An Introduction from the Organisers to the Open Source & EU Policy devroom.
European digital sovereignty is moving from slogan to strategy. Faced with dependencies and in line with its resilience goals, the EU increasingly turns to open source as a pillar of its technological autonomy. Yet the debate often stalls on the questions: Where is software “made”? Who “owns” the code? And can sovereignty be achieved simply by adopting European-labelled alternatives? - all questions that often are not compatible with how open source actually works, and potentially leading to missing out on the vast potential of the global OS ecosystem for Europe.
In this panel, the speakers will focus not on trying to define “European open source” but on the fact that sovereignty is less about origin or ownership than about capability, participation, and influence. Drawing on perspectives from the industry and SMEs, as well as the global open source ecosystem, the discussion will focus on the future-looking (and pragmatic) idea of interdependent autonomy: where strategic independence is strengthened, not weakened, by deep engagement in global open source communities.
Europe’s IT landscape has long been heavily reliant on just a few large American tech providers, and this is equally true for the systems used in public administration. This dependence jeopardises the administrative services that underpin our states’ functioning. To counter this, Europe needs a tech stack that strengthens digital sovereignty at every level, from databases and virtualisation to operating systems and end-user applications.
Various governments and governmental organisations in Europe are already working to provide building blocks for a sovereign public infrastructure. The newly founded European Digital Infrastructure Consortium for Digital Commons (DC-EDIC) can fuel this development. This session brings together actors involved in setting up DC-EDIC in conversation with civil society and the wider open source community. We will explore the EDIC's role in supporting the open source ecosystem, as well its connections to European policy:
With this session, we hope to help steer the EU's ambitions for digital sovereignty toward models that genuinely empower the open source community and reinforce the sustainability of Digital Commons.
As it takes a village to raise a child, it takes a global open ecosystem to build a Euroshack. Inspired by the Frugal Manifesto, we envision the Euroshack as the first agile prototype of a truly open EuroStack: modest in form, ambitious in purpose. Grounded in pragmatism and powered by free and open software, the Euroshack avoids nationalist overtones and instead champions a scalable, dependable core. “Shack” is a humble name, but it reflects a bold mission: to secure digital sovereignty and protect our electronic freedoms in Europe from the mood swings of oligarchs. With its modular, adaptable structure, the Euroshack is built to grow, evolve, and empower.
Europe has bold ambitions for open source and digital sovereignty, yet most initiatives struggle to deliver meaningful change where it matters: at the level of local institutions. Despite strong strategies and political commitments, implementation stalls because the policy frameworks guiding European digital transformation ignore a simple truth. Europe is built on a multi-level governance system where local actors carry the responsibility for execution but lack the incentives, support, and capacity to act.
Drawing on hands-on experience from Denmark’s OS2 (os2.eu) community, where more than 85% of municipalities jointly develop and maintain open source solutions, this talk examines why current EU-level open source policy risks failing in practice. It unpacks three systemic barriers:
The talk ends with practical policy recommendations: risk-bearing EU capital for local transitions, stronger alignment between EU-level commitments and local implementation realities, and a cultural shift where every new digital project must explicitly break with “doing things the way we always have”.
Rasmus Frey is Chief Executive and Secretary at OS2 (os2.eu), Denmark’s open-source community for public digital collaboration.
He works at the intersection of governance, innovation, and technology, helping municipalities and public institutions co-develop and reuse digital solutions through open collaboration and shared ownership.
Rasmus contributes to European networks on open-source governance and digital sovereignty, with a focus on institutional design and democratic digital infrastructure.
Roundtable discussion with policymakers and the community: how can the public procurement framework, that is currently being reformed, be used to achieve digital sovereignty goals? Open Source provides many answers to the questions digital sovereignty raises, but how can public procurers be empowered to buy more Open Source, what are their expectations, and what hurdles exist?
A Blueprint for Trusted European Digital Services
The European Commission’s Cloud Sovereignty Framework (Version 1.2.1, Oct. 2025) is a critical blueprint for defining, assessing, and ensuring the sovereignty of cloud services used within the European Union. Born from initiatives like Gaia-X, CIGREF's Trusted Cloud Referential, and EU legislation (NIS2, DORA), this framework supplements security requirements with sovereignty-specific safeguards to reduce dependency on non-EU actors and proprietary systems.
This session will dive into the technical and legal requirements of the framework, which uses a dual assessment approach: the Sovereignty Effective Assurance Level (SEAL) and a quantitative Sovereignty Score.
Key Components
In this talk Emiel will break down the framework's core pillars:
The assessment is built around eight objectives that define what sovereignty means in a cloud context:
SOV-1: Strategic Sovereignty SOV-2: Legal & Jurisdictional Sovereignty SOV-3: Data & AI Sovereignty SOV-4: Operational Sovereignty SOV-5: Supply Chain Sovereignty SOV-6: Technology Sovereignty SOV-7: Security & Compliance Sovereignty SOV-8: Environmental Sustainability
The SEAL levels determine the minimum required level of assurance a cloud provider must meet for each objective:
SEAL-0: No Sovereignty SEAL-1: Jurisdictional Sovereignty SEAL-2: Data Sovereignty SEAL-3: Digital Resilience SEAL-4: Full Digital Sovereignty
This talk is crucial for open-source developers, EU-based cloud providers, and policymakers interested in contributing to or complying with the future of digital service procurement in Europe. We will discuss that digital sovereignty starts with open source and how open-source technology can directly contribute to achieving the highest SEAL levels and the maximum Sovereignty Score.
We will also dive into the EU first policy and how that helps EU organizations to be more sovereign.
Simpl is the open-source smart middleware platform that enables cloud-to-edge federations and all major data initiatives funded by the European Commission.
https://simpl-programme.ec.europa.eu/ https://code.europa.eu/simpl
The recently proposed Digital Omnibus aims to simplify a series of digital regulations, such as the GDPR, the Data Act and other laws, such as the ePrivacy directive. The goal of this legislative package is to reduce administrative burdens on organisations and boost innovation, although it can have significant impacts on open source communities, foundations and SMEs building open-source software.
Using Matrix as a case study, this talk will go through the areas of the Omnibus proposal which might have potential impacts on the wider FOSDEM community, namely proposals around redefinition of key concepts, changes to incident reporting requirements (and how they align with CRA requirements) and data sharing. It also aims to identify opportunities which might be brought on by the Omnibus, particularly around standardisation of approaches and improved collaboration.
This panel will bring together lawmakers who worked on the Digital Services Act and the Fediverse community for a panel on the challenges modern social media bring, from disinformation to hate speech and censorship, and how the EU's Digital Services Act and the Fediverse try to solve them.
Further information on speakers and content will be provided shortly.
This session will explore the specific consequences for the Open Source community arising from the EU's policy agenda on protecting children online. While there is a very real need to ensure reasonable child safety measures, many lawmakers favour blunt 'solutions' that can have serious consequences for privacy and data protection, and can particularly impact free and open source software projects.
For example, the draft CSA Regulation (sometimes referred to as "chat control") contains provisions that could make the use of age verification tools effectively mandatory for many online communications providers (messages, emails etc.) and app stores. Whilst a final law has not yet been agreed, negotiations are likely to be in their final stage by FOSDEM 2026.
In addition, calls from lawmakers for a minimum age for the use social media are getting increasing traction. Proposals range from implementing such age gating at the level of online platforms, app stores or operating systems.
This could not only impact code collaboration platforms, which could inadvertently be classified as social media. Mandatory age verification at the OS level could pose insurmountable problems for open source operating systems. Furthermore, projects that now rely heavily on a distributed system to offer software downloads and collect as little data as possible from their users would be forced to either thoroughly test every application they offer in advance or, even worse, completely centralize for the sake of age verification. Finally, age verification could threaten users’ ability to install apps outside of proprietary app stores. For all these reasons, open source developers should raise their voices in the age verification debate.
The 2024 European elections marked the start of the new 5 year mandate of the European Parliament followed by forming a new political direction of the European Commission. What does this change mean for cryptography and its regulation in Europe? How can encryption be framed as a vital tool to secure fundamental rights in the digital age, rather than as a law enforcement nightmare? The talk will primarily focus on the recent developments in political narratives around securing access to encrypted data by law enforcement authorities, the current European Commission’s plans as presented in ProtectEU: the European Internal Security Strategy, and the impact on privacy, security, and Free and Open Source Software.
Whether you are new to the Brussels EU Policy maze or already experienced in arguing your case with policymakers, this session wants to help you find your way.
Who are the right contacts to reach out to, and how to find their contact details?
How does my submission to a call for feedback develop the most impact?
What can I do to make my voice heard?
This interactive session brings together experts from different civil society organisations, with experience from past or present work in the European institutions, and Open Source practitioners at FOSDEM to advocate for fundamental rights, digital, and Open Source policy towards the European institutions, including the European Commission, Parliament and Council.
Participatory platforms are now widely used across Europe for consultations, participatory budgeting, petitions, and deliberation. However, despite this growth, civic tech ecosystems remain deeply fragmented: platforms are isolated, data is locked into silos, and citizen contributions rarely travel across institutional levels or over time. This fragmentation limits transparency, weakens democratic legitimacy, and prevents collective learning at scale.
This talk presents the Democracy Data Space, an open, interoperable infrastructure designed to reconnect participatory processes across platforms, institutions, and territories while preserving local autonomy and data sovereignty. Inspired by European data space principles and built on open standards, this initiative explores how interoperability can enable traceability of citizen contributions, federated identity, shared governance rules, and cross-platform democratic intelligence.
We will share:
The political and technical problems caused by today’s civic tech silos The core architectural principles of a Democracy Data Space How open protocols and federated data spaces enable democratic traceability Early experiments, governance challenges, and next steps for this european data space for democracy This session is aimed at open-source developers, civic tech builders, data space practitioners, and anyone interested in building public digital infrastructure for democracy.
We present HowTheyVote.eu, a free and open-source website that makes roll-call votes in the European Parliament more accessible and transparent. We briefly showcase the site’s features and how we built it, focusing on the different official data sources we combine. We will discuss good and not-so-good practices of the European Parliament’s websites and take stock of what we learned from four years of scraping parliamentary data. Lastly, we present examples of HowTheyVote.eu data being used in journalism, research, and civil society, showcasing how accessible voting records can inform debates and thus ultimately strengthen European democracy.
The European Parliament is the only directly democratically elected EU institution, and, as such, the voting behavior of its members is of particular interest. With a significantly larger number of right-wing MEPs since last year's elections, keeping an eye on the developments in Parliament has become more important than ever. Although the Parliament publishes information such as roll-call vote results and plenary minutes on its website, it can be difficult to find out what exactly MEPs voted on or how a particular vote turned out, as the data is scattered across multiple sources, published in different formats, and made available at different times.
We started HowTheyVote.eu in 2021 as a free and open-source project to address these problems. On HowTheyVote.eu, users can search for votes and view results. We also publish our entire dataset under an open-data license.
Across Europe, open source is increasingly used to address systemic challenges in a variety of sectors, including agriculture, energy, and public infrastructure. However, its full potential depends on how projects, policies, and markets are being shaped in those verticals.
This panel brings together concrete experiences from digital agriculture, energy system modelling, and public procurement to explore how open source enables innovation, transparency, and technological sovereignty across vertical industries. Drawing on EU-funded projects, open science methodologies, and real-world procurement practices, speakers will discuss how open source supports interoperable solutions, trustworthy policymaking, and resilient public infrastructures. The session highlights the critical role of policy choices - funding, licensing, procurement rules, and governance - in turning open source software into sustainable ecosystems that serve Europe’s economic, environmental, and democratic goals.
This talk is for a broad audience, including projects and smaller organisations that don't have compliance and policy staff. The primary goal is to give people information so that they can check if they have CRA obligations, and what compliance work might be required. It will also show what projects can do voluntarily to make compliance work easier for others that want to use their software.
The secondary goal of this session is to enable more people to participate or provide feedback. Eclipse Foundation and other entities of the FOSS ecosystem are creating educational materials and compliance tools. To ensure that such tools are useful for the entire ecosystem, feedback is needed from all types of projects and organisations. Do the current information resources meet your needs? What more would be useful?
What if open source software projects could receive ongoing and sustaining funding from the corporations that use those project commercially — without changing the license or charging a fee for usage? This may sound self-contradictory; soon, it may be more than theoretical.
In Article 25 of the Cyber Resilience Act, one can see that the European Commission has the opportunity to create a Delegated Act for Voluntary Security Attestations. This could open a path for open source project maintainers, stewards, or third parties to reduce manufacturer's cybersecurity compliance obligations in exchange for sustained funding. The exchange benefits companies by reducing their compliance costs, but without turning the open source foundation into a manufacturer itself, without assuming liability, and without jeopardizing a steward's non-profit status.
In this presentation, Æva Black will introduce their ongoing work with the Eclipse Foundation to develop an understanding of how such a programme might function and how it might impact different segments of our community-of-communities.
This presentation is part one of a two-part series. Part two will feature a panel discussion with representatives of open source foundations and the European Commission.
What if open source software projects could receive ongoing and sustaining funding from the corporations that use those project commercially — without changing the license or charging a fee for usage? This may sound self-contradictory; soon, it may be more than theoretical.
In Article 25 of the Cyber Resilience Act, one can see that the European Commission has the opportunity to create a Delegated Act for Voluntary Security Attestations. This could open a path to reduce manufacturer's CRA-related compliance costs in exchange for support for the volunteers maintaining open source projects -- and to do this without becoming a manufacturer, without assuming liability, and without jeopardizing a steward's non-profit status.
In this panel, we will hear different perspectives on how this could improve the sustainability of open source across Europe, explore the potential impacts of different approaches, and invite audience participation and questions.
This presentation is part two of a two-part series. In part one, Æva introduced their ongoing work with the Eclipse Foundation to develop a holistic view of how such a program might function.
In this short talk, Jordan Maris and Simon Phipps of the OSI will explain how the Open Source Community can get involved in building the standards for the EU's Cyber Resilience Act, and why you should!
The European Commission’s report on Regulation 1025 openly acknowledges what practitioners have long observed: the EU standardisation system is struggling to deliver the kinds of outcomes needed to support the Union’s ambitious push into digital regulation. In this presentation, Tobie draws on his long experience driving large-scale standardisation efforts in organisations such as OASIS, W3C, JDF, Ecma, and the WHATWG, as well as on his work introducing open-source development practices within them. He will discuss why these practices work, the benefits they bring, how they could be adopted by the European Standardisation Organisations, and which transition mechanisms could help bridge the gap until the ESOs are able to catch up.