Digital Sovereignty and Open Source

Europe is banking on open source. In strategy papers, funding programmes, and political speeches, digital sovereignty has become a guiding concept. The idea behind it is correct: whoever controls the software on which the economy and public administration run is independent. Whoever does not control it is not.

But between strategy and reality, there is a gap: using open source does not yet mean being sovereign.

Using open source is not the same as mastering open source

Digital sovereignty requires more than the decision to use open source software. It requires the ability to operate this software independently, to fix bugs yourself, to contribute, and to keep the ecosystem running — even when a maintainer stops, a project becomes orphaned, or a critical security issue arises.

Whoever merely consumes open source without intervening in the projects is not sovereign. They are dependent:

This is not a theoretical danger. It is the normal state of the open source supply chain.

Who controls the software that powers Europe?

Linux, curl, OpenSSL, nginx, zlib, LibreOffice — Europe's critical infrastructure runs on open source projects that are predominantly maintained by individuals and small teams. Many of these projects have no European connection. Governance often lies with US foundations or with no one at all.

The EU has recognised this problem. The Cyber Resilience Act (CRA) introduces the role of the "open source software steward" — a legal person that systematically supports the development and security of open source projects. This is a regulatory signal: Europe needs actors who do not merely use software but actively contribute to the security and stability of the ecosystem.

Sovereignty is an operational capability

Digital sovereignty cannot be achieved through procurement decisions. It arises through operational capability: the ability to intervene when it matters.

Concretely, this means:

What does this mean for you?

If you use open source — and you do, whether you know it or not — then relying on scanners and dashboards is not enough. The question is: Do you have someone who can work in the code? Who delivers fixes, stabilises projects, and keeps your supply chain running even when upstream fails?

OTTRIA is a European provider that establishes precisely this operational capability. As an Open Source Steward within the meaning of the CRA, OTTRIA works not at the dashboard but in the code — with patches, reviews, upstream contributions, and active project maintenance. Not as a promise but as daily work.

Further reading

Digital sovereignty does not begin with a strategy. It begins with the ability to act. Talk to us about how OTTRIA establishes this capability for your organisation.