Updated June 27, 2026
Summary: The EU Open Source Strategy COM(2026) 503 makes open-source-first evaluation a procurement obligation, not a preference, and ties it to NIS-2, CRA SBOM requirements, and CADA cloud-assurance levels to protect sensitive public-sector data from foreign jurisdiction.

The EU Open Source Strategy, formally adopted as COM(2026) 503 within the June 2026 Tech Sovereignty Package, establishes open-source-first procurement as an enforceable evaluation criterion rather than a voluntary aspiration. For compliance officers, CISOs and IT decision-makers in regulated sectors, the document redefines the legal and procedural landscape for selecting collaboration platforms, infrastructure software and AI tooling, and ties those choices directly to NIS-2, the Cyber Resilience Act and the GDPR compliance chain.

Why This Strategy Matters Now

The political timing of COM(2026) 503 is inseparable from a broader anxiety about digital dependency on non-European vendors subject to foreign jurisdiction. The CLOUD Act (18 U.S.C. § 2713), FISA Section 702 and the US PATRIOT Act create legal pathways through which US law enforcement and intelligence agencies can compel American-owned cloud providers to disclose data regardless of where that data physically resides. The EU Open Source Strategy addresses this exposure not through diplomatic negotiation but through structural substitution: if the software stack is open-source, EU-controlled and hosted on infrastructure outside US jurisdiction, the legal hook disappears.

The European Commission estimates that EU public administrations spend over EUR 1 billion annually on software licences that could be replaced by reusable open-source solutions already developed within those same administrations (European Commission, Joinup, 2023). That figure represents both fiscal inefficiency and a sovereignty gap, because each proprietary licence typically bundles cloud storage or telemetry routed to US data centres.

Note: Under COM(2026) 503, contracting authorities must now document in their procurement files why they did not select an open-source option. The burden of justification shifts: silence in favour of a proprietary product is no longer procedurally neutral.

The Three Pillars and What They Require in Practice

The strategy organises its obligations around three pillars. Each pillar translates into concrete tendering guidance that procurement teams can operationalise immediately.

Pillar 1: Trusted Assets

Trusted assets are open-source software components that have passed a documented security and sustainability review. The primary instrument here is the EU Open Source Solutions Catalogue, maintained on the Joinup platform. Solutions listed in the catalogue have undergone FOSSEPS-aligned assessments covering licence clarity, maintainer community health, vulnerability response times and deployment track records across member state administrations. A contracting authority that selects a Catalogue-listed solution can cite that listing as part of its Article 22 NIS-2 risk-management documentation, because the security baseline has already been independently evaluated.

For collaboration software specifically, this means a Nextcloud-based workspace deployment using components from the Catalogue carries a documented trust chain that Microsoft 365 or Google Workspace cannot replicate in the same format: those products do not publish source code, do not expose their dependency trees and do not permit the kind of independent audit that a NIS-2 essential entity must be able to demonstrate to its national competent authority.

Pillar 2: Empowered Communities

The second pillar institutionalises the Open Source Programme Office (OSPO) model at every level of public administration. The European Commission’s own OSPO, operational since 2021, serves as the reference model. Under COM(2026) 503, member state ministries and agencies are expected to either establish their own OSPOs or formally affiliate with the Commission OSPO network, using code.europa.eu as the shared repository for sovereign digital building blocks.

The practical governance requirement is that no digital investment decision above a defined threshold may proceed without an OSPO check covering four criteria: licence compatibility with EU public-sector obligations, availability of a CRA-compliant software bill of materials, demonstrated maintainer community diversity (to avoid single-vendor capture of a nominally open project), and a documented contribution strategy that returns improvements to the upstream project. This last point matters for organisations considering sovereign alternatives: a Nextcloud deployment where the deploying agency contributes security patches back to the project satisfies the empowered-communities pillar in a way that a hyperscaler SaaS contract cannot.

Pillar 3: Strong Governance

The governance pillar introduces the European Digital Infrastructure Consortium for Digital Commons (EDIDC), a cross-border coordination body designed to pool investment in shared open-source infrastructure. For procurement officers, the EDIDC creates a new category of pre-qualified sovereign infrastructure that can be referenced in tender specifications without triggering the full market-consultation procedure that would otherwise be required for a sole-source award.

As Margrethe Vestager stated in the European Commission press release accompanying the Tech Sovereignty Package: “Open source is not just a cost-saving measure; it is a strategic instrument of digital sovereignty. Administrations that control their software stack control their own data destiny.”

Using FOSSEPS and the Catalogue in NIS-2 Compliance Justifications

A compliance officer at a NIS-2-regulated entity (an essential or important entity under Directive (EU) 2022/2555) must demonstrate under Article 21 that security measures are proportionate, technically current and subject to supply-chain risk assessment. The FOSSEPS Preparatory Action, which mapped critical open-source dependencies across EU public administrations and assessed their security sustainability, provides exactly the kind of documented evidence base that Article 21 risk assessments require.

The practical workflow is straightforward:

1. Identify the software component under review.
2. Check whether it appears in the FOSSEPS catalogue or the broader EU Open Source Solutions Catalogue on Joinup.
3. Extract the FOSSEPS sustainability score and known vulnerability history.
4. Document that score in the organisation’s information security policy under the supply-chain risk section.
5. If the component is not yet listed, initiate a FOSSEPS-style internal assessment using the published methodology and record the results.

This paper trail satisfies both the NIS-2 audit requirements and the documentation obligation introduced by COM(2026) 503.

Note: FOSSEPS-listed components are not automatically CRA-compliant. Compliance officers must separately verify that the upstream project publishes a software bill of materials meeting the CRA’s Annex I technical requirements before embedding the component in a production system.

CRA SBOM Obligations and Open-Source Supply Chains

The Cyber Resilience Act, which entered into force in 2024, requires manufacturers of products with digital elements to provide a software bill of materials (SBOM) that enumerates all third-party and open-source components, their versions and their known vulnerabilities. ENISA has noted in its position on the CRA: “The Cyber Resilience Act makes software bills of materials mandatory precisely because you cannot secure what you cannot see. Open-source supply chains must be auditable end to end.”

For public administrations reusing open-source components from code.europa.eu or the EU Open Source Solutions Catalogue, the CRA creates a two-layer obligation. The upstream maintainer must publish a CRA-compliant SBOM; the deploying administration must integrate that SBOM into its own supply-chain risk register and refresh it at each dependency update. COM(2026) 503 reinforces this by requiring OSPO governance checks to include SBOM availability as a non-negotiable criterion before any component is approved for deployment.
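The second layer of that obligation, keeping the deployer's own risk register in step with the upstream SBOM at every dependency update, is mechanical enough to script. The following is an added example, not code from the strategy, from code.europa.eu or from any project named on this page. It assumes the SBOM is CycloneDX JSON (a real SBOM format); the two SBOM snapshots, the component names and the vulnerability identifiers below are constructed placeholders, and the vulnerability feed is matched on exact (name, version) pairs rather than version ranges.

```python
"""Refresh a supply-chain risk register from a CycloneDX-style SBOM.

Added example; the SBOM content, component names and vulnerability IDs
are constructed placeholders, not real projects or advisories.
"""
import json
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (component name, exact version)

# Previous snapshot already held in the risk register (constructed sample).
SBOM_PREVIOUS = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-webserver", "version": "2.3.9",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-crypto", "version": "1.0.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-logger", "version": "0.9.2",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]}
  ]
}
""")

# SBOM published by upstream after a dependency update (constructed sample).
# "example-parser" deliberately lacks a version and a licence.
SBOM_CURRENT = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-webserver", "version": "2.4.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-crypto", "version": "1.0.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-parser"}
  ]
}
""")

# Constructed vulnerability feed; placeholder identifiers, not real CVEs.
KNOWN_VULNERABLE: Dict[Key, List[str]] = {
    ("example-crypto", "1.0.0"): ["PLACEHOLDER-VULN-0001"],
}


def component_index(sbom: dict) -> Dict[str, dict]:
    """Index components by name; an unnamed or duplicated component is rejected."""
    index: Dict[str, dict] = {}
    for comp in sbom.get("components", []):
        name = comp.get("name")
        if not name:
            raise ValueError("component without a name cannot be registered")
        if name in index:
            raise ValueError(f"duplicate component name in SBOM: {name}")
        index[name] = comp
    return index


def validate_sbom(sbom: dict) -> List[str]:
    """Minimum content: a version (to match advisories) and a licence id
    (so the OSPO licence-compatibility check has something to check)."""
    findings = []
    for name, comp in component_index(sbom).items():
        if not comp.get("version"):
            findings.append(f"{name}: missing version, cannot be matched to advisories")
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        if not any(ids):
            findings.append(f"{name}: missing licence identifier")
    return findings


def match_known_vulnerabilities(sbom: dict, feed: Dict[Key, List[str]]) -> Dict[str, List[str]]:
    """Exact (name, version) lookup against the feed."""
    hits = {}
    for name, comp in component_index(sbom).items():
        ids = feed.get((name, comp.get("version", "")))
        if ids:
            hits[name] = list(ids)
    return hits


def diff_sboms(previous: dict, current: dict) -> Dict[str, List[str]]:
    """What changed since the register was last refreshed."""
    prev, cur = component_index(previous), component_index(current)
    changed = sorted(n for n in set(cur) & set(prev)
                     if cur[n].get("version") != prev[n].get("version"))
    return {"added": sorted(set(cur) - set(prev)),
            "removed": sorted(set(prev) - set(cur)),
            "changed": changed}


def refresh_risk_register(previous: dict, current: dict,
                          feed: Dict[Key, List[str]]) -> dict:
    """One register refresh; approval is withheld while any finding is open."""
    findings = validate_sbom(current)
    hits = match_known_vulnerabilities(current, feed)
    return {"changes": diff_sboms(previous, current),
            "sbom_findings": findings,
            "vulnerable": hits,
            "approved": not findings and not hits}


if __name__ == "__main__":
    print(json.dumps(refresh_risk_register(SBOM_PREVIOUS, SBOM_CURRENT,
                                           KNOWN_VULNERABLE), indent=2))
```

Run against the two constructed snapshots, the refresh reports one added, one removed and one version-bumped component, flags the unversioned and unlicensed component as register findings, and withholds approval because one component matches the feed. The exact-version match is the deliberate simplification: a production register would resolve version ranges from its advisory source, but the gating logic (no approval while the SBOM is incomplete or a listed vulnerability is unresolved) is the part the OSPO check requires.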

A 2024 study commissioned by the European Commission found that every euro invested in open-source software generates between EUR 1 and EUR 4 in additional GDP for the EU economy (European Commission / KU Leuven, 2024). The SBOM requirement, while adding process overhead, is the mechanism that makes that investment defensible: auditable supply chains are prerequisite to the insurance, liability and incident-response frameworks that regulators in finance (DORA Article 28) and healthcare demand.

CADA Levels 3 and 4: Where Open-Source Strategy Meets Cloud Assurance

CADA Level 3
  Key requirement: Data stored in EU; provider not subject to extraterritorial third-country orders
  Open-source sovereign stack: Achievable with EU or Swiss hosting; CLOUD Act exposure absent
  US hyperscaler (e.g., Microsoft 365): Structurally problematic: US parent entity subject to CLOUD Act regardless of data location

CADA Level 4
  Key requirement: EU-controlled ownership and governance of hosting infrastructure
  Open-source sovereign stack: Achievable with EDIDC-affiliated or Swiss-domiciled providers using open-source stack
  US hyperscaler (e.g., Microsoft 365): Not achievable without full structural divestiture from US parent

COM(2026) 503 explicitly cross-references the CADA framework by requiring that procurement specifications for cloud-hosted software state the target CADA level and justify how the selected solution meets it. For any entity handling data classified above RESTRICTED, the strategy’s guidance points unambiguously toward Level 3 or Level 4 solutions, which in practice means EU or Swiss-hosted open-source deployments rather than hyperscaler SaaS.

ENISA’s 2024 Threat Landscape report recorded a 58% year-on-year rise in ransomware incidents targeting public-administration entities across EU member states (ENISA Threat Landscape 2024). Sovereign open-source deployments, when combined with immutable off-site backup and continuous monitoring, allow the organisation to restore from a clean, auditable state without relying on a hyperscaler’s proprietary recovery tooling or negotiating access to encrypted backup data held under a foreign jurisdiction.

From Procurement Guidance to Operational Reality

The most immediate operational step for a compliance officer or CISO is to map the organisation’s current software portfolio against the EU Open Source Solutions Catalogue and identify components where a Catalogue-listed alternative exists and where the current contract is due for renewal within 24 months. That mapping exercise simultaneously satisfies the COM(2026) 503 open-source-first documentation obligation, generates input for the NIS-2 Article 21 supply-chain risk register and surfaces SBOM gaps that must be resolved before the CRA’s transition period expires.

For organisations replacing Microsoft 365 or Google Workspace, a sovereign Nextcloud-based workspace deployed on Swiss or EU-domiciled infrastructure addresses the CLOUD Act exposure at the architectural level, satisfies CADA Level 3 without contractual mitigations and provides a fully auditable file-permission and metadata trail that regulators in finance (DORA), healthcare and the public sector can inspect directly. COM(2026) 503 now provides the procurement-law framework to select that architecture without procedural risk: the open-source-first principle, the EDIDC pre-qualification route and the OSPO governance layer together constitute a defensible, documented decision chain from first evaluation to live deployment.

FAQ

Does the EU Open Source Strategy COM(2026) 503 make open-source procurement legally mandatory for all public bodies?

The strategy establishes an open-source-first principle as a binding evaluation criterion within public procurement procedures, meaning contracting authorities must document why they did not choose an open-source option when awarding contracts for software. It does not prohibit proprietary software outright, but the burden of justification shifts to the buyer who selects a closed-source product.

What is the FOSSEPS Preparatory Action and how does it help a compliance officer?

FOSSEPS (Free and Open Source Software as a European Public Service) is a European Commission initiative that identified critical open-source components used across EU public administrations and assessed their sustainability and security posture. For a compliance officer, FOSSEPS-catalogued solutions come with a documented maintenance and security history that can be cited directly in NIS-2 risk assessments and procurement justification documents.

How do CRA SBOM requirements interact with open-source software reuse in the public sector?

The Cyber Resilience Act requires manufacturers of products with digital elements to provide a software bill of materials listing all third-party and open-source components. When a public body reuses an open-source solution from code.europa.eu or the EU Open Source Solutions Catalogue, it must verify that the upstream maintainer provides a CRA-compliant SBOM and integrate that SBOM into its own supply-chain risk register.

What is the difference between CADA Level 3 and Level 4 in relation to sovereign open-source hosting?

The Cloud Assurance for Digital Administration (CADA) framework defines assurance levels for cloud procurement. Level 3 requires that data remain within the EU and that the cloud provider is not subject to extraterritorial legal orders from third countries. Level 4 adds the requirement for EU-controlled ownership and governance of the hosting infrastructure. A sovereign deployment on Swiss or EU-domiciled infrastructure using open-source components can satisfy both levels, whereas US hyperscaler offerings subject to the CLOUD Act cannot reach Level 3 without contractual and technical mitigations that are difficult to prove in an audit.

What role does an OSPO play in a national ministry or agency implementing the new strategy?

An Open Source Programme Office coordinates the selection, security review, contribution policy and lifecycle management of open-source software. Under COM(2026) 503, ministries are encouraged to establish or join the European Commission OSPO network, use code.europa.eu for publishing and discovering sovereign digital building blocks, and embed OSPO governance checks (licence compatibility, SBOM availability, maintainer diversity) into every digital investment decision above the defined threshold.
