EU, I call that helicopter regulating: you see a problem, throw a regulation at it, then close you eyes.

    GDPR pop-ups are the most obvious example, but there are so many more.

    For instance, now apparently companies can opt to send payslips digitally instead of physically (paper). Of course, some smart ass nitpicked that employees could loose or change their mail address, so the company is now forced to store digitally delivered payslips in some kind of European-hosted vault for 10 years. And since no sane company want to be liable for that, we now have a wonderful ecosystem of trash "payslip digital vaults" startups, which companies use to proxy-send employee payslips.

    So in essence, my company is now sending my payslips (with name, address, contact details, compensation breakdown, etc) to a stupid start-up with egregious ToS, just because "send it by mail and let the employee back it up" was too simple. Thanks !!!

I have so many mixed feelings about it. I mean there OSS software already, nobody prevents its use. It would have been better to just give OSS grants to SMEs who use OSS that originates in EU. But this is internet we are talking about, if I have an OSS repo and it contains contributions from Chinese or US citizens, is it still EU OSS? The core underlying issue is that nobody is incentivised to use EU “only”, if that changes the you will see the results. It does not even talk about devs like me who create such software.

There is the light headed assumption that any time propr software can be replaced by open source. By regulation, by being fed up with closed source, by saying so etc. It cannot, it's very hard.

In this realm, software is like a car. Would you buy an open source car? You might know any aspect of it but where would be the professional support, the strict safety regulations, the security feeling that you are under the wing of a company? I am full OSS, but I am not sure for the average Joe and Mary or better for the Oliver, Lucas, Matteo and Sofia.

is any money going into it, or are they just "supporting"?

  • There is money but it's all vague and hard to get and usually with tax breaks instead of just money. I would opensource everything we built, but I have to eat something so it'll be when I die and/or the company is sold and/or we earned enough to make everyone eat during their life (with some reasonable amounts that assume hyper inflation won't happen) (it is contractually arranged). Many EU gov institutions use our software and would LOVE for us to open source it - they would immediately stop paying.

As far as I know EU is a full slave of Big Tech and does not have the intent to actually break free (it is going to hurt, the more you get into Big Tech, the more it will hurt to break free).

First thing first, restore web sites in a solid security network infrastructure. Namely, noscript/basic HTML.

Will EU mandated backdoors be open source too?

> When it describes how the groundwork might be laid for mandating encryption backdoors, the EU chooses to use euphemisms such as creating roadmaps for “lawful and effective access to data for law enforcement” and seeking “technological solutions for accessing encrypted data.”

https://reclaimthenet.org/eu-protecteu-strategy-encryption-b...

> European Commission pushes for encryption ‘backdoors’

https://brusselssignal.eu/2025/04/european-commission-pushes...

To people confused or wondering why it's too little, too late, too incompetent, etc.:

The EU makes a lot more sense when you understand it's a neoliberal institution. Just giving people money to work on open source directly would violate state aid/market disruption rules, they aren't allowed to do that because that could negatively impact the profit of some shareholder somewhere. Member states that want to do that even have to ask permission from the commission if they want to give aid to companies [1].

Everything is like that with the EU, they aren't like China that can just put money whereever to develop or fix strategically, rather the EU can't do anything strategically, or fix anything. It's by design they aren't incompetent, that is what market liberalism is. It's core to what they mean when they say "European values".

[1] https://competition-policy.ec.europa.eu/state-aid/overview_e...

  • > The EU makes a lot more sense when you understand it's a neoliberal institution

    I think that's a perfect summary.

    As an aside, regarding what I would like EU to do in opensource - when American government writes some code, it must be put in the public domain (no copyright). EU doesn't have a similar rule.

    • That's true, it's an interesting case where the EU is even more ideologically committed than the US, like licenses on photographs taken by ESA vs. NASA for example, but it's everything.

      With universities it's similar, publicly funded research gets patented (including software!) and exploited by private enterprise, but even worse private industry dictates the areas of research so it's impossible for there to ever be a coherent research strategy in the EU.

    • BTW, this doesn't just apply to code -- everything the US govt releases publicly is in the public domain. This is why, for example, you can find US Foreign Service Institute language textbooks floating around the net.

I think unless they have some alternative to Github (Codeberg yes) but with comparable number of repo's this strategy does not yet look very encouraging. Difference between number of open repos is huge, about 100 times