Nearly Right

Germany invests millions in open source whilst Britain's digital infrastructure relies on volunteers

The cost of maintaining ten miles of motorway could secure software that millions depend on daily—yet only one country is taking this seriously

The mathematics are staggering: for what Britain spends maintaining ten miles of motorway, Germany has secured the digital foundations that power government services across Europe. Germany's Sovereign Tech Fund has invested €23 million over two years in 60 critical open source projects. Meanwhile, Britain's NHS appointment systems, tax collection databases, and emergency services dispatch all depend on software maintained by unpaid volunteers working in their spare time.

When a bridge shows cracks, engineers rush to repair it. When digital infrastructure fails, entire economies can collapse overnight—yet governments systematically ignore the warning signs until catastrophe strikes.

The invisible empire built on volunteer labour

Imagine discovering that 96% of your country's electrical grid was maintained by 5% of the engineers, most working for free in their spare time. This is precisely the reality of digital infrastructure. A 2024 Harvard Business School study found that replacing critical open source software would cost $8.8 trillion globally—yet this vast digital empire rests on the shoulders of a tiny group of often unpaid contributors.

The concentration is breathtaking: a few thousand programmers effectively prop up the digital foundations of modern civilisation. When they burn out, get new jobs, or simply lose interest, critical systems serving millions can suddenly find themselves without maintenance.

Consider the scale of this dependence. The European Commission runs hundreds of websites on Drupal, an open source platform maintained largely by volunteers. France operates over a thousand government sites using the same software. Australia has made it its national digital standard. Yet these governments contribute almost nothing to keeping the underlying technology secure and functional.

In December 2021, this fragility exploded into public view. A vulnerability in Log4j—a logging library maintained mostly by volunteers—threatened to bring down vast swathes of the internet. Within hours, 93% of enterprise cloud environments were exposed. Government systems, banks, hospitals, and military networks all faced potential compromise from a flaw in code that most organisations didn't even know they were using.

Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, called it "one of the most serious vulnerabilities I've seen in my entire career." The scramble to patch systems revealed a terrifying truth: most organisations had no idea which open source components powered their critical systems, let alone who maintained them or whether they were secure.

Two nations, two philosophies

Whilst Britain debates which American software companies to avoid, Germany has quietly revolutionised how governments can secure their digital foundations. The German Sovereign Tech Fund, launched in 2022, treats open source software like public infrastructure—because that's exactly what it is.

The fund's approach is surgical: identify critical digital components that multiple systems depend on, then invest directly in their security and maintenance. Funding ranges from €50,000 to €1 million per project, targeting everything from cryptographic libraries that secure financial transactions to JavaScript frameworks powering millions of websites.

The results speak for themselves. Critical security patches that might have taken months now happen within weeks. Projects that were slowly accumulating dangerous technical debt now have resources to modernise. Maintainers who were burning out from unpaid work can now focus on keeping systems secure rather than begging for donations.

Meanwhile, Britain's digital sovereignty strategy remains focused on procurement theatre. Government departments are encouraged to "consider" open source alternatives, but no systematic funding exists for the maintenance of projects that government services actually depend on. It's the equivalent of encouraging departments to use public roads whilst refusing to fund road maintenance.

The procurement trap

Government procurement rules, designed to ensure fairness, have created a perverse system that actively undermines digital security. Contracts go to the lowest bidder, not the company that contributes to maintaining the open source projects the government depends on.

The result? Companies that invest in securing critical infrastructure are systematically undercut by firms that contribute nothing back. It's a race to the bottom where the winners are those who exploit the commons whilst others pay the maintenance costs.

When Log4j exploded, this short-sighted approach extracted its price. Organisations that had saved money by choosing vendors with no upstream involvement suddenly found themselves completely dependent on those same vendors to understand and fix vulnerabilities in code they had never contributed to. The cleanup cost millions—expenses that could have been avoided with procurement that valued infrastructure contribution alongside price.

Europe wakes up

Germany's success has sparked broader European action. A recent study commissioned by GitHub proposes a European Sovereign Tech Fund with €350 million in EU funding. The study, by Open Forum Europe and leading research institutions, outlines how pooled financing could address the maintenance crisis across critical digital infrastructure.

Denmark's transition from Microsoft to LibreOffice and Linux demonstrates growing European concern about digital dependence. But without investment in the open source infrastructure these alternatives rely on, such moves merely shift dependence from paid software to unpaid volunteers—trading one vulnerability for another.

The price of security

The numbers expose the absurdity of current priorities. Belgium spends over a billion euros annually maintaining roads for ten million people. A tiny fraction of that could secure open source software supporting public services for those same millions of Belgians.

If the world's top 100 countries each contributed $200,000 annually to critical open source projects, those projects would have $20 million budgets—roughly what governments spend maintaining ten miles of motorway. Yet this modest investment could transform the sustainability of digital infrastructure spanning continents.

The Sovereign Tech Fund's survey revealed the human cost of this neglect: a third of open source maintainers receive no payment for their work but would like to. Another third earn some income but cannot make a living from it. Most alarming of all, a third work completely alone, and three-quarters of critical projects are maintained by three people or fewer.

From consumption to contribution

The solution requires governments to shift from consuming open source to contributing to its sustainability. This means implementing procurement that rewards upstream contribution, establishing dedicated funding mechanisms for critical projects, and adopting "public money, public code" policies that ensure taxpayer-funded software development benefits the commons.

Switzerland recently embraced this approach with its EMBAG law, requiring government-developed software to be published as open source unless third-party rights or security concerns prevent it. This prevents duplicate spending whilst building shared digital infrastructure that anyone can reuse, improve, and help secure.

The stakes extend beyond individual projects to the entire model of how digital societies function. The current system privatises the benefits of open source whilst socialising the maintenance costs onto a small group of contributors. This represents a fundamental market failure that only systematic public investment can address.

The choice ahead

Every government faces the same stark choice: invest in digital infrastructure or wait for it to fail catastrophically. Germany chose investment. The German Parliament recently increased the Sovereign Tech Fund's budget, recognising that €23 million is a small price for securing trillions of dollars worth of economic activity.

Other nations can follow this path or continue the current charade—depending on volunteer labour to maintain infrastructure that their entire economy runs on. The mathematics are clear: the solutions exist. The only question is whether governments will act before the next Log4j-scale crisis forces their hand.

Fifteen years ago, paying people to work on open source was controversial. Today, with critical digital infrastructure facing sustainability challenges that threaten national security, government investment isn't just sensible—it's essential. The volunteers who built the digital world deserve better than our benign neglect. More importantly, the millions who depend on the systems they maintain deserve the security that only systematic investment can provide.

Physical infrastructure collapses dramatically. Digital infrastructure fails silently, until millions discover their government services, banks, and hospitals no longer work. Which type of failure a nation experiences depends entirely on choices being made now, in budget meetings and procurement offices, by officials who may not even realise that the choice is theirs to make.
