Brussels asks open source developers for help while funding programs reject their work
A new European consultation on digital sovereignty arrives alongside concrete funding mechanisms—but developers remain sceptical that institutions understand what they actually need
"Why don't you rewrite it from scratch in Rust?"
This was NLnet Foundation's response to a programmer seeking funding to maintain shadow-utils, a piece of Unix infrastructure that handles user accounts on millions of systems. He wanted support for the unglamorous work of keeping critical software running. The foundation, one of Europe's most established open source funders, wanted innovation instead. Maintenance, apparently, was not interesting enough.
The rejection crystallises everything wrong with how European institutions approach the software they depend upon. They want the benefits of open source—the flexibility, the security, the freedom from vendor lock-in—without grasping that someone must do the work. The code does not maintain itself.
Now Brussels is asking for help. The European Commission opened a consultation in January 2026 seeking input on its forthcoming Open Digital Ecosystems Strategy. It wants to reduce dependence on American technology. It acknowledges that open source contributes between sixty-five and ninety-five billion euros annually to the European economy. But its language betrays a conceptual error that developers spotted immediately.
The consultation describes open source as "a public good to be freely used, modified, and redistributed." This is technically accurate and fundamentally misleading. Open source code is freely available. The labour that creates and maintains it is not free. One developer's response captured the frustration: the Commission sees open source "as free candy, rather than the result of love and hard work."
The two-billion-euro habit
European governments send roughly two billion euros to Microsoft every year. The company holds between seventy-seven and ninety per cent of the productivity software market across EU public institutions. Under American laws like the CLOUD Act, Washington can compel Microsoft to hand over European data even when it sits on European servers. In one striking case, Microsoft acknowledged complying with American legal demands that affected services to an international court. A foreign corporation can, it turns out, switch off a sovereign institution's communications without judicial process or recourse.
The dependency is not inevitable. The French Gendarmerie migrated 103,164 workstations away from Microsoft beginning in 2004. Twenty years later, the project endures, saving roughly two million euros annually—forty million in total. Munich attempted something similar with its celebrated LiMux project, but rolled it back in 2017 amid user complaints, inadequate training, and political lobbying. The lesson usually drawn—that open source transitions are too hard—misses the point. Munich failed not because the software was inadequate but because the commitment was.
What would adequate commitment look like? The answer requires understanding what open source actually is, which means borrowing a framework from an unexpected place.
Fisheries, pastures, and code
In 1968, ecologist Garrett Hardin published "The Tragedy of the Commons." His argument was simple: resources that everyone can access but no one owns tend toward destruction. Each herder grazing cattle on common land acts rationally by adding one more animal. Collectively, they overgraze the pasture into oblivion. The same logic explains collapsed fisheries, polluted rivers, and depleted aquifers.
It also explains Log4Shell.
In December 2021, a vulnerability in logging software used across vast swathes of the internet threatened systems from the Belgian government to Google. The flaw had originated, improbably, in a modification for Minecraft. The open source library containing it was maintained by a handful of volunteers. They were expected to fix a problem affecting billions of users while being compensated by almost no one.
Legal scholar Chinmayi Sharma calls this the "tragedy of the digital commons." Open source code is non-excludable—anyone can use it—and non-rivalrous—my using it does not prevent yours. These are the defining characteristics of a public good. But unlike a lighthouse or a road, software requires constant maintenance. Security patches. Dependency updates. Documentation. The people who do this work are often volunteers or minimally paid contributors, while the companies extracting the most value contribute the least.
The result is a doom cycle. Critical infrastructure grows increasingly fragile precisely because it grows increasingly essential. Everyone assumes someone else will maintain it. No one does.
Germany's experiment
Berlin decided to try something different. The Sovereign Tech Fund, established in 2022, has provided over twenty-four million euros to more than sixty open source projects. Its philosophy inverts the usual government approach: it funds maintenance and security rather than demanding novel features. It reaches out proactively to maintainers rather than waiting for elaborate proposals. It has learned that the reporting requirements suitable for traditional contractors become burdens that drive away the very people it aims to support.
The fund represents proof of concept. Government money can flow to open source without strangling it in bureaucracy. Maintainers can be paid for the work they actually do rather than the work funders imagine they should do.
This success gave rise to something larger. In late October 2025, the European Commission approved the Digital Commons European Digital Infrastructure Consortium. It launched formally in The Hague on December 11th, with France, Germany, the Netherlands, and Italy as founding members. Luxembourg, Slovenia, Poland, and Belgium have joined as observers.
The consortium is not another strategy document. It has legal personality, dedicated governance, and pooled member state resources. Any software it develops will be released under open source licences by default. By 2027, it promises a one-stop shop for funding, a Digital Commons Forum, and an annual report on the state of European digital infrastructure.
The timing matters. The consultation now open arrives just weeks after this institutional machinery began operating. For once, there is a mechanism designed to act on whatever feedback Brussels receives.
Two cultures
Yet developers remain wary, and their wariness is not irrational.
The NLnet rejection was not an isolated incident but a pattern. Funding bodies, even those dedicated to open source, prefer exciting new projects to grinding maintenance. They impose accountability requirements designed for contractors and misapplied to volunteers. They evaluate proposals using academic criteria ill-suited to infrastructure work.
One commenter on the discussion summarised the core demand: "If EU wants to be serious, it needs to give money to projects without telling projects how to spend it." The comparison to commercial licensing cuts deep. Governments do not instruct Microsoft how to allocate their licence fees. They pay for a product that works. Open source maintainers, providing equally critical infrastructure, find themselves subjected to elaborate justifications for every euro.
The cultural barrier runs both ways. Procurement officers struggle to understand why they should pay for something available online for free. Politicians want ribbon-cutting moments, not invisible maintenance. The Interoperable Europe Act, effective since 2024, requires public bodies to consider open source alternatives first—but changing procurement culture is generational work.
And then there is Chat Control. A separate Commission initiative seeking to mandate scanning of encrypted communications has drawn fierce opposition from the technology community. How, developers ask, can institutions proposing surveillance backdoors be trusted partners in building open digital infrastructure?
There is no satisfying answer. The European Commission is not a unitary actor. Different directorates pursue different agendas, sometimes in direct conflict. Engaging with the open source consultation does not mean endorsing every other Commission policy.
The question
The consultation runs until February 3rd 2026. The EDIC will proceed regardless of participation levels. But the questions Brussels poses—what barriers hamper open source adoption, what sectors would benefit, what concrete measures might help—are ones developers are better positioned to answer than anyone else.
For two decades, the open source community has complained that governments do not understand them. Now a government is asking to be taught. The teacher may prove an indifferent student. The institutional habits are deep. The cultural divide is real. But the alternative—ceding influence to those less qualified—has its own costs.
Someone applied for funding to maintain shadow-utils and was told to rewrite it in Rust. The question now is whether the institutions capable of that response are also capable of learning from it.